Abaxio Managed Security

How can we help you today?

You are here: News >> Exploiting the Corporate Network


Exploiting the Corporate Network

How a Hacker Gained Access to the Internal Network via the BeEF XSS Framework

An Open Window in a World of Locked Doors

The corporate landscape has become a  breeding ground for the cyber criminal due to  the persistent  need for “big data”  and the small margin of error required  to  compromise an entire corporate  network.  Because  employees require  regular interaction with   any number of “standard” web applications,  today’s cyber  Criminal has shifted his attention from  the hardened network perimeter, towards the exploit-ability through a much easiest medium, an open window into every organization: the web browser. Web browsers are sophisticated software applications that come bundled with every consumer operating system, including both desktop and mobile platforms.  Accordingly, just like every other multifaceted software product, web browsers are prone to numerous vulnerabilities. Exploitation of these vulnerabilities can result in destructive consequences ranging from data theft and cyber extortion to network infrastructure damage.

Watch a live demo of a ethical hacker implementing this hack on a corporate network:

What is BeEF XSS?

beefloginBeEf is short for “Browser Exploitation Framework”. It is an open source tool used that can be used to attack a broad target surface in order to bypass traditional external perimeter defense and gain access to internal targets that would otherwise be inaccessible. In practice, the usage of BeEF follows a prescribed browser hacking methodology which consists of three high-level phases – initiating, retaining and attacking at-risk targets.

During the initiation phase, an unsuspecting user navigates his web browser to a website with a one-line reference to a malicious hook script.  This script contains a set of instructions required to initiate the communication channel between the browser and the BeEf server. The browser is then tricked into executing this script using social engineering, XSS attacks, compromised web applications, advertising networks, and Man-in-the-Middle (MitM) attacks.

The retaining phase is the execution of arbitrary commands to the browser, which opens the window for the attacker to place malicious scripts in the browser’s stored cookies and thus establishes an active and persistent communication channel between the hacker and the victim.

The attacking phase involves actual delivery of payloads to the victim’s browser, which it executes and communicates the results back to the BEef server. BEeF incorporates a collection of payloads that can target a variety of useful targets ranging from user credentials to internal network resources. The framework provides a conduit for a diverse range of potential malicious payloads including:  Browser fingerprinting, network enumeration and inter-protocol exploitation, key logging to extract sensitive data, the ability to use the victims browser as a proxy, request spoofing such as LastPass and Evernote login dialogs, chrome extension exploitation, and with full integration of the Metasploit, a framework to gain network access via the root/administrator password, thus compromising an organization’s internal (otherwise protected) network.

What is Cross-Site Scripting (XSS)?

Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

Here’s How it Works:

After the hacker identifies his intended victim, his first step is always the same:   Perform a soft scan that is noninvasive and will not be detected. This generates  a list of all the potential domains and subdomains within his target victim’s organization.

Following the above, he can assess the vulnerability each domain, a.k.a. “widening the attack zone”.   After doing his due diligence the hacker can confirm if the company’s website and/or its customer portal are susceptible to an XSS attack.

The cyber criminal then injects a malicious hook script into the company’s website via the XSS expoit.  This establishes a connection between all visitors of the website and the malicious BEef server. Thus, not only has the hacker compromised the victim’s internal network but also the machines and networks of any/all of their clients who log on through the company’s website and/or internal work portal.

The potential for cyber extortion multiplies by orders of magnitude.

What is Social Engineering?

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called “bugs in the human hardware”, are exploited in various combinations to create attack techniques. The attacks used in social engineering can be used to steal employees’ or employers confidential information. The most common type of social engineering happens through people representing themselves to be someone who they are not. This can be done through the telephone, email, or in person.  An example of this would be an individual who walks into a building and posts an official-looking announcement to the company bulletin that says the number for the help desk has changed. So, when employees call for help the individual asks them for their passwords and ID’s thereby gaining the ability to access the company’s private information.

A Real Life Example

A Cyber Criminal had chosen a particular New York-based Family Office to target.  It didn’t take him long to identify the CIO as his way in, and via social media, the hacker was able to compile a list of the CIO’s hobbies and acquaintances, and his diligence paid off:  The CIO is an avid collector of antiques.

Having compiled the social information he needed to move forward, the hacker created a web blog called “Gold Coast Antiques” and injected it with the malicious BeEf hook script described above, connecting any of its viewers with the BeEf server.  Abaxio Red Team analysts were able to recreate the hack inside its lab; screenshots follow below (click to enlarge):


BeEf-Xss is loaded via the command line and now the malicious server is up and running (inside Abaxio’s cybersecurity lab)


Metasploit console is loaded, the exploit has been chosen, and now an alternate server is up and running waiting to deliver the payload.


The hacker has established read/write access to the victim’s root c:\ drive

The cyber criminal then spoofed an email account identical to one of the CIO’s close friends who shares his passion for antique collecting, and sent the CIO a link inviting him to comment on a particular piece.  The CIO saw read the email that was sent from his friend (so he thought), and he clicked the link to the blog.

Norton Anti-Virus, Kaspersky do generate warnings when connecting to the infected web page, but (a) they are powerless to stop the connection, and (b) once the page is loaded, it’s too late; even closing the page immediately does not invalidate the connection between the victim and the hacker’s BeEf (payload) server.

From the hacker’s perspective, the job was done: The CIO’s computer has been infiltrated.  In as little as 4-5 minutes the hacker had established read/write access to his desktop computer, giving the hacker a veritable arsenal of exploits to infect the network, including the dreaded key logger.

Close the Window Before You Catch the Chill

Abaxio has developed the only known protection against this particular exploit and several like it:  A browser plugin that identifies the known and detectable characteristics of malicious code. By doing so, the malicious content script is isolated, while giving the browser limited-access context before any other scripts on the page are able to run.

Subsequently, the content script is able to inject a custom window script into the global context to complete the necessary environment preparation in time. Specifically, it ensures that fingerprinting activity as well as XHR and WebSocket-based traffic can be intercepted and blocked, while notifying the user of the threat at the same time.

Abaxio takes a truely top-down, comprehensive approach to cybersecurity for its clients.  This means putting into place reliable systems to secure the office from both internal and external threats to an organization’s networks.  These include regular testing of the firewalls, email and malware scanning of the web applications, vulnerability testing within networks, and performing penetration tests on a periodic basis.  The two most important safeguards?  The ability to instantly recover any server within an internally-mandated “RTO” (“Recovery Time Objective”) of 5 minutes or less, and a comprehensive Cyber Liability insurance policy with large enough limits in the event all else fails.

To get the plugin, or to discuss the particular needs of your organization, please contact us:

Abaxio Cybersecurity Services
1-800-213-2120  LinkedIn
24×7 Direct support 1-877-5-ABAXIO
USA Office: 5700 N. Lincoln Avenue, Suite 217, Chicago, IL 60659
Canada: 65 boul. Brunswick, Suite 224, Montreal, QC H9B2N4