Hacktivity2011 be ef-preso_micheleorru
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Hacktivity2011 be ef-preso_micheleorru






Total Views
Views on SlideShare
Embed Views



6 Embeds 1,334

http://antisnatchor.com 1293
http://www.antisnatchor.com 31
http://paper.li 7
http://koto.github.com 1 1
http://webcache.googleusercontent.com 1



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Hacktivity2011 be ef-preso_micheleorru Presentation Transcript

  • 1. Dr. Strangelove or:how I Learned to Stop Worrying and Love the BeEFMichele “antisnatchor” Orru’ 18 September 2011
  • 2. Who am I?❖ Penetration Tester @ The Royal Bank ofScotland❖ BeEF core developer: - Tunneling Proxy, - XssRays integration, - various exploits, - lot of bug-fixing, testing and fun❖ Kubrick fan❖ Definitely not a fan of our Italian primeminister Silvio „bunga-bunga” Berlusconi❖@antisnatchor❖http://antisnatchor.com
  • 3. outline: cutting, devouring and digesting the legs off a browser❖ What the hell is BeEF?❖Cutting - Target enumeration and analysis❖Devouring - Internal net fingerprint - Exploiting internal services through the hooked browser - Keylogging, browser pwnage❖Digesting - Persistence, tunneling sqlmap/Burp through BeEF proxy - XSSrays integration❖Future development and ideas
  • 4. The Browser Nowadays
  • 5. What the hell is BeEF?❖ BeEF: Browser Exploitation Framework❖Pioneered by Wade Alcorn in 2005 (publicrelease)❖Powerful platform for Client-side pwnage,XSS post-exploitation and generally victimbrowser security-context abuse❖Each browser is likely to be within adifferent security context, and each contextmay provide a set of unique attack vectors.❖ The framework allows the penetrationtester to select specific modules (in real-time) to target each browser, and thereforeeach context.
  • 6. What the hell is BeEF?
  • 7. Cutting: Target enum and analysis❖ Lot of juicy information after first hookinitialization : ❖Browser/OS version ❖Cookies ❖Browser plugins ❖Supported features (Google Gears, Web Sockets, Flash, Java, . .)❖Specific modules are also there to help ❖Detect links/visited URLs ❖Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖Execute your custom Javascript
  • 8. Cutting: Target enum and analysis
  • 9. Devouring: Internal net fingerprint❖Recon/NetworkFingerprinting module Watch „Jboss 6.0.0M1 JMX Deploy Exploit:❖Knowing the victim internal IP, the attackercan start to fingerprint the internal networkvia Javascript to find common servers anddevices. (http://vimeo.com/24410203) the BeEF way... ” on Vimeo❖The approach currently in use is similar toYokoso (InGuardians) ❖Map of device/application default images ❖img tags are loaded into the victim DOM ❖Onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found
  • 10. Devouring: Internal net fingerprint❖Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (Owasp AppSec Eu 2011)❖ They developed new BeEF modules❖ They are working with us and their work will be available in BeEF trunk soon.A few examples: ❖Internal DNS enumeration ❖Reliable Port Scanning ❖Ping sweep
  • 11. Devouring: exploiting internal services❖Network/JbossJmxUploadExploit module Watch „Jboss 6.0.0M1 JMX Deploy Exploit:❖JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploitis available in MSF, but you need to havedirect access to the target (or use a host as apivot) (http://vimeo.com/24410203) the BeEF way... ” on Vimeo❖Then why not use the victim browser as apivot?
  • 12. Devouring: persistent keylogging❖Persistence/iFrameKeylogger module❖We can inject a 100%width/height overlay iFramethat loads the login page(in-domain), attaching alistener for keyboardevents (keylogger) in JS.❖After the victim logs in,she will stay in the injectediFrame while thecommunication channel willbe persistent in thebackground.
  • 13. Devouring: module autorun❖ We’ve ported back (from the old PHPversion) the autorun feature❖Add autorun: true in the command moduleconfig.yaml that you want to autorun❖When a new browser will be hooked in BeEF,the module will be automatically launched❖Imagine addingautorun: true inMetasploit autopwnmodule (anotherfeature ported back)...
  • 14. Digesting: hook default browser❖Originally disclosed by Billy (xs-sniper)Rios on „Expanding the Attack Surface”❖Browser/HookDefault module❖We use a PDF in order to attempt hookingthe default browser❖When executed, the hooked browser willload a PDF in a new window and use that tostart the default browser. ❖app.launchURL(" Hook-Js.html",true); ❖If everything will be ok, we hooked the default browser. ❖Future improvements: configurable bounce page and ruby pdf library
  • 15. Digesting: tunneling proxy❖Having a communication channel with thehooked browser, we can: ❖Receive requests as a proxy on BeEF ❖Translate these requests to XHRs (in- domain) ❖Parse the XHRs responses and send the data back to the original requestor...
  • 16. Digesting: tunneling proxy❖Using the victim browser hooked in BeEF as atunneling proxy, we will see the followingscenarios: ❖browsing the authenticated surface of the hooked domain through the security context of the victim browser; ❖spidering the hooked domain through the security context of the victim browser; ❖finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
  • 17. Digesting: tunneling proxy Let see the tunneling proxy in action! (demo time)
  • 18. Digesting: XssRays❖ Originally developed by Gareth Heyes in2009 as a pure JS-based XSS scanner❖ The XssRays BeEF extension allows you tocheck if links, forms and URI paths of the pagewhere the browser is hooked are vulnerableto XSS.❖What XssRays do is basically parse all thelinks and forms of the page where it is loadedand check for XSS on GET, POST parameters,and also in the URI path.
  • 19. Digesting: XssRays❖The original code by Gareth, from 2009,used a nice trick (the location.hash fragment)in order to have a sort of callback betweenparent and child iFrames❖This is now patched by all recent browsers. So how to check for XSSs cross- domain, respecting the SOP restrictions?
  • 20. Digesting: XssRays❖We inject a vector that will contact backBeEF if the JS code will be successfullyexecuted (thus, the XSS confirmed).❖No false positives (oh yes, that’s what Ilike)!❖Basically the document.location.href of theinjected iFrame that contains the vector willpoint to a know BeEF resource. The followingis an example value of href:✴
  • 21. Digesting: XssRays
  • 22. Digesting: XssRays
  • 23. Digesting: XssRays
  • 24. Digesting: XssRays
  • 25. Digesting: XssRays
  • 26. Digesting: XssRays
  • 27. Digesting: XssRays
  • 28. Digesting: XssRays
  • 29. Digesting: XssRays
  • 30. Digesting: XssRays
  • 31. Digesting: XssRays
  • 32. Future dev and ideas❖Improve XssRays: ❖add more attack vectors, more testing ❖add JS depth crawler❖Multi-hooking: a browser can be hooked onmultiple domains❖Check for time-based blind SQLi cross-domain via JS❖Improve the BeEF console (command line UI)❖Well...take a look here: http://code.google.com/p/beef/issues/list
  • 33. Get in touch with us❖Follow the BeEF: @beefproject❖Checkout BeEF: http://code.google.com/p/beef/❖Check our website: http://beefproject.com❖Have fun with it❖We’re hiring!!! (but we’ll not payyou...seriously, we have so many tasks to do,join us)
  • 34. Thanks to❖Wade Alcorn and the other BeEF ninjas:Ben, Scotty, Christian, Brendan, Saafan,. .❖My colleagues Piotr & Michal❖My employer❖Hacktivity crew and you attendees
  • 35. Questions?Thanks for your time!