Advances in BeEF - AthCon2012
Transcript

  • 1. Advances in BeEF: RESTful API, WebSockets, XssRays. Michele “antisnatchor” Orru’. 2012 - Athens - 4 May 2012. (Slide footer: Saturday, May 5, 12)
  • 2. Who am I?
    - Senior Security Consultant @ TW SpiderLabs
    - BeEF lead core developer
    - Application Security researcher
    - OpenBSD, Ruby and JavaScript addict
    - @antisnatchor
    - http://antisnatchor.com
  • 3. What is BeEF? Browser Exploitation Framework. Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser's security context. The framework allows the penetration tester to select specific modules (in real time) to target each browser, and therefore each context.
  • 4. What is BeEF? (diagram slide)
  • 5. Outline
  • 6. Outline
    I. The need to be RESTful: the new API
    II. The need to be speedy: WebSockets support
    III. I want more XSSs: XssRays enhancements
    IV. Demos and fun :D
  • 7. The need to be RESTful
    - I hate SOAP
    - I hate XML-RPC
    - I love to use protocol (HTTP) features without reinventing the wheel
  • 8. The need to be RESTful. Ruby + Sinatra + JSON = WIN

        require 'sinatra'

        # Sinatra route: a GET on /to/a/pub answers with a plain string body
        get '/to/a/pub' do
          "BeER please"
        end
  • 9. The need to be RESTful
    - programmatically control BeEF with whatever eats HTTP and JSON (bash + curl?)
    - facilitate integration with third-party tools (ZAP?)
    - create your own custom UI/GUI (mobile?)
  • 10. The need to be RESTful. More info:
    - http://blog.beefproject.com/2012/03/restful-api-from-antisnatchor-with-love.html
    - http://blog.beefproject.com/2012/03/restful-api-demo.html
    Read the doc, you lazy!
    - https://github.com/beefproject/beef/wiki/BeEF-RESTful-API
  • 11. The need to be RESTful. Demo time: pwn hooked browsers with JDK <= 1.6.0_27
    I. get hooked browsers type/version/OS/plugins
    II. if browserIsIE createOverlayIframe(Above) else launchManInTheBrowser end
    III. if javaEnabled launchGetSystemInfo
    IV. if JDK <= 1.6.0_27 launchRhinoRCE
    V. enjoy Java meterpreter
  • 12. The need to be speedy: WS. BeEF's communication channel uses XHR-polling.
    Pros:
    - works everywhere (we support IE, Chrome, Safari, Firefox, Opera and mobile browsers)
    Cons:
    - not efficient, data overhead
  • 13. The need to be speedy: WS. Meet WebSocket support in BeEF (diagram: XHR-polling)
  • 14. The need to be speedy: WS. Meet WebSocket support in BeEF (diagram: XHR-polling vs WebSockets)
  • 15. The need to be speedy: WS. If beef.browser.hasWebSocket(), don't use XHR-polling: open a WebSocket channel instead. Currently supported: Firefox, Chrome, Safari (also MozWebSocket; damn prefixes #$*(%$). Speaks hixie-75, hixie-76, hybi-07, hybi-10.
  • 16. The need to be speedy: WS. Still experimental in BeEF (bugfixing/testing phase); clone https://github.com/radoen/beef-radoen to give it a try. Opens a whole new range of possible features:
    - real-time VNC-like hooked browser control
    - faster Tunneling Proxy (fuzzing through the hooked browser 4-5 times faster)
    - generally faster communication
  • 17. The need to be speedy: WS. Demo time:
    - launch 1000 return_long_string modules, over both normal XHR-polling and WebSockets
  • 18. I want more XSSs: XssRays. Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner, then integrated into BeEF. XssRays basically parses all the links and forms of the page where it is loaded and checks for XSS in GET and POST parameters, and also in the URI path, by creating hidden iFrames. Who uses FrameBusting/X-Frame-Options out there :-)?
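    The defence the slide hints at, as an added example that is not BeEF or XssRays code: a Rack-style middleware (pure Ruby, so no gems are needed; the `DenyFraming` class name and the two sample apps are constructed for this example) that refuses framing on HTML responses via X-Frame-Options and the equivalent CSP frame-ancestors directive, so hidden-iFrame checks against the site never load.

```ruby
# Added example (not BeEF code): refuse framing on HTML responses.
# Implements the Rack call(env) -> [status, headers, body] contract by hand.
class DenyFraming
  POLICIES = %w[DENY SAMEORIGIN].freeze # values defined by X-Frame-Options

  def initialize(app, policy: 'DENY')
    raise ArgumentError, "unknown policy #{policy}" unless POLICIES.include?(policy)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Only HTML documents can be framed meaningfully; leave JSON/API responses alone.
    if html?(headers)
      headers['X-Frame-Options'] ||= @policy            # keep an app-set value
      headers['Content-Security-Policy'] = merge_csp(headers['Content-Security-Policy'])
    end
    [status, headers, body]
  end

  private

  def html?(headers)
    ct = headers.find { |k, _| k.casecmp?('content-type') }&.last.to_s
    ct.start_with?('text/html')
  end

  # 'none' / 'self' mirror DENY / SAMEORIGIN; respect an existing frame-ancestors.
  def merge_csp(existing)
    directive = "frame-ancestors #{@policy == 'DENY' ? "'none'" : "'self'"}"
    return directive if existing.nil? || existing.empty?
    return existing if existing.include?('frame-ancestors')
    "#{existing}; #{directive}"
  end
end

# Constructed sample apps standing in for a real site and its JSON API.
HTML_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html>hi</html>']] }
JSON_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }

# Run one request through the middleware and return the response headers.
def frame_headers(app, policy: 'DENY')
  DenyFraming.new(app, policy: policy).call({ 'PATH_INFO' => '/' })[1]
end

puts frame_headers(HTML_APP).inspect if __FILE__ == $PROGRAM_NAME
```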
  • 19. I want more XSSs: XssRays. We inject a vector that contacts BeEF back if the JS code is successfully executed (thus confirming the XSS). This also means it is false-positive free. Potential false negatives, as we blindly inject vectors. Basically, the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource.
  • 20. I want more XSSs: XssRays (diagram slide)
  • 21. I want more XSSs: XssRays. It also works cross-domain (respecting the SOP).
  • 22. I want more XSSs: XssRays. Enhancements from previous months:
    - added more attack vectors: double URL encoded, double nibble, DOM-based injections
    - added Chrome/Safari support: base64'ing the iFrame src in order to bypass the XSS filter
    - added IE6 to IE9 support: did you know that in IE6 location.pathname doesn't contain the first forward slash? (thanks Gareth)
  • 23. Thanks. Thanks to my BeEFfy friends: Wade, Christian, Brendan, Javier, Saafan, Graziano, Ben W., Ben P., Pipes and anyone I may have forgotten. Our new blogger Heather P. SpiderLabs, because I don't have to take holidays to be here. Special thanks to Kyprianos and Chris.
  • 24. Thanks
    - follow us: @beefproject
    - main site: http://beefproject.com
    - the new blog: http://blog.beefproject.com
    - github page: https://github.com/beefproject/beef
    (Please note: we'll not pay you. You know we love OpenSource :-)
  • 25. Questions?