



Brief intro to BeEF

New core features: RESTful API, WebSockets, HTTPS

New extensions:
Evasion, Social Engineering



  1. BeEF, the Browser Exploitation Framework: What’s new from 2011
     EUSecWest - 19 Sept 2012
     Michele “antisnatchor” Orru
  2. Who am I
     • Lead core developer of BeEF
     • Application Security Researcher
     • OpenBSD, Ruby and Javascript addicted
     • Senior Security Consultant @ Trustwave SpiderLabs
  3. Outline
     • Brief intro to BeEF
     • New core features:
       • RESTful API, WebSockets, HTTPS
     • New extensions:
       • Evasion, Social Engineering
  4. Meet BeEF
     • Browser Exploitation Framework
     • Pioneered by Wade Alcorn in 2005
     • Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser’s security context.
     • The framework allows the penetration tester to select specific modules (in real time) to target each browser, and therefore each context.
  5. RESTful API
     • The truth is:
       • I hate SOAP
       • I hate XML-RPC
       • I love to use protocol (HTTP) features without reinventing the wheel
  6. RESTful API
     Ruby + Sinatra + JSON

       require 'sinatra'

       # A Sinatra route: GET /to/a/pub answers with a plain string body
       get '/to/a/pub' do
         "BeER please"
       end
  7. RESTful API
     • Facts:
       • programmatically control BeEF with whatever speaks HTTP and JSON
       • integration is much easier
       • adding your custom logic is much easier
  8. RESTful API demo: Java mass-pwner
     • Fingerprint hooked browsers
     • Achieve different forms of persistence
     • Inject an (unsigned) applet to determine the exact JVM version/architecture/platform
     • Inject a second applet to launch a targeted attack with a malicious payload
  9. WebSockets
     • The HTML5 specification introduces new features, including WebWorkers and WebSockets
     • WebSockets enable (almost) real-time communication between your webapp users and the backend
     • Streaming protocol, up to 2MB/message in the latest browsers
  10. WebSockets
      (diagram: XHR-polling)

  11. WebSockets
      (diagram: XHR-polling vs. WebSocket)
  12. WebSockets
      • Server-side: event-based server
      • Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via Javascript
      • If the victim browser supports the technology, protocols are switched
      • Not (yet) enabled by default in BeEF: we’re still testing it
  13. WebSockets
      • WebSockets open new horizons:
        • faster Tunneling Proxy (10x faster)
        • real-time VNC-like hooked browser control
        • generally faster communication
  14. WebSockets demo
      • BeEF Tunneling Proxy with and without WebSockets
        • exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
  15. HTTPS/WSS
      • BeEF supports HTTPS and WebSocket Secure; you just need to specify your certificate
      • Motivation:
        • STS support implemented in the latest browsers (see Mixed Scripting)
        • prevent filtering if an SSL proxy is not used
  16. HTTPS/WSS
      • About STS
        • Strict Transport Security, meaning that:
          • see ending-mixed-scripting-vulnerabilities.html
      (diagram) hooked domain (HTTPS, STS) → BeEF over a non-https resource: the browser will deny loading the script

  17. HTTPS/WSS
      • About STS
        • Strict Transport Security, meaning that:
          • see mixed-scripting-vulnerabilities.html
      (diagram) hooked domain (HTTPS, STS) → BeEF over HTTPS: This will work!
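The two diagrams above come down to one browser rule: a page served over HTTPS will not execute a script fetched over plain HTTP, and a host that sent a Strict-Transport-Security header is only ever contacted over HTTPS for as long as max-age lasts. The following Ruby is an added example for this deck, not BeEF code; it parses an STS header and models, for a page URL and a script URL, what a conforming browser does. Host names such as bank.example and beef.example are constructed for the test and are not from the slides.

```ruby
require 'uri'

# Parse "max-age=31536000; includeSubDomains; preload" into a Hash.
# Returns nil when the header is absent or has no numeric max-age,
# which is how browsers treat a malformed policy (they ignore it).
def parse_sts(header)
  return nil if header.nil? || header.strip.empty?
  directives = {}
  header.split(';').each do |part|
    name, value = part.strip.split('=', 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = value.nil? ? true : value.delete('"')
  end
  max_age = directives['max-age']
  return nil unless max_age.is_a?(String) && max_age.match?(/\A\d+\z/)
  {
    max_age: max_age.to_i,
    include_subdomains: directives.key?('includesubdomains'),
    preload: directives.key?('preload')
  }
end

# Is `host` covered by the STS policy that `sts_host` sent?
def sts_covers?(policy, sts_host, host)
  return false if policy.nil? || policy[:max_age].zero?
  return true if host.casecmp?(sts_host)
  policy[:include_subdomains] && host.end_with?(".#{sts_host}")
end

# Outcome for a <script src=script_url> inside a page at page_url whose
# host sent sts_header:
#   :loads                    https script, or http page (no mixed content)
#   :upgraded_to_https        http script on a host the STS policy covers;
#                             the browser rewrites the URL before fetching
#   :blocked_mixed_scripting  http script in an https page (slide 16)
def script_load_outcome(page_url, script_url, sts_header)
  page   = URI(page_url)
  script = URI(script_url)
  return :loads if script.scheme == 'https'
  policy = parse_sts(sts_header)
  return :upgraded_to_https if sts_covers?(policy, page.host, script.host)
  page.scheme == 'https' ? :blocked_mixed_scripting : :loads
end
```

The practical reading for a defender is the inverse of the slide: serving your application over HTTPS with STS is what forces any injected third-party script to also come from an HTTPS host, which removes plain-HTTP script injection as an option and leaves a TLS certificate and host name that can be inspected and blocked.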
  18. Evasion Extension
      • Motivation:
        • decrease the likelihood that the BeEF hook injection and communication will be detected
          • by machines (network filters)
          • by humans
  19. Evasion Extension
      • define your own techniques, specifying whether they need a bootstrapper
      • define the technique chain
  20. Social Eng. extension
      • The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
        • sending phishing emails using templates,
        • cloning webpages and harvesting credentials,
        • client-side pwnage
  21. AND... WE DID IT!
  22. Social Eng. extension
  23. Social Eng. extension: web_cloner
      • Clone a webpage and serve it on BeEF, then automatically:
        • modify the page to intercept POST requests
        • add the BeEF hook to it
        • if the page can be framed, after POST interception load the original page in an overlay iFrame; otherwise redirect to the original page
  24. Social Eng. extension: web_cloner

        curl -H "Content-Type: application/json; charset=UTF-8" \
             -d '{"url":"https://", "mount":"/"}' \
             -X POST "http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1"

      • If you register, you can specify a mount point of /config/login_verify2, so the phishing URL will be (almost) the same
  25. Social Eng. extension: web_cloner
      • Demo
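Slide 23's branch ("if the page can be framed … otherwise redirect") is decided entirely by the original site's anti-framing headers, so the defensive counterpart is to check what your own site sends. The Ruby below is an added example, not part of BeEF or of this talk: given a response header hash, the page's origin and the origin that wants to frame it, it applies X-Frame-Options and the CSP frame-ancestors directive (CSP takes precedence when both are present, as browsers do). The origins bank.example, partner.example and evil.example are constructed for the test.

```ruby
require 'uri'

# Return the frame-ancestors source list from a CSP header, or nil if
# the directive is absent (an empty list means "match nothing").
def frame_ancestors(csp)
  return nil if csp.nil?
  csp.split(';').map(&:strip).each do |directive|
    name, *sources = directive.split(/\s+/)
    return sources if name && name.casecmp?('frame-ancestors')
  end
  nil
end

# Match one CSP source expression (other than 'self') against an origin.
# Handles 'none', '*', "https://host", "host" and "*.host" wildcards;
# ports are ignored to keep the example short (an assumption).
def source_matches?(source, framer_origin)
  src = source.downcase.delete("'")
  return false if src == 'none'
  return true  if src == '*'
  framer = URI(framer_origin)
  scheme, host = src.include?('://') ? src.split('://', 2) : [nil, src]
  return false if scheme && scheme != framer.scheme   # schemeless source matches any scheme
  if host.start_with?('*.')
    framer.host.end_with?(host[1..])                   # "*.example" matches "a.example"
  else
    framer.host == host
  end
end

# true when a browser would render the page inside a frame owned by
# framer_origin; false when X-Frame-Options or CSP forbids it.
def frameable?(headers, page_origin, framer_origin)
  h = headers.transform_keys { |k| k.to_s.downcase }
  ancestors = frame_ancestors(h['content-security-policy'])
  if ancestors
    return ancestors.any? do |src|
      if src.casecmp?("'self'")
        page_origin.casecmp?(framer_origin)
      else
        source_matches?(src, framer_origin)
      end
    end
  end
  case h['x-frame-options']&.strip&.downcase
  when 'deny'       then false
  when 'sameorigin' then page_origin.casecmp?(framer_origin)
  when /\Aallow-from\s+(\S+)/                          # legacy, single origin
    URI(Regexp.last_match(1)).host == URI(framer_origin).host
  else true                                            # no header: anyone may frame it
  end
end
```

For a site owner, `frameable?(headers, origin, 'https://attacker-controlled.example')` returning true means a cloned copy hosted elsewhere could overlay the genuine page in an iFrame after capturing a form post; sending `frame-ancestors 'none'` (or X-Frame-Options: DENY for older browsers) closes that branch and forces the redirect path, which is the more visible of the two.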
  26. Social Eng. extension: mass_mailer
      • Do your phishing email campaigns
        • get a sample email from your target (with company footer...)
        • copy the HTML content into a new BeEF email template
        • download images so they will be added inline!
        • add your malicious links/attachments
        • send the mail to X targets and have fun
  27. Social Eng. extension: mass_mailer
      • email templates structure

  28. Social Eng. extension: mass_mailer
      • ‘default’ template HTML mail

  29. Social Eng. extension: mass_mailer
      • how the ‘default’ template email will look
  30. Social Eng. extension: mass_mailer

        curl -H "Content-Type: application/json; charset=UTF-8" \
             -d body \
             -X POST "http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f"

      body:

        {
          "template": "default",
          "subject": "Hi from BeEF",
          "fromname": "BeEF",
          "link": "",
          "linktext": "",
          "recipients": [{ "": "Michele", "": "Antisnatchor" }]
        }
  31. Social Eng. extension: mass_mailer
      • Demo
  32. Social Eng. extension: combine everything FTW
      • Register your phishing domain
      • Point the A/MX records to a VPS where you have an SMTP server and BeEF
      • Create a BeEF RESTful API script that:
        • clones a webpage with web_cloner
        • sends X emails with that link with mass_mailer
        • scripts intelligent attacks thanks to BeEF browser detection
  33. Unfortunately...
      • There were so many changes from 2011 that we can’t cover them all in a one-hour talk
      • Other interesting extensions: QRcode, CustomHook, Notification
      • Other interesting core features: web imitation, cleaner/better code :D
      • Tens of new modules: we now have 125 modules (and counting :-)
  34. Thanks
      • Wade, for always being awesome
      • The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
      • A few new project joiners: Bart Leppens, gallypette, Quentin Swain
      • Tom Neaves for the captain hook images :D
  35. Questions?