ShellShock and BeEF Framework – Exploitation Tutorial

In a previous tutorial, we successfully exploited the ShellShock Vulnerability with Metasploit Framework and Burp Suite. And in this article we’ll gonna exploit the same vulnerability with BeEF Framework which is one of the most popular Browser Exploitation Framework but it is not actively maintained by the developers.

BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Lab Testing Environment Requirements –

[Target] Bee-Box (Ubuntu 8.0.4) – 192.168.20.133 (Version 1.6)
[Attacker] Kali Linux – 192.168.20.129 (Latest Version)

About Bee-Box – Bee-Box is a custom Linux VM pre-installed with bWAPP. With bee-box you have the opportunity to explore all bWAPP vulnerabilities! Bee-Box gives you several ways to hack and deface the bWAPP website. It’s even possible to hack the bee-box to get root access…

Install the Bee-Box operating system in your VMWare by downloading the direct ISO file from this link. The default Password of Bee-Box machine is “bug“.

To Test the ShellShock Vulnerability, open the terminal and type the following command into it as shown below:

Command: env x='() { :;}; echo VULNERABLE; exit;’ bash -c ‘echo NOT VULNERABLE’

If it shows “VULNERABLE” as an output then it means you can easily exploit this vulnerability by any means which we’ve already exploited the same with Metasploit Framework and a BadBash script.

Back to Kali Linux, make sure that you must have installed BeEF Framework.

Navigate to /usr/share/beef-xss/ directory and type ./beef to start the framework.

You can access the interface by opening http://127.0.0.1:3000/ui/panel whose default login username and password is “beef“.

This is the default display screen when you successfully log in to the BeEF XSS Framework control panel.

We must inject the hook URL address to the shellshock vulnerable machine.The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers.

When it does, it calls back to the BeEF server communicating a lot of information about the target. It also allows additional commands and modules to be run against the target. So now we will take the hook URL and try to send it to the victim.

The default hook URL is http://127.0.0.1:3000/demos/basic.html

Replace 127.0.0.1 with Kali Linux IP i.e. 192.168.20.129, the final URL will be http://192.168.20.129:3000/demos/basic.html

Now send the above crafted URL to your victim by any means i.e. Social Engineering by Email, Chat etc.

As soon as the victim clicks on the crafted URL the hook will be planted on BeEF running on the attacker’s machine and the victim’s browser details and other information will be disclosed as shown on Left Side with a Mark under “Online Browsers“.

By clicking on the new hooked browser, you will select this browser as the current browser and you will see a new tab “Current Browser“:

This new tab presents details on the browser, the hooked page and the hooked host but it provides also a new tab menu dedicated to the selected browser.

When a browser is hooked, BeEF automatically gather several pieces of information on the hooked browser :