Transcript of "Shake Hooves With BeEF - OWASP AppSec APAC 2012"

  1. Shake Hands With BeEF. Christian "@xntrik" Frichot, OWASP Perth Chapter, Asterisk Information Security, christian.frichot@asteriskinfosec.com.au. Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
  2. Introduction
  3. Story: the traditional external pen testing tale of woe.
  4. Egg shell: many environments have hardened exteriors but less protected interiors. (Image: http://www.flickr.com/photos/sidereal/2355999910/sizes/o/in/photostream/)
  5. Effectiveness. (Diagram: Web Browser -> Web Server (<html>, <?php) -> Database (SELECT *).) How effective can your penetration testing be if all you're doing is assessing a single external system ...
  6. ... without putting it in the context of the whole environment? (Image: http://forums.untangle.com/runkel/Logical-Network-Diagram.gif)
  7. Metasploit / SET growth, 2007 to 2011 (nb: not real statistics). I call this the state of modern pen testing: you can't just knock on the perimeter, you have to pivot through clients.
  8. Shrinking attack surfaces: offsite SMTP; 3rd party (or different) location web hosting; VPNs; proxies; small to zero attack surface. The attack surface is shrinking.
  9. Where's the data? Internal systems are where the information is held, or it sits behind web portals to *aaS providers, and we can't gain access to these systems and their information without pivoting through a client.
  10. Patched? Metasploit, in particular combined with SET, is effective at providing this pivot point. But what if the target environment is patched against known Metasploit exploits?
  11. Between full blown exploitation and pure social engineering: this is the vantage point that BeEF has, to happily sit in the browser.
  12. Lots of HTTP: lots of websites (@jeremiahg mentioned ~30 million new websites a month).
  13. Got BeEF? So what is BeEF? For those who don't know, it's the Browser Exploitation Framework.
  14. PHP BeEF: originally announced on ha.ckers.org in 2006 by Wade Alcorn, based entirely on PHP.
  15. Top 10 2010 - A2 - XSS: in its old incarnation BeEF was a great tool to demonstrate just how nasty XSS flaws could be (instead of the typical alert(1); dialog).
  16. Method of pivoting, method of penetration: BeEF is trying to become an all-round go-to platform for client-side exploitation development. The framework allows a penetration tester to select specific modules in real time to target against a hooked browser within its current context (which will provide different, unique attack vectors).
  17. Moving to the future: these days BeEF is developed in Ruby (like Metasploit), with stacks of JavaScript (we roll jQuery in there for command modules too).
  18. BeEF Architecture / Framework (slide thanks to Michele @antisnatchor Orru).
  19. http://blog.beefproject.com I like utilising Amazon's EC2 instances. We have a blog post on how to quickly run up a fully blown BeEF instance in no time: BeEF Cloud.
  20. Ruby BeEF
  21. Our dev team rely on modern agile development techniques, including a Continuous Integration service via Jenkins, utilising Rake test unit, Selenium, Capybara etc.
  22. BeEF Trilogy ("Who is your father?"): BeEF is currently made up of 3 main components. (Image: http://img4.cookinglight.com/i/2009/01/0901p40f-beef-patty-m.jpg?300:300)
  23. Firstly is the core. (Image: http://www.imdb.com/media/rm1627756544/tt0298814)
  24. The Core: the central API for extensions and modules; filters; the primary client-side JavaScript; server-side asset handling and web servicing; Ruby extensions; database models; and the hooking methods used to load and manage arbitrary extensions and command modules.
  25. Extensions
  26. Extensions: where you need to provide fairly tightly coupled functionality into the core, the extensions provide the developer with various API firing points, such as mounting new URL points. Currently BeEF has extensions for the admin web UI, the console, demo pages, event handling, initialisation of hooked browsers, Metasploit, proxy, requester and the XSSRays functionality.
  27. Command Modules (Image: http://www.mobiinformer.com/wp-content/uploads/2010/11/big_red_button.jpg)
  28. Command Modules: command modules are where individually packaged HTML/JS packages are stored. Currently these are broken down into the following categories: browser, debugging, host, misc, network, persistence, recon, router. Anything you want to do in JavaScript, HTML, Java, <insert arbitrary browser acceptable language> can be done.
  29. It always starts with Hooking: the first step in getting a browser into the framework is to get it to execute the BeEF payload. There are a few methods of achieving this:
  30. Hooking Browsers: XSS; social engineering (i.e. a tiny URL, or phishing via email); embedding the payload (think drive-by download); maintaining persistence after already being hooked (think Tab BeEF Injection).
  31. (Ab)use Cases
  32. Credit to Michele @antisnatchor Orru and Gareth Heyes for creating XSSRays.
  33. Tunnelling Proxy: http://www.youtube.com/watch?v=Z4cHyC3lowk&lr
  34. Hooking Mobile Devices: http://www.youtube.com/watch?v=5SVu6VdLWgs
  35. Teach a man to Fish BeEF... So let's look at how we can customise BeEF. First we'll look at a simple command module.
  36. RouterPwn.com: a compilation of ready to run JS/HTML exploits against many consumer routers, designed to be run on smart phones, and a great candidate for a collection of BeEF command modules. RouterPwn is from websec.ca's Roberto Salgado.
  37. Each module consists of at least 3 files: the config file (in YAML format), the Ruby module file, and the JavaScript file. The files are populated into categories, as touched on before.
  38. Each config file contains the category, the name, a description, the authors and the targeting configuration (this allows you to specify things like Safari only, or "user notify" for iPhone and Safari etc.).
  39. The module's Ruby file, in its simplest form, is used to configure which options are configurable, via the self.options method, and what to do with the returned results.
  40. And here is most of the JavaScript content. We utilise eruby for variable substitution (as can be seen where we're pulling in the previously set IP and DNS settings). You can also notice that in this JavaScript we use a JS object called beef. This is the core BeEF library within the framework, and it has a lot of functionality built in, such as creating invisible iframes.
  41. Here you can see what the user is presented with in the UI.
  42. Introducing "Chipmunking", named, at least at the moment, in reference to movie posters, in particular this movie poster... So QR codes are... everywhere.
  43. I mean... everywhere... and they're only becoming more ubiquitous.
  44. So let's put together a new extension for BeEF. Let's build a custom hook point (URL) such that if you (or your victims) visit it, you will be hooked into BeEF and immediately presented with a full-screen iframe of the target site. We'll then use the current QRCode extension in BeEF to generate this QR code for us too.
  45. Similar to command modules, extensions require a few files: the config file (again, a YAML file) and then the extension Ruby file itself.
  46. beef/extensions/chipmunked/extension.rb
  47. beef/extensions/chipmunked/api.rb ("/yougotchipmunked")
  48. beef/extensions/chipmunked/html/index.html
  49. beef/extensions/chipmunked/handler.rb: handles the requests to /yougotchipmunked
  50. Wrapping it together (QR code)
  51. beef/extensions/qrcode/config.yaml
  52. Demo: http://www.youtube.com/watch?v=aTLHeMrNBFQ&hd=1
  53. Where to from here?
  54. If you get stuck... or if we get stuck...
  55. Help us out! Pull requests please: github.com/beefproject/beef, beefproject.com, @beefproject
  56. Want to talk more? @xntrik, christian.frichot@asteriskinfosec.com.au
  57. Questions? Hehe... "Descisions"
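The command-module layout the talk describes (slides 37 to 40: a YAML config carrying category, name, description, authors and targeting; a Ruby file that declares options via self.options and handles returned results; and a JavaScript file with eruby substitution that calls into the beef object) is shown below as a stand-alone Ruby simulation. This is an added example, not code from the talk or from the BeEF project: the module is hypothetical, the config, browser codes and template are constructed, and @command_url, @command_id and beef.net.send are assumed names standing in for whatever the real framework supplies. It also adds the one check a reviewer would want here: the operator-supplied option value is emitted into the JavaScript through to_json, so it cannot break out of the string literal.

```ruby
# Added example (not BeEF's own code): a stand-alone simulation of the
# three-file command-module layout described in the talk. Nothing here
# loads the BeEF framework; @command_url, @command_id and beef.net.send are
# assumed names standing in for what the real framework supplies.
require 'yaml'
require 'erb'
require 'json'
require 'uri'

# Constructed config.yaml content with the fields the talk lists: category,
# name, description, authors and targeting configuration. The browser codes
# under target are constructed for this example.
MODULE_CONFIG_YAML = <<~YAML
  beef:
    module:
      page_title:
        enable: true
        category: "Recon"
        name: "Get Page Title"
        description: "Reports the title of the hooked page back to the framework."
        authors: ["example author"]
        target:
          working: ["FF", "C"]
          user_notify: ["S"]
YAML

# Constructed command.js template. <%= ... %> is the eruby/ERB substitution
# the talk refers to; option values and the callback details are filled in
# server-side before the script is delivered to the hooked browser.
COMMAND_JS_TEMPLATE = <<~JS
  beef.execute(function() {
    var label = <%= @label.to_json %>;
    beef.net.send('<%= @command_url %>', <%= @command_id %>,
                  'title=' + encodeURIComponent(document.title) +
                  '&label=' + encodeURIComponent(label));
  });
JS

# Stand-in for the module's Ruby file: self.options declares what the operator
# can configure in the UI, post_execute deals with the returned result.
class PageTitleModule
  attr_reader :config

  def initialize(yaml_text)
    @config = YAML.safe_load(yaml_text).fetch('beef').fetch('module').fetch('page_title')
  end

  def self.options
    [{ 'name' => 'label', 'ui_label' => 'Label', 'value' => 'default' }]
  end

  def name
    config['name']
  end

  def category
    config['category']
  end

  # Targeting check: 'working', 'user_notify' (runs but may prompt the user),
  # or 'not_working' for browsers the config does not list.
  def target_status(browser)
    target = config.fetch('target', {})
    return 'working' if Array(target['working']).include?(browser)
    return 'user_notify' if Array(target['user_notify']).include?(browser)
    'not_working'
  end

  # Render the JavaScript with ERB, binding the option value and the
  # (assumed) callback URL and command id. to_json in the template escapes the
  # operator-supplied value so it cannot break out of the JS string literal.
  def render_js(label:, command_url:, command_id:)
    @label = label
    @command_url = command_url
    @command_id = command_id
    ERB.new(COMMAND_JS_TEMPLATE).result(binding)
  end

  # Stand-in for post_execute: decode the "key=value&key=value" body the
  # JavaScript sends back into a result hash.
  def post_execute(raw_result)
    URI.decode_www_form(raw_result).to_h
  end
end

if __FILE__ == $PROGRAM_NAME
  mod = PageTitleModule.new(MODULE_CONFIG_YAML)
  puts "#{mod.category} / #{mod.name} (FF: #{mod.target_status('FF')}, S: #{mod.target_status('S')})"
  puts mod.render_js(label: "it's", command_url: '/command/page_title.js', command_id: 7)
  p mod.post_execute('title=Hello%20World&label=it%27s')
end
```

Run it with plain `ruby` and it prints the rendered JavaScript with the label and callback details substituted, then the decoded result hash. The targeting method mirrors the "Safari only" and "user notify" distinction from slide 38 without assuming BeEF's real browser identifiers.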
