BeEF Manual Testing Plan (Local VM Edition)
This document provides a simplified approach for manually testing BeEF modules entirely within the same Linux Ubuntu VM where BeEF is running.
1. Environment Setup (Local VM)
1.1 BeEF Server
- Dependencies: Already installed via `./install`.
- Configuration: Credentials have been updated in `config.yaml`.
- Launch: Run `./beef` from the repository root.
- Access: Open the local browser (e.g., Firefox) and navigate to the BeEF UI: `http://127.0.0.1:3000/ui/panel`.
1.2 Hooked Browsers (Local)
For local testing on the same machine:
- Open a new tab or window in your browser (Firefox, Chromium, etc.).
- Navigate to the hook demo page: `http://127.0.0.1:3000/demos/butcher/index.html`.
- The browser will appear in the BeEF "Online Browsers" list as `127.0.0.1`.
2. Testing Strategy: Grouped Execution
- Phase 1: Common Infrastructure (Firefox): Start here. These modules work on the standard Linux/Firefox setup provided by the VM and don't require external devices or specific insecure software.
- Phase 2: Specific Requirements (Firefox): Test these if you have the specific requirements (e.g., Android device, Flash plugin, specific vulnerable server running).
- Phase 3: Other Browsers: Use Chrome/Edge/Safari for modules that explicitly don't work in Firefox.
3. Module Inventory and Instructions
3.1 Phase 1: Common Infrastructure (Standard Firefox)
Test these modules using Firefox on your local Linux VM. They leverage standard browser features or the BeEF infrastructure itself.
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|---|---|---|---|---|
| [x] | Alert Dialog | 1. Configure: Title, Message, Button name. 2. Click Execute. Show user an alert. | None. | |
| [x] | BlockUI Modal Dialog | 1. Configure: Message, Timeout (s). 2. Click Execute. This module uses jQuery BlockUI to block the window and display a message. | None. | |
| [x] | Clickjacking | 1. Configure: iFrame Src, Security restricted (IE), Sandbox... 2. Click Execute. Allows you to perform basic multi-click clickjacking. | None. | |
| [x] | Confirm Close Tab | 1. Configure: Confirm text, Create a pop-under window on user... 2. Click Execute. Shows a confirm dialog to the user when they try to close a tab. | Close tab/window. Check for residual pop-unders. | A window pops up, but the text is not as per command. |
| [NEXT] | Create Foreground iFrame | 1. Click Execute. Rewrites all links on the webpage to spawn a 100% by 100% iFrame with a source relative to the selected link. | Close tab/window. Check for residual pop-unders. | |
| [ ] | Create Invisible Iframe | 1. Configure: URL. 2. Click Execute. Creates an invisible iframe. | None. | |
| [ ] | Create Pop Under | 1. Configure: Clickjack. 2. Click Execute. This module creates a new discreet pop-under window with the BeEF hook included. | Close tab/window. Check for residual pop-unders. | |
| [ ] | Cross-Origin Scanner (CORS) | 1. Configure: Scan IP range (C class), Ports, Workers... 2. Click Execute. Scan an IP range for web servers which allow cross-origin requests using CORS. | None. | |
| [ ] | DNS Enumeration | 1. Configure: DNS (comma separated), Timeout (ms). 2. Click Execute. Discover DNS hostnames within the victim's network using dictionary and timing attacks. | None. | |
| [ ] | DNS Tunnel | 1. Configure: Domain, Data to send. 2. Click Execute. This module sends data one way over DNS, client to server only. | None. | |
| [ ] | DNS Tunnel | 1. Configure: Domain, Message, Wait between requests (ms). 2. Click Execute. This module sends data one way over DNS. The message is split into chunks. | None. | |
| [ ] | DNS Tunnel: Server-to-Client | 1. Configure: Payload Name, Zone, Message. 2. Click Execute. This module retrieves data sent by the server over a DNS covert channel. | None. | |
| [ ] | DOSer | 1. Configure: URL, Delay between requests (ms), HTTP Method... 2. Click Execute. Do infinite GET or POST requests to a target. | None. | |
| [ ] | Detect Antivirus | 1. Click Execute. This module detects the JavaScript code automatically included by some AVs. | None. | |
| [ ] | Detect Burp | 1. Click Execute. This module checks if the browser is using Burp. | None. | |
| [ ] | Detect Extensions | 1. Click Execute. This module detects extensions installed in Google Chrome and Mozilla Firefox. | Remove installed extension if any. | |
| [ ] | Detect FireBug | 1. Click Execute. This module checks if the Mozilla Firefox Firebug extension is being used. | None. | |
| [ ] | Detect LastPass | 1. Click Execute. This module checks if the LastPass extension is installed and active. | None. | |
| [ ] | Detect MIME Types | 1. Click Execute. This module retrieves the browser's supported MIME types. | None. | |
| [ ] | Detect Popup Blocker | 1. Click Execute. Detect if a popup blocker is enabled. | None. | |
| [ ] | Detect Toolbars | 1. Click Execute. Detects which browser toolbars are installed. | None. | |
| [ ] | Detect Tor | 1. Configure: What Tor resource to request, Detection timeout. 2. Click Execute. This module will detect if the zombie is currently using Tor. | None. | |
| [ ] | ETag Tunnel: Server-to-Client | 1. Configure: Payload Name, Message. 2. Click Execute. This module sends data from server to client using the ETag HTTP header. | None. | |
| [ ] | Fetch Port Scanner | 1. Configure: Scan IP or Hostname, Specific port(s) to scan. 2. Click Execute. Uses fetch to test the response in order to determine if a port is open or not. | None. | |
| [ ] | Fingerprint Browser (PoC) | 1. Click Execute. This module attempts to fingerprint the browser type and version. | None. | |
| [ ] | Fingerprint Browser | 1. Click Execute. This module attempts to fingerprint the browser and browser capabilities using FingerprintJS2. | None. | |
| [ ] | Fingerprint Local Network | 1. Configure: Scan IP range (C class), Ports to test, Workers... 2. Click Execute. Discover devices and applications in the victim's Local Area Network. | None. | |
| [ ] | Fingerprint Routers | 1. Click Execute. This module attempts to discover network routers on the local network. | None. | |
| [ ] | Get Geolocation (API) | 1. Click Execute. This module will retrieve the physical location using the HTML5 geolocation API. | None. | |
| [ ] | Get HTTP Servers (Favicon) | 1. Configure: Remote IP(s), Ports, Workers... 2. Click Execute. Attempts to discover HTTP servers on the specified IP range by checking for a favicon. | None. | |
| [ ] | Get Internal IP WebRTC | 1. Click Execute. Retrieve the internal (behind NAT) IP address of the victim machine using WebRTC. | None. | |
| [ ] | Get Protocol Handlers | 1. Configure: Link Protocol(s), Link Address. 2. Click Execute. This module attempts to identify protocol handlers present on the hooked browser. | None. | |
| [ ] | Get Proxy Servers (WPAD) | 1. Click Execute. This module retrieves proxy server addresses for the zombie browser's local network using WPAD. | None. | |
| [ ] | Get Visited Domains | 1. Configure: Specify custom page to check. 2. Click Execute. This module performs rapid history extraction through non-destructive cache timing. | None. | |
| [ ] | Hijack Opener Window | 1. Click Execute. This module abuses window.location.opener to hijack the opening window. | Close tab/window. Check for residual pop-unders. | |
| [ ] | Hook Default Browser | 1. Configure: URL. 2. Click Execute. This module will use a PDF to attempt to hook the default browser. | None. | |
| [ ] | Identify LAN Subnets | 1. Configure: Timeout for each request (ms). 2. Click Execute. Discover active hosts in the internal network(s) of the hooked browser. | None. | |
| [ ] | Lcamtuf Download | 1. Configure: Real File Path, Malicious File Path, Run Once. 2. Click Execute. This module will attempt to execute a lcamtuf download. | Delete downloaded files. | |
| [ ] | Link Rewrite | 1. Click Execute. This module will rewrite the href attributes of all matched links. | None. | |
| [ ] | Man-In-The-Browser | 1. Click Execute. This module will use a Man-In-The-Browser attack to ensure that the BeEF hook will stay. | Close tab/window. Check for residual pop-unders. | |
| [ ] | No Sleep | 1. Click Execute. This module uses NoSleep.js to prevent display sleep and enable wake lock in any Android or iOS web browser. | None. | |
| [ ] | Ping Sweep (FF) | 1. Configure: Scan IP range (C class or IP), Timeout (ms), Delay between requests (ms). 2. Click Execute. Discover active hosts in the internal network of the hooked browser. | None. | |
| [ ] | Ping Sweep (JS XHR) | 1. Configure: Scan IP range (C class), Workers. 2. Click Execute. Discover active hosts in the internal network of the hooked browser using JavaScript XHR. | None. | |
| [ ] | Play Sound | 1. Configure: Sound File Path. 2. Click Execute. Play a sound on the hooked browser. | None. | |
| [ ] | Port Scanner (Multiple Methods) | 1. Configure: Scan IP or Hostname, Specific port(s) to scan, Closed port timeout (ms)... 2. Click Execute. Scan ports on a given hostname, using WebSockets, CORS and img tags. | None. | |
| [ ] | Pretty Theft | 1. Configure: Dialog Type, Backing, Custom Logo (Generic only). 2. Click Execute. Asks the user for their username and password using a floating div. | None. | |
| [ ] | Raw JavaScript | 1. Configure: Javascript Code. 2. Click Execute. Execute arbitrary JavaScript. | None. | |
| [ ] | Redirect Browser (Rickroll) | 1. Click Execute. Overwrite the body of the page the victim is on with a full screen Rickroll. | None. | |
| [ ] | Redirect Browser (Standard) | 1. Configure: Redirect URL. 2. Click Execute. Redirect the hooked browser to the address specified. | None. | |
| [ ] | Redirect Browser (iFrame) | 1. Configure: Redirect URL, Title, Favicon... 2. Click Execute. Creates a 100% x 100% overlaying iframe. | None. | |
| [ ] | Replace Videos (Fake Plugin) | 1. Configure: Payload URL, jQuery Selector. 2. Click Execute. Replaces an object selected with jQuery with an image advising the user to install a missing plugin. | None. | |
| [ ] | Resource Exhaustion DoS | 1. Click Execute. This module attempts to exhaust system resources, rendering the browser unusable. | None. | |
| [ ] | Return Ascii Chars | 1. Click Execute. This module will return the set of ASCII chars. | None. | |
| [ ] | Return Image | 1. Click Execute. This module will test returning a PNG image as a base64 encoded string. | None. | |
| [ ] | Simple Hijacker | 1. Configure: Targetted domains, Template to use. 2. Click Execute. Hijack clicks on links to display what you want. | None. | |
| [ ] | Spoof Address Bar (data URL) | 1. Configure: Spoofed URL, Real URL. 2. Click Execute. This module redirects the browser to a legitimate looking URL with a data scheme. | None. | |
| [ ] | Spyder Eye | 1. Configure: Repeat, Delay. 2. Click Execute. This module takes a picture of the victim's browser window. | None. | |
| [ ] | TabNabbing | 1. Configure: URL, Wait (minutes). 2. Click Execute. This module redirects to the specified URL after the tab has been inactive. | None. | |
| [ ] | Test CORS Request | 1. Configure: Method, URL, Data. 2. Click Execute. Test the beef.net.cors.request function. | None. | |
| [ ] | Test HTTP Redirect | 1. Click Execute. Test the HTTP 'redirect' handler. | None. | |
| [ ] | Test JS variable passing | 1. Configure: Payload Name. 2. Click Execute. Test for JS variable passing. | None. | |
| [ ] | Test Network Request | 1. Configure: Scheme, Method, Domain... 2. Click Execute. Test the beef.net.request function by retrieving a URL. | None. | |
| [ ] | Test Returning Results | 1. Configure: Times to repeat, String to repeat. 2. Click Execute. This module will return a string of the specified length. | None. | |
| [ ] | Test beef.debug() | 1. Configure: Debug Message. 2. Click Execute. Test the 'beef.debug()' function. | None. | |
| [ ] | Text to Voice | 1. Configure: Text, Language. 2. Click Execute. Convert text to mp3 and play it on the hooked browser. | None. | |
| [ ] | UnBlockUI | 1. Click Execute. This module removes all jQuery BlockUI dialogs. | None. | |
| [ ] | Unhook | 1. Click Execute. This module removes the BeEF hook from the hooked page. | None. | |
| [ ] | iFrame Event Key Logger | 1. Configure: iFrame Src, Send Back Interval (ms). 2. Click Execute. Creates a 100% by 100% iFrame overlay with event logging. | None. | |
3.2 Phase 2: Specific Requirements (Firefox)
These modules require specific devices, plugins, vulnerable software, or valid credentials to work.
3.2.1 Mobile & PhoneGap
Requires an Android/iOS device or PhoneGap environment.
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|---|---|---|---|---|
| [ ] | Alert User | 1. Click Execute. Show user an alert. This module requires the PhoneGap API. | None. | |
| [ ] | Beep | 1. Click Execute. Make the phone beep. This module requires the PhoneGap API. | None. | |
| [ ] | Check Connection | 1. Click Execute. Find out the network connection type, e.g. Wifi, 3G. This module requires the PhoneGap API. | None. | |
| [ ] | Detect PhoneGap | 1. Click Execute. Detects if the PhoneGap API is present. | None. | |
| [ ] | Geolocation | 1. Click Execute. Geo-locate your victim. This module requires the PhoneGap API. | None. | |
| [ ] | Get Network Connection Type | 1. Click Execute. Retrieve the network connection type (wifi, 3G, etc). Note: Android only. | None. | |
| [ ] | Globalization Status | 1. Click Execute. Examine device local settings. This module requires the PhoneGap API. | None. | |
| [ ] | Keychain | 1. Configure: Service name, Key, Value... 2. Click Execute. Read/Create/Update/Delete Keychain elements. This module requires the PhoneGap API. | None. | |
| [ ] | List Contacts | 1. Click Execute. Examine device contacts. This module requires the PhoneGap API. | None. | |
| [ ] | List Files | 1. Configure: Directory. 2. Click Execute. Examine the device file system. This module requires the PhoneGap API. | None. | |
| [ ] | List Plugins | 1. Click Execute. Attempts to guess installed plugins. This module requires the PhoneGap API. | None. | |
| [ ] | Persist resume | 1. Click Execute. Persist over application sleep/wake events. This module requires the PhoneGap API. | None. | |
| [ ] | Persistence (PhoneGap) | 1. Configure: Hook URL. 2. Click Execute. Insert the BeEF hook into PhoneGap's index.html (iPhone only). This module requires the PhoneGap API. | None. | |
| [ ] | Prompt User | 1. Configure: Title, Question, Yes... 2. Click Execute. Ask the device user a question. This module requires the PhoneGap API. | None. | |
| [ ] | Start Recording Audio | 1. Configure: File Name. 2. Click Execute. Start recording audio. This module requires the PhoneGap API. | None. | |
| [ ] | Stop Recording Audio | 1. Click Execute. Stop recording audio. This module requires the PhoneGap API. | None. | |
| [ ] | Track Physical Movement | 1. Click Execute. This module will track the physical movement of the user's device. | None. | |
| [ ] | Upload File | 1. Configure: Destination, File Path. 2. Click Execute. Upload files from the device to a server of your choice. This module requires the PhoneGap API. | None. | |
3.2.2 Legacy Plugins (Flash, Java, Silverlight, etc.)
Requires the specific plugin to be installed and enabled in the browser.
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|---|---|---|---|---|
| [ ] | Cross-Origin Scanner (Flash) | 1. Configure: Scan IP range (C class), Ports, Workers... 2. Click Execute. Scans an IP range... This module uses ContentHijacking.swf. | None. | |
| [ ] | Detect Foxit Reader | 1. Click Execute. This module will check if the browser has the Foxit Reader plugin. | None. | |
| [ ] | Detect QuickTime | 1. Click Execute. This module will check if the browser has Quicktime support. | None. | |
| [ ] | Detect RealPlayer | 1. Click Execute. This module will check if the browser has RealPlayer support. | None. | |
| [ ] | Detect Silverlight | 1. Click Execute. This module will check if the browser has Silverlight support. | None. | |
| [ ] | Detect Unity Web Player | 1. Click Execute. Detects Unity Web Player. | None. | |
| [ ] | Detect VLC | 1. Click Execute. This module will check if the browser has the VLC plugin. | None. | |
| [ ] | Detect Windows Media Player | 1. Click Execute. This module will check if the browser has the Windows Media Player plugin installed. | None. | |
| [ ] | Get Internal IP (Java) | 1. Configure: Number. 2. Click Execute. Retrieve the local network interface IP address of the victim machine using an unsigned Java applet. | None. | |
| [ ] | Get System Info (Java) | 1. Click Execute. This module will retrieve basic information about the host system using an unsigned Java applet. | None. | |
| [ ] | Webcam (Flash) | 1. Configure: Social Engineering Title... 2. Click Execute. Shows the Adobe Flash 'Allow Webcam' dialog. | None. | |
| [ ] | Webcam Permission Check | 1. Click Execute. Checks if the user has allowed the BeEF domain to access Camera/Mic with Flash. | None. | |
3.2.3 Specific Target Software / Services
Requires a specific vulnerable software or service to be running and accessible (e.g., Apache, JBoss, Printers).
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|---|---|---|---|---|
| [ ] | Apache Cookie Disclosure | 1. Click Execute. Exploits CVE-2012-0053. Requires Apache HTTP Server 2.2.0 through 2.2.21. | Clear browser cookies. | |
| [ ] | Apache Felix Remote Shell | 1. Configure: Target Host, Target Port... 2. Click Execute. Attempts to get a reverse shell on an Apache Felix Remote Shell server. | None. | |
| [ ] | Bindshell (POSIX) | 1. Configure: Target Address, Target Port, Timeout (s)... 2. Click Execute. Sends commands to a listening POSIX shell. | None. | |
| [ ] | Bindshell (Windows) | 1. Configure: Target Address, Target Port, Timeout (s)... 2. Click Execute. Sends commands to a listening Windows shell. | None. | |
| [ ] | ColdFusion Directory Traversal | 1. Configure: Retrieve file, CF server OS... 2. Click Execute. Exploits directory traversal in ColdFusion 8/9. | None. | |
| [ ] | Cross-Site Faxing (XSF) | 1. Configure: Target Address, Target Port... 2. Click Execute. Sends commands to an ActiveFax RAW server socket. | None. | |
| [ ] | Cross-Site Printing (XSP) | 1. Configure: Target Address, Target Port... 2. Click Execute. Sends a message to a listening print port (9100). | None. | |
| [ ] | Detect Airdroid | 1. Configure: IP or Hostname, Port. 2. Click Execute. Attempts to detect the Airdroid application for Android running on localhost. | None. | |
| [ ] | Detect CUPS | 1. Configure: IP or Hostname, Port. 2. Click Execute. Attempts to detect the Common UNIX Printing System (CUPS) on localhost. | None. | |
| [ ] | Detect Coupon Printer | 1. Click Execute. Attempts to detect Coupon Printer on localhost. | None. | |
| [ ] | Detect Ethereum ENS | 1. Configure: Image resource... 2. Click Execute. Detects if using Ethereum ENS resolvers. | None. | |
| [ ] | Detect Google Desktop | 1. Click Execute. Attempts to detect Google Desktop running on the default port 4664. | None. | |
| [ ] | Detect OpenNIC DNS | 1. Configure: Image resource... 2. Click Execute. Detects if using OpenNIC DNS resolvers. | None. | |
| [ ] | EXTRAnet Collaboration Tool | 1. Configure: Remote Host, Remote Port... 2. Click Execute. Exploits command execution in the 'admserver' component. | None. | |
| [ ] | Farsite X25 gateway | 1. Configure: HTTP(s), Remote Host... 2. Click Execute. Exploits CVE-2014-7175/7173 to execute code. | None. | |
| [ ] | Firephp 0.7.1 RCE | 1. Click Execute. Exploit FirePHP <= 0.7.1. | None. | |
| [ ] | Get Wireless Keys | 1. Click Execute. Retrieve wireless profiles (Windows Vista and Windows 7 only). | None. | |
| [ ] | Get ntop Network Hosts | 1. Configure: Remote Host, Remote Port. 2. Click Execute. Retrieves information from ntop (unauthenticated). | None. | |
| [ ] | GlassFish WAR Upload | 1. Configure: Host, Filename... 2. Click Execute. Attempts to deploy a malicious war file on GlassFish Server 3.1.1. | None. | |
| [ ] | GroovyShell Server | 1. Configure: Remote Host, Remote Port... 2. Click Execute. Uses the GroovyShell Server interface to execute commands. | None. | |
| [ ] | HP uCMDB 9.0x add user | 1. Configure: Protocol, Host, Port... 2. Click Execute. Attempts to add users to HP uCMDB. | None. | |
| [ ] | IBM iNotes (Extract List) | 1. Click Execute. Extracts the iNotes contact list. | None. | |
| [ ] | IBM iNotes (Flooder) | 1. Configure: To, Subject, Body, Count... 2. Click Execute. Floods an email address from the victim's account. | None. | |
| [ ] | IBM iNotes (Read) | 1. Click Execute. Read a note from the victim's IBM iNotes. | None. | |
| [ ] | IBM iNotes (Send) | 1. Configure: To, Subject, Body. 2. Click Execute. Sends an email from the victim's account. | None. | |
| [ ] | IBM iNotes (Send w/ Attachment) | 1. Configure: To, Subject, Body, File... 2. Click Execute. Sends an email with attachment from the victim's account. | None. | |
| [ ] | IMAP | 1. Configure: IMAP Server, Port, Commands. 2. Click Execute. Sends commands to an IMAP4 server. | None. | |
| [ ] | IRC | 1. Configure: IRC Server, Port, Username... 2. Click Execute. Connects to an IRC server and sends messages. | None. | |
| [ ] | IRC NAT Pinning | 1. Configure: Connect to, Private IP, Private Port. 2. Click Execute. Attempts to open closed ports on stateful firewalls compatible with IRC tracking. | None. | |
| [ ] | Jboss 6.0.0M1 JMX Deploy | 1. Configure: Remote Target Host... 2. Click Execute. Deploy a JSP reverse or bind shell using JMX. | None. | |
| [ ] | Jenkins Code Exec CSRF | 1. Configure: Remote Host, Target URI... 2. Click Execute. Attempts to get a reverse shell from the Jenkins Groovy Script console. | None. | |
| [ ] | Kemp LoadBalancer RCE | 1. Configure: URL, Remote Port... 2. Click Execute. Exploits RCE in Kemp LoadBalancer 7.1-16. | None. | |
| [ ] | QEMU Monitor 'migrate' | 1. Configure: Remote Host, Remote Port... 2. Click Execute. Attempts to get a reverse shell from the QEMU monitor service. | None. | |
| [ ] | QNX QCONN Command Exec | 1. Configure: Remote Host, Remote Port... 2. Click Execute. Exploits a vulnerability in the qconn component of QNX Neutrino. | None. | |
| [ ] | RFI Scanner | 1. Configure: Target Protocol, Target Host... 2. Click Execute. Scans a web server for RFI vulnerabilities. | None. | |
| [ ] | Redis | 1. Configure: Target Address, Target Port... 2. Click Execute. Sends commands to a listening Redis daemon. | None. | |
| [ ] | Shell Shock (CVE-2014-6271) | 1. Configure: Target, HTTP Method... 2. Click Execute. Attempts to use vulnerability CVE-2014-6271 to execute arbitrary code. | None. | |
| [ ] | Shell Shock Scanner | 1. Configure: HTTP Method, Target Protocol... 2. Click Execute. Attempts to get a reverse shell by requesting ~400 potentially vulnerable CGI scripts. | None. | |
| [ ] | VTiger CRM Upload Exploit | 1. Configure: Target Web Server... 2. Click Execute. Uploads and executes a reverse shell on VTiger CRM 5.0.4. | None. | |
| [ ] | WAN Emulator Command Exec | 1. Configure: Target Host, Target Port... 2. Click Execute. Attempts to get a reverse root shell on a WAN Emulator server. | None. | |
| [ ] | WordPress Add User | 1. Configure: Username, Pwd, Email... 2. Click Execute. Adds a WordPress user. | None. | |
| [ ] | WordPress Add Administrator | 1. Configure: Username:, Pwd:... 2. Click Execute. Stealthily adds a WordPress administrator account. | Close tab/window. Check for residual pop-unders. | |
| [ ] | WordPress Current User | 1. Click Execute. Get the current logged-in user information. | None. | |
| [ ] | WordPress Upload RCE (Plugin) | 1. Configure: Auth Key. 2. Click Execute. Attempts to upload and activate a malicious WordPress plugin. | None. | |
| [ ] | Wordpress Post-Auth RCE | 1. Configure: Target Web Server. 2. Click Execute. Attempts to upload and activate a malicious WordPress plugin. | None. | |
| [ ] | Zenoss 3.x Add User | 1. Configure: Zenoss web root... 2. Click Execute. Attempts to add a user to a Zenoss Core 3.x server. | None. | |
| [ ] | Zenoss 3.x Command Exec | 1. Configure: Target Host, Target Port... 2. Click Execute. Attempts to get a reverse shell on a Zenoss 3.x server. | None. | |
| [ ] | ruby-nntpd Command Exec | 1. Configure: Remote Host, Remote Port... 2. Click Execute. Uses the 'eval' verb in ruby-nntpd 0.01dev to execute commands. | None. | |
3.2.4 Social Engineering / Account Phishing
Requires the user to be logged into valid accounts (Gmail, Facebook, etc.) or susceptible to specific social engineering tricks.
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|---|---|---|---|---|
| [ ] | Clippy | 1. Configure: Clippy image directory... 2. Click Execute. Brings up a Clippy image and asks the user to do stuff. | None. | |
| [ ] | Detect Social Networks | 1. Configure: Detection Timeout. 2. Click Execute. Detects if authenticated to GMail, Facebook and Twitter. | None. | |
| [ ] | Fake Flash Update | 1. Configure: Image, Payload URI. 2. Click Execute. Prompts the user to install an update to Adobe Flash Player. | None. | |
| [ ] | Fake Notification Bar | 1. Configure: Notification text. 2. Click Execute. Displays a fake notification bar. | None. | |
| [ ] | Fake Notification Bar (Chrome) | 1. Configure: URL, Notification text. 2. Click Execute. Displays a fake Chrome notification bar. | None. | |
| [ ] | Fake Notification Bar (Firefox) | 1. Configure: Plugin URL, Notification text. 2. Click Execute. Displays a fake Firefox notification bar. | None. | |
| [ ] | Fake Notification Bar (IE) | 1. Configure: URL, Notification text. 2. Click Execute. Displays a fake IE notification bar. | None. | |
| [ ] | Google Phishing | 1. Configure: XSS hook URI, Gmail logout interval... 2. Click Execute. XSRF logout of Gmail, show phishing page. | None. | |
| [ ] | Read Gmail | 1. Click Execute. Grabs unread message ids from the Gmail atom feed. | None. | |
| [ ] | Send Gvoice SMS | 1. Configure: To, Message. 2. Click Execute. Send a text message (SMS) through Google Voice. | None. | |
| [ ] | Skype iPhone XSS | 1. Click Execute. Steals iPhone contacts using a Skype XSS vuln. | None. | |
3.3 Phase 3: Other Browsers & Specialized Extensions
Test these modules only if they cannot be tested in Firefox. Use Chrome, Safari, or Edge.
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|---|---|---|---|---|
| [ ] | DNS Rebinding | 1. Click Execute. dnsrebind | None. | |
| [ ] | Detect Evernote Web Clipper | 1. Click Execute. This module checks if the Evernote Web Clipper extension is installed and active. | None. | |
| [ ] | Execute On Tab | 1. Configure: URL, Javascript. 2. Click Execute. Open a new tab and execute the JavaScript code on it. Chrome Extension specific. | None. | |
| [ ] | Fake Evernote Web Clipper Login | 1. Click Execute. Displays a fake Evernote Web Clipper login dialog. | None. | |
| [ ] | Fake LastPass | 1. Click Execute. Displays a fake LastPass user dialog. (Often Chrome specific) | None. | |
| [ ] | Get All Cookies | 1. Configure: Domain (e.g. http://facebook.com). 2. Click Execute. Steal cookies, even HttpOnly cookies, providing the hooked extension has cookies access. | Clear browser cookies. | |
| [ ] | Get Visited URLs (Avant Browser) | 1. Configure: Command ID. 2. Click Execute. Attempts to retrieve history requiring 'AFRunCommand()'. Avant Browser only. | None. | |
| [ ] | Get Visited URLs (Old Browsers) | 1. Configure: URL(s). 2. Click Execute. Detects visited URLs in older browsers. | None. | |
| [ ] | Grab Google Contacts | 1. Click Execute. Attempt to grab the contacts... exploiting export to CSV. | None. | |
| [ ] | Hook Microsoft Edge | 1. Configure: URL. 2. Click Execute. Uses the 'microsoft-edge:' protocol handler to hook Edge. | None. | |
| [ ] | Inject BeEF | 1. Click Execute. Attempt to inject the BeEF hook on all the available tabs. | None. | |
| [ ] | JSONP Service Worker | 1. Configure: Path of the current domain... 2. Click Execute. Exploits an unfiltered callback in a JSONP endpoint. | Close tab/window. Check for residual pop-unders. | |
| [ ] | Local File Theft | 1. Configure: Target file. 2. Click Execute. JavaScript may have filesystem access if using the file:// scheme (Safari/Local). | None. | |
| [ ] | Make Skype Call | 1. Configure: Number. 2. Click Execute. Forces the browser to make a Skype call. Protocol handler skype:. | None. | |
| [ ] | Make Telephone Call | 1. Configure: Number. 2. Click Execute. Forces the browser to make a telephone call (iOS). Protocol handler tel:. | None. | |
| [ ] | Ping Sweep (Java) | 1. Configure: Scan IP range (C class or IP), Timeout (ms). 2. Click Execute. Discover active hosts... using an unsigned Java applet. (Alt for FF) | None. | |
| [ ] | Screenshot | 1. Click Execute. Screenshots the current tab (Chrome/HTML5). | None. | |
| [ ] | Webcam HTML5 | 1. Configure: Screenshot size. 2. Click Execute. Leverage HTML5 WebRTC to capture webcam images. Only tested in Chrome. | None. | |
| [ ] | iFrame Sniffer | 1. Configure: input URL, anchors to check. 2. Click Execute. Attempts to do framesniffing (aka Leaky Frame). | None. | |