
Kiwicon 2014 - Hooked-browser Mesh-Networks with WebRTC

A slightly modified version of my presentation for Kiwicon 2014 on BeEF for Vegetarians, or, Hooked-browser Mesh-Networks with WebRTC. Also includes a link to the demo of the BeEF WebRTC Extension PoC (https://www.youtube.com/watch?v=pLC3hbUvhoE)


  1. Welcome to 1989, a world without browsers...
  2. asterisk. A Perth-based info sec consulting firm... not a VoIP biz
  5. But... what the hell is WebRTC, and what the hell am I talking about?
  6. The shift from attacking servers to attacking users
  7. Browsers are a popular user-based channel
  9. While browsers used to have a lot of fat plugins ripe for abuse... they started to go away, being replaced by...
  11. Lots of words about the stupid growth of JavaScript...
  12. Talk to this guy about JavaScript... I dare you
  14. PIMP
  15. "Look at me I'm a Threat Model!" [Image: Browser Hacker's Handbook] The other co-authors
  16. [Diagram: book chapter map. Initiating Control (Chapter 2); Retaining Control; Bypassing the Same Origin Policy; Attacking Users; Attacking Browsers; Attacking Extensions (Chapter 7); Attacking Plugins; Attacking Web Applications (Chapter 9); Attacking Networks (Chapter 10). Callout: mainly discussing ... method of retaining control]
  17. [Diagram: a BeEF Server connected to three Browsers]
  19. See a problem here? ALL ROADS LEAD TO YOUR BeEF SERVER
  21. [Diagram: a BeEF Server and Browsers]
  22. [Diagram: a BeEF Server and several Browsers, with arrows between them]
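  25.
      ```js
      // Legacy (2014-era) callback form of getUserMedia, as shown on the slide.
      // Current browsers expose navigator.mediaDevices.getUserMedia() and
      // attach the stream with video.srcObject instead.
      var constraints = {video: true};

      function successCallback(stream) {
        // Attach the captured camera stream to the page's <video> element
        var video = document.querySelector("video");
        video.src = window.URL.createObjectURL(stream);
      }

      function errorCallback(error) {
        console.log("navigator.getUserMedia error: ", error);
      }

      // Prompts the user for camera access, then invokes one of the callbacks
      navigator.getUserMedia(constraints, successCallback, errorCallback);
      ```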
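  27.
      ```js
      // Caller side of a peer connection (legacy stream/callback API).
      // localStream, remoteVideo, sendOffer and attachMediaStream are
      // defined elsewhere and are not shown on the slide.
      pc = new RTCPeerConnection(null);
      pc.onaddstream = gotRemoteStream;  // fires when the remote peer's media arrives
      pc.addStream(localStream);
      pc.createOffer(gotOffer);

      function gotOffer(desc) {
        pc.setLocalDescription(desc);
        sendOffer(desc);                 // deliver the SDP offer over the signalling channel
      }

      function gotAnswer(desc) {
        pc.setRemoteDescription(desc);   // SDP answer received back via signalling
      }

      function gotRemoteStream(e) {
        attachMediaStream(remoteVideo, e.stream);
      }
      ```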
  29.
      ```js
      // Data channel between two peers (legacy webkit-prefixed API).
      // `servers` (the ICE server configuration) is defined elsewhere.
      var receiveChannel, sendChannel;
      var pc = new webkitRTCPeerConnection(servers,
        {optional: [{RtpDataChannels: true}]});

      pc.ondatachannel = function(event) {
        receiveChannel = event.channel;
        receiveChannel.onmessage = function(event) {
          // event.data is supplied by the remote peer: render it as text, not HTML
          document.querySelector("div#receive").textContent = event.data;
        };
      };

      sendChannel = pc.createDataChannel("sendDataChannel", {reliable: false});

      document.querySelector("button#send").onclick = function() {
        var data = document.querySelector("textarea#send").value;
        sendChannel.send(data);
      };
      ```
  31. You need to share Session Description Protocol (SDP) Signals...

      ```
      v=0
      o=- 7614219274584779017 2 IN IP4 127.0.0.1
      s=-
      t=0 0
      a=group:BUNDLE audio video
      a=msid-semantic: WMS
      m=audio 1 RTP/SAVPF 111 103 104 0 8 107 106 105 13 126
      c=IN IP4 0.0.0.0
      a=rtcp:1 IN IP4 0.0.0.0
      a=ice-ufrag:W2TGCZw2NZHuw1nf
      a=ice-pwd:xdQEccP40E+POL5qTyzDgfmW
      a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
      a=mid:audio
      a=rtcp-mux
      a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:9ClAHZ27dZ9XPI9lYNfSlI67/EMkjHHIHORiClQe
      a=rtpmap:111 opus/48000/2
      ```
  33. [Diagram: two Peers exchanging Signalling across the Internet, with Media OR Data between them]
  34. [Diagram: Peers behind FW/NAT, with Signalling across the Internet]
  35. [Diagram: Peers behind FW/NAT, each with a STUN server, with Signalling across the Internet] Session Traversal Utilities for NAT (or STUN)
  36. [Diagram: Peers behind FW/NAT, with STUN and TURN servers, and Signalling across the Internet] Traversal Using Relays around NAT
  39. [Diagram: Browsers]
  40. [Diagram: BeEF Server and Browsers]
  41. [Diagram: BeEF Server and Browsers]
  42. [Diagram: BeEF Server and Browsers]
  43. [Diagram: BeEF Server and Browsers]
  44. [Diagram: BeEF Server and Browser]
  46. [Diagram: Browsers]
