Brief intro to BeEF

New core features: RESTful API, WebSockets, HTTPS

New extensions:
Evasion, Social Engineering



BeEF_EUSecWest-2012_Michele-Orru Presentation Transcript

  • BeEF, the Browser Exploitation Framework: What’s new from 2011. EUSecWest, 19 Sept 2012. Michele “antisnatchor” Orru
  • Who am I
    • Lead core developer of BeEF
    • Application Security Researcher
    • OpenBSD, Ruby and Javascript addicted
    • Senior Security Consultant @ Trustwave SpiderLabs
  • Outline
    • Brief intro to BeEF
    • New core features: RESTful API, WebSockets, HTTPS
    • New extensions: Evasion, Social Engineering
  • Meet BeEF
    • Browser Exploitation Framework
    • Pioneered by Wade Alcorn in 2005
    • Powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse
    • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context
  • RESTful API
    • The truth is:
      • I hate SOAP
      • I hate XML-RPC
      • I love to use protocol (HTTP) features without reinventing the wheel
  • RESTful API: Ruby + Sinatra + JSON
    get '/to/a/pub' do
      "BeER please"
    end
  • RESTful API
    • Facts:
      • programmatically control BeEF with whatever eats HTTP and JSON
      • integration is much easier
      • adding your custom logic is much easier
  • RESTful API demo: Java mass-pwner
    • Fingerprint hooked browsers
    • Achieve different forms of persistence
    • Inject an (unsigned) applet to determine exact JVM version/architecture/platform
    • Inject a second applet to launch a targeted attack with a malicious payload
  • WebSockets
    • The HTML5 specification introduces new features, including WebWorkers and WebSockets
    • WebSockets enable (almost) real-time communication between your webapp users and the backend
    • Streaming protocol, up to 2MB/message in latest browsers
  • WebSockets: XHR-polling (diagram)
  • WebSockets: XHR-polling vs WebSocket (diagram)
  • WebSockets
    • Server-side: event-based server
    • Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via Javascript
    • If the victim browser supports the technology, protocols are switched
    • Not (yet) enabled by default in BeEF: we’re still testing it
  • WebSockets
    • WebSockets open new horizons:
      • faster Tunneling Proxy (10x faster)
      • real-time VNC-like hooked browser control
      • generally faster communication
  • WebSockets demo
    • BeEF Tunneling Proxy with and without WebSockets
    • exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
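The "protocols are switched" step on the WebSockets slides is the HTTP Upgrade handshake defined in RFC 6455. The Ruby below is an added example written for this transcript, not BeEF's own code: it builds the client's Upgrade request, validates it on the server side, computes the Sec-WebSocket-Accept value, and has the client verify that value before treating the connection as a WebSocket. The host and path names are constructed for the example.

```ruby
require 'digest/sha1'
require 'securerandom'

# RFC 6455: the server appends this fixed GUID to the client's key before hashing.
WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'.freeze

# Strict base64 via pack/unpack, so no extra library is needed.
def b64(bytes)
  [bytes].pack('m0')
end

def unb64(text)
  text.unpack1('m0')
rescue ArgumentError
  nil
end

# Client side: build the HTTP Upgrade request. The key is 16 random bytes,
# base64-encoded; a fixed key can be passed in for reproducible tests.
def client_handshake(host, path, key = b64(SecureRandom.random_bytes(16)))
  request = [
    "GET #{path} HTTP/1.1",
    "Host: #{host}",
    'Upgrade: websocket',
    'Connection: Upgrade',
    "Sec-WebSocket-Key: #{key}",
    'Sec-WebSocket-Version: 13',
    '', ''
  ].join("\r\n")
  [request, key]
end

# Server side: the accept value that proves the server understood the
# WebSocket handshake rather than returning an unrelated HTTP response.
def websocket_accept(key)
  b64(Digest::SHA1.digest(key + WS_GUID))
end

# Split a raw HTTP message into its first line and a hash of lower-cased
# header names; works for both the request and the response.
def parse_http(raw)
  lines = raw.split("\r\n")
  first = lines.shift.to_s
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [first, headers]
end

# Server side: validate the upgrade request and answer 101 Switching
# Protocols, or refuse with 400 when any required header is missing or wrong.
def server_handshake(raw_request)
  first, h = parse_http(raw_request)
  key = h['sec-websocket-key']
  valid = first.start_with?('GET ') &&
          h['upgrade'].to_s.casecmp?('websocket') &&
          h['connection'].to_s.downcase.split(/,\s*/).include?('upgrade') &&
          h['sec-websocket-version'] == '13' &&
          key && unb64(key)&.bytesize == 16
  return "HTTP/1.1 400 Bad Request\r\n\r\n" unless valid
  [
    'HTTP/1.1 101 Switching Protocols',
    'Upgrade: websocket',
    'Connection: Upgrade',
    "Sec-WebSocket-Accept: #{websocket_accept(key)}",
    '', ''
  ].join("\r\n")
end

# Client side: only switch protocols if the server answered 101 and the
# accept value matches the key this client actually sent.
def client_accepts?(raw_response, key)
  first, h = parse_http(raw_response)
  first.start_with?('HTTP/1.1 101') && h['sec-websocket-accept'] == websocket_accept(key)
end

if __FILE__ == $PROGRAM_NAME
  req, key = client_handshake('hooked.example', '/ws')  # constructed host and path
  resp = server_handshake(req)
  puts req, resp, "client accepts: #{client_accepts?(resp, key)}"
end
```

After the client has accepted the 101 response, the connection is no longer a sequence of HTTP request/response pairs, which is why a filter that only inspects HTTP exchanges loses visibility from that point on. The Upgrade request and the 101 response are therefore the last place where an inspecting proxy can make a decision about the connection.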
  • HTTPS/WSS
    • BeEF supports HTTPS and WebSocket Secure, you just need to specify your certificate
    • Motivation:
      • STS support implemented in latest browsers (see Mixed Scripting)
      • prevent filtering if an SSL-proxy is not used
  • HTTPS/WSS
    • About STS (Strict Transport Security), meaning that (see ending-mixed-scripting-vulnerabilities.html):
      • hooked domain with STS, BeEF on a non-https resource: the browser will deny loading a script from a non-https resource
  • HTTPS/WSS
    • About STS (Strict Transport Security), meaning that (see mixed-scripting-vulnerabilities.html):
      • hooked domain with STS, BeEF over HTTPS: this will work!
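The two STS slides contrast a plain-HTTP and an HTTPS script source on a hooked domain that sends Strict-Transport-Security. As an added example written for this transcript (not BeEF code), the Ruby below shows the two checks a defender reviewing such a domain cares about: parsing and grading the Strict-Transport-Security header the domain sends, and deciding whether a given script URL would be treated as mixed active content on a given page. All hostnames are constructed.

```ruby
require 'uri'

# Parse a Strict-Transport-Security header value into its directives.
# Returns nil when there is no numeric max-age, since browsers ignore such a policy.
def parse_hsts(value)
  directives = {}
  value.to_s.split(';').each do |d|
    name, val = d.strip.split('=', 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = val.nil? ? true : val.delete('"')
  end
  return nil unless directives['max-age'].to_s =~ /\A\d+\z/
  {
    max_age: directives['max-age'].to_i,
    include_subdomains: directives.key?('includesubdomains'),
    preload: directives.key?('preload')
  }
end

# Review an HSTS policy and return a list of findings (empty means no concerns).
# min_age defaults to one year, the value commonly required for preloading.
def hsts_findings(value, min_age: 31_536_000)
  policy = parse_hsts(value)
  return ['no valid Strict-Transport-Security header (missing max-age)'] if policy.nil?
  findings = []
  findings << 'max-age 0 clears the policy' if policy[:max_age].zero?
  findings << "max-age #{policy[:max_age]} is below #{min_age} seconds" if policy[:max_age] < min_age
  findings << 'includeSubDomains missing: subdomains remain reachable over plain HTTP' unless policy[:include_subdomains]
  findings
end

# Would loading script_url from a page at page_url be mixed active content?
# Scheme-relative URLs ("//host/x.js") inherit the page scheme and are never mixed.
def mixed_script?(page_url, script_url)
  page = URI.parse(page_url)
  script = URI.parse(script_url)
  return false if script.scheme.nil?
  page.scheme == 'https' && script.scheme == 'http'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values for a stand-alone run.
  puts hsts_findings('max-age=300').inspect
  puts mixed_script?('https://hooked.example/login', 'http://beef.example/hook.js')
  puts mixed_script?('https://hooked.example/login', 'https://beef.example/hook.js')
end
```

The mixed-content check returns false for an HTTPS script source, which is exactly the slide's point: STS and mixed-content blocking remove the plain-HTTP path but say nothing about which origins may serve script into the page. Restricting that is the job of a Content-Security-Policy script-src directive, which is the control to review alongside the HSTS header.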
  • Evasion Extension
    • Motivation:
      • decrease the likelihood that the BeEF hook injection and communication will be detected
        • by machines (network filters)
        • by humans
  • Evasion Extension
    • define your own techniques, specify if they need a bootstrapper
    • define the technique chain
  • Social Eng. extension
    • The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
      • sending phishing emails using templates
      • cloning webpages, harvesting credentials
      • client-side pwnage
  • AND... WE DID IT!
  • Social Eng. extension
  • Social Eng. extension: web_cloner
    • Clone a webpage and serve it on BeEF, then automatically:
      • modify the page to intercept POST requests
      • add the BeEF hook to it
      • if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to the original page
  • Social Eng. extension: web_cloner
    • curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"https://", "mount":"/"}' -X POST http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1
    • If you register, you can specify a mount point of /config/login_verify2, so the phishing url will be (almost) the same
  • Social Eng. extension: web_cloner: Demo
  • Social Eng. extension: mass_mailer
    • Do your phishing email campaigns
      • get a sample email from your target (with company footer...)
      • copy the HTML content in a new BeEF email template
      • download images so they will be added inline!
      • add your malicious links/attachments
      • send the mail to X targets and have fun
  • Social Eng. extension: mass_mailer: email templates structure (screenshot)
  • Social Eng. extension: mass_mailer: ‘default’ template HTML mail (screenshot)
  • Social Eng. extension: mass_mailer: how the ‘default’ template email will look (screenshot)
  • Social Eng. extension: mass_mailer
    • curl -H "Content-Type: application/json; charset=UTF-8" -d body -X POST http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f
    • where body is: { "template": "default", "subject": "Hi from BeEF", "fromname": "BeEF", "link": "", "linktext": "", "recipients": [{ "": "Michele", "": "Antisnatchor"}]}
  • Social Eng. extension: mass_mailer: Demo
  • Social Eng. extension: combine everything FTW
    • Register your phishing domain
    • Point the A/MX records to a VPS where you have an SMTP server and BeEF
    • Create a BeEF RESTful API script that:
      • Clone a webpage link with web_cloner
      • Send X emails with that link with mass_mailer
      • Script intelligent attacks thanks to BeEF browser detection
  • Unfortunately...
    • There were so many changes from 2011 that we can’t cover them all in a one-hour-long talk
    • Other interesting extensions: QRcode, CustomHook, Notification
    • Other interesting core features: web imitation, cleaner/better code :D
    • Tens of new modules: we now have 125 modules (and counting :-)
  • Thanks
    • Wade for always being awesome
    • The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
    • A few new project joiners: Bart Leppens, gallypette, Quentin Swain
    • Tom Neaves for captain hook images :D
  • Questions?