BeEF, the Browser Exploitation Framework What’s new from 2011 EUSecWest - 19 Sept 2012 Michele “antisnatchor” Orru


Page 1: BeEF_EUSecWest-2012_Michele-Orru

BeEF, the Browser Exploitation Framework

What’s new from 2011

EUSecWest - 19 Sept 2012

Michele “antisnatchor” Orru

Page 2

Who am I

• Lead core developer of BeEF

• Application Security Researcher

• OpenBSD, Ruby and Javascript addicted

• Senior Security Consultant @ Trustwave SpiderLabs

Page 3

Outline

• Brief intro to BeEF

• New core features:

• RESTful API, WebSockets, HTTPS

• New extensions:

• Evasion, Social Engineering

Page 4

Meet BeEF

• Browser Exploitation Framework

• Pioneered by Wade Alcorn in 2005

• Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser's security context.

• The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

Page 5

Page 6

Page 7

RESTful API

• The truth is:

• I hate SOAP

• I hate XML-RPC

• I love to use protocol (HTTP) features without reinventing the wheel

Page 8

RESTful API

Ruby + Sinatra + JSON

require 'sinatra'

# a Sinatra route: HTTP verb, path, and a block whose return value is the response body
get '/to/a/pub' do
  "BeER please"
end

Page 9

RESTful API

• Facts:

• programmatically control BeEF from anything that speaks HTTP and JSON

• integration is much easier

• adding your own custom logic is much easier

Page 10

RESTful API demo: Java mass-pwner

• Fingerprint hooked browsers

• Achieve different forms of persistence

• Inject an (unsigned) applet to determine exact JVM version/architecture/platform

• Inject a second applet to launch a targeted attack with a malicious payload

Page 11

WebSockets

• The HTML5 specification introduces new features, including WebWorkers and WebSockets

• WebSockets enable (almost) real-time communication between your webapp users and the backend

• Streaming protocol, up to 2MB/message in latest browsers

Page 12

WebSockets

(diagram: XHR-polling)

Page 13

WebSockets

(diagram: XHR-polling vs WebSocket)

Page 14

WebSockets

• Server-side: event-based server

• Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via JavaScript

• If the victim browser supports the technology, protocols are switched

• Not (yet) enabled by default in BeEF: we’re still testing it
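Both channels described above leave a trace a defender can look for: XHR polling is a client fetching the same path at machine-regular intervals, and a WebSocket switch shows up as an HTTP 101 response. The following Ruby is an added example, not BeEF code, that runs those two checks over a constructed JSON-lines proxy log; the record fields (`ts`, `src`, `method`, `path`, `status`) and the sample traffic are assumptions for this example.

```ruby
require 'json'
require 'time'

# Constructed JSON-lines proxy log (not real traffic). Field names are an
# assumption for this example.
#  - 10.0.0.5 fetches /hook/poll every 5 s (XHR polling to a command channel)
#  - 10.0.0.7 upgrades /hook/ws to a WebSocket (HTTP 101)
#  - 10.0.0.9 browses normally
SAMPLE_LOG = <<~LOG
  {"ts":"2012-09-19T10:00:00Z","src":"10.0.0.5","method":"GET","path":"/hook/poll","status":200}
  {"ts":"2012-09-19T10:00:01Z","src":"10.0.0.9","method":"GET","path":"/index.html","status":200}
  {"ts":"2012-09-19T10:00:05Z","src":"10.0.0.5","method":"GET","path":"/hook/poll","status":200}
  {"ts":"2012-09-19T10:00:07Z","src":"10.0.0.7","method":"GET","path":"/hook/ws","status":101}
  {"ts":"2012-09-19T10:00:10Z","src":"10.0.0.5","method":"GET","path":"/hook/poll","status":200}
  {"ts":"2012-09-19T10:00:15Z","src":"10.0.0.5","method":"GET","path":"/hook/poll","status":200}
  {"ts":"2012-09-19T10:00:18Z","src":"10.0.0.9","method":"GET","path":"/style.css","status":200}
  {"ts":"2012-09-19T10:00:20Z","src":"10.0.0.5","method":"GET","path":"/hook/poll","status":200}
  {"ts":"2012-09-19T10:00:25Z","src":"10.0.0.5","method":"GET","path":"/hook/poll","status":200}
  {"ts":"2012-09-19T10:00:44Z","src":"10.0.0.9","method":"GET","path":"/about.html","status":200}
LOG

# Parse one JSON record per line; timestamps become Time objects.
def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    rec = JSON.parse(line)
    rec.merge('ts' => Time.iso8601(rec['ts']))
  end
end

# HTTP 101 Switching Protocols is the visible trace of a WebSocket upgrade.
def websocket_upgrades(events)
  events.select { |e| e['status'] == 101 }
end

# Flag (src, path) pairs requested at least min_hits times whose inter-request
# gaps have a low coefficient of variation: timer-driven polling looks like
# this, human browsing does not. Returns [[src, path, mean_gap_seconds], ...].
def polling_clients(events, min_hits: 5, max_cv: 0.2)
  events.group_by { |e| [e['src'], e['path']] }.map do |(src, path), hits|
    next if hits.size < min_hits
    times = hits.map { |e| e['ts'] }.sort
    gaps = times.each_cons(2).map { |a, b| b - a }
    mean = gaps.sum / gaps.size
    next if mean <= 0
    stddev = Math.sqrt(gaps.sum { |g| (g - mean)**2 } / gaps.size)
    next if stddev / mean > max_cv
    [src, path, mean.round(2)]
  end.compact
end
```

Regular polling is also what legitimate dashboards and mail clients do, so treat a hit as a triage signal to pair with the path, the user agent and a list of known pollers rather than as a verdict on its own.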

Page 15

WebSockets

• WebSockets open new horizons:

• faster Tunneling Proxy (10x faster)

• real-time VNC-like hooked browser control

• generally faster communication

Page 16

WebSockets demo

• BeEF Tunneling Proxy with and without WebSockets

• exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets

Page 17

HTTPS/WSS

• BeEF supports HTTPS and WebSocket Secure (WSS); you just need to specify your certificate

• Motivation:

• STS (Strict Transport Security) support implemented in latest browsers (see mixed scripting)

• prevent filtering if an SSL-proxy is not used

Page 20

Evasion Extension

• Motivation:

• decrease the likelihood that the BeEF hook injection and communication will be detected

• by machines (network filters)

• by humans

Page 21

Evasion Extension

• define your own techniques, and specify whether each needs a bootstrapper

• define the technique chain

Page 22

Social Eng. extension

• The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:

• sending phishing emails using templates,

• cloning webpages, harvesting credentials

• client-side pwnage

Page 23

AND... WE DID IT!

Page 24

Social Eng. extension

Page 25

Social Eng. extension: web_cloner

• Clone a webpage and serve it on BeEF, then automatically:

• modify the page to intercept POST requests

• add the BeEF hook to it

• if the page can be framed, load the original page in an overlay iframe after the POST is intercepted; otherwise redirect to the original page
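Two slides turn on properties a site owner can check in their own response headers: the HTTPS/WSS slide's point about STS support in browsers, and web_cloner's "if the page can be framed" test. The Ruby below is an added example, not BeEF code, that evaluates those headers from the defender's side: `X-Frame-Options` and the CSP `frame-ancestors` directive decide whether another origin may frame the page, and `Strict-Transport-Security` is parsed for `max-age` and `includeSubDomains`. The header values in the tests are constructed.

```ruby
# Constructed example, not BeEF code: audit a response's headers for
# frameability (X-Frame-Options / CSP frame-ancestors) and HSTS.

# Split a Content-Security-Policy value into {directive => [sources]}.
def parse_csp(value)
  value.to_s.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, *sources = directive.split(/\s+/)
    acc[name.downcase] = sources
  end
end

# Returns :denied, :same_origin, :restricted (only listed origins) or :frameable.
# When CSP frame-ancestors is present it takes precedence over X-Frame-Options.
def framing_policy(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  ancestors = parse_csp(h['content-security-policy'])['frame-ancestors']
  if ancestors
    sources = ancestors.map(&:downcase)
    return :denied      if sources.empty? || sources == ["'none'"]  # empty list matches nothing
    return :same_origin if sources == ["'self'"]
    return :restricted
  end
  case h['x-frame-options'].to_s.strip.downcase
  when 'deny'           then :denied
  when 'sameorigin'     then :same_origin
  when /\Aallow-from\s/ then :restricted   # legacy value, not honoured by every browser
  else :frameable
  end
end

# Returns {max_age:, include_subdomains:} or nil when the header is absent.
def hsts_policy(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  raw = h['strict-transport-security']
  return nil if raw.nil?
  directives = raw.split(';').map(&:strip)
  max_age_dir = directives.find { |d| d.match?(/\Amax-age=\d+\z/i) }
  { max_age: max_age_dir && max_age_dir[/\d+/].to_i,
    include_subdomains: directives.any? { |d| d.casecmp?('includesubdomains') } }
end

# Combine both checks into a list of findings a site owner would act on.
def audit(headers)
  policy = framing_policy(headers)
  hsts = hsts_policy(headers)
  findings = []
  findings << 'page can be framed by any origin' if policy == :frameable
  findings << 'no Strict-Transport-Security header' if hsts.nil?
  findings << 'HSTS max-age below one year' if hsts && hsts[:max_age].to_i < 31_536_000
  { framing: policy, hsts: hsts, findings: findings }
end
```

A page that reports `:frameable` is exactly the case the slide's overlay trick relies on; `:denied` or `:same_origin` forces the clone to fall back to a visible redirect, which is a far weaker lure. HSTS is only honoured after the browser has seen the header once over a valid HTTPS connection, so the one-year `max-age` threshold here is the common hardening guidance, not a protocol requirement.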

Page 27

Social Eng. extension: web_cloner

• Demo

Page 28

Social Eng. extension: mass_mailer

• Do your phishing email campaigns

• get a sample email from your target (with company footer...)

• copy the HTML content in a new BeEF email template

• download images so they will be added inline!

• add your malicious links/attachments

• send the mail to X targets and have fun

Page 29

Social Eng. extension: mass_mailer

• email templates structure

Page 30

Social Eng. extension: mass_mailer

• ‘default’ template HTML mail

Page 31

Social Eng. extension: mass_mailer

• how the ‘default’ template email will look

Page 32

Social Eng. extension: mass_mailer

• curl -H "Content-Type: application/json; charset=UTF-8" -X POST \
    -d '{
          "template": "default",
          "subject": "Hi from BeEF",
          "fromname": "BeEF",
          "link": "http://www.microsoft.com/",
          "linktext": "http://beefproject.com",
          "recipients": [{ "[email protected]": "Michele", "[email protected]": "Antisnatchor" }]
        }' \
    "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f"

Page 33

Social Eng. extension: mass_mailer

• Demo

Page 34

Social Eng. extension: combine everything FTW

• Register your phishing domain

• Point the A/MX records to a VPS where you have an SMTP server and BeEF

• Create a BeEF RESTful API script that:

• clones a webpage with web_cloner

• sends X emails containing that link with mass_mailer

• scripts intelligent attacks thanks to BeEF browser detection

Page 35

Unfortunately...

• There were so many changes since 2011 that we can’t cover them all in a one-hour talk

• Other interesting extensions: QRcode, CustomHook, Notification

• Other interesting core features: web imitation, cleaner/better code :D

• Tens of new modules: we now have 125 modules (and counting :-)

Page 36

Thanks

• Wade, for always being awesome

• The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather

• A few new project joiners: Bart Leppens, gallypette, Quentin Swain

• Tom Neaves for captain hook images :D

Page 37

Questions?