I’m the Butcher would you like some BeEF?
Michele ‘antisnatchor’ Orru, Thomas MacKenzie
7th Sept 2012 - London

DESCRIPTION

Recently a lot of focus in BeEF has been towards developing cool new features that help the day to day job of a social engineer, hereafter known as “The Butcher”. We have been working very hard and secretively in the last months to widen our range of meaty goods within the Browser Exploitation Framework. During this talk we will release new modules and extensions specifically aimed toward automating the technical parts of a social engineering attack. Employing techniques that are currently used is great, however “The Butcher” wishes to impart knowledge upon the attendees regarding new techniques that employ successful vectors targeting different browsers within different security contexts. After introducing people to the project who may have never heard of it before, we will be sharing information about real social engineering / penetration testing work that we have done recently and how we have advanced BeEF to achieve maximum coverage. This includes:

• Website Cloning: but you haven’t seen it like this before!

• Email Spoofing: mass email, easy.

• Browser Control / Pwnage Automation: control BeEF programmatically using the RESTful API.

Who are we

• Michele Orru: The Butcher

• Thomas MacKenzie: The Meat

Outline

• A Social Engineering real story

• BeEF intro

• The new BeEF Social Engineering extension

• Having fun with the RESTful API

Social Engineering

• “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.” - Grandfather of all knowledge (Wikipedia).

Our Mission...

• Tasked with gathering as many usernames and passwords as possible in a small amount of time

• Tried calling and pretending to be a person of authority but awareness seemed to be higher

So...

• We heard great things about S.E.T.

• Decided to use that to clone the website (but found some bugs and limitations that almost made it unusable)

Mass-Mailer

• With the help of a colleague we then created a basic mass-mailer that used personalization, HTML, pictures and had the ability to spoof the domain name (thanks to their SMTP server settings :-)

We Won

But The IT Admin was like...

• DO NOT CLICK ON THAT LINK

We then said (sending another email)...

• DO CLICK ON THAT LINK

AND... WE WON AGAIN!

But...

• We thought we could do it better and integrate some awesome client-side exploitation whilst we were at it...

Meet BeEF

• Browser Exploitation Framework

• Pioneered by Wade Alcorn in 2005

• Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.

• The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

Meet BeEF

• Demo

Social Eng. extension

• The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:

• sending phishing emails using templates,

• cloning webpages, harvesting credentials

• client-side pwnage

AND... WE DID IT!

BeEF web_cloner

• Clone a webpage and serve it on BeEF, then automatically:

• modify the page to intercept POST requests

• add the BeEF hook to it

• if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to original page

BeEF web_cloner

• Demo

BeEF mass_mailer

• Do your phishing email campaigns

• get a sample email from your target (with company footer...)

• copy the HTML content in a new BeEF email template

• download images so they will be added inline!

• add your malicious links/attachments

• send the mail to X targets and have fun

BeEF mass_mailer

• email templates structure

BeEF mass_mailer

• ‘default’ template HTML mail

BeEF mass_mailer

• how the ‘default’ template email will look

BeEF mass_mailer

• curl -H "Content-Type: application/json; charset=UTF-8" -d 'body' -X POST "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f"

• where 'body' is the JSON request:

{
  "template": "default",
  "subject": "Hi from BeEF",
  "fromname": "BeEF",
  "link": "http://www.microsoft.com/",
  "linktext": "http://beefproject.com",
  "recipients": [{
    "[email protected]": "Michele",
    "[email protected]": "Antisnatchor"
  }]
}

BeEF mass_mailer

• Demo

Combine everything FTW

• Register your phishing domain

• Point the A/MX records to a VPS where you have an SMTP server and BeEF

• Create a BeEF RESTful API script that:

• Clone a webpage link with web_cloner

• Send X emails with that link with mass_mailer

• Script intelligent attacks thanks to BeEF browser detection

Combine everything FTW

• Last demo

BeEF web_cloner + mass_mailer + RESTful API

=

Thanks

• Wade for always being awesome

• The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather

• A few new project joiners: Bart Leppens, gallypette, Quentin Swain

• Tom Neaves for the butcher/hook images :D

Questions?
