Buried by time, dust and BeEF
Antisnatchor – RuxCon 2013
Disclaimer

§  My views and opinions do not represent those of my employer
§  My employer has nothing to do with anything related to BeEF
Who am I?
§  Co-author of Browser Hacker’s Handbook (pre-order from Amazon.com, available March 2014)
§  BeEF lead core developer
§  Application Security researcher
§  Ruby, Javascript, OpenBSD and BlackMetal fan
This made me LOL
And this made me ROFL (same page, scroll down)
The issue
§  If the problem is getting caught:
–  Spawn from 3 to X VPSs:
1. Each of them has SQLmap
2. Each of them dumps a different data set
3. Each of them uses a different chain of proxies
4. When one data set is dumped, change the proxy chain
§  Restart from point 1

§  Downside: might not be cost-effective (depends on the data dumped :-). I don’t have enough money…
The issue
§  Solving the issue without paying for multiple VPSs/infrastructure….
Use BeEF
§  Exploit Time-Based Blind SQLi from multiple hooked browsers
§  It’s the hooked browser that (just through JavaScript) sends the requests and dumps the data
§  A forensic team will see connections from multiple hooked browsers at the same time
Use BeEF
§  Install BeEF and OpenVPN on a VPS
§  VPN client -> TOR (or other proxies) -> VPS
§  Hook some browsers
§  Instruct the browsers to dump data for you
§  When finished, terminate the VPS
Some background
§  Same-Origin Policy and XHR
§  Why Time-based Blind SQLi?
§  The beautiful features of MSSQL
§  BeEF and putting all together
Same-Origin Policy and XHR
§  Cross-origin XmlHttpRequest
–  You can’t read the HTTP Response (you need Access-Control-Allow-Origin, or a SOP bypass)
But….
–  You can still send the request
§  The request arrives at the destination
–  You can check the state of the request
§  xhr.readyState
Same-Origin Policy and XHR: implications
§  Exploit RCE cross-origin from the browser
–  See BeEF exploits on JBoss, GlassFish, and others
–  You don’t need to read the response, just “blindly” send the attack vector

§  Exploit XSRF
§  Internal network attacks
–  Ping sweeping, port scanning, and much more
–  Inter-protocol communication and exploitation
§  Wait for Browser Hacker’s Handbook :D
Same-Origin Policy and XHR: implications
§  If you can tell when xhr.readyState == 4
–  You can monitor the timing
–  Just create 2 Date objects before and after sending the request, and do simple math :D
Same-Origin Policy and XHR: implications
§  Firefox 24
§  Chrome 29
§  Internet Explorer 10
Why Time-based Blind SQLi?
§  If we can infer the timing of the response, we can exploit Time-based blind SQLi cross-origin!
§  Actually any type of SQL injection flaw can be exploited with Time-based blind vectors
§  Sometimes time-based blind is the only way to exploit an instance of SQLi
§  Sometimes SQLmap (great tool, kudos Bernardo!) is able to exploit SQL injections only using time-based vectors
The beautiful features of MSSQL
§  http://msdn.microsoft.com/en-us/library/ms187331.aspx
The beautiful features of MSSQL
§  http://msdn.microsoft.com/en-us/library/ms187024.aspx
§  SQL Server 2008 R2 (<= 4 CPUs):
–  256 thread pool (x86)
–  512 thread pool (x86_64)

§  I did my tests on SQL Server Express (on Windows 7)
–  Connection numbers/thread pools are much more limited
The beautiful features of MSSQL
§  MySQL and Postgres do not support this
–  Postgres example: http://www.postgresql.org/docs/8.2/static/functions-datetime.html

§  Still, you could use BENCHMARK or other similar functions
–  Excessive CPU load if parallelized? Probably
The beautiful features of MSSQL
§  With DBs != MSSQL you can still exploit SQLi using Time-based Blind vectors from the browser
–  But you can’t parallelize requests

§  Most ASP/.NET applications use MSSQL
§  MSSQL presence on the internet is widespread
BeEF and putting all together
§  MSSQL only right now
–  PoC retrieving DB and Table names

§  Concurrent approach
–  Multiple WebWorkers
–  Multiple hooked browsers

§  3 to 4 times faster than SQLmap
§  SQLmap’s developers disabled multi-threading when using time-based blind vectors, with every database, even MSSQL
§  It can be re-enabled by modifying the source code
Concurrent approach: WebWorkers
§  Classic binary search inference
IF ASCII(SUBSTRING((...),position,1)) > bin_value WAITFOR DELAY '00:00:02';--
–  Position: byte position in the string to retrieve
–  Bin_value: current mid value in the binary search

§  Retrieving DB name (first request, first byte):
http://172.16.37.149:8080/?book_id=1%20IF(UNICODE(SUBSTRING((SELECT%20ISNULL(CAST(DB_NAME()%20AS%20NVARCHAR(4000)),CHAR(32))),1,1))%3E64)%20WAITFOR%20DELAY%20%270:0:2%27--
Concurrent approach: WebWorkers
§  If the response is delayed, the first byte of the DB name string is > 64 (Integer value)
§  If the response is NOT delayed, the first byte of the DB name string is <= 64 (Integer value)
§  Example with first byte == 115 (“s”)
§  Response delayed. Char is > 64
§  Response delayed. Char is > 96
§  Response delayed. Char is > 112
§  Response not delayed. Char is < 120
§  Response not delayed. Char is < 116
§  Response delayed. Char is > 114
§  Response not delayed. Char is == 115 -> s
Concurrent approach: WebWorkers
§  Given a pool of WebWorkers (controlled by a state-machine in JavaScript)
§  Every WW manages one byte (7 requests each)
§  You can retrieve up to <pool_size> bytes at the same time
§  WWs communicate with the “parent” state-machine with postMessage()
§  Everything is happening from and in the browser
§  Everything is happening from and in the browser
Concurrent approach: multiple browsers
§  As we can parallelize requests with WebWorkers, we could even distribute the data dumping process across multiple browsers
–  Reliability
§  Minimize the impact of losing a hooked browser

–  Stealthiness (and piss-off forensic guys)
§  The attack looks like it is coming from different sources

–  Fun (and piss-off forensic guys)
§  You want to target company X, which has company Y as competitor: hook some company Y browsers, and instrument them to exploit a SQLi in company X website :D
§  Company X will think company Y is attacking them
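A defender-side check for the traffic the WebWorker and multiple-browser slides describe (one binary-search probe sequence fanned out over many client addresses), written as an added example that is not part of BeEF or the talk: it URL-decodes the query parameters of access-log lines, flags time-delay primitives such as WAITFOR DELAY, collapses every probe of one extraction into a single shape, and reports how many distinct clients share that shape. The log format (combined log plus a trailing duration field in milliseconds) and the sample lines are constructed; the probe URL itself is the one from the slides.

```python
"""Flag time-based blind SQLi probes in web-server access logs and spot the
distributed variant: one injection shape, many client addresses."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: Apache combined log format with the request duration in
# milliseconds appended as a last field (an assumed format, not a standard one).
# The probes reproduce the slides' binary search for the first byte of
# DB_NAME() (115 = "s"), spread over three hooked clients:
# > 64, > 96, > 112 delayed; > 120, > 116 not delayed; > 114 delayed; > 115 not.
PROBE = ('/?book_id=1%20IF(UNICODE(SUBSTRING((SELECT%20ISNULL(CAST(DB_NAME()'
         '%20AS%20NVARCHAR(4000)),CHAR(32))),1,1))%3E{}%20WAITFOR%20DELAY'
         '%20%270:0:2%27--')


def _line(client, sec, uri, ms):
    return (f'{client} - - [26/Oct/2013:10:15:{sec:02d} +1100] '
            f'"GET {uri} HTTP/1.1" 200 5120 {ms}')


SAMPLE_LOG = "\n".join([
    _line("203.0.113.7", 1, PROBE.format(64), 2014),
    _line("198.51.100.23", 1, PROBE.format(96), 2031),
    _line("192.0.2.44", 2, PROBE.format(112), 2022),
    _line("203.0.113.7", 4, PROBE.format(120), 118),
    _line("198.51.100.23", 4, PROBE.format(116), 97),
    _line("192.0.2.44", 4, PROBE.format(114), 2009),
    _line("203.0.113.7", 6, PROBE.format(115), 131),
    _line("198.51.100.23", 7, "/?book_id=7", 102),   # benign request
    _line("192.0.2.44", 8, "/search?q=beef", 88),    # benign request
])

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ (?P<ms>\d+)$')

# Time-delay primitives of the common engines, matched on the decoded value.
DELAY_RE = re.compile(
    r"WAITFOR\s+DELAY|BENCHMARK\s*\(|PG_SLEEP\s*\(|\bSLEEP\s*\(", re.IGNORECASE)


def probe_shape(value: str) -> str:
    """Collapse the parts that change between probes of one extraction (byte
    position, comparison value, delay) so they all map to the same key."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "N", value)).strip().upper()


def find_time_based_probe(uri: str):
    """Return (path, parameter, decoded value) if a query parameter carries a
    time-delay primitive, else None."""
    parts = urlsplit(uri)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if DELAY_RE.search(value):
            return parts.path, name, value
    return None


def analyze(log_text: str, delay_ms: int = 2000, slack: float = 0.9) -> list:
    """Group probes by (path, parameter, shape). A request counts as 'delayed'
    when its duration reached the injected delay, i.e. the oracle said true."""
    groups = defaultdict(lambda: {"clients": set(), "requests": 0, "delayed": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = find_time_based_probe(m["uri"])
        if hit is None:
            continue
        path, param, value = hit
        g = groups[(path, param, probe_shape(value))]
        g["clients"].add(m["client"])
        g["requests"] += 1
        if int(m["ms"]) >= delay_ms * slack:
            g["delayed"] += 1
    findings = []
    for (path, param, shape), g in groups.items():
        findings.append({
            "path": path, "param": param, "shape": shape,
            "clients": sorted(g["clients"]), "requests": g["requests"],
            "delayed": g["delayed"],
            # a 7-bit binary search costs about 7 oracle answers per byte
            "bytes_estimate": g["requests"] // 7,
            "distributed": len(g["clients"]) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tag = "DISTRIBUTED" if f["distributed"] else "single-source"
        print(f'{tag}: {f["requests"]} probes ({f["delayed"]} delayed) on '
              f'{f["path"]} param {f["param"]} from {len(f["clients"])} clients')
```

Grouping by probe shape rather than by source address is what makes the three clients show up as one campaign; a per-IP rate threshold alone would see each of them sending only two or three requests.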
BeEF and putting all together
§  Demo
–  Video, as last year here at RuxCon the live demo failed (VMware Fusion issues, broken VM, porco dio!)
–  https://vimeo.com/78055061
BeEF and putting all together
§  If you liked this talk, support BeEF by buying the Browser Hacker’s Handbook:
§  Pre-order on Amazon available, out March 2014
§  50% of revenues will be used for the BeEF project (testing infrastructure, etc.)
Wrap-up
§  Thanks to Wade Alcorn for inspiration, research motivation, and for being awesome!
§  Thanks to Bernardo Damele (SQLmap)
§  Thanks Chris and RuxCon crew
§  Thanks Trustwave for paying my trip here
§  BeE(F)R time now!

More Related Content

What's hot

Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF AgainNetsparker
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 

What's hot (20)

Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 

Similar to Buried by time, dust and BeEF

Intro to advanced web development
Intro to advanced web developmentIntro to advanced web development
Intro to advanced web developmentStevie T
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moiblemarkuskobler
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderSadayuki Furuhashi
 
Crash Course HTML/Rails Slides
Crash Course HTML/Rails SlidesCrash Course HTML/Rails Slides
Crash Course HTML/Rails SlidesUdita Plaha
 
Week 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuWeek 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuAppUniverz Org
 
High performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrongHigh performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrongTao Gao
 
Beginning MEAN Stack
Beginning MEAN StackBeginning MEAN Stack
Beginning MEAN StackRob Davarnia
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)yay w00t
 
Isomorphic web application
Isomorphic web applicationIsomorphic web application
Isomorphic web applicationOliver N
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0Itzik Kotler
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
IBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebAppsIBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebAppsChris Bailey
 
Play Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level OverviewPlay Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level OverviewJosh Padnick
 
Krug Fat Client
Krug Fat ClientKrug Fat Client
Krug Fat ClientPaul Klipp
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyBishan Singh
 
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R..."Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...Fwdays
 

Similar to Buried by time, dust and BeEF (20)

Intro to advanced web development
Intro to advanced web developmentIntro to advanced web development
Intro to advanced web development
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moible
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loader
 
Crash Course HTML/Rails Slides
Crash Course HTML/Rails SlidesCrash Course HTML/Rails Slides
Crash Course HTML/Rails Slides
 
Week 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuWeek 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. Wu
 
High performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrongHigh performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrong
 
Beginning MEAN Stack
Beginning MEAN StackBeginning MEAN Stack
Beginning MEAN Stack
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)
 
Isomorphic web application
Isomorphic web applicationIsomorphic web application
Isomorphic web application
 
MongoDB
MongoDBMongoDB
MongoDB
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
IBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebAppsIBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebApps
 
Play Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level OverviewPlay Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level Overview
 
Krug Fat Client
Krug Fat ClientKrug Fat Client
Krug Fat Client
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & Ugly
 
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R..."Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 

Buried by time, dust and BeEF

  • 1. Buried by time, dust and BeEF Antisnatchor – RuxCon 2013
  • 2. Disclaimer §  My views and opinions do not represent those of my employer §  My employer has nothing to do with anything related to BeEF
  • 3. Who am I ? §  Co-author of Browser Hacker’s Handbook (pre-order from Amazon.com, available March 2014) §  BeEF lead core developer §  Application Security researcher §  Ruby, Javascript, OpenBSD and BlackMetal fan
  • 5. And this made me ROFL (same page, scroll down)
  • 6. The issue §  If the problem is getting caught: –  Spawn from 3 to X VPSs: 1. Each of them has SQLmap 2. Each of them dump a different data set 3. Each of them uses a different chain of proxies 4. When 1 data set is dumped, change the proxy chain. §  Restart from point 1 §  Downside: might not be cost-effective (depends on the data dumped :-). I don’t have enough money…
  • 8. The issue §  Solving the issue without paying for multiple VPSs/infrastructure….
  • 9. Use BeEF §  Exploit Time-Based Blind SQLi from multiple hooked browsers §  It’s the hooked browser that (just through JavaScript) send requests and dump data §  A forensic team will see a connection from multiple hooked browsers at the same time
  • 10. Use BeEF §  §  §  §  §  Install BeEF and OpenVPN on a VPS VPN client -> TOR (or other proxies) -> VPS Hook some browsers Instruct the browsers to dump data for you When finished, terminate the VPS
  • 11. Some background §  Same-Origin Policy and XHR §  Why Time-based Blind SQLi? §  The beautiful features of MSSQL §  BeEF and putting all together
  • 13. Same-Origin Policy and XHR §  Cross-origin XmlHttpRequest –  You can’t read the HTTP Response (you need Access-Control-Allow-Origin, or a SOP bypass) But…. –  You can still send the request §  The request arrives to the destination –  You can check the state of the request §  xhr.readyState
  • 14. Same-Origin Policy and XHR: implications §  Exploit RCE cross-origin from the browser –  See BeEF exploits on Jboss, GlassFish, and others –  You don’t need to read the response, just “blindly” send the attack vector §  Exploit XSRF §  Internal network attacks –  Ping sweeping, port scanning, and much more –  Inter-protocol communication and exploitation §  Wait for Browser Hacker’s Handbook :D
  • 15. Same-Origin Policy and XHR: implications §  If you can know if xhr.readyState == 4 –  You can monitor the timing –  Just create 2 Date objects before and after sending the request, and do simple math :D
• 16. Same-Origin Policy and XHR: implications
§  Firefox 24
• 17. Same-Origin Policy and XHR: implications
§  Chrome 29
• 18. Same-Origin Policy and XHR: implications
§  Internet Explorer 10
• 19. Why Time-based Blind SQLi?
§  If we can infer the timing of the response, we can exploit Time-based blind SQLi cross-origin!
§  Actually any type of SQL injection flaw can be exploited with Time-based blind vectors
§  Sometimes time-based blind is the only way to exploit an instance of SQLi
§  Sometimes SQLmap (great tool, kudos Bernardo!) is able to exploit SQL injections only using time-based vectors
• 20. The beautiful features of MSSQL
§  http://msdn.microsoft.com/en-us/library/ms187331.aspx
• 21. The beautiful features of MSSQL
§  http://msdn.microsoft.com/en-us/library/ms187024.aspx
§  SQL Server 2008 R2 (<= 4 CPUs):
  §  256 thread pool (x86)
  §  512 thread pool (x86_64)
§  I did my tests on SQL Server Express (on Windows 7)
  –  Connection numbers/thread pools are much more limited
• 22. The beautiful features of MSSQL
§  MySQL and Postgres do not support this
  –  Postgres example: http://www.postgresql.org/docs/8.2/static/functions-datetime.html
§  Still, you could use BENCHMARK or other similar functions
  –  Excessive CPU load if parallelized? Probably
• 23. The beautiful features of MSSQL
§  With DBs != MSSQL you can still exploit SQLi using Time-based Blind vectors from the browser
  –  But you can’t parallelize requests
§  Most ASP/.NET applications use MSSQL
§  MSSQL presence on the internet is widespread
• 25. BeEF and putting all together
§  MSSQL only right now
  –  PoC retrieving DB and Table names
§  Concurrent approach
  –  Multiple WebWorkers
  –  Multiple hooked browsers
§  3 to 4 times faster than SQLmap
  §  They disabled multi-threading when using time-based blind vectors, with every database, even MSSQL
  §  Can be re-enabled by hacking the source code
• 26. Concurrent approach: WebWorkers
§  Classic binary search inference:
   IF ASCII(SUBSTRING((...),position,1)) > bin_value WAITFOR DELAY '00:00:02';--
  –  position: byte position in the string to retrieve
  –  bin_value: current mid value in the binary search
§  Retrieving DB name (first request, first byte):
   http://172.16.37.149:8080/?book_id=1%20IF(UNICODE(SUBSTRING((SELECT%20ISNULL(CAST(DB_NAME()%20AS%20NVARCHAR(4000)),CHAR(32))),1,1))%3E64)%20WAITFOR%20DELAY%20%270:0:2%27--
• 27. Concurrent approach: WebWorkers
§  If the response is delayed, the first byte of the DB name string is > 64 (integer value)
§  If the response is NOT delayed, the first byte of the DB name string is <= 64 (integer value)
§  Example with first byte == 115 (“s”):
  §  Response delayed. Char is > 64
  §  Response delayed. Char is > 96
  §  Response delayed. Char is > 112
  §  Response not delayed. Char is < 120
  §  Response not delayed. Char is < 116
  §  Response delayed. Char is > 114
  §  Response not delayed. Char is == 115 -> s
• 28. Concurrent approach: WebWorkers
§  Given a pool of WebWorkers (controlled by a state-machine in JavaScript)
§  Every WW manages one byte (7 requests each)
§  You can retrieve up to <pool_size> bytes at the same time
§  WWs communicate with the “parent” state-machine via postMessage()
§  Everything is happening from and in the browser
• 29. Concurrent approach: multiple browsers
§  As we can parallelize requests with WebWorkers, we could even distribute the data dumping process across multiple browsers
  –  Reliability
    §  Minimize the impact of losing a hooked browser
  –  Stealthiness (and piss-off forensic guys)
    §  The attack looks like it is coming from different sources
  –  Fun (and piss-off forensic guys)
    §  You want to target company X, which has company Y as competitor: hook some company Y browsers, and instrument them to exploit a SQLi in company X website :D
    §  Company X will think company Y is attacking them
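From the forensic side, the pattern slides 26 to 29 describe is recognisable in an access log: many requests carrying a delay primitive, each probing one byte position against one threshold, spread across several client addresses within the same window. As an added example (not code from the talk or from BeEF), a small Python scan over constructed combined-format log lines with placeholder client IPs; the injected query string is the one shown on slide 26, with the byte position and threshold varied.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (placeholder IPs); query string is the slide-26 probe.
PROBE_URL = ("/?book_id=1%20IF(UNICODE(SUBSTRING((SELECT%20ISNULL(CAST(DB_NAME()%20AS"
             "%20NVARCHAR(4000)),CHAR(32))),{pos},1))%3E{thr})%20WAITFOR%20DELAY%20%270:0:2%27--")
LINE = '{ip} - - [23/Oct/2013:10:00:0{s} +1100] "GET {url} HTTP/1.1" 200 512'
SAMPLE_LOG = "\n".join([
    LINE.format(ip="10.0.0.11", s=1, url=PROBE_URL.format(pos=1, thr=64)),
    LINE.format(ip="10.0.0.12", s=1, url=PROBE_URL.format(pos=2, thr=64)),
    LINE.format(ip="10.0.0.11", s=3, url=PROBE_URL.format(pos=1, thr=96)),
    LINE.format(ip="10.0.0.13", s=4, url="/?book_id=7"),  # benign request
])

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')
# Delay primitives used by time-based blind payloads (MSSQL, MySQL, Postgres).
DELAY_RE = re.compile(r"WAITFOR\s+DELAY|\bSLEEP\s*\(|pg_sleep\s*\(|BENCHMARK\s*\(", re.I)
# SUBSTRING(<expr>,<pos>,1)) > <threshold>: one step of the per-byte binary search.
PROBE_RE = re.compile(r"SUBSTRING\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*>\s*(\d+)", re.I | re.S)

def parse_line(line):
    """Split a combined-format log line into (client, path, decoded query)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    path, _, query = target.partition("?")
    return client, path, unquote(query)

def find_time_based_probes(log_text):
    """Map each client to the (byte position, threshold) probes it sent; a delay
    payload whose probe shape is not recognised is recorded as None."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not DELAY_RE.search(rec[2]):
            continue
        m = PROBE_RE.search(rec[2])
        by_client[rec[0]].append((int(m.group(1)), int(m.group(2))) if m else None)
    return dict(by_client)

def summarize(by_client):
    """Flag the distributed pattern: several clients probing different byte positions."""
    positions = sorted({p[0] for probes in by_client.values() for p in probes if p})
    return {"clients": len(by_client), "positions": positions,
            "distributed": len(by_client) >= 2 and len(positions) >= 2}

if __name__ == "__main__":
    print(summarize(find_time_based_probes(SAMPLE_LOG)))
```

Per-client hit counts alone would miss the WebWorker pool (one client, many positions at once); the position set across clients is what reveals a single coordinated dump.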
• 30. BeEF and putting all together
§  Demo
  –  Video, as last year here in RuxCon the live demo failed (Vmware Fusion issues, broken VM, porco dio!)
  –  https://vimeo.com/78055061
• 31. BeEF and putting all together
§  If you liked this talk, support BeEF by buying:
§  Pre-order on Amazon available, out March 2014
§  50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
• 32. Wrap-up
§  Thanks to Wade Alcorn for inspiration, research motivation, and for being awesome!
§  Thanks to Bernardo Damele (SQLmap)
§  Thanks Chris and RuxCon crew
§  Thanks Trustwave for paying my trip here
§  BeE(F)R time now!