Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF

Dr. Strangelove or: how I Learned to Stop Worrying and Love the BeEF Michele “antisnatchor” Orru’ Confidence 2011 - 25 May 2011Sunday, May 22, 2011

WHO AMI I? Penetration Tester @ Royal Bank of Scotland BeEF developer, lover and eater Failed business man and “entrepreneur” Kubrick fan Deﬁnitely not a fan of our Italian prime minister Silvio “bunga-bunga” BerlusconiConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 2Sunday, May 22, 2011

OUTLINE I cannot Pwn to Own :-( The new BeEF Add your own attacks to BeEF Extend BeEF (next conference...lack of time :-() Future development and cool ideasConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 3Sunday, May 22, 2011

I CANNOT PWN TO OWN :-( We need to break inside a network and reach the ApplicationServer The ApplicationServer is behind an Apache machine with mod_jk: OS: OpenBSD CPU: SPARC64 Open ports: 22 (public-key), 80, 443Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 4Sunday, May 22, 2011

I CANNOT PWN TO OWN :-(Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 5Sunday, May 22, 2011

CAN I EAT THE BEEF? (sorry vegetarians) Nope! Even if it’s tasty :-)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 15Sunday, May 22, 2011

CAN I EAT THE BEEF? (sorry vegetarians) BeEF => Browser Exploitation Framework Pioneered by Wade Alcorn in 2005(public release) Originally Inspired by Anton Rager research Powerful platform for Client-side pwnage, XSS post- exploitation and generally victim browser security- context abuseConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 16Sunday, May 22, 2011

CAN I EAT THE BEEF? (sorry vegetarians)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 17Sunday, May 22, 2011

THE OLD BeEF => PHP + static HTML :-(Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 18Sunday, May 22, 2011

THE NEW BeEF => RUBY & ExtJS :-)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 19Sunday, May 22, 2011

THE NEW BeEF Rewritten from scratch in Ruby ExtJS for a usable and ajax-based GUI jQuery for DOM manipulation and XHR SQLite and MySQL support Modular and extensible architecture Core much more stable (next releases focused on attack scenarios - we’re open to any suggestions :-) A lot of new cool features and attacks...Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 20Sunday, May 22, 2011

coolest Features: METASPLOIT integration Launch MSF browser and client-side exploits (Flash, Adobe Reader, Java, ...) to the hooked browser in a point-and-click way :-) MSF integrated via XML-RPC, with an additional caching layer on the BeEF side Browser AutoPWN will be (re)added soon...Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 21Sunday, May 22, 2011

coolest Features: METASPLOIT integration Hidden iFrame injection with src pointing to the MSF listening callback serviceConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 22Sunday, May 22, 2011

coolest Features: EVENT LOGGER Log keystrokes, mouse clicks and form submissions that are executed by the hooked browser. ... Then send them back to BeEF ... Imagine ﬁnding XSS on the pre-auth surface of a websiteConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 23Sunday, May 22, 2011

coolest Features: EVENT LOGGERConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 24Sunday, May 22, 2011

coolest Features: EVENT LOGGER0day Reﬂected XSS on Plesk Panel 10.2.0 (with SSO) login pageConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 25Sunday, May 22, 2011

coolest Features: EVENT LOGGER0day Reﬂected XSS on Plesk Panel 10.2.0 (with SSO) login pageConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 26Sunday, May 22, 2011

coolest Features: EVENT LOGGER0day Reﬂected XSS on Plesk Panel 10.2.0 (with SSO) login page After hooking the victim browser to BeEF, Parallels Plesk admin/customer credentials can be stolen with JS keyloggingConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 27Sunday, May 22, 2011

coolest Features: NETWORK STACK BeEF base64 encodes the JSONed data stream and then splits the base64 string by the conﬁgured maximum URL length. Data is handled in streams of packets that are reconstructed by BeEF Once split each segment is sent as a packet and reconstructed by BeEF.Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 28Sunday, May 22, 2011

BeEF: NETWORK STACK architectureConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 29Sunday, May 22, 2011

coolest Features: NETWORK STACK In future releases the maximum URL will be automatically detected. How do you send 165KB of data back to BeEF? packet queue 165KB -> 165 packetsConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 30Sunday, May 22, 2011

coolest Features: TUNNELING PROXY The browser becomes the exit node for the tunnel: itwill perform the HTTP request and receive the response. Next the response is communicated back to the BeEFproxy which in turn delivers it to the browser. Afterwords the request in the context of the user (anyexisting cookies will be automatically used)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 31Sunday, May 22, 2011

coolest Features: TUNNELING PROXY Similar to XSSProxy, but goes a step further: You can choose to which zombie tunnel requests Doesn’t need a third app (uses WebRick proxy)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 32Sunday, May 22, 2011

coolest Features: PERSISTENCE Implemented using Samy’s EverCookie for the main BEEFHOOK cookie Various ready-to-use command modules: iFrame persistence pop-under windowConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 33Sunday, May 22, 2011

Add your own attacks to BeEF One of the many reasons to code your exploit to BeEF is because you have a nice Javascript API that gives you all you need for...Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 34Sunday, May 22, 2011

Add your own attacks to BeEF detect the browser including version, plugins, and other details detect the Operating System including iOS, BeOS and Win3.1 ;-) manipulate the DOM attaching/detaching applets, creating invisible iFrames, rewriting links, ...Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 35Sunday, May 22, 2011

Add your own attacks to BeEF log keystrokes, mouse clicks and form submissions do XHRs and retrieve all you need for further exploitation geolocate the victim retrieving latitude/longitude for further targeted attacksConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 36Sunday, May 22, 2011

loading sequence architecture BeEF:Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 37Sunday, May 22, 2011

Add your own attacks to BeEF JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit Exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) Then why not use the victim browser as a pivot?Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 38Sunday, May 22, 2011

Add your own attacks to BeEF How to port the JBoss exploit to BeEF in 3 steps (approximately 15/20 mins, testing included :-)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 39Sunday, May 22, 2011

Add your own attacks to BeEF first step: config fileConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 40Sunday, May 22, 2011

Add your own attacks to BeEFsecond step: UI exploit setupConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 41Sunday, May 22, 2011

Add your own attacks to BeEFthird step: javascript (exploit code)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 42Sunday, May 22, 2011

Add your own attacks to BeEF Now lets see it in action... ✤ IT’s DEMO time!Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 43Sunday, May 22, 2011

Future development and cool ideas Enhance the Tunneling Proxy features caching request queueing generally: performance Enhance Yokoso add more device signatures add support for HTTPS/IPv6Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 44Sunday, May 22, 2011

Future development and cool ideas Implement Rider Victim x is browsing website example.com while hooked in BeEF. Use her browser to proxy attacker requests and "Ride" her session from the BeEF adminUI Implement Meterpreter wrapper/shell code that communicates HTTP In this way the browser can be a full pivot point :-)Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 45Sunday, May 22, 2011

Future development and cool ideas Command module autorun/autoexit This will add AutoPwn features, while being the starting point for command chains like: hasJava() -> loadMaliciousApplet(...) launchMetasploitAuroraExploit(...) if beef.browser.isIE7() Implement obfuscated/polymorphic Javascript hook Add support for HTTPSConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 46Sunday, May 22, 2011

Future development and cool ideas ... and many other (nasty) things ... Follow (and get in touch with) BeEF: @beefproject Checkout BeEF: http://code.google.com/p/beef/ Eat the BeEFConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 47Sunday, May 22, 2011

Thanks to Wade Alcorn and the other BeEF core developers (the two Bens, Scotty, Christian, ...) Michal & Piotr My employer Conﬁdence crew and you attendeesConfidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 48Sunday, May 22, 2011

QUESTIONS?Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 49Sunday, May 22, 2011

http://antisnatchor.com	615
http://www.antisnatchor.com	12
http://www.slideshare.net	7
url_unknown	6
http://koto.github.com	1

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF

by Michele Orru' on May 30, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 641

Statistics

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF — Presentation Transcript