BeEF_EUSecWest-2012_Michele-Orru
Brief intro to BeEF

New core features: RESTful API, WebSockets, HTTPS

New extensions:
Evasion, Social Engineering

Published in: Technology

Transcript

  • 1. BeEF, the Browser Exploitation Framework: what's new from 2011. EUSecWest, 19 Sept 2012. Michele "antisnatchor" Orru
  • 2. Who am I
    • Lead core developer of BeEF
    • Application Security Researcher
    • OpenBSD, Ruby and JavaScript addict
    • Senior Security Consultant @ Trustwave SpiderLabs
  • 3. Outline
    • Brief intro to BeEF
    • New core features: RESTful API, WebSockets, HTTPS
    • New extensions: Evasion, Social Engineering
  • 4. Meet BeEF
    • Browser Exploitation Framework
    • Pioneered by Wade Alcorn in 2005
    • Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser's security context.
    • The framework allows the penetration tester to select specific modules (in real time) to target each browser, and therefore each context.
  • 5. RESTful API
    • The truth is:
      • I hate SOAP
      • I hate XML-RPC
      • I love to use protocol (HTTP) features without reinventing the wheel
  • 6. RESTful API: Ruby + Sinatra + JSON
        require 'sinatra'
        # a Sinatra GET route: the block's return value becomes the HTTP response body
        get '/to/a/pub' do
          "BeER please"
        end
  • 7. RESTful API
    • Facts:
      • programmatically control BeEF with whatever eats HTTP and JSON
      • integration is much easier
      • adding your custom logic is much easier
  • 8. RESTful API demo: Java mass-pwner
    • Fingerprint hooked browsers
    • Achieve different forms of persistence
    • Inject an (unsigned) applet to determine the exact JVM version/architecture/platform
    • Inject a second applet to launch a targeted attack with a malicious payload
  • 9. WebSockets
    • The HTML5 specification introduces new features, including WebWorkers and WebSockets
    • WebSockets enable (almost) real-time communication between your webapp users and the backend
    • Streaming protocol, up to 2 MB/message in the latest browsers
  • 10. WebSockets (diagram: XHR polling)
  • 11. WebSockets (diagram: XHR polling vs WebSocket)
  • 12. WebSockets
    • Server-side: event-based server
    • Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via JavaScript
    • If the victim browser supports the technology, protocols are switched
    • Not (yet) enabled by default in BeEF: we're still testing it
  • 13. WebSockets
    • WebSockets open new horizons:
      • faster Tunneling Proxy (10x faster)
      • real-time VNC-like hooked browser control
      • generally faster communication
  • 14. WebSockets demo
    • BeEF Tunneling Proxy with and without WebSockets
      • exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
  • 15. HTTPS/WSS
    • BeEF supports HTTPS and WebSocket Secure; you just need to specify your certificate
    • Motivation:
      • STS support implemented in the latest browsers (see Mixed Scripting)
      • prevent filtering if an SSL proxy is not used
  • 16. HTTPS/WSS
    • About STS
      • Strict Transport Security, meaning that the browser will deny loading a script from a non-HTTPS resource
      • see http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
    • Diagram: hooked domain https://linkedin.com, BeEF at http://beef.com: the script load is denied
  • 17. HTTPS/WSS
    • About STS
      • Strict Transport Security, meaning that the browser will deny loading a script from a non-HTTPS resource
      • see http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
    • Diagram: hooked domain https://linkedin.com, BeEF at https://beef.com: this will work!
  • 18. Evasion Extension
    • Motivation:
      • decrease the likelihood that the BeEF hook injection and communication will be detected
        • by machines (network filters)
        • by humans
  • 19. Evasion Extension
    • define your own techniques and specify whether they need a bootstrapper
    • define the technique chain
  • 20. Social Eng. extension
    • The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
      • sending phishing emails using templates
      • cloning webpages, harvesting credentials
      • client-side pwnage
  • 21. AND... WE DID IT!
  • 22. Social Eng. extension
  • 23. Social Eng. extension: web_cloner
    • Clone a webpage and serve it on BeEF, then automatically:
      • modify the page to intercept POST requests
      • add the BeEF hook to it
      • if the page can be framed, load the original page in an overlay iframe after POST interception; otherwise redirect to the original page
  • 24. Social Eng. extension: web_cloner
    • API call (the JSON body is single-quoted so the shell passes it through intact):
        curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"https://login.yahoo.com/config/login_verify2","mount":"/"}' -X POST "http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1"
    • If you register loginyahoo.com, you can specify a mount point of /config/login_verify2, so the phishing URL will be (almost) the same
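The mixed-scripting rule on slides 16 and 17 and the "if the page can be framed" condition on slide 23 are both decided by response headers that the hooked site controls. The following Python is an added example, not code from the slides or the BeEF project, that evaluates those rules for a given page; its CSP matching is deliberately minimal (only 'self', 'none', *, scheme: and host sources) and the hostnames are the slides' illustrative ones.

```python
# Added example (not BeEF project code): audit of the two browser rules the
# slides rely on, using the illustrative hostnames shown on the slides.
from urllib.parse import urlsplit

def _directive(csp, name):
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in (csp or "").split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def _source_matches(source, url, page_url):
    """Minimal CSP source matching: 'self', 'none', *, scheme:, scheme://host."""
    u, p = urlsplit(url), urlsplit(page_url)
    if source == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source in ("'none'", "*"):
        return source == "*"
    if source.endswith(":"):
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else f"{u.scheme}://{source}")
    return (u.scheme, u.netloc) == (s.scheme, s.netloc)

def mixed_content_blocked(page_url, script_url):
    """Slide 16: an https page refuses to run a script fetched over plain http."""
    return urlsplit(page_url).scheme == "https" and urlsplit(script_url).scheme == "http"

def script_allowed(page_url, script_url, csp=None):
    """Slide 17: https-to-https passes the mixed-content rule; only a CSP
    script-src (or default-src) allowlist still refuses an unlisted origin."""
    if mixed_content_blocked(page_url, script_url):
        return False
    sources = _directive(csp, "script-src")
    if sources is None:
        sources = _directive(csp, "default-src")
    return sources is None or any(_source_matches(s, script_url, page_url) for s in sources)

def frameable_by(page_url, headers, framer_origin):
    """Slide 23 needs the page to be frameable; frame-ancestors (takes precedence)
    or X-Frame-Options is what denies a cross-origin frame."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _directive(h.get("content-security-policy"), "frame-ancestors")
    if ancestors is not None:
        return any(_source_matches(s, framer_origin, page_url) for s in ancestors)
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "SAMEORIGIN":
        return urlsplit(framer_origin).netloc == urlsplit(page_url).netloc
    return xfo != "DENY"
```

A site that serves a script-src allowlist and frame-ancestors 'none' (or X-Frame-Options) fails both checks regardless of whether the hook server speaks HTTPS.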
  • 25. Social Eng. extension: web_cloner • Demo
  • 26. Social Eng. extension: mass_mailer
    • Do your phishing email campaigns:
      • get a sample email from your target (with company footer...)
      • copy the HTML content into a new BeEF email template
      • download images so they will be added inline!
      • add your malicious links/attachments
      • send the mail to X targets and have fun
  • 27. Social Eng. extension: mass_mailer (slide image: email template structure)
  • 28. Social Eng. extension: mass_mailer (slide image: the 'default' template HTML mail)
  • 29. Social Eng. extension: mass_mailer (slide image: how the 'default' template email will look)
  • 30. Social Eng. extension: mass_mailer
    • API call, with the JSON body (shown on the slide as "body") passed inline to -d:
        curl -H "Content-Type: application/json; charset=UTF-8" -X POST "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f" -d '{
          "template": "default",
          "subject": "Hi from BeEF",
          "fromname": "BeEF",
          "link": "http://www.microsoft.com/",
          "linktext": "http://beefproject.com",
          "recipients": [{"user1@gmail.com": "Michele", "user2@antisnatchor.com": "Antisnatchor"}]
        }'
  • 31. Social Eng. extension: mass_mailer • Demo
  • 32. Social Eng. extension: combine everything FTW
    • Register your phishing domain
    • Point the A/MX records to a VPS where you have an SMTP server and BeEF
    • Create a BeEF RESTful API script that:
      • clones a webpage with web_cloner
      • sends X emails with that link with mass_mailer
      • scripts intelligent attacks thanks to BeEF browser detection
  • 33. Unfortunately...
    • There were so many changes from 2011 that we can't cover them all in a one-hour talk
    • Other interesting extensions: QRcode, CustomHook, Notification
    • Other interesting core features: web imitation, cleaner/better code :D
    • Tens of new modules: we now have 125 modules (and counting :-)
  • 34. Thanks
    • Wade for always being awesome
    • The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
    • A few new project joiners: Bart Leppens, gallypette, Quentin Swain
    • Tom Neaves for the Captain Hook images :D
  • 35. Questions?