I’m the Butcher, would you like some BeEF?
Michele ‘antisnatchor’ Orru, Thomas MacKenzie
7th Sept 2012 - London
Who are we
Michele Orru: The Butcher
Thomas MacKenzie: The Meat
Outline
• A Social Engineering real story
• BeEF intro
• The new BeEF Social Engineering extension
• Having fun with the RESTful API
Social Engineering
• “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.” - Grandfather of all knowledge (Wikipedia).
Our Mission...
• Tasked with gathering as many usernames and passwords as possible in a small amount of time
• Tried calling and pretending to be a person of authority but awareness seemed to be higher
So...
• We heard great things about S.E.T.
• Decided to use that to clone the website (but found some bugs and limitations that almost made it unusable)
Mass-Mailer
• With the help of a colleague we then created a basic mass-mailer that used personalization, HTML, pictures and had the ability to spoof the domain name (thanks to their SMTP server settings :-)
We Won
But The IT Admin was like...
• DO NOT CLICK ON THAT LINK
We then said (sending another email)...
• DO CLICK ON THAT LINK
AND... WE WON AGAIN!
But...
• We thought we could do it better and integrate some awesome client-side exploitation whilst we were at it...
Meet BeEF
• Browser Exploitation Framework
• Pioneered by Wade Alcorn in 2005
• Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.
• The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
Meet BeEF
• Demo
Social Eng. extension
• The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
  • sending phishing emails using templates
  • cloning webpages, harvesting credentials
  • client-side pwnage
AND... WE DID IT!
Social Eng. extension
BeEF web_cloner
• Clone a webpage and serve it on BeEF, then automatically:
  • modify the page to intercept POST requests
  • add the BeEF hook to it
  • if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to original page
BeEF web_cloner
• curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"https://login.yahoo.com/config/login_verify2", "mount":"/"}' -X POST "http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1"
• If you register loginyahoo.com, you can specify a mount point of /config/login_verify2, so the phishing URL will be (almost) the same
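A defender-side check for the near-identical URL described on the web_cloner slide, as an added example that is not part of the original slides or of BeEF: it flags links whose host collapses to a protected login host once dots and hyphens are dropped, or whose path copies the protected login path on a different host. The names `squash`, `check_link` and `scan` are hypothetical, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Login URL to protect, taken from the slide. Everything else here is
# hypothetical: function names and the sample links are constructed.
PROTECTED = ["https://login.yahoo.com/config/login_verify2"]


def squash(host):
    """Drop dots and hyphens so login.yahoo.com and loginyahoo.com compare equal."""
    return host.lower().rstrip(".").replace(".", "").replace("-", "")


def check_link(url, protected=PROTECTED):
    """Return the reasons a link imitates a protected login URL ([] if none)."""
    seen = urlsplit(url)
    host = (seen.hostname or "").lower().rstrip(".")
    reasons = []
    for ref in protected:
        good = urlsplit(ref)
        if host == good.hostname:
            return []  # the genuine host itself is never flagged
        if squash(host) == squash(good.hostname):
            reasons.append("host-collapses-to:" + good.hostname)
        if good.path.strip("/") and seen.path.rstrip("/") == good.path.rstrip("/"):
            reasons.append("path-matches:" + good.path)
    return reasons


def scan(links):
    """Map each suspicious link (e.g. extracted from inbound mail) to its reasons."""
    return {u: r for u in links if (r := check_link(u))}


# Constructed sample links, as a mail gateway might extract them from messages.
SAMPLE_LINKS = [
    "https://login.yahoo.com/config/login_verify2",
    "http://loginyahoo.com/config/login_verify2",
    "http://login-yahoo.com/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link, why in scan(SAMPLE_LINKS).items():
        print(link, why)
```

A path match alone is a weaker signal than a host match, so it is reported as a separate reason to be weighted by the consumer.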
BeEF web_cloner
• Demo
BeEF mass_mailer
• Do your phishing email campaigns
• get a sample email from your target (with company footer...)
• copy the HTML content in a new BeEF email template
• download images so they will be added inline!
• add your malicious links/attachments
• send the mail to X targets and have fun
BeEF mass_mailer
• email templates structure
BeEF mass_mailer
• ‘default’ template HTML mail
BeEF mass_mailer
• how the ‘default’ template email will look
BeEF mass_mailer
• curl -H "Content-Type: application/json; charset=UTF-8" -d 'body' -X POST "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f"
{ "template": "default", "subject": "Hi from BeEF", "fromname": "BeEF", "link": "http://www.microsoft.com/", "linktext": "http://beefproject.com", "recipients": [{ "[email protected]": "Michele", "[email protected]": "Antisnatchor"}]}
BeEF mass_mailer
• Demo
Combine everything FTW
• Register your phishing domain
• Point the A/MX records to a VPS where you have an SMTP server and BeEF
• Create a BeEF RESTful API script that:
  • clones a webpage link with web_cloner
  • sends X emails with that link with mass_mailer
• Script intelligent attacks thanks to BeEF browser detection
Combine everything FTW
• Last demo
BeEF web_cloner + mass_mailer + RESTful API
=
Thanks
• Wade, for always being awesome
• The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
• A few new project joiners: Bart Leppens, gallypette, Quentin Swain
• Tom Neaves for the butcher/hook images :D
Questions?