Hi All,
I did a fresh install and update (apt-get update && apt-get upgrade) of Kali in a Virtualbox VM and try to configure and use BeEF integrated with Metasploit.
Everything looks great but when I execute a Metasploit exploit from BeEF I cannot see any job created on Metasploit.Code:root@kali:~# uname -a Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
I've already seen some videos on the internet and I saw this working in an Ubuntu box.
I'll describe the steps that I'm doing below just to check if I'm doing right.
First I configured BeEF following the BeEF Wiki page (https://github.com/beefproject/beef/wiki/Configuration) enabling Metasploit extension on BeEF configuration file:
After that I configured the Metasploit extension updating the parameters host and callback_host with my internal IP and setting the right path for os custom ({os: 'custom', path: '/usr/share/metasploit-framework/'}).Code:root@kali:~# grep metasploit /etc/beef-xss/config.yaml -A 1 metasploit: enable: true root@kali:~#
In order to start Metasploit first I started Postgresql database (service postgresql start) and after that I started Metasploit (service metasploit start).Code:root@kali:~# cat /usr/share/beef-xss/extensions/metasploit/config.yaml # # Copyright (c) 2006-2014 Wade Alcorn - [email protected] # Browser Exploitation Framework (BeEF) - http://beefproject.com # See the file 'doc/COPYING' for copying permission # # Enable MSF by changing extension:metasploit:enable to true # Then set msf_callback_host to be the public IP of your MSF server # # Ensure you load the xmlrpc interface in Metasploit # msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 # Please note that the ServerHost parameter must have the same value of host and callback_host variables here below. # Also always use the IP of your machine where MSF is listening. beef: extension: metasploit: name: 'Metasploit' enable: true host: "10.0.2.7" port: 55552 user: "msf" pass: "abc123" uri: '/api' # if you need "ssl: true" make sure you start msfrpcd with "SSL=y", like: # load msgrpc ServerHost=IP Pass=abc123 SSL=y ssl: false ssl_version: 'SSLv3' ssl_verify: true callback_host: "10.0.2.7" autopwn_url: "autopwn" auto_msfrpcd: false auto_msfrpcd_timeout: 120 msf_path: [ {os: 'osx', path: '/opt/local/msf/'}, {os: 'livecd', path: '/opt/metasploit-framework/'}, {os: 'bt5r3', path: '/opt/metasploit/msf3/'}, {os: 'bt5', path: '/opt/framework3/msf3/'}, {os: 'backbox', path: '/opt/metasploit3/msf3/'}, {os: 'kali', path: '/usr/share/metasploit-framework/'}, {os: 'pentoo', path: '/usr/lib/metasploit'}, {os: 'win', path: 'c:\\metasploit-framework\\'}, {os: 'custom', path: '/usr/share/metasploit-framework/'} ] root@kali:~#
With the services running I started msfconsole with some initial configuration (connect to DB, etc.) as you can see below:
For enabling RPC communication I started the msgrpc plugin. Of course, IP address, username and password are consistent with the configuration file:Code:root@kali:~# cat .msf4/msfconsole.rc db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml set ConsoleLogging true set LogLevel 5 set SessionLogging true set TimestampOutput true spool /root/metasploit/metasploit.spool.txt set PROMPT '%U@%H(%L) :' root@kali:~# /usr/bin/msfconsole -r /root/.msf4/msfconsole.rc ... =[ metasploit v4.10.0-2014082101 [core:4.10.0.pre.2014082101 api:1.0.0]] + -- --=[ 1331 exploits - 722 auxiliary - 214 post ] + -- --=[ 340 payloads - 35 encoders - 8 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ][*] Processing /root/.msf4/msfconsole.rc for ERB directives. resource (/root/.msf4/msfconsole.rc)> db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml[*] Rebuilding the module cache in the background... resource (/root/.msf4/msfconsole.rc)> set ConsoleLogging true Console logging is now enabled. ConsoleLogging => true resource (/root/.msf4/msfconsole.rc)> set LogLevel 5 LogLevel => 5 resource (/root/.msf4/msfconsole.rc)> set SessionLogging true Session logging will be enabled for future sessions. SessionLogging => true resource (/root/.msf4/msfconsole.rc)> set TimestampOutput true TimestampOutput => true resource (/root/.msf4/msfconsole.rc)> spool /root/metasploit/metasploit.spool.txt[*] Spooling to file /root/metasploit/metasploit.spool.txt... resource (/root/.msf4/msfconsole.rc)> set PROMPT '%U@%H(%L) :' PROMPT => %U@%H(%L) : root@kali(10.0.2.7) :>
Now it's time to run BeEF in another terminal.Code:root@kali(10.0.2.7) :> load msgrpc ServerHost=10.0.2.7 Pass=abc123[*] MSGRPC Service: 10.0.2.7:55552 [*] MSGRPC Username: msf[*] MSGRPC Password: abc123[*] Successfully loaded plugin: msgrpc root@kali(10.0.2.7) :>
As you can see in "Successful connection with Metasploit" the connection with Metasploit is OK!Code:root@kali:/usr/share/beef-xss# ./beef -x [ 9:41:15][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000]. [ 9:41:15][*] Browser Exploitation Framework (BeEF) 0.4.4.9-alpha [ 9:41:15] | Twit: @beefproject [ 9:41:15] | Site: http://beefproject.com [ 9:41:15] | Blog: http://blog.beefproject.com [ 9:41:15] |_ Wiki: https://github.com/beefproject/beef/wiki [ 9:41:15][*] Project Creator: Wade Alcorn (@WadeAlcorn) [ 9:41:15][*] Successful connection with Metasploit. [ 9:41:18][*] Loaded 269 Metasploit exploits. [ 9:41:18][*] Resetting the database for BeEF. [ 9:41:18][*] BeEF is loading. Wait a few seconds... [ 9:41:23][*] 11 extensions enabled. [ 9:41:23][*] 464 modules enabled. [ 9:41:23][*] 2 network interfaces were detected. [ 9:41:23][+] running on network interface: 127.0.0.1 [ 9:41:23] | Hook URL: http://127.0.0.1:3000/hook.js [ 9:41:23] |_ UI URL: http://127.0.0.1:3000/ui/panel [ 9:41:23][+] running on network interface: 10.0.2.7 [ 9:41:23] | Hook URL: http://10.0.2.7:3000/hook.js [ 9:41:23] |_ UI URL: http://10.0.2.7:3000/ui/panel [ 9:41:23][*] RESTful API key: 571500b69782ad0a5f82f454aad7ee30022717ed [ 9:41:23][*] HTTP Proxy: http://127.0.0.1:6789 [ 9:41:23][*] BeEF server started (press control+c to stop)
So I opened BeEF panel on the Kali iceweasel browser login with beef/beef with no problem.
From another Virtualbox VM running Windows XP I accessed the demo page in order to hook it.
From BeEF panel on Kali I could see the the new hooked browser.
Since I already know that the Java CMM Remote Code Execution is working on this Windows XP I ran this modulo on this host with the parameters below:
From the terminal that I started BeEF I can see this:Code:Java CMM Remote Code Execution SSL: disabled SRVHOST: 10.0.2.7 SRVPORT: 8080 URIPATH: 10660e6c Payload: windows/meterpreter/reverse_tcp
But in the other terminal I cannot see any jobs on the msfconsole:Code:[ 9:44:54][*] New Hooked Browser [id:1, ip:10.0.2.10, type:IE-7, os:Windows XP], hooked domain [10.0.2.7:3000] [10:03:10][*] Hooked browser [id:1, ip:10.0.2.10] has been sent instructions from command module [id:1, name:'Java CMM Remote Code Execution']
If I use and run exploit direct from msfconsole it work perfectly.Code:root@kali(10.0.2.7) :> jobs Jobs ==== No active jobs. root@kali(10.0.2.7) :>
Anyone has BeEF and Metasploit working in a Kali fresh install?
Thanks
Ricardo
