Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF

What will you do during a pentest if you get access to some of the target's internal resources while having no exploitable external ones for escalation? Well, there could be many responses to this provocative question, ranging from social engineering techniques to the exploitation of victims' browsers inside the target.

We will see how BeEF can help resolve almost impossible pentest situations by directly exploiting the victims inside the target, using their machines as a pivot to gain access to internal as well as external resources, and how it is now much easier to extend BeEF's functionality by writing your own modules to suit your needs.

Apart from that, the presentation will focus on the new BeEF platform being developed in Ruby, a complete code rewrite with many new features: to mention just some of them, the new Metasploit integration for zombie pwnage, persistent sessions, a tunneling proxy and many new ways to use the victim browser to do nasty things.

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF

  1. Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF. Michele “antisnatchor” Orru’. Confidence 2011 - 25 May 2011. Sunday, May 22, 2011
  2. WHO AM I? Penetration Tester @ Royal Bank of Scotland. BeEF developer, lover and eater. Failed businessman and “entrepreneur”. Kubrick fan. Definitely not a fan of our Italian prime minister Silvio “bunga-bunga” Berlusconi. Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor # 2. Sunday, May 22, 2011
  3. OUTLINE: I cannot Pwn to Own :-(; The new BeEF; Add your own attacks to BeEF; Extend BeEF (next conference... lack of time :-(); Future development and cool ideas.
  4. I CANNOT PWN TO OWN :-( We need to break inside a network and reach the ApplicationServer. The ApplicationServer is behind an Apache machine with mod_jk: OS: OpenBSD; CPU: SPARC64; open ports: 22 (public-key), 80, 443.
  5.-14. I CANNOT PWN TO OWN :-( (ten image-only slides)
  15. CAN I EAT THE BEEF? (sorry vegetarians) Nope! Even if it’s tasty :-)
  16. CAN I EAT THE BEEF? (sorry vegetarians) BeEF => Browser Exploitation Framework. Pioneered by Wade Alcorn in 2005 (public release). Originally inspired by Anton Rager's research. A powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser's security context.
  17. CAN I EAT THE BEEF? (sorry vegetarians) (image slide)
  18. THE OLD BeEF => PHP + static HTML :-(
  19. THE NEW BeEF => RUBY & ExtJS :-)
  20. THE NEW BeEF: rewritten from scratch in Ruby. ExtJS for a usable and ajax-based GUI. jQuery for DOM manipulation and XHR. SQLite and MySQL support. Modular and extensible architecture. Core much more stable (next releases focused on attack scenarios - we’re open to any suggestions :-). A lot of new cool features and attacks...
  21. coolest Features: METASPLOIT integration. Launch MSF browser and client-side exploits (Flash, Adobe Reader, Java, ...) against the hooked browser in a point-and-click way :-). MSF is integrated via XML-RPC, with an additional caching layer on the BeEF side. Browser AutoPWN will be (re)added soon...
  22. coolest Features: METASPLOIT integration. Hidden iFrame injection with src pointing to the MSF listening callback service.
  23. coolest Features: EVENT LOGGER. Log keystrokes, mouse clicks and form submissions that are executed by the hooked browser... then send them back to BeEF... Imagine finding XSS on the pre-auth surface of a website.
  24. coolest Features: EVENT LOGGER (image slide)
  25.-26. coolest Features: EVENT LOGGER. 0day Reflected XSS on Plesk Panel 10.2.0 (with SSO) login page (two image slides).
  27. coolest Features: EVENT LOGGER. 0day Reflected XSS on Plesk Panel 10.2.0 (with SSO) login page. After hooking the victim browser to BeEF, Parallels Plesk admin/customer credentials can be stolen with JS keylogging.
  28. coolest Features: NETWORK STACK. BeEF base64-encodes the JSONed data stream and then splits the base64 string by the configured maximum URL length. Once split, each segment is sent as a packet; data is handled in streams of packets that are reconstructed by BeEF.
  29. BeEF: NETWORK STACK architecture (diagram slide)
  30. coolest Features: NETWORK STACK. In future releases the maximum URL length will be automatically detected. How do you send 165KB of data back to BeEF? Packet queue: 165KB -> 165 packets.
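The split-and-reassemble scheme that slides 28 and 30 describe, as an added example written for this page in Ruby (the language of the new BeEF core) and not BeEF's own code. It is written from the analyst's side: the splitter shows how a JSON result becomes a base64 string cut into segments no longer than the configured maximum URL length, and the reassembler recovers the original object from packets as they would appear in a web proxy's access log, which is how a defender reviewing proxy logs would reconstruct what a hooked browser sent back. The `/dh` path, the `stream`, `seq`, `total` and `data` parameter names and the log-line layout are assumptions made for illustration, not BeEF's real wire format; the 40-character limit and the sample payload are constructed so the example splits into several packets.

```ruby
require 'json'
require 'base64'
require 'cgi'

# Constructed, deliberately tiny limit so the sample below splits into several packets.
MAX_URL_LENGTH = 40

# Sender side, as the slides describe it: JSON-encode the result, base64 it,
# split the base64 string into segments no longer than the configured maximum
# URL length, and tag each segment with a stream id, sequence number and total.
def split_into_packets(payload, stream_id, max_url_length = MAX_URL_LENGTH)
  encoded = Base64.strict_encode64(JSON.generate(payload))
  segments = encoded.scan(/.{1,#{max_url_length}}/)
  segments.each_with_index.map do |seg, i|
    { stream: stream_id, seq: i, total: segments.size, data: seg }
  end
end

# Render a packet the way it would show up in a proxy access log
# (hypothetical /dh path and parameter names; method, path and query only).
def packet_to_log_line(packet)
  query = "stream=#{packet[:stream]}&seq=#{packet[:seq]}" \
          "&total=#{packet[:total]}&data=#{CGI.escape(packet[:data])}"
  "GET /dh?#{query} HTTP/1.1"
end

# Parse one such log line back into a packet hash; nil for unrelated requests.
def parse_log_line(line)
  m = line.match(%r{GET /dh\?(\S+) HTTP})
  return nil unless m
  params = CGI.parse(m[1]) # CGI.parse also URL-decodes the base64 segment
  { stream: params['stream'][0].to_i, seq: params['seq'][0].to_i,
    total: params['total'][0].to_i, data: params['data'][0] }
end

# Receiver side: buffer packets per stream, tolerate out-of-order arrival and
# duplicates, and hand back the decoded object once every sequence number
# 0..total-1 has been seen. Returns nil while a stream is still incomplete.
class StreamReassembler
  def initialize
    @streams = Hash.new { |h, k| h[k] = {} }
  end

  def add(packet)
    buf = @streams[packet[:stream]]
    buf[packet[:seq]] = packet[:data]
    return nil unless (0...packet[:total]).all? { |i| buf.key?(i) }
    @streams.delete(packet[:stream])
    joined = (0...packet[:total]).map { |i| buf[i] }.join
    JSON.parse(Base64.strict_decode64(joined))
  end
end

# Walk a list of log lines and return every stream that could be fully rebuilt.
def reassemble_from_log(lines)
  reassembler = StreamReassembler.new
  lines.map { |line| (pkt = parse_log_line(line)) && reassembler.add(pkt) }.compact
end

if __FILE__ == $0
  # Constructed sample: one result object, split, logged out of order, rebuilt.
  packets = split_into_packets({ 'result' => 'x' * 50 }, 7)
  log = packets.reverse.map { |p| packet_to_log_line(p) }
  puts "#{packets.size} packets, rebuilt: #{reassemble_from_log(log).inspect}"
end
```

The reassembler keys on the sequence number rather than counting arrivals, so a retransmitted packet overwrites its own slot instead of being mistaken for the missing one; with a 165KB result and a limit of roughly 1KB per URL this is the 165-packet case the slide mentions.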
  31. coolest Features: TUNNELING PROXY. The browser becomes the exit node for the tunnel: it will perform the HTTP request and receive the response. Next, the response is communicated back to the BeEF proxy, which in turn delivers it to the browser. Afterwards, the request is made in the context of the user (any existing cookies will be automatically used).
  32. coolest Features: TUNNELING PROXY. Similar to XSSProxy, but goes a step further: you can choose to which zombie to tunnel requests; doesn’t need a third app (uses the WEBrick proxy).
  33. coolest Features: PERSISTENCE. Implemented using Samy’s evercookie for the main BEEFHOOK cookie. Various ready-to-use command modules: iFrame persistence, pop-under window.
  34. Add your own attacks to BeEF. One of the many reasons to code your exploit for BeEF is that you get a nice JavaScript API that gives you all you need to...
  35. Add your own attacks to BeEF: detect the browser, including version, plugins and other details; detect the operating system, including iOS, BeOS and Win3.1 ;-); manipulate the DOM: attaching/detaching applets, creating invisible iFrames, rewriting links, ...
  36. Add your own attacks to BeEF: log keystrokes, mouse clicks and form submissions; do XHRs and retrieve all you need for further exploitation; geolocate the victim, retrieving latitude/longitude for further targeted attacks.
  37. BeEF: loading sequence architecture (diagram slide)
  38. Add your own attacks to BeEF. JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit. The exploit is available in MSF, but you need direct access to the target (or a host to use as a pivot). Then why not use the victim browser as a pivot?
  39. Add your own attacks to BeEF. How to port the JBoss exploit to BeEF in 3 steps (approximately 15/20 mins, testing included :-)
  40. Add your own attacks to BeEF. First step: config file (image slide)
  41. Add your own attacks to BeEF. Second step: UI exploit setup (image slide)
  42. Add your own attacks to BeEF. Third step: javascript (exploit code) (image slide)
  43. Add your own attacks to BeEF. Now let's see it in action... ✤ IT’s DEMO time!
  44. Future development and cool ideas. Enhance the Tunneling Proxy features: caching, request queueing, generally performance. Enhance Yokoso: add more device signatures, add support for HTTPS/IPv6.
  45. Future development and cool ideas. Implement Rider: victim x is browsing website example.com while hooked in BeEF; use her browser to proxy attacker requests and "Ride" her session from the BeEF admin UI. Implement a Meterpreter wrapper/shellcode that communicates over HTTP; in this way the browser can be a full pivot point :-)
  46. Future development and cool ideas. Command module autorun/autoexit: this will add AutoPwn features, while being the starting point for command chains like: hasJava() -> loadMaliciousApplet(...); launchMetasploitAuroraExploit(...) if beef.browser.isIE7(). Implement an obfuscated/polymorphic JavaScript hook. Add support for HTTPS.
  47. Future development and cool ideas. ... and many other (nasty) things ... Follow (and get in touch with) BeEF: @beefproject. Check out BeEF: http://code.google.com/p/beef/ Eat the BeEF.
  48. Thanks to Wade Alcorn and the other BeEF core developers (the two Bens, Scotty, Christian, ...), Michal & Piotr, my employer, the Confidence crew and you attendees.
  49. QUESTIONS?
