Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF

Dr. Strangelove or: how I Learned to Stop Worrying

and Love the BeEF

Michele “antisnatchor” Orru’

Confidence 2011 - 25 May 2011Sunday, May 22, 2011

Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor #

WHO AMI I?

Penetration Tester @ Royal Bank of Scotland

BeEF developer, lover and eater

Failed business man and “entrepreneur”

Kubrick fan

Definitely not a fan of our Italian prime minister

Silvio “bunga-bunga” Berlusconi

2

Sunday, May 22, 2011


OUTLINE

I cannot Pwn to Own :-(

The new BeEF

Add your own attacks to BeEF

Extend BeEF (next conference...lack of time :-()

Future development and cool ideas

3



I CANNOT PWN TO OWN :-(

We need to break inside a network and reach the

ApplicationServer

The ApplicationServer is behind an Apache

machine with mod_jk:

OS: OpenBSD

CPU: SPARC64

Open ports: 22 (public-key), 80, 443

4




5




6




7




8




9




10




11




12




13




14



CAN I EAT THE BEEF? (sorry vegetarians)

Nope! Even if it’s tasty :-)

15



BeEF => Browser Exploitation Framework

Pioneered by Wade Alcorn in 2005(public release)

Originally Inspired by Anton Rager research

Powerful platform for Client-side pwnage, XSS post-

exploitation and generally victim browser security-

context abuse

16



Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 17




THE OLD BeEF => PHP + static HTML :-(

18



THE NEW BeEF => RUBY & ExtJS :-)

19



THE NEW BeEF Rewritten from scratch in Ruby

ExtJS for a usable and ajax-based GUI

jQuery for DOM manipulation and XHR

SQLite and MySQL support

Modular and extensible architecture

Core much more stable (next releases focused on

attack scenarios - we’re open to any suggestions :-)

A lot of new cool features and attacks...

20



coolest Features: METASPLOIT integration

Launch MSF browser and client-side exploits

(Flash, Adobe Reader, Java, ...) to the hooked browser

in a point-and-click way :-)

MSF integrated via XML-RPC, with an additional

caching layer on the BeEF side

Browser AutoPWN will be (re)added soon...

21



Hidden iFrame injection with src pointing to the

MSF listening callback service

22

coolest Features: METASPLOIT integration



coolest Features: EVENT LOGGER

Log keystrokes, mouse clicks and form submissions

that are executed by the hooked browser.

... Then send them back to BeEF ...

Imagine finding XSS on the

pre-auth surface of a

website

23




24




25

0day Reflected XSS on Plesk Panel 10.2.0 (with SSO) login page




26





27


After hooking the victim browser to BeEF, Parallels

Plesk admin/customer credentials can be stolen with

JS keylogging



coolest Features: NETWORK STACK

BeEF base64 encodes the JSON'ed data stream

and then splits the base64 string by the configured

maximum URL length.

Data is handled in streams of packets that are

reconstructed by BeEF

Once split each segment is sent as a packet and

reconstructed by BeEF.

28



BeEF: N

ETW

OR

K S

TAC

K

archit

ecture

29



coolest Features: NETWORK STACK

In future releases the maximum URL will be

automatically detected.

How do you send 165KB of data back to BeEF?

packet queue

165KB -> 165 packets

30



coolest Features: TUNNELING PROXY

The browser becomes the exit node for the tunnel: it

will perform the HTTP request and receive the response.

Next the response is communicated back to the BeEF

proxy which in turn delivers it to the browser.

Afterwords the request in the context of the user (any

existing cookies will be automatically used)

31



coolest Features: TUNNELING PROXY

Similar to XSSProxy, but goes a step further:

You can choose to which zombie tunnel requests

Doesn’t need a third app (uses WebRick proxy)

32



coolest Features: PERSISTENCE

Implemented using Samy’s EverCookie for the

main BEEFHOOK cookie

Various ready-to-use command modules:

iFrame persistence

pop-under window

33




One of the many reasons to code your exploit to

BeEF is because you have a nice Javascript API that

gives you all you need for...

34




detect the browser including version, plugins, and

other details

detect the Operating System including iOS, BeOS

and Win3.1 ;-)

manipulate the DOM attaching/detaching applets,

creating invisible iFrames, rewriting links, ...

35




log keystrokes, mouse clicks and form submissions

do XHRs and retrieve all you need for further

exploitation

geolocate the victim retrieving latitude/longitude

for further targeted attacks

36



BeEF: loadin

g s

equence

archit

ecture

37




38

JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit

Exploit is available in MSF, but you need to have

direct access to the target

(or use a host as a pivot)

Then why not use the victim browser as a pivot?



How to port the JBoss exploit to BeEF in 3 steps

(approximately 15/20 mins, testing included :-)

39





first step: config file




second step: UI exploit setup




third step: javascript (exploit code)



Now lets see it in action...

43


✤ IT’s DEMO time!




Enhance the Tunneling Proxy features

caching

request queueing

generally: performance

Enhance Yokoso

add more device signatures

add support for HTTPS/IPv6

44




Implement Rider

Victim x is browsing website example.com while

hooked in BeEF.

Use her browser to proxy attacker requests and

"Ride" her session from the BeEF adminUI

Implement Meterpreter wrapper/shell code that

communicates HTTP

In this way the browser can be a full pivot point :-)

45




Command module autorun/autoexit

This will add AutoPwn features, while being the

starting point for command chains like:

hasJava() -> loadMaliciousApplet(...)

launchMetasploitAuroraExploit(...) if

beef.browser.isIE7()

Implement obfuscated/polymorphic Javascript hook

Add support for HTTPS46




... and many other (nasty) things ...

Follow (and get in touch with) BeEF: @beefproject

Checkout BeEF: http://code.google.com/p/beef/

Eat the BeEF

47


http://code.google.com/p/beef/

http://code.google.com/p/beef/


Thanks to

Wade Alcorn and the other BeEF core developers

(the two Bens, Scotty, Christian, ...)

Michal & Piotr

My employer

Confidence crew and you attendees

48



QUESTIONS?

49


Technology

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF