Brief intro to BeEF
New core features: RESTful API, WebSockets, HTTPS
New extensions: Evasion, Social Engineering



  1. BeEF, the Browser Exploitation Framework: What’s new from 2011. EUSecWest, 19 Sept 2012. Michele “antisnatchor” Orru
  2. Who am I
     • Lead core developer of BeEF
     • Application Security Researcher
     • OpenBSD, Ruby and Javascript addicted
     • Senior Security Consultant @ Trustwave SpiderLabs
  3. Outline
     • Brief intro to BeEF
     • New core features: RESTful API, WebSockets, HTTPS
     • New extensions: Evasion, Social Engineering
  4. Meet BeEF
     • Browser Exploitation Framework
     • Pioneered by Wade Alcorn in 2005
     • Powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.
     • The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
  5. RESTful API
     • The truth is:
       • I hate SOAP
       • I hate XML-RPC
       • I love to use protocol (HTTP) features without reinventing the wheel
  6. RESTful API
     • Ruby + Sinatra + JSON

         require 'sinatra'

         # A Sinatra route: GET /to/a/pub answers with a plain-text body
         get '/to/a/pub' do
           'BeER please'
         end

  7. RESTful API
     • Facts:
       • programmatically control BeEF with whatever eats HTTP and JSON
       • integration is much easier
       • adding your custom logic is much easier
  8. RESTful API demo: Java mass-pwner
     • Fingerprint hooked browsers
     • Achieve different forms of persistence
     • Inject an (unsigned) applet to determine exact JVM version/architecture/platform
     • Inject a second applet to launch a targeted attack with a malicious payload
  9. WebSockets
     • HTML5 specification introduces new features, including WebWorkers and WebSockets
     • WebSockets enable (almost) real-time communication between your webapp users and the backend
     • Streaming protocol, up to 2MB/message in latest browsers
  10. WebSockets (diagram: XHR-polling)
  11. WebSockets (diagram: XHR-polling vs. WebSocket)
  12. WebSockets
     • Server-side: event-based server
     • Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via Javascript
     • If the victim browser supports the technology, protocols are switched
     • Not (yet) enabled by default in BeEF: we’re still testing it
  13. WebSockets
     • WebSockets open new horizons:
       • faster Tunneling Proxy (10x faster)
       • real-time VNC-like hooked browser control
       • generally faster communication
  14. WebSockets demo
     • BeEF Tunneling Proxy with and without WebSockets
       • exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
  15. HTTPS/WSS
     • BeEF supports HTTPS and WebSocket Secure (WSS); you just need to specify your certificate
     • Motivation:
       • STS support implemented in latest browsers (see Mixed Scripting)
       • prevent filtering if an SSL-proxy is not used
  16. HTTPS/WSS
     • About STS
       • Strict Transport Security, meaning that the browser will deny loading a script from a non-https resource (see ending-mixed-scripting-vulnerabilities.html)
       • Diagram: hooked domain with STS; a BeEF hook loaded from a non-https resource is denied
  17. HTTPS/WSS
     • About STS
       • Strict Transport Security (see mixed-scripting-vulnerabilities.html)
       • Diagram: hooked domain with STS; a BeEF hook loaded over https: this will work!
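As an added illustration of the STS and mixed-scripting point on slides 16 and 17 (example code written for this page, not part of the talk or of BeEF itself): a small Ruby helper that parses a Strict-Transport-Security header and decides whether a browser that already knows the policy would refuse a script loaded over plain http into the hooked page. The host names, port and header values below are constructed for the example; the helper assumes the browser has already seen the STS header on an earlier https response, which is what makes it apply the policy.

```ruby
require 'uri'

# Parse a Strict-Transport-Security header value (RFC 6797 style:
# "max-age=31536000; includeSubDomains") into a small policy hash.
# Returns nil when the header is absent or carries no usable max-age,
# because a policy without max-age is ignored by browsers.
def parse_sts(header)
  return nil if header.nil? || header.strip.empty?

  policy = { max_age: nil, include_subdomains: false }
  header.split(';').map(&:strip).reject(&:empty?).each do |directive|
    name, value = directive.split('=', 2).map(&:strip)
    value = value.to_s.delete('"') # quoted values are allowed by the RFC
    case name.downcase
    when 'max-age'
      policy[:max_age] = value.to_i if value.match?(/\A\d+\z/)
    when 'includesubdomains'
      policy[:include_subdomains] = true
    end
  end
  policy[:max_age] ? policy : nil
end

# The scheme the page effectively loads with once a known STS policy is
# applied: an http:// navigation to a host with a non-zero max-age is
# upgraded to https:// before any request leaves the browser.
# (Assumption: the policy was learned earlier over https and is still cached.)
def effective_page_scheme(page_url, sts_header = nil)
  uri = URI(page_url)
  return 'https' if uri.scheme == 'https'

  policy = parse_sts(sts_header)
  return 'https' if policy && policy[:max_age] > 0

  uri.scheme
end

# Mixed active content rule: an https page must not execute a script
# fetched over plain http. This is the check the slides describe as
# "the browser will deny loading a script from a non-https resource".
def script_blocked?(page_url, script_url, sts_header = nil)
  page_scheme = effective_page_scheme(page_url, sts_header)
  script_scheme = URI(script_url).scheme
  page_scheme == 'https' && script_scheme == 'http'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenarios matching the two diagrams on the slides.
  hook_http  = 'http://hook-server.example:3000/hook.js'
  hook_https = 'https://hook-server.example:3000/hook.js'
  sts = 'max-age=31536000; includeSubDomains'

  [
    ['https://hooked.example/', hook_http,  nil],  # slide 16: denied
    ['https://hooked.example/', hook_https, nil],  # slide 17: works
    ['http://hooked.example/',  hook_http,  nil],  # no STS, no https: loads
    ['http://hooked.example/',  hook_http,  sts]   # STS upgrades page: denied
  ].each do |page, script, header|
    verdict = script_blocked?(page, script, header) ? 'BLOCKED' : 'allowed'
    puts format('%-8s page=%-26s script=%-42s sts=%s', verdict, page, script, header.inspect)
  end
end
```

The last scenario is the one that matters for the slides' motivation: even when the hooked page is requested over http, a cached STS policy upgrades it to https first, so a hook served over plain http is then mixed active content and is refused, while the same hook served over https (slide 17) loads.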
  18. Evasion Extension
     • Motivation:
       • decrease the likelihood that the BeEF hook injection and communication will be detected
         • by machines (network filters)
         • by humans
  19. Evasion Extension
     • define your own techniques, specifying whether they need a bootstrapper
     • define the technique chain
  20. Social Eng. extension
     • The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
       • sending phishing emails using templates
       • cloning webpages, harvesting credentials
       • client-side pwnage
  21. AND... WE DID IT!
  22. Social Eng. extension
  23. Social Eng. extension: web_cloner
     • Clone a webpage and serve it on BeEF, then automatically:
       • modify the page to intercept POST requests
       • add the BeEF hook to it
       • if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to the original page
  24. Social Eng. extension: web_cloner

         curl -H "Content-Type: application/json; charset=UTF-8" \
              -d '{"url":"https://", "mount":"/"}' \
              -X POST "http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1"

     • If you register, you can specify a mount point of /config/login_verify2, so the phishing url will be (almost) the same
  25. Social Eng. extension: web_cloner
     • Demo
  26. Social Eng. extension: mass_mailer
     • Do your phishing email campaigns
       • get a sample email from your target (with company footer...)
       • copy the HTML content in a new BeEF email template
       • download images so they will be added inline!
       • add your malicious links/attachments
       • send the mail to X targets and have fun
  27. Social Eng. extension: mass_mailer
     • email templates structure
  28. Social Eng. extension: mass_mailer
     • ‘default’ template HTML mail
  29. Social Eng. extension: mass_mailer
     • how the ‘default’ template email will look
  30. Social Eng. extension: mass_mailer

         curl -H "Content-Type: application/json; charset=UTF-8" \
              -d '{
                    "template": "default",
                    "subject": "Hi from BeEF",
                    "fromname": "BeEF",
                    "link": "",
                    "linktext": "",
                    "recipients": [{ "": "Michele", "": "Antisnatchor" }]
                  }' \
              -X POST "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f"

  31. Social Eng. extension: mass_mailer
     • Demo
  32. Social Eng. extension: Combine everything FTW
     • Register your phishing domain
     • Point the A/MX records to a VPS where you have an SMTP server and BeEF
     • Create a BeEF RESTful API script that:
       • Clones a webpage with web_cloner
       • Sends X emails with that link with mass_mailer
       • Scripts intelligent attacks thanks to BeEF browser detection
  33. Unfortunately...
     • There were so many changes from 2011 that we can’t cover them all in a one-hour talk
     • Other interesting extensions: QRcode, CustomHook, Notification
     • Other interesting core features: web imitation, cleaner/better code :D
     • Tens of new modules: we now have 125 modules (and counting :-)
  34. Thanks
     • Wade for always being awesome
     • The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
     • A few new project joiners: Bart Leppens, gallypette, Quentin Swain
     • Tom Neaves for the captain hook images :D
  35. Questions?