Hacktivity2011 be ef-preso_micheleorru
  1. Dr. Strangelove or: how I Learned to Stop Worrying and Love the BeEF
     Michele “antisnatchor” Orru’, 18 September 2011

  2. Who am I?
     ❖ Penetration Tester @ The Royal Bank of Scotland
     ❖ BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, lots of bug-fixing, testing and fun
     ❖ Kubrick fan
     ❖ Definitely not a fan of our Italian prime minister Silvio „bunga-bunga” Berlusconi
     ❖ @antisnatchor
     ❖ http://antisnatchor.com

  3. Outline: cutting, devouring and digesting the legs off a browser
     ❖ What the hell is BeEF?
     ❖ Cutting: target enumeration and analysis
     ❖ Devouring: internal net fingerprint; exploiting internal services through the hooked browser; keylogging, browser pwnage
     ❖ Digesting: persistence, tunneling sqlmap/Burp through the BeEF proxy; XssRays integration
     ❖ Future development and ideas

  4. The Browser Nowadays

  5. What the hell is BeEF?
     ❖ BeEF: Browser Exploitation Framework
     ❖ Pioneered by Wade Alcorn in 2005 (public release)
     ❖ Powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse
     ❖ Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.
     ❖ The framework allows the penetration tester to select specific modules (in real time) to target each browser, and therefore each context.

  6. What the hell is BeEF?

  7. Cutting: Target enum and analysis
     ❖ Lots of juicy information after the first hook initialization:
       ❖ Browser/OS version
       ❖ Cookies
       ❖ Browser plugins
       ❖ Supported features (Google Gears, Web Sockets, Flash, Java, ...)
     ❖ Specific modules are also there to help:
       ❖ Detect links/visited URLs
       ❖ Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor
       ❖ Execute your custom JavaScript

  8. Cutting: Target enum and analysis

  9. Devouring: Internal net fingerprint
     ❖ Recon/NetworkFingerprinting module
     ❖ Knowing the victim's internal IP, the attacker can start to fingerprint the internal network via JavaScript to find common servers and devices.
     ❖ The approach currently in use is similar to Yokoso (InGuardians):
       ❖ Map of device/application default images
       ❖ img tags are loaded into the victim DOM
       ❖ On the onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found

  10. Devouring: Internal net fingerprint
     ❖ Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (OWASP AppSec EU 2011)
     ❖ They developed new BeEF modules
     ❖ They are working with us and their work will be available in BeEF trunk soon. A few examples:
       ❖ Internal DNS enumeration
       ❖ Reliable port scanning
       ❖ Ping sweep
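As an added, defender-side example (not from these slides and not BeEF code): the image-based intranet fingerprinting described above leaves a trace in an egress or web-proxy log, namely requests to RFC 1918 or loopback addresses whose Referer is a page on an external origin. The script below parses a constructed log format (assumed: timestamp, client IP, quoted request line, `referer="..."`), keeps only requests whose target host is a private IP while the referring page is not, groups them per client and referring page, and flags a client when one external page drove requests to three or more distinct internal hosts. The log lines are constructed for the example.

```javascript
// Added example, not part of the slides or of BeEF: detect a hooked browser
// probing internal hosts on behalf of an external page, using proxy log lines.

// Constructed log format (an assumption for this example):
//   <timestamp> <client-ip> "<method> <url>" referer="<referer-or-dash>"
const SAMPLE_LOG = [
  '2011-09-18T10:00:01Z 10.1.2.3 "GET http://hooked-site.example/hook.js" referer="http://hooked-site.example/"',
  '2011-09-18T10:00:02Z 10.1.2.3 "GET http://192.168.1.1/images/logo.gif" referer="http://hooked-site.example/"',
  '2011-09-18T10:00:02Z 10.1.2.3 "GET http://192.168.1.254/cgi-bin/banner.png" referer="http://hooked-site.example/"',
  '2011-09-18T10:00:03Z 10.1.2.3 "GET http://10.0.0.5/jmx-console/images/logo.gif" referer="http://hooked-site.example/"',
  '2011-09-18T10:00:04Z 10.1.2.4 "GET http://10.0.0.5/jmx-console/" referer="http://10.0.0.5/"',
  '2011-09-18T10:00:05Z 10.1.2.4 "GET http://intranet.corp.example/" referer="-"',
];

// Address ranges treated as "internal" for this check: RFC 1918, loopback, link-local.
const PRIVATE_RANGES = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16],
];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the host is an IPv4 literal inside one of PRIVATE_RANGES.
// Hostnames (e.g. intranet.corp.example) are deliberately not classified here.
function isPrivateIp(host) {
  const n = ipToInt(host);
  if (n === null) return false;
  return PRIVATE_RANGES.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;          // bits is 8..16 here, never 0
    return ((n & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
  });
}

// Hostname of a URL, or null when the value is not a parseable URL (e.g. "-").
function originHost(u) {
  try { return new URL(u).hostname; } catch (e) { return null; }
}

function parseLine(line) {
  const m = /^(\S+) (\S+) "(\S+) (\S+)" referer="([^"]*)"$/.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: m[4], referer: m[5] };
}

// Returns [{client, referer, targets: [...]}] for every (client, referring page)
// pair where an external page caused requests to >= threshold distinct internal IPs.
function findIntranetProbes(lines, threshold = 3) {
  const groups = new Map(); // "client\0referer" -> Set of internal target hosts
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const target = originHost(rec.url);
    const refHost = originHost(rec.referer);
    // Skip unparseable hosts and requests whose referring page is itself internal
    // (ordinary intranet browsing). A missing Referer is not attributed to anyone.
    if (target === null || refHost === null) continue;
    if (!isPrivateIp(target) || isPrivateIp(refHost)) continue;
    const key = `${rec.client}\0${rec.referer}`;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(target);
  }
  const hits = [];
  for (const [key, targets] of groups) {
    if (targets.size >= threshold) {
      const [client, referer] = key.split("\0");
      hits.push({ client, referer, targets: [...targets] });
    }
  }
  return hits;
}

console.log(JSON.stringify(findIntranetProbes(SAMPLE_LOG), null, 2));
```

The check keys on the Referer because image probes injected into a hooked page carry the hooked page's URL as their referrer; a page can suppress that header, and probes by internal hostname rather than IP literal are not classified, so this is a low-noise indicator to combine with the distinct-host count, not a complete detector.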
  11. Devouring: exploiting internal services
     ❖ Network/JbossJmxUploadExploit module
     ❖ The JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot)
     ❖ Then why not use the victim browser as a pivot?
     Watch „JBoss 6.0.0M1 JMX Deploy Exploit: the BeEF way...” on Vimeo (http://vimeo.com/24410203)

  12. Devouring: persistent keylogging
     ❖ Persistence/iFrameKeylogger module
     ❖ We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS.
     ❖ After the victim logs in, she will stay in the injected iFrame while the communication channel stays persistent in the background.

  13. Devouring: module autorun
     ❖ We've ported back (from the old PHP version) the autorun feature
     ❖ Add autorun: true in the config.yaml of the command module that you want to autorun
     ❖ When a new browser is hooked in BeEF, the module will be launched automatically
     ❖ Imagine adding autorun: true in the Metasploit autopwn module (another feature ported back)...

  14. Digesting: hook default browser
     ❖ Originally disclosed by Billy (xs-sniper) Rios in „Expanding the Attack Surface”
     ❖ Browser/HookDefault module
     ❖ We use a PDF in order to attempt hooking the default browser
     ❖ When executed, the hooked browser will load a PDF in a new window and use that to start the default browser.
       ❖ app.launchURL(" Hook-Js.html",true);
       ❖ If everything goes OK, we have hooked the default browser.
       ❖ Future improvements: configurable bounce page and Ruby PDF library

  15. Digesting: tunneling proxy
     ❖ Having a communication channel with the hooked browser, we can:
       ❖ Receive requests as a proxy on BeEF
       ❖ Translate these requests to XHRs (in-domain)
       ❖ Parse the XHR responses and send the data back to the original requestor...

  16. Digesting: tunneling proxy
     ❖ Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios:
       ❖ browsing the authenticated surface of the hooked domain through the security context of the victim browser;
       ❖ spidering the hooked domain through the security context of the victim browser;
       ❖ finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).

  17. Digesting: tunneling proxy
     Let's see the tunneling proxy in action! (demo time)

  18. Digesting: XssRays
     ❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner
     ❖ The XssRays BeEF extension allows you to check whether the links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS.
     ❖ What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS in GET and POST parameters, and also in the URI path.

  19. Digesting: XssRays
     ❖ The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames
     ❖ This is now patched by all recent browsers. So how to check for XSS cross-domain, respecting the SOP restrictions?

  20. Digesting: XssRays
     ❖ We inject a vector that will contact BeEF back if the JS code is successfully executed (thus confirming the XSS).
     ❖ No false positives (oh yes, that's what I like)!
     ❖ Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource. The following is an example value of href:
       ✴

  21.–31. Digesting: XssRays

  32. Future dev and ideas
     ❖ Improve XssRays:
       ❖ add more attack vectors, more testing
       ❖ add a JS depth crawler
     ❖ Multi-hooking: a browser can be hooked on multiple domains
     ❖ Check for time-based blind SQLi cross-domain via JS
     ❖ Improve the BeEF console (command line UI)
     ❖ Well... take a look here: http://code.google.com/p/beef/issues/list

  33. Get in touch with us
     ❖ Follow the BeEF: @beefproject
     ❖ Check out BeEF: http://code.google.com/p/beef/
     ❖ Check our website: http://beefproject.com
     ❖ Have fun with it
     ❖ We're hiring!!! (but we'll not pay you... seriously, we have so many tasks to do, join us)

  34. Thanks to
     ❖ Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan, ...
     ❖ My colleagues Piotr & Michal
     ❖ My employer
     ❖ Hacktivity crew and you attendees

  35. Questions?
     Thanks for your time!