BeEF, the Browser Exploitation Framework
What’s new from 2011
EUSecWest - 19 Sept 2012
Michele “antisnatchor” Orru
Who am I
• Lead core developer of BeEF
• Application Security Researcher
• OpenBSD, Ruby and Javascript addicted
• Senior Security Consultant @ Trustwave SpiderLabs
Outline
• Brief intro to BeEF
• New core features:
• RESTful API, WebSockets, HTTPS
• New extensions:
• Evasion, Social Engineering
Meet BeEF
• Browser Exploitation Framework
• Pioneered by Wade Alcorn in 2005
• Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.
• The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
RESTful API
• The truth is:
• I hate SOAP
• I hate XML-RPC
• I love to use protocol (HTTP) features without reinventing the wheel
RESTful API
Ruby + Sinatra + JSON
get '/to/a/pub' do
  "BeER please"
end
RESTful API
• Facts:
• programmatically control BeEF with whatever eats HTTP and JSON
• integration is much easier
• add your custom logic is much easier
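To make the "Ruby + Sinatra + JSON" idea concrete, here is an added example (not BeEF's own code) of a token-checked JSON endpoint. It is written against the Rack interface in plain Ruby rather than Sinatra so it runs offline without a web server; the route, the token value and the header name are assumptions. Because the curl calls later in these slides pass the token as `?token=...`, and query strings land in proxy and web-server access logs, the handler also accepts the token in a request header and prefers it.

```ruby
require 'json'
require 'stringio'

# Added example, not from BeEF: a Rack-style app (a lambda taking an env hash
# and returning [status, headers, body]) that answers with JSON. The route,
# the header name and the token are assumptions for illustration.

API_TOKEN = 'example-token-0123456789abcdef'.freeze   # constructed value

# Constant-time string comparison, so the token check does not leak how many
# leading bytes matched through response timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Prefer a header; fall back to the ?token= query parameter the slides use.
def extract_token(env)
  header = env['HTTP_X_API_TOKEN']
  return header if header && !header.empty?
  query = env['QUERY_STRING'].to_s
  pair = query.split('&').map { |kv| kv.split('=', 2) }.find { |k, _| k == 'token' }
  pair && pair[1]
end

def json_response(status, payload)
  body = JSON.generate(payload)
  [status, { 'Content-Type' => 'application/json; charset=UTF-8' }, [body]]
end

# Rack-compatible app: GET /to/a/pub answers with JSON; POST /echo parses a
# JSON body the way the slides' POST calls carry their parameters.
BEEF_LIKE_APP = lambda do |env|
  unless secure_equal?(extract_token(env), API_TOKEN)
    return json_response(401, { 'error' => 'invalid token' })
  end

  case [env['REQUEST_METHOD'], env['PATH_INFO']]
  when ['GET', '/to/a/pub']
    json_response(200, { 'order' => 'BeER please' })
  when ['POST', '/echo']
    begin
      data = JSON.parse(env['rack.input'].read)
      json_response(200, { 'received' => data })
    rescue JSON::ParserError
      json_response(400, { 'error' => 'body is not valid JSON' })
    end
  else
    json_response(404, { 'error' => 'no such route' })
  end
end

# Build an env hash the way a Rack server would, so the app can be driven
# without opening a socket. Returns [status, parsed JSON body].
def call_app(method, path, query: '', body: '', headers: {})
  env = {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'QUERY_STRING' => query,
    'rack.input' => StringIO.new(body)
  }.merge(headers)
  status, _hdrs, body_parts = BEEF_LIKE_APP.call(env)
  [status, JSON.parse(body_parts.join)]
end

if __FILE__ == $PROGRAM_NAME
  p call_app('GET', '/to/a/pub', query: "token=#{API_TOKEN}")
  p call_app('GET', '/to/a/pub', query: 'token=wrong')
  p call_app('POST', '/echo', body: '{"url":"https://example.invalid/"}',
                              headers: { 'HTTP_X_API_TOKEN' => API_TOKEN })
end
```

Any client that "eats HTTP and JSON" can drive this the same way the slides' curl calls drive BeEF; the only design choices beyond the slide are the header-based token and the constant-time compare.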
RESTful API demo: Java mass-pwner
• Fingerprint hooked browsers
• Achieve different forms of persistence
• Inject an (unsigned) applet to determine exact JVM version/architecture/platform
• Inject a second applet to launch a targeted attack with a malicious payload
WebSockets
• HTML5 specification introduces new features, including WebWorkers and WebSockets
• WebSockets enable (almost) real-time communication between your webapp users and the backend
• Streaming protocol, up to 2MB/message in latest browsers
WebSockets
• (diagram: XHR-polling vs. WebSocket communication)
WebSockets
• Server-side: event-based server
• Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via Javascript
• If the victim browser supports the technology, protocols are switched
• Not (yet) enabled by default in BeEF: we’re still testing it
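The protocol switch mentioned above is the HTTP/1.1 Upgrade handshake of RFC 6455. The following is an added example, not code from BeEF, showing what the event-based server has to do before it can talk WebSocket to the hooked browser: validate the client's Upgrade request and answer with a `Sec-WebSocket-Accept` derived from the client's key. The request shown is constructed, using the sample key from RFC 6455 section 1.3; the path and host are assumptions.

```ruby
require 'digest/sha1'
require 'base64'

# Added example, not from BeEF: server side of the WebSocket opening handshake
# (RFC 6455). The accept value is base64(SHA-1(client_key + GUID)); the GUID is
# the constant fixed by the RFC.
WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'.freeze

def websocket_accept(key)
  Base64.strict_encode64(Digest::SHA1.digest(key + WS_GUID))
end

# Parse a raw HTTP/1.1 request head into [request_line, headers]; header
# names are lower-cased so lookups are case-insensitive.
def parse_request_head(raw)
  lines = raw.split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers]
end

# Validate an Upgrade request the way a server must before switching
# protocols. Returns [status, response_string]; 101 means "switch".
def handshake(raw_request)
  request_line, h = parse_request_head(raw_request)
  bad = [400, "HTTP/1.1 400 Bad Request\r\n\r\n"]
  return bad unless request_line.to_s.start_with?('GET ')

  upgrade_ok = h['upgrade'].to_s.casecmp('websocket').zero? &&
               h['connection'].to_s.downcase.split(/\s*,\s*/).include?('upgrade') &&
               h['sec-websocket-version'] == '13'
  key = h['sec-websocket-key']
  # The key must be 16 random bytes, base64-encoded (24 characters).
  key_ok = key && key.length == 24 &&
           (Base64.strict_decode64(key).bytesize == 16 rescue false)
  return bad unless upgrade_ok && key_ok

  response = "HTTP/1.1 101 Switching Protocols\r\n" \
             "Upgrade: websocket\r\n" \
             "Connection: Upgrade\r\n" \
             "Sec-WebSocket-Accept: #{websocket_accept(key)}\r\n\r\n"
  [101, response]
end

# Constructed client request (path and host are made up); the key is the
# example value from RFC 6455 section 1.3.
SAMPLE_REQUEST = "GET /ws HTTP/1.1\r\n" \
                 "Host: beef.example\r\n" \
                 "Upgrade: websocket\r\n" \
                 "Connection: Upgrade\r\n" \
                 "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n" \
                 "Sec-WebSocket-Version: 13\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  status, resp = handshake(SAMPLE_REQUEST)
  puts status
  puts resp
end
```

The `Upgrade: websocket` request line and the 101 reply are also what a network filter sees when the channel is not wrapped in TLS, which is the link to the HTTPS/WSS motivation later in the deck.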
WebSockets
• WebSockets open new horizons:
• faster Tunneling Proxy (10x faster)
• real-time VNC-like hooked browser control
• generally faster communication
WebSockets demo
• BeEF Tunneling Proxy with and without WebSockets
• exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
HTTPS/WSS
• BeEF supports HTTPS and WebSocket Secure (WSS); you just need to specify your certificate
• Motivation:
• STS support implemented in latest browsers (see Mixed Scripting)
• prevent filtering if an SSL-proxy is not used
HTTPS/WSS
• About STS
• Strict Transport Security, meaning that:
• see http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
• hooked domain: https://linkedin.com
• BeEF: http://beef.com
• The browser will deny loading a script from a non-https resource
HTTPS/WSS
• hooked domain: https://linkedin.com
• BeEF: https://beef.com
• This will work!
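The two slides above show one blocked and one allowed case. As an added example that is not part of the deck, the rule they illustrate is written out below: a script fetched over plain http into an https page is refused, while the same script over https, or any script into an http page, is loaded. It also covers scheme-relative `src` values (`//host/hook.js`), which inherit the page's scheme and therefore keep working on an https page. The page and script URLs are constructed.

```ruby
require 'uri'

# Added example, not from BeEF: the mixed-scripting rule illustrated on the
# HTTPS/WSS slides. Page and script URLs below are constructed.

def blocked_as_mixed_script?(page_url, script_src)
  page = URI.parse(page_url)
  # URI.join resolves relative and scheme-relative srcs against the page.
  script = URI.join(page_url, script_src)
  page.scheme == 'https' && script.scheme == 'http'
end

# Given a page URL and the src attributes of its <script> tags, split them
# into what the browser will load and what it will refuse.
def classify_scripts(page_url, srcs)
  blocked, loaded = srcs.partition { |src| blocked_as_mixed_script?(page_url, src) }
  { loaded: loaded, blocked: blocked }
end

# Constructed sample: an https page whose markup references scripts served
# in different ways.
SAMPLE_PAGE = 'https://hooked.example/login'
SAMPLE_SRCS = [
  'http://beef.example/hook.js',    # plain http into an https page: blocked
  'https://beef.example/hook.js',   # https: loaded
  '//beef.example/hook.js',         # scheme-relative: resolves to https, loaded
  '/static/app.js'                  # same-origin relative: loaded
]

if __FILE__ == $PROGRAM_NAME
  p classify_scripts(SAMPLE_PAGE, SAMPLE_SRCS)
end
```

The scheme-relative case is the one worth remembering when reviewing markup: it looks scheme-less in the source, but the browser resolves it to the page's own scheme before the mixed-content check runs.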
Evasion Extension
• Motivation:
• decrease the likelihood that the BeEF hook injection and communication will be detected
• by machines (network filters)
• by humans
Evasion Extension
• define your own techniques, specifying whether they need a bootstrapper
• define the technique chain
Social Eng. extension
• The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
• sending phishing emails using templates,
• cloning webpages, harvesting credentials
• client-side pwnage
AND... WE DID IT!
Social Eng. extension
Social Eng. extension: web_cloner
• Clone a webpage and serve it on BeEF, then automatically:
• modify the page to intercept POST requests
• add the BeEF hook to it
• if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to original page
• curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"https://login.yahoo.com/config/login_verify2", "mount":"/"}' -X POST http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1
• If you register loginyahoo.com, you can specify a mount point of /config/login_verify2, so the phishing url will be (almost) the same
Social Eng. extension: web_cloner
• Demo
Social Eng. extension: web_cloner
Social Eng. extension: mass_mailer
• Do your phishing email campaigns
• get a sample email from your target (with company footer...)
• copy the HTML content in a new BeEF email template
• download images so they will be added inline!
• add your malicious links/attachments
• send the mail to X targets and have fun
Social Eng. extension: mass_mailer
• email templates structure
Social Eng. extension: mass_mailer
• ‘default’ template HTML mail
• how the ‘default’ template email will look
Social Eng. extension: mass_mailer
• curl -H "Content-Type: application/json; charset=UTF-8" -d 'body' -X POST http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f
{ "template": "default", "subject": "Hi from BeEF", "fromname": "BeEF", "link": "http://www.microsoft.com/", "linktext": "http://beefproject.com", "recipients": [{ "[email protected]": "Michele", "[email protected]": "Antisnatchor"}]}
Social Eng. extension: mass_mailer
• Demo
Social Eng. extension: mass_mailer
Social Eng. extension: combine everything FTW
• Register your phishing domain
• Point the A/MX records to a VPS where you have an SMTP server and BeEF
• Create a BeEF RESTful API script that:
• Clone a webpage link with web_cloner
• Send X emails with that link with mass_mailer
• Script intelligent attacks thanks to BeEF browser detection
Unfortunately...
• There were so many changes from 2011 that we can’t cover them all in a one-hour talk
• Other interesting extensions: QRcode, CustomHook, Notification
• Other interesting core features: web imitation, cleaner/better code :D
• Tens of new modules: we now have 125 modules (and counting :-)
Thanks
• Wade for always being awesome
• The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
• A few new project joiners: Bart Leppens, gallypette, Quentin Swain
• Tom Neaves for captain hook images :D
Questions?