I want to give you a demonstration of how browsers get hacked, to give you an appreciation of what is really possible.
What does happen out there.
So here we have the latest Firefox, fully patched, on Windows 7, no exploits available for it.
We can see here we are running Flash, JavaScript, Java and Silverlight, and we're patched up with Windows as well.
So if I want to attack this browser I need to get something to run in this browser.
So imagine I'm away from this browser and I'm the evil hacker and you are using this browser. As I said, I want to get something to run in this browser, and in this example I'm going to use JavaScript to send my payload, and I can do this in many ways.
So I could send you an email with the JavaScript embedded within the email, and if your email client runs scripts then I'm good. I could look for vulnerabilities in sites that you visit; cross-site scripting vulnerability is actually the technical name for what I'd be looking for, and then I'd be able to embed scripts in legitimate sites.
So for example Facebook, or more likely something like a forum that you might visit.
I could buy an ad from an ad network and embed the script that way. You come to a site that I own, and I could send you a link to come to that site.
Or I could send you a link to anywhere where that script is running.
So there are lots of ways to get that script to run within your browser or in the context of your browser because that's simply how the Internet works.
It's a whole bunch of scripts running within your browser.
If you are specifically targeted by an attacker, they might hack you manually, but it's most likely, in most situations, that the hacking of a browser will happen in an automated fashion so that they can harvest the most victims.
But here I'm going to be demonstrating a hack manually.
So here's a site that we have embedded the script in. This has a strange URL, but we'd have a normal URL here; it wouldn't be something that you would find unusual.
And there's a script somewhere embedded in here.
So we use Firebug and we do a little search, and there you can see the script is there, and it's reaching out to somewhere. I could embed this within the page and reach out to my evil server somewhere.
And if you're curious, the script looks like this, which is not going to make much sense to you unless you understand JavaScript.
Now I switch over to my pen testing box, which is here.
This is Kali Linux, which is a Debian-based Linux distribution aimed at penetration testing and security auditing.
I'm going to be using a combination of the Metasploit Framework, which is an open source penetration testing tool for developing and executing exploit code, and also what you can see here in front of you, which is the Browser Exploitation Framework, referred to as BeEF, and that's an open source pen testing tool that's aimed at exploiting the browser.
So because you ran that script, I can see you here.
Let me close these ones, and that is you; that is the browser that is connected.
And I can see a lot of information about the browser, as you would expect, because the browser gives away all of that information.
I can see that you're on a Windows machine.
I can see that you're running Firefox.
I can see the plugins that are installed.
Google Update; I can see there's Java there.
I can see all the various functionality, WebRTC, which means I can potentially get your real IP address if you're hidden behind a proxy; there is your real IP.
I can see the operating system and even the size of your screen.
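To make the WebRTC point concrete, here is an added example (not code from the lecture, and not BeEF's own module) showing what a hooked page learns from the ICE candidates a browser generates, and a check you can run on your own browser. The candidate lines in SAMPLE_CANDIDATES are constructed in the standard ICE syntax rather than captured from a real session, and stun.example.org is a placeholder STUN server name.

```javascript
// Added example, not code from the lecture or from BeEF: what an attacker's
// hook script learns from WebRTC ICE candidates, and a check you can run on
// your own browser. SAMPLE_CANDIDATES below are constructed in the standard
// ICE candidate syntax, not captured from a real session, and
// stun.example.org is a placeholder STUN server name.

// Parse one ICE candidate string into its fields. Browsers hand the string to
// onicecandidate as e.candidate.candidate, in the form
// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...".
function parseIceCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toUpperCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host, srflx, prflx or relay
  };
}

// RFC 1918 and loopback ranges: the kind of address a proxy or VPN is supposed to hide.
function isPrivateIPv4(addr) {
  const p = addr.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 ||
    (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) ||
    p[0] === 127;
}

// Summarise what a page learns from a full set of gathered candidates:
// host candidates carry the machine's own interface addresses; srflx/prflx
// candidates carry the public address a STUN server saw the UDP packet come
// from, which bypasses an HTTP proxy entirely.
function summariseLeak(lines) {
  const local = new Set();
  const external = new Set();
  for (const line of lines) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    // Modern browsers replace host addresses with mDNS names; those reveal nothing.
    if (c.address.endsWith('.local')) continue;
    if (c.type === 'host') local.add(c.address);
    else if (c.type === 'srflx' || c.type === 'prflx') external.add(c.address);
  }
  return {
    localAddresses: [...local],
    externalAddresses: [...external],
    leaksPrivateAddress: [...local].some(isPrivateIPv4),
  };
}

// Browser-only glue: gather candidates the way a hook script would. Only
// called when RTCPeerConnection exists, so the file also runs under Node.
function gatherCandidates(stunUrl = 'stun:stun.example.org:3478') {
  return new Promise(resolve => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    pc.createDataChannel('probe'); // ICE gathering only starts once there is a media/data section
    pc.onicecandidate = e => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(lines); } // a null candidate marks the end of gathering
    };
    pc.createOffer().then(offer => pc.setLocalDescription(offer));
  });
}

// Constructed sample: one private host candidate, one server-reflexive
// candidate from a STUN server (203.0.113.45 is a documentation address),
// and one mDNS-obfuscated host candidate.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:3 1 udp 2122194687 a1b2c3d4-0000-1111-2222-333344445555.local 55555 typ host generation 0',
];

if (typeof RTCPeerConnection === 'undefined') {
  console.log(summariseLeak(SAMPLE_CANDIDATES));
} else {
  gatherCandidates().then(lines => console.log(summariseLeak(lines)));
}
```

Paste the block into a browser console to see your own candidates. Current Chrome and Firefox hide host candidates behind mDNS names by default, so the private-address part of this leak is largely closed, but the srflx candidate still reveals the public address your UDP traffic leaves from, which is not the proxy's address when the proxy only carries HTTP. In Firefox, setting media.peerconnection.enabled to false in about:config disables WebRTC and stops the gathering entirely.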
So I want to start to compromise this box.
Now let's assume there are no vulnerabilities, nothing to exploit, and I'm just going to use the regular functionality within JavaScript in your browser.
So let's go down to the social engineering tab and the fake notification bar.
Now I'm going to send a fake notification to that browser to look like, say, a Firefox plugin extension, and all I need to do is simply execute. The notification has been displayed.
Let's have a look.
And there we are, the notification is there.
So imagine this is just a forum that you happen to be browsing, a site that you're normally at, and I've inserted that JavaScript and this pops up.
If you click on this and run this, then I could potentially install anything: a trojan, a RAT, a backdoor.
Let's close that. Maybe I want to try to steal your Facebook credentials.
I just try putting up a fake Facebook login.
And there we are; you send that login information thinking that you are logging in as normal, and there we go.
We receive that information unencrypted, because it's just been sent directly to us; it's not from Facebook.
And perhaps we want to steal your Google credentials.
Let's execute this one.
And here we go.
A fake Google page; again, if you enter the username and password they'll be stolen and sent back to BeEF.
Now let's imagine there are exploits available for this.
So the Firefox browser is vulnerable.
Or maybe you haven't patched Flash or Silverlight or Java, and we find a vulnerability in those.
So let's imagine I exploit a Java vulnerability.
And in this case I have, and what I've done is I've given myself a reverse shell back to the Windows machine, and you can see on the Windows machine I can see the very, very secret password file. If I type msinfo32 I can actually get things to run on the desktop, and you can see here I've just launched this.
And in fact from that command line I can pretty much do anything with the level of privileges that the current user is logged in as. If I want to do more, I can try to exploit the operating system in order to escalate my privileges to an administrator; that may or may not be difficult depending on the security that you've set up. Close.
Let's get back to Kali.
Now of course, because I've got a reverse shell I can run anything, so I can even use things like VNC so that I can actually use the desktop remotely; here I'm using VNC remotely through a browser hack.
And you can see here that I've opened the start menu, but there are many things you can do once you get access, and the user wouldn't necessarily be able to see what you were doing; you wouldn't open a desktop that the user could see, and you could do lots of things behind the scenes.
So I hope that gives you a clear idea of what is really possible once even just the smallest amount of script is run within your browser.
You can do all of those social engineering attacks.
And then, if you're not patched or there are exploits available, zero-day exploits, then quite simply you can create these reverse shells.
Reverse shells I'll explain later.
But it is simply just a way of getting remote access to your machine.
You can get those shells and then, let's say, you own the machine.