Transcript
Page 1: I'm the butcher would you like some BeEF

I’m the Butcher would you like some BeEF?

Michele ‘antisnatchor’ Orru

Thomas MacKenzie

7th Sept 2012 - London

1

Page 2: I'm the butcher would you like some BeEF

Who are we

Michele Orru: The Butcher

Thomas MacKenzie: The Meat

2

Page 3: I'm the butcher would you like some BeEF

Outline

• A Social Engineering real story

• BeEF intro

• The new BeEF Social Engineering extension

• Having fun with the RESTful API

3

Page 4: I'm the butcher would you like some BeEF

Social Engineering

• “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.” - Grandfather of all knowledge (Wikipedia).

4

Page 5: I'm the butcher would you like some BeEF

Our Mission...

• Tasked with gathering as many usernames and passwords as possible in a small amount of time

• Tried calling and pretending to be a person of authority but awareness seemed to be higher

5

Page 6: I'm the butcher would you like some BeEF

So...

• We heard great things about S.E.T.

• Decided to use that to clone the website (but found some bugs and limitations that almost made it unusable)

6

Page 7: I'm the butcher would you like some BeEF

Mass-Mailer

• With the help of a colleague we then created a basic mass-mailer that used personalization, HTML, pictures and had the ability to spoof the domain name (thanks to their SMTP server settings :-)

7
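The spoofed sender domain described on this slide is something the receiving side can catch. The following is an added example, not part of the original slides: it flags inbound mail whose From: header claims the organisation's own domain without a dmarc=pass result stamped by the organisation's own MTA. The domain corp.example, the authserv-id mx.corp.example and all sample messages are constructed, and it assumes the receiving MTA adds an Authentication-Results header (RFC 8601).

```python
from email import message_from_string
from email.utils import parseaddr

def claims_org_without_dmarc_pass(raw, org_domain, authserv_id):
    """True if From: uses org_domain but our own MTA did not record dmarc=pass."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != org_domain and not domain.endswith("." + org_domain):
        return False                      # sender does not claim our domain
    for value in msg.get_all("Authentication-Results", []):
        fields = [f.strip() for f in value.split(";")]
        stamped_by = [s.lower() for s in fields[0].split()[:1]]
        # Ignore results not stamped by our own MTA: the sender can add those.
        if stamped_by != [authserv_id]:
            continue
        if any(f.lower().startswith("dmarc=pass") for f in fields[1:]):
            return False
    return True

def sample(from_header, *auth_results):
    """Build a constructed test message (not real traffic)."""
    lines = ["Authentication-Results: " + a for a in auth_results]
    lines += ["From: " + from_header, "To: staff@corp.example",
              "Subject: Portal update", "", "body"]
    return "\n".join(lines)

ORG, OURS = "corp.example", "mx.corp.example"   # assumed names
SPOOFED = sample('"IT Helpdesk" <helpdesk@corp.example>',
                 OURS + "; spf=fail smtp.mailfrom=corp.example;"
                        " dmarc=fail header.from=corp.example")
# A pass result stamped by some other host must not be trusted.
FORGED_RESULT = sample("helpdesk@corp.example",
                       "relay.other.example; dmarc=pass header.from=corp.example",
                       OURS + "; dmarc=fail header.from=corp.example")
GENUINE = sample("helpdesk@corp.example",
                 OURS + "; dkim=pass header.d=corp.example;"
                        " dmarc=pass header.from=corp.example")
EXTERNAL = sample("news@vendor.example",
                  OURS + "; dmarc=pass header.from=vendor.example")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("forged result", FORGED_RESULT),
                       ("genuine", GENUINE), ("external", EXTERNAL)]:
        print(label, claims_org_without_dmarc_pass(raw, ORG, OURS))
```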

Page 8: I'm the butcher would you like some BeEF

We Won

8

Page 9: I'm the butcher would you like some BeEF

But The IT Admin was like...

• DO NOT CLICK ON THAT LINK

9

Page 10: I'm the butcher would you like some BeEF

We then said (sending another email)...

• DO CLICK ON THAT LINK

10

Page 11: I'm the butcher would you like some BeEF

AND... WE WON AGAIN!

11

Page 12: I'm the butcher would you like some BeEF

But...

• We thought we could do it better and integrate some awesome client-side exploitation whilst we were at it...

12

Page 13: I'm the butcher would you like some BeEF

Meet BeEF

• Browser Exploitation Framework

• Pioneered by Wade Alcorn in 2005

• Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.

• The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

13

Page 14: I'm the butcher would you like some BeEF

14

Page 15: I'm the butcher would you like some BeEF

15

Page 16: I'm the butcher would you like some BeEF

Meet BeEF

• Demo

16

Page 17: I'm the butcher would you like some BeEF

Social Eng. extension

• The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:

• sending phishing emails using templates,

• cloning webpages, harvesting credentials

• client-side pwnage

17

Page 18: I'm the butcher would you like some BeEF

AND... WE DID IT!

18

Page 19: I'm the butcher would you like some BeEF

Social Eng. extension

19

Page 20: I'm the butcher would you like some BeEF

BeEF web_cloner

• Clone a webpage and serve it on BeEF, then automatically:

• modify the page to intercept POST requests

• add the BeEF hook to it

• if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to original page

20
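Whether the original page "can be framed" is decided by the response headers the real site sends, so site owners can check their own login pages for it. The following is an added example, not code from the slides or from BeEF: it classifies a response's anti-framing posture from X-Frame-Options and CSP frame-ancestors. The function names and the sample header sets are constructed for illustration.

```python
STRICTNESS = ["open", "allowlist", "blocked"]   # weakest to strictest

def classify_sources(sources):
    """Classify one frame-ancestors source list."""
    if any(s in ("*", "http:", "https:") for s in sources):
        return "open"          # any origin may frame the page
    if any(s not in ("'none'", "'self'") for s in sources):
        return "allowlist"     # only the named hosts may frame it
    return "blocked"           # 'none', 'self', or an empty list

def framing_posture(headers):
    """headers: list of (name, value) pairs from the HTTP response."""
    csp_verdicts, xfo_values = [], []
    for name, value in headers:
        name = name.lower()
        # Content-Security-Policy-Report-Only is not enforced, so it is skipped.
        if name == "content-security-policy":
            for policy in value.split(","):      # a header may carry several policies
                for directive in policy.split(";"):
                    tokens = directive.split()
                    if tokens and tokens[0].lower() == "frame-ancestors":
                        sources = [t.lower() for t in tokens[1:]]
                        csp_verdicts.append(classify_sources(sources))
                        break                    # only the first one in a policy counts
        elif name == "x-frame-options":
            xfo_values += [v.strip().upper() for v in value.split(",")]
    if csp_verdicts:
        # frame-ancestors overrides X-Frame-Options; the strictest policy wins.
        return max(csp_verdicts, key=STRICTNESS.index)
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo_values):
        return "blocked"
    return "open"   # no header, or obsolete ALLOW-FROM that current browsers ignore

# Constructed sample responses.
SAMPLES = {
    "no headers": [],
    "XFO deny": [("X-Frame-Options", "DENY")],
    "XFO allow-from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "CSP none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "CSP * beats XFO": [("Content-Security-Policy", "frame-ancestors *"),
                        ("X-Frame-Options", "DENY")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "CSP allowlist": [("Content-Security-Policy", "frame-ancestors https://portal.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:18} {framing_posture(hdrs)}")
```

A page reported as "open" can be loaded in an overlay iframe by any origin; "blocked" forces the fallback the slide describes, a visible redirect to the original page.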

Page 22: I'm the butcher would you like some BeEF

BeEF web_cloner

• Demo

22

Page 23: I'm the butcher would you like some BeEF

BeEF mass_mailer

• Do your phishing email campaigns

• get a sample email from your target (with company footer...)

• copy the HTML content in a new BeEF email template

• download images so they will be added inline!

• add your malicious links/attachments

• send the mail to X targets and have fun

23

Page 24: I'm the butcher would you like some BeEF

BeEF mass_mailer

• email templates structure

24

Page 25: I'm the butcher would you like some BeEF

BeEF mass_mailer

• ‘default’ template HTML mail

25

Page 26: I'm the butcher would you like some BeEF

BeEF mass_mailer

• how the ‘default’ template email will look

26

Page 27: I'm the butcher would you like some BeEF

BeEF mass_mailer

• curl -H "Content-Type: application/json; charset=UTF-8" -d 'body' -X POST http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f

{ "template": "default", "subject": "Hi from BeEF", "fromname": "BeEF", "link": "http://www.microsoft.com/", "linktext": "http://beefproject.com", "recipients": [{ "[email protected]": "Michele", "[email protected]": "Antisnatchor"}]}

27

Page 28: I'm the butcher would you like some BeEF

BeEF mass_mailer

• Demo

28

Page 29: I'm the butcher would you like some BeEF

Combine everything FTW

• Register your phishing domain

• Point the A/MX records to a VPS where you have an SMTP server and BeEF

• Create a BeEF RESTful API script that:

• Clones a webpage link with web_cloner

• Sends X emails with that link with mass_mailer

• Scripts intelligent attacks thanks to BeEF browser detection

29

Page 30: I'm the butcher would you like some BeEF

Combine everything FTW

• Last demo

30

Page 31: I'm the butcher would you like some BeEF

BeEF web_cloner + mass_mailer + RESTful API

=

31

Page 32: I'm the butcher would you like some BeEF

Thanks

• Wade for always being awesome

• The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather

• A few new project joiners: Bart Leppens, gallypette, Quentin Swain

• Tom Neaves for the butcher/hook images :D

32

Page 33: I'm the butcher would you like some BeEF

Questions?

33