Dr. Strangelove or: how I Learned to Stop Worrying and Love the BeEF

Michele “antisnatchor” Orru’

Confidence 2011 - 25 May 2011
Sunday, May 22, 2011
WHO AM I?

- Penetration Tester @ Royal Bank of Scotland
- BeEF developer, lover and eater
- Failed business man and “entrepreneur”
- Kubrick fan
- Definitely not a fan of our Italian prime minister Silvio “bunga-bunga” Berlusconi

Confidence 2011        {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor   #   2
Sunday, May 22, 2011
OUTLINE

- I cannot Pwn to Own :-(
- The new BeEF
- Add your own attacks to BeEF
- Extend BeEF (next conference... lack of time :-()
- Future development and cool ideas

I CANNOT PWN TO OWN :-(

- We need to break inside a network and reach the ApplicationServer
- The ApplicationServer is behind an Apache machine with mod_jk:
  - OS: OpenBSD
  - CPU: SPARC64
  - Open ports: 22 (public-key), 80, 443

CAN I EAT THE BEEF? (sorry vegetarians)

Nope! Even if it’s tasty :-)

CAN I EAT THE BEEF? (sorry vegetarians)

- BeEF => Browser Exploitation Framework
- Pioneered by Wade Alcorn in 2005 (public release)
- Originally inspired by Anton Rager’s research
- Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser’s security context

THE OLD BeEF => PHP + static HTML :-(




THE NEW BeEF => RUBY & ExtJS :-)




THE NEW BeEF

- Rewritten from scratch in Ruby
- ExtJS for a usable and Ajax-based GUI
- jQuery for DOM manipulation and XHR
- SQLite and MySQL support
- Modular and extensible architecture
- Core much more stable (next releases focused on attack scenarios - we’re open to any suggestions :-)
- A lot of new cool features and attacks...

coolest Features: METASPLOIT integration

- Launch MSF browser and client-side exploits (Flash, Adobe Reader, Java, ...) against the hooked browser in a point-and-click way :-)
- MSF integrated via XML-RPC, with an additional caching layer on the BeEF side
- Browser AutoPWN will be (re)added soon...

coolest Features: METASPLOIT integration

- Hidden iFrame injection with src pointing to the MSF listening callback service

coolest Features: EVENT LOGGER

- Log keystrokes, mouse clicks and form submissions executed in the hooked browser...
- ... then send them back to BeEF.
- Imagine finding an XSS on the pre-auth surface of a website.

coolest Features: EVENT LOGGER
0day Reflected XSS on Plesk Panel 10.2.0 (with SSO) login page

After hooking the victim browser to BeEF, Parallels Plesk admin/customer credentials can be stolen with JS keylogging.
coolest Features: NETWORK STACK

- BeEF base64-encodes the JSON’ed data stream and then splits the base64 string by the configured maximum URL length.
- Data is handled in streams of packets: once split, each segment is sent as a packet and reconstructed by BeEF.


BeEF: NETWORK STACK architecture




coolest Features: NETWORK STACK

- In future releases the maximum URL length will be automatically detected.
- How do you send 165KB of data back to BeEF?
  - packet queue
  - 165KB -> 165 packets


coolest Features: TUNNELING PROXY

- The browser becomes the exit node for the tunnel: it performs the HTTP request and receives the response.
- Next, the response is communicated back to the BeEF proxy, which in turn delivers it to the client that sent the request through the proxy.
- The request is made in the security context of the hooked user (any existing cookies are automatically used).


coolest Features: TUNNELING PROXY

          Similar to XSSProxy, but goes a step further:
              You can choose to which zombie tunnel requests
               Doesn’t need a third app (uses WebRick proxy)




coolest Features: PERSISTENCE

- Implemented using Samy’s EverCookie for the main BEEFHOOK cookie
- Various ready-to-use command modules:
  - iFrame persistence
  - pop-under window

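A defender's complement to the PERSISTENCE and NETWORK STACK slides, added here and not part of the original deck: a small triage routine over constructed proxy log lines that flags clients presenting the BEEFHOOK cookie or sending a run of near-maximum-length, base64-looking URLs to one host (the packetised result stream). The log layout, the 1024-byte URL limit, the run threshold and all addresses and cookie values are assumptions constructed for this example.

```javascript
// Added example (not BeEF code): triage of constructed proxy log lines for
// two signals the slides describe, the BEEFHOOK persistence cookie and a run
// of near-max-length URLs whose last parameter is a long base64 chunk.
// Log layout "<ts> <client> <host> <url> <cookie|->", the thresholds and the
// sample addresses are assumptions constructed for this example.

const MAX_URL_LENGTH = 1024;      // assumed configured maximum URL length
const PACKET_RUN_THRESHOLD = 5;   // assumed: this many chunk URLs to one host

function parseLine(line) {
  const [ts, client, host, url, cookie = '-'] = line.trim().split(/\s+/);
  return { ts, client, host, url, cookie: cookie === '-' ? '' : cookie };
}

// A "packet" URL sits close to the URL limit and its last query parameter is
// a long base64 run (optional '=' padding only at the very end).
function looksLikePacket(url) {
  if (url.length < MAX_URL_LENGTH * 0.9) return false;
  const m = url.match(/[?&][^=&]+=([^&]*)$/);
  return m !== null && /^[A-Za-z0-9+/]{200,}={0,2}$/.test(m[1]);
}

// Returns one finding per suspicious client with the reasons it was flagged.
function triage(lines) {
  const perClient = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    const e = parseLine(line);
    let c = perClient.get(e.client);
    if (!c) {
      c = { hookCookie: false, chunkRuns: new Map() }; // host -> chunk URL count
      perClient.set(e.client, c);
    }
    if (/(^|;\s*)BEEFHOOK=/.test(e.cookie)) c.hookCookie = true;
    if (looksLikePacket(e.url)) {
      c.chunkRuns.set(e.host, (c.chunkRuns.get(e.host) || 0) + 1);
    }
  }
  const findings = [];
  for (const [client, c] of perClient) {
    const reasons = [];
    if (c.hookCookie) reasons.push('BEEFHOOK cookie observed');
    for (const [host, n] of c.chunkRuns) {
      if (n >= PACKET_RUN_THRESHOLD) reasons.push(`${n} packet-like URLs to ${host}`);
    }
    if (reasons.length > 0) findings.push({ client, reasons });
  }
  return findings;
}

// Constructed sample: a 997-character URL carrying one fake base64 chunk.
function chunkUrl(seq) {
  return `/h?sid=7&seq=${seq}&d=${'QUJD'.repeat(245)}`;
}

// Constructed sample log: one hooked client sending six result chunks, one
// ordinary client, and one client with too few chunk-like URLs to flag.
const SAMPLE_LOG = [
  '2011-05-22T10:00:00Z 10.0.0.5 203.0.113.9 /hook BEEFHOOK=c0ffee',
  ...[0, 1, 2, 3, 4, 5].map((i) =>
    `2011-05-22T10:00:0${i + 1}Z 10.0.0.5 203.0.113.9 ${chunkUrl(i)} BEEFHOOK=c0ffee`),
  '2011-05-22T10:00:02Z 10.0.0.7 www.example.com /index.html?page=2 session=abc',
  '2011-05-22T10:00:03Z 10.0.0.7 www.example.com /images/logo.png -',
  `2011-05-22T10:00:04Z 10.0.0.8 203.0.113.9 ${chunkUrl(0)} -`,
  `2011-05-22T10:00:05Z 10.0.0.8 203.0.113.9 ${chunkUrl(1)} -`,
];

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```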
Add your own attacks to BeEF

One of the many reasons to code your exploit for BeEF is that you get a nice JavaScript API that gives you all you need to...

Add your own attacks to BeEF

- detect the browser, including version, plugins and other details
- detect the operating system, including iOS, BeOS and Win3.1 ;-)
- manipulate the DOM: attaching/detaching applets, creating invisible iFrames, rewriting links, ...


- log keystrokes, mouse clicks and form submissions
- do XHRs and retrieve all you need for further exploitation
- geolocate the victim, retrieving latitude/longitude for further targeted attacks




BeEF: LOADING SEQUENCE architecture




Add your own attacks to BeEF

- JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit
- Exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot)
- Then why not use the victim browser as a pivot?
How to port the JBoss exploit to BeEF in 3 steps (approximately 15/20 mins, testing included :-)




 first step: config file




second step: UI exploit setup




third step: javascript (exploit code)




Now let’s see it in action...

IT’s DEMO time!
Future development and cool ideas

- Enhance the Tunneling Proxy features
  - caching
  - request queueing
  - generally: performance
- Enhance Yokoso
  - add more device signatures
  - add support for HTTPS/IPv6

Future development and cool ideas

- Implement Rider
  - Victim X is browsing website example.com while hooked in BeEF.
  - Use her browser to proxy attacker requests and “ride” her session from the BeEF admin UI
- Implement a Meterpreter wrapper/shellcode that communicates over HTTP
  - In this way the browser can be a full pivot point :-)
Future development and cool ideas

- Command module autorun/autoexit
  - This will add AutoPwn features, while being the starting point for command chains like:
    hasJava() -> loadMaliciousApplet(...)
    launchMetasploitAuroraExploit(...) if beef.browser.isIE7()
- Implement obfuscated/polymorphic JavaScript hook
- Add support for HTTPS
Future development and cool ideas

... and many other (nasty) things ...

- Follow (and get in touch with) BeEF: @beefproject
- Check out BeEF: http://code.google.com/p/beef/
- Eat the BeEF

Thanks to

- Wade Alcorn and the other BeEF core developers (the two Bens, Scotty, Christian, ...)
- Michal & Piotr
- My employer
- Confidence crew and you attendees

QUESTIONS?

Confidence 2011        {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor   # 49
Sunday, May 22, 2011

More Related Content

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF

  • 1. Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
      Michele “antisnatchor” Orru’
      Confidence 2011 - 25 May 2011
      Sunday, May 22, 2011
  • 2. WHO AM I?
      Penetration Tester @ Royal Bank of Scotland
      BeEF developer, lover and eater
      Failed business man and “entrepreneur”
      Kubrick fan
      Definitely not a fan of our Italian prime minister Silvio “bunga-bunga” Berlusconi
      Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 2 Sunday, May 22, 2011
  • 3. OUTLINE
      I cannot Pwn to Own :-(
      The new BeEF
      Add your own attacks to BeEF
      Extend BeEF (next conference... lack of time :-()
      Future development and cool ideas
  • 4. I CANNOT PWN TO OWN :-(
      We need to break inside a network and reach the ApplicationServer.
      The ApplicationServer is behind an Apache machine with mod_jk:
      OS: OpenBSD
      CPU: SPARC64
      Open ports: 22 (public-key), 80, 443
  • 5. I CANNOT PWN TO OWN :-(
  • 6. I CANNOT PWN TO OWN :-(
  • 7. I CANNOT PWN TO OWN :-(
  • 8. I CANNOT PWN TO OWN :-(
  • 9. I CANNOT PWN TO OWN :-(
  • 10. I CANNOT PWN TO OWN :-(
  • 11. I CANNOT PWN TO OWN :-(
  • 12. I CANNOT PWN TO OWN :-(
  • 13. I CANNOT PWN TO OWN :-(
  • 14. I CANNOT PWN TO OWN :-(
  • 15. CAN I EAT THE BEEF? (sorry vegetarians)
      Nope! Even if it’s tasty :-)
  • 16. CAN I EAT THE BEEF? (sorry vegetarians)
      BeEF => Browser Exploitation Framework
      Pioneered by Wade Alcorn in 2005 (public release)
      Originally inspired by Anton Rager’s research
      Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser’s security context
  • 17. CAN I EAT THE BEEF? (sorry vegetarians)
  • 18. THE OLD BeEF => PHP + static HTML :-(
  • 19. THE NEW BeEF => RUBY & ExtJS :-)
  • 20. THE NEW BeEF
      Rewritten from scratch in Ruby
      ExtJS for a usable and ajax-based GUI
      jQuery for DOM manipulation and XHR
      SQLite and MySQL support
      Modular and extensible architecture
      Core much more stable (next releases focused on attack scenarios - we’re open to any suggestions :-)
      A lot of new cool features and attacks...
  • 21. Coolest features: METASPLOIT integration
      Launch MSF browser and client-side exploits (Flash, Adobe Reader, Java, ...) against the hooked browser in a point-and-click way :-)
      MSF integrated via XML-RPC, with an additional caching layer on the BeEF side
      Browser AutoPWN will be (re)added soon...
  • 22. Coolest features: METASPLOIT integration
      Hidden iFrame injection with src pointing to the MSF listening callback service
  • 23. Coolest features: EVENT LOGGER
      Log keystrokes, mouse clicks and form submissions that are executed in the hooked browser ... then send them back to BeEF ...
      Imagine finding XSS on the pre-auth surface of a website
  • 24. Coolest features: EVENT LOGGER
  • 25. Coolest features: EVENT LOGGER
      0day reflected XSS on Plesk Panel 10.2.0 (with SSO) login page
  • 26. Coolest features: EVENT LOGGER
      0day reflected XSS on Plesk Panel 10.2.0 (with SSO) login page
  • 27. Coolest features: EVENT LOGGER
      0day reflected XSS on Plesk Panel 10.2.0 (with SSO) login page
      After hooking the victim browser to BeEF, Parallels Plesk admin/customer credentials can be stolen with JS keylogging
  • 28. Coolest features: NETWORK STACK
      BeEF base64-encodes the JSON’ed data stream and then splits the base64 string by the configured maximum URL length.
      Once split, each segment is sent as a packet; data is handled in streams of packets that BeEF reconstructs on the server side.
  • 29. BeEF: NETWORK STACK architecture
  • 30. Coolest features: NETWORK STACK
      In future releases the maximum URL length will be detected automatically.
      How do you send 165KB of data back to BeEF? Packet queue: 165KB -> 165 packets
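The packet stream described on slides 28-30, as an added Ruby illustration written for this page (it is not BeEF's own code): the result is serialised to JSON, base64-encoded, cut at a configured maximum URL length, sent as numbered packets and reassembled by a queue that tolerates out-of-order arrival. The names build_packets, PacketQueue and round_trip, and the packet field layout, are assumptions made for the example, not BeEF's wire format.

```ruby
require 'json'
require 'base64'
require 'securerandom'

# Sender side (in BeEF this part runs in the hooked browser's JavaScript):
# serialise the result as JSON, base64 it, then cut the string into pieces no
# longer than the configured maximum URL length. Each piece becomes a packet
# carrying a stream id, its position and the total count. The field layout
# here is an assumption for illustration, not BeEF's actual wire format.
def build_packets(data, max_url_length, stream_id = SecureRandom.hex(4))
  encoded = Base64.strict_encode64(JSON.generate(data))
  chunks  = encoded.chars.each_slice(max_url_length).map(&:join)
  chunks.each_with_index.map do |chunk, i|
    { stream: stream_id, index: i, total: chunks.size, data: chunk }
  end
end

# Receiver side (BeEF's packet queue): packets of one stream can arrive in any
# order, so they are buffered by index and the stream is decoded only once
# every position has been filled.
class PacketQueue
  def initialize
    @streams = Hash.new { |h, k| h[k] = {} }
  end

  # Returns the decoded object when the stream completes, nil until then.
  def push(packet)
    buffer = @streams[packet[:stream]]
    buffer[packet[:index]] = packet[:data]
    return nil unless buffer.size == packet[:total]

    @streams.delete(packet[:stream])
    joined = (0...packet[:total]).map { |i| buffer.fetch(i) }.join
    JSON.parse(Base64.strict_decode64(joined))
  end
end

# Constructed sample: a ~3 KB result split at a 1024-character URL limit.
# Base64 inflates the data by a third, so the packet count lands a little
# above size / max_url_length (4 packets here rather than 3).
SAMPLE_RESULT = { 'module' => 'demo', 'output' => 'A' * 3000 }.freeze

# Full round trip, delivering packets in reverse order to show that
# reassembly does not depend on arrival order.
def round_trip(data, max_url_length)
  queue   = PacketQueue.new
  packets = build_packets(data, max_url_length)
  decoded = packets.reverse.map { |p| queue.push(p) }
  { packets: packets.size, partial: decoded[0..-2].all?(&:nil?), result: decoded.last }
end
```

The 165KB -> 165 packets figure on slide 30 is approximate for the same reason: the base64 expansion pushes the real count a third higher than a plain size / max_url_length division.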
  • 31. Coolest features: TUNNELING PROXY
      The browser becomes the exit node for the tunnel: it performs the HTTP request in the context of the hooked user (any existing cookies are used automatically) and receives the response.
      Next, the response is communicated back to the BeEF proxy, which in turn delivers it to the browser that issued the proxied request.
  • 32. Coolest features: TUNNELING PROXY
      Similar to XSSProxy, but goes a step further:
      You can choose which zombie to tunnel requests through
      Doesn’t need a third app (uses the WEBrick proxy)
  • 33. Coolest features: PERSISTENCE
      Implemented using Samy’s Evercookie for the main BEEFHOOK cookie
      Various ready-to-use command modules: iFrame persistence, pop-under window
  • 34. Add your own attacks to BeEF
      One of the many reasons to code your exploit for BeEF is that you get a nice JavaScript API that gives you all you need to...
  • 35. Add your own attacks to BeEF
      detect the browser, including version, plugins and other details
      detect the operating system, including iOS, BeOS and Win3.1 ;-)
      manipulate the DOM: attaching/detaching applets, creating invisible iFrames, rewriting links, ...
  • 36. Add your own attacks to BeEF
      log keystrokes, mouse clicks and form submissions
      do XHRs and retrieve all you need for further exploitation
      geolocate the victim, retrieving latitude/longitude for further targeted attacks
  • 37. BeEF: loading sequence architecture
  • 38. Add your own attacks to BeEF
      JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit
      The exploit is available in MSF, but you need direct access to the target (or a host to use as a pivot)
      Then why not use the victim browser as the pivot?
  • 39. Add your own attacks to BeEF
      How to port the JBoss exploit to BeEF in 3 steps (approximately 15/20 mins, testing included :-)
  • 40. Add your own attacks to BeEF
      First step: config file
  • 41. Add your own attacks to BeEF
      Second step: UI exploit setup
  • 42. Add your own attacks to BeEF
      Third step: JavaScript (exploit code)
  • 43. Add your own attacks to BeEF
      Now let’s see it in action... It’s DEMO time!
  • 44. Future development and cool ideas
      Enhance the Tunneling Proxy: features, caching, request queueing, and generally performance
      Enhance Yokoso: add more device signatures, add support for HTTPS/IPv6
  • 45. Future development and cool ideas
      Implement Rider: victim X is browsing website example.com while hooked in BeEF; use her browser to proxy attacker requests and “ride” her session from the BeEF admin UI
      Implement a Meterpreter wrapper/shellcode that communicates over HTTP; in this way the browser can be a full pivot point :-)
  • 46. Future development and cool ideas
      Command module autorun/autoexit: this will add AutoPwn features, while being the starting point for command chains like: hasJava() -> loadMaliciousApplet(...); launchMetasploitAuroraExploit(...) if beef.browser.isIE7()
      Implement an obfuscated/polymorphic JavaScript hook
      Add support for HTTPS
  • 47. Future development and cool ideas
      ... and many other (nasty) things ...
      Follow (and get in touch with) BeEF: @beefproject
      Check out BeEF: http://code.google.com/p/beef/
      Eat the BeEF
  • 48. Thanks to
      Wade Alcorn and the other BeEF core developers (the two Bens, Scotty, Christian, ...)
      Michal & Piotr
      My employer
      The Confidence crew and you, the attendees
  • 49. QUESTIONS?