SlideShare a Scribd company logo

BeEF

A
AlexandraLacatus

Initial assessment presentation about the Browser Exploitation Framework

Technology
1 of 15
Download to read offline
BeEF The Browser Exploitation Framework alexandra.lacatus@info.uaic.ro FCS Iasi, Software Security
Overview What is BeEF Installation and requirements How it works Case studies & examples Advantages 2 Software Security, FCS Iasi, 2013-2014
What is BeEF? http://beefproject.com/ open-source penetration testing tool used to test and exploit web application and browser-based vunerabilities. Main developer: Wade Alcorn, security expert Last stable release: 0.4.4.7 / August 2013 3 Software Security, FCS Iasi, 2013-2014
Installation and requirements OSX 10.5.0 or higher, Modern Linux, Windows XP or higher Ruby 1.9.2 RVM or higher SQLite 3.x A list of ruby gems [...] 4 Software Security, FCS Iasi, 2013-2014
How it works BeEF uses a javascript file hook.js that will hook one or more browsers and will use them for launching directed command modules and further attacks against the system though a open door: the web browser context Uses a web interface to manage and send commands (attacks) to the browser zombies 5 Software Security, FCS Iasi, 2013-2014
BeEF Architecture 6 Software Security, FCS Iasi, 2013-2014 [3]
BeEF Features The official page lists 128 modules (exploits) Modular framework, can be easily extended with custom browser exploitation commands Provides RESTFul API that allows to control BeEF throuth HTTp requests (in JSON format) Can be configured to be integrated with Metasploit 7 Software Security, FCS Iasi, 2013-2014
BeEF Commands Modify the target's page html content (all the content, or alter only the hrefs) redirect the victim's browser to an arbitrary site generate dialog boxes/ fake notifications / request missing plugin installation as a context for placing and executing malicious code browser fingerprinting, detect plugins (ActiveX, Java, Flash, etc.) detect valid sessions of applications such as Twitter, Facebook and GMail. 8 Software Security, FCS Iasi, 2013-2014
Ex 1 - Malicious code injection Fake Notification Bar (e.g. Firefox) Displays a fake notification bar at the top of the screen. If the user clicks the notification they will be prompted to download a malicious Firefox extension (by default). Raw Javascript Sends the code to the selected hooked browsers where it will be executed. Code is run inside an anonymous function and the return value is passed to the framework. Multiline scripts are allowed, no special encoding is required. 9 Software Security, FCS Iasi, 2013-2014
Ex 2 - Web page defacement Replace content (Deface webpage) Overwrite the page, title and shortcut icon on the hooked page. Replace HREFs Rewrite all the href attributes of all matched links. TabNabbing This module redirects to the specified URL after the tab has been inactive for a specified amount of time. 10 Software Security, FCS Iasi, 2013-2014
Ex 3 - Keystroke Logging iFrame Event Logger Creates a 100% by 100% iFrame overlay with event logging. Fake LastPass Displays a fake LastPass user dialog which will log all the user's key strokes. 11 Software Security, FCS Iasi, 2013-2014
Ex 4 – Exporing the network Detect Social Networks This module will detect if the Hooked Browser is currently authenticated to GMail, Facebook and Twitter. (specify detection timeout) Network / Port Scanner Scan ports in a given hostname, using WebSockets, CORS and img tags. It uses the three methods to avoid blocked ports or Same Origin Policy. 12 Software Security, FCS Iasi, 2013-2014
Ex 5 – Browser fingerprinting Spider Eye Creates a snapshot of the victim's window Detect Firebug Detect Silverlight Detect Windows Media Player Detect ActiveX Detect toolbars Etc.. 13 Software Security, FCS Iasi, 2013-2014
Metasploit / w3af / BeEF Metasploit w3af BeEF Language Perl → Ruby Python Ruby Supported OS cross-platform cross-platform cross-platform Pen-testing target network Web applications browser $ Open source + paid Open source Open source Firewall 14 Software Security, FCS Iasi, 2013-2014
Bibliography [1] BeEF project main page: http://beefproject.com/ [2] BeEF project Github page: https://github.com/beefproject/beef [3] BeEF achitecture diagram: https://github.com/beefproject/beef/wiki/Architecture

Recommended

Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Web application firewall
Web application firewallWeb application firewall
Web application firewallAju Thomas
 
Virus & Anti Virus ppt
Virus & Anti Virus pptVirus & Anti Virus ppt
Virus & Anti Virus pptOECLIB Odisha Electronics Control Library
 
Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentationBokangMalunga
 
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines
Symantec Endpoint Protection Enterprise Edition Best Practices GuidelinesSymantec Endpoint Protection Enterprise Edition Best Practices Guidelines
Symantec Endpoint Protection Enterprise Edition Best Practices GuidelinesSree Harsha Boyapati
 
Phishing simulation exercises
Phishing simulation exercisesPhishing simulation exercises
Phishing simulation exercisesJisc
 
Mobile security
Mobile securityMobile security
Mobile securityMphasis
 

Recommended

Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Web application firewall
Web application firewallWeb application firewall
Web application firewallAju Thomas
 
Virus & Anti Virus ppt
Virus & Anti Virus pptVirus & Anti Virus ppt
Virus & Anti Virus pptOECLIB Odisha Electronics Control Library
 
Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentationBokangMalunga
 
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines
Symantec Endpoint Protection Enterprise Edition Best Practices GuidelinesSymantec Endpoint Protection Enterprise Edition Best Practices Guidelines
Symantec Endpoint Protection Enterprise Edition Best Practices GuidelinesSree Harsha Boyapati
 
Phishing simulation exercises
Phishing simulation exercisesPhishing simulation exercises
Phishing simulation exercisesJisc
 
Mobile security
Mobile securityMobile security
Mobile securityMphasis
 
Phishing detection & protection scheme
Phishing detection & protection schemePhishing detection & protection scheme
Phishing detection & protection schemeMussavir Shaikh
 
Email Security 101 – A Practical Guide For Every Business
Email Security 101 – A Practical Guide For Every Business Email Security 101 – A Practical Guide For Every Business
Email Security 101 – A Practical Guide For Every BusinessPECB
 
Detecting Phishing using Machine Learning
Detecting Phishing using Machine LearningDetecting Phishing using Machine Learning
Detecting Phishing using Machine Learningijtsrd
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with MicrosoftFIDO Alliance
 
Incident Reporting System
Incident Reporting SystemIncident Reporting System
Incident Reporting SystemSheikh Faiyaz
 
mobile application security
mobile application securitymobile application security
mobile application security-jyothish kumar sirigidi
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Introduction to biometric systems security
Introduction to biometric systems securityIntroduction to biometric systems security
Introduction to biometric systems securitySelf
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFAJack Forbes
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing AttacksSysCloud
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacksphanleson
 
Cybersecurity Awareness Training for Employees.pptx
Cybersecurity Awareness Training for Employees.pptxCybersecurity Awareness Training for Employees.pptx
Cybersecurity Awareness Training for Employees.pptxMustafa Amiri
 
Keyloggers
KeyloggersKeyloggers
Keyloggersnovacharter
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionCongDoanVan1
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Beef
BeefBeef
BeefManah Chhabra
 
Man02 10 tab napping
Man02 10 tab nappingMan02 10 tab napping
Man02 10 tab nappingXIMO GOMIS
 

More Related Content

What's hot

Phishing detection & protection scheme
Phishing detection & protection schemePhishing detection & protection scheme
Phishing detection & protection schemeMussavir Shaikh
 
Email Security 101 – A Practical Guide For Every Business
Email Security 101 – A Practical Guide For Every Business Email Security 101 – A Practical Guide For Every Business
Email Security 101 – A Practical Guide For Every BusinessPECB
 
Detecting Phishing using Machine Learning
Detecting Phishing using Machine LearningDetecting Phishing using Machine Learning
Detecting Phishing using Machine Learningijtsrd
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with MicrosoftFIDO Alliance
 
Incident Reporting System
Incident Reporting SystemIncident Reporting System
Incident Reporting SystemSheikh Faiyaz
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Introduction to biometric systems security
Introduction to biometric systems securityIntroduction to biometric systems security
Introduction to biometric systems securitySelf
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing AttacksSysCloud
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacksphanleson
 
Cybersecurity Awareness Training for Employees.pptx
Cybersecurity Awareness Training for Employees.pptxCybersecurity Awareness Training for Employees.pptx
Cybersecurity Awareness Training for Employees.pptxMustafa Amiri
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 

What's hot (20)

Phishing detection & protection scheme
Phishing detection & protection schemePhishing detection & protection scheme
Phishing detection & protection scheme
 
Email Security 101 – A Practical Guide For Every Business
Email Security 101 – A Practical Guide For Every Business Email Security 101 – A Practical Guide For Every Business
Email Security 101 – A Practical Guide For Every Business
 
Detecting Phishing using Machine Learning
Detecting Phishing using Machine LearningDetecting Phishing using Machine Learning
Detecting Phishing using Machine Learning
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with Microsoft
 
Incident Reporting System
Incident Reporting SystemIncident Reporting System
Incident Reporting System
 
mobile application security
mobile application securitymobile application security
mobile application security
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
 
Introduction to biometric systems security
Introduction to biometric systems securityIntroduction to biometric systems security
Introduction to biometric systems security
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFA
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacks
 
Cybersecurity Awareness Training for Employees.pptx
Cybersecurity Awareness Training for Employees.pptxCybersecurity Awareness Training for Employees.pptx
Cybersecurity Awareness Training for Employees.pptx
 
Keyloggers
KeyloggersKeyloggers
Keyloggers
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 

Viewers also liked

Man02 10 tab napping
Man02 10 tab nappingMan02 10 tab napping
Man02 10 tab nappingXIMO GOMIS
 
Carcass grading
Carcass gradingCarcass grading
Carcass gradingDr Neo
 
Carcass Grade
Carcass GradeCarcass Grade
Carcass GradeRizza Muh
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldAvishek Datta
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Classification of fruits
Classification of fruitsClassification of fruits
Classification of fruitsLucia Martinez
 
Fruits: Parts and Classification
Fruits: Parts and ClassificationFruits: Parts and Classification
Fruits: Parts and ClassificationAlyssaBumanglag
 

Viewers also liked (13)

Beef
BeefBeef
Beef
 
Man02 10 tab napping
Man02 10 tab nappingMan02 10 tab napping
Man02 10 tab napping
 
Carcass grading
Carcass gradingCarcass grading
Carcass grading
 
Carcass Grade
Carcass GradeCarcass Grade
Carcass Grade
 
Beef Lecture
Beef LectureBeef Lecture
Beef Lecture
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark World
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacks
 
Types of fruits
Types of fruitsTypes of fruits
Types of fruits
 
Fruits
FruitsFruits
Fruits
 
Classification of fruits
Classification of fruitsClassification of fruits
Classification of fruits
 
FRUITS
FRUITS FRUITS
FRUITS
 
Types Of Fruits
Types Of FruitsTypes Of Fruits
Types Of Fruits
 
Fruits: Parts and Classification
Fruits: Parts and ClassificationFruits: Parts and Classification
Fruits: Parts and Classification
 

Similar to BeEF

Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006losalamos
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Français Patch Tuesday – Novembre
Français Patch Tuesday – NovembreFrançais Patch Tuesday – Novembre
Français Patch Tuesday – NovembreIvanti
 
Phonegap android angualr material design
Phonegap android angualr material designPhonegap android angualr material design
Phonegap android angualr material designSrinadh Kanugala
 
Patch Tuesday Italia Novembre
Patch Tuesday Italia NovembrePatch Tuesday Italia Novembre
Patch Tuesday Italia NovembreIvanti
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Web application framework
Web application frameworkWeb application framework
Web application frameworkPankaj Chand
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose josemgg
 
Rethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-AppsRethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-AppsMartin Georgiev
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 

Similar to BeEF (20)

Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Français Patch Tuesday – Novembre
Français Patch Tuesday – NovembreFrançais Patch Tuesday – Novembre
Français Patch Tuesday – Novembre
 
Phonegap android angualr material design
Phonegap android angualr material designPhonegap android angualr material design
Phonegap android angualr material design
 
Patch Tuesday Italia Novembre
Patch Tuesday Italia NovembrePatch Tuesday Italia Novembre
Patch Tuesday Italia Novembre
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Web application framework
Web application frameworkWeb application framework
Web application framework
 
Project Presentation
Project Presentation Project Presentation
Project Presentation
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose
 
Rethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-AppsRethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-Apps
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 

Recently uploaded

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?Paolo Missier
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 

Recently uploaded (20)

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 

BeEF

  • 1. BeEF The Browser Exploitation Framework alexandra.lacatus@info.uaic.ro FCS Iasi, Software Security
  • 2. Overview What is BeEF Installation and requirements How it works Case studies & examples Advantages 2 Software Security, FCS Iasi, 2013-2014
  • 3. What is BeEF? http://beefproject.com/ open-source penetration testing tool used to test and exploit web application and browser-based vunerabilities. Main developer: Wade Alcorn, security expert Last stable release: 0.4.4.7 / August 2013 3 Software Security, FCS Iasi, 2013-2014
  • 4. Installation and requirements OSX 10.5.0 or higher, Modern Linux, Windows XP or higher Ruby 1.9.2 RVM or higher SQLite 3.x A list of ruby gems [...] 4 Software Security, FCS Iasi, 2013-2014
  • 5. How it works BeEF uses a javascript file hook.js that will hook one or more browsers and will use them for launching directed command modules and further attacks against the system though a open door: the web browser context Uses a web interface to manage and send commands (attacks) to the browser zombies 5 Software Security, FCS Iasi, 2013-2014
  • 6. BeEF Architecture 6 Software Security, FCS Iasi, 2013-2014 [3]
  • 7. BeEF Features The official page lists 128 modules (exploits) Modular framework, can be easily extended with custom browser exploitation commands Provides RESTFul API that allows to control BeEF throuth HTTp requests (in JSON format) Can be configured to be integrated with Metasploit 7 Software Security, FCS Iasi, 2013-2014
  • 8. BeEF Commands Modify the target's page html content (all the content, or alter only the hrefs) redirect the victim's browser to an arbitrary site generate dialog boxes/ fake notifications / request missing plugin installation as a context for placing and executing malicious code browser fingerprinting, detect plugins (ActiveX, Java, Flash, etc.) detect valid sessions of applications such as Twitter, Facebook and GMail. 8 Software Security, FCS Iasi, 2013-2014
  • 9. Ex 1 - Malicious code injection Fake Notification Bar (e.g. Firefox) Displays a fake notification bar at the top of the screen. If the user clicks the notification they will be prompted to download a malicious Firefox extension (by default). Raw Javascript Sends the code to the selected hooked browsers where it will be executed. Code is run inside an anonymous function and the return value is passed to the framework. Multiline scripts are allowed, no special encoding is required. 9 Software Security, FCS Iasi, 2013-2014
  • 10. Ex 2 - Web page defacement Replace content (Deface webpage) Overwrite the page, title and shortcut icon on the hooked page. Replace HREFs Rewrite all the href attributes of all matched links. TabNabbing This module redirects to the specified URL after the tab has been inactive for a specified amount of time. 10 Software Security, FCS Iasi, 2013-2014
  • 11. Ex 3 - Keystroke Logging iFrame Event Logger Creates a 100% by 100% iFrame overlay with event logging. Fake LastPass Displays a fake LastPass user dialog which will log all the user's key strokes. 11 Software Security, FCS Iasi, 2013-2014
  • 12. Ex 4 – Exporing the network Detect Social Networks This module will detect if the Hooked Browser is currently authenticated to GMail, Facebook and Twitter. (specify detection timeout) Network / Port Scanner Scan ports in a given hostname, using WebSockets, CORS and img tags. It uses the three methods to avoid blocked ports or Same Origin Policy. 12 Software Security, FCS Iasi, 2013-2014
  • 13. Ex 5 – Browser fingerprinting Spider Eye Creates a snapshot of the victim's window Detect Firebug Detect Silverlight Detect Windows Media Player Detect ActiveX Detect toolbars Etc.. 13 Software Security, FCS Iasi, 2013-2014
  • 14. Metasploit / w3af / BeEF Metasploit w3af BeEF Language Perl → Ruby Python Ruby Supported OS cross-platform cross-platform cross-platform Pen-testing target network Web applications browser $ Open source + paid Open source Open source Firewall 14 Software Security, FCS Iasi, 2013-2014
  • 15. Bibliography [1] BeEF project main page: http://beefproject.com/ [2] BeEF project Github page: https://github.com/beefproject/beef [3] BeEF achitecture diagram: https://github.com/beefproject/beef/wiki/Architecture