Advances in BeEF - AthCon2012

Advances in BeEF RESTful API, WebSockets, XssRays Michele “antisnatchor” Orru’ 2012 - Athens - 4 May 2012Saturday, May 5, 12

Who am I? - Senior Security Consultant @ TW SpiderLabs - BeEF lead core developer - Application Security researcher - OpenBSD, Ruby and Javascript addict - @antisnatchor - http://antisnatchor.comSaturday, May 5, 12

What is BeEF? Browser Exploitation Framework Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse. The framework allows the penetration tester to select speciﬁc modules (in real-time) to target each browser, and therefore each context.Saturday, May 5, 12

What is BeEF?Saturday, May 5, 12

OutlineSaturday, May 5, 12

Outline 1. The need to be RESTful: the new API II. The need to be speedy: WebSockets support III. I want more XSSs: XssRays enhancements IV. demos and fun :DSaturday, May 5, 12

The need to be RESTful - I hate SOAP - I hate XML-RPC - I love to use protocol (HTTP) features without reinventing the wheelSaturday, May 5, 12

The need to be RESTful Ruby + Sinatra + JSON = WIN get ‘/to/a/pub’ “BeER please” endSaturday, May 5, 12

The need to be RESTful - programmatically control BeEF with whatever eats HTTP and JSON (bash + curl?) - facilitate integration with third tools (ZAP?) - create your own custom UI/GUI (mobile?)Saturday, May 5, 12

The need to be RESTful More info: - http://blog.beefproject.com/2012/03/restful-api-from- antisnatchor-with-love.html - http://blog.beefproject.com/2012/03/restful-api-demo.html Read the doc, you lazy! - https://github.com/beefproject/beef/wiki/BeEF-RESTful-APISaturday, May 5, 12

The need to be RESTful Demo time Pwn hooked browsers with JDK <= 1.6.0_27 1. get hooked browsers type/version/OS/plugins II. if browserIsIE createOverlayIframe(Above) else launchManInTheBrowser end III. if javaEnabled launchGetSystemInfo IV. if JDK <= 1.6.0_27 launchRhinoRCE V. enjoy Java meterpreterSaturday, May 5, 12

The need to be speedy: WS BeEF communication channel uses XHR-polling Pros: - works everywhere (we support IE, Chrome, Safari, Firefox, Opera and mobile browsers) Cons: - not efﬁcient, data overheadSaturday, May 5, 12

The need to be speedy: WS Meet WebSocket support in BeEF XHR-pollingSaturday, May 5, 12

The need to be speedy: WS Meet WebSocket support in BeEF XHR-polling WebSocketsSaturday, May 5, 12

The need to be speedy: WS If beef.browser.hasWebSocket() don’t use XHR-polling, open a WebSocket channel currently supported: Firefox, Chrome, Safari also MozWebSocket (damn preﬁxes #$*(%$) speaks hixie-75, hixie-76, hybi-07, hybi-10Saturday, May 5, 12

The need to be speedy: WS still experimental in BeEF (bugﬁxing/testing phase) clone https://github.com/radoen/beef-radoen to give it a try opens a whole new range of possible features - real time VNC-like hooked browser control - faster Tunneling proxy (fuzzing through the hooked browser 4/5 times faster) - general faster communicationSaturday, May 5, 12

The need to be speedy: WS demo time - launch 1000 return_long_string modules, both normal XHR-polling and WebSocketsSaturday, May 5, 12

I want more XSSs: XssRays Originally developed by Gareth Heyes in 2009 as a pure JS- based XSS scanner. Then integrated in BeEF. XssRays basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path creating hidden iFrames. Who uses FrameBusting/X-Frame-Options out there :-)?Saturday, May 5, 12

I want more XSSs: XssRays We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS conﬁrmed). Also means false-positive free. Potential false-negatives as we blindly inject vectors. Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource.Saturday, May 5, 12

I want more XSSs: XssRaysSaturday, May 5, 12

I want more XSSs: XssRays It also works cross-domain (respecting the SOP)Saturday, May 5, 12

I want more XSSs: XssRays Enhancements from previous months: - added more attack vectors double URL encoded, double nibble, DOM based injections - added Chrome/Safari support base64‘ing the iFrame src in order to bypass the XSS ﬁlter - added IE6 to IE9 support did you know that in IE6 location.pathname doesn’t contains the ﬁrst forward slash? (thanks Gareth)Saturday, May 5, 12

Thanks Thanks to my BeEFfy friends: Wade, Christian, Brendan, Javier, Saafan, Graziano, Ben W., Ben P., Pipes and anyone I may have forgotten Our new blogger Heather P. SpiderLabs because I don’t have to take holidays to be here Special thanks to Kyprianos and ChrisSaturday, May 5, 12

Thanks follow us: @beefproject main site: http://beefproject.com the new blog: http://blog.beefproject.com github page: https://github.com/beefproject/beef (Please note: we’ll not pay you. You know we love OpenSource :-)Saturday, May 5, 12

Questions?Saturday, May 5, 12

http://antisnatchor.com	1639
http://www.antisnatchor.com	85
http://abtasty.com	12
http://127.0.0.1	3
http://webcache.googleusercontent.com	1
http://translate.googleusercontent.com	1

Advances in BeEF - AthCon2012

by Michele Orru

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 1,741

Statistics

Advances in BeEF - AthCon2012 Presentation Transcript