BeEF_EUSecWest-2012_Michele-Orru
![Page 1: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/1.jpg)
BeEF, the Browser Exploitation Framework
What’s new from 2011
EUSecWest - 19 Sept 2012
Michele “antisnatchor” Orru
![Page 2: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/2.jpg)
Who am I
• Lead core developer of BeEF
• Application Security Researcher
• OpenBSD, Ruby and Javascript addicted
• Senior Security Consultant @ Trustwave SpiderLabs
![Page 3: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/3.jpg)
Outline
• Brief intro to BeEF
• New core features:
• RESTful API, WebSockets, HTTPS
• New extensions:
• Evasion, Social Engineering
![Page 4: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/4.jpg)
Meet BeEF
• Browser Exploitation Framework
• Pioneered by Wade Alcorn in 2005
• Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.
• The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
![Page 5: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/5.jpg)
![Page 6: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/6.jpg)
![Page 7: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/7.jpg)
RESTful API
• The truth is:
• I hate SOAP
• I hate XML-RPC
• I love to use protocol (HTTP) features without reinventing the wheel
![Page 8: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/8.jpg)
RESTful API
Ruby + Sinatra + JSON

```ruby
# A Sinatra route: the block body is the HTTP response
get '/to/a/pub' do
  "BeER please"
end
```
![Page 9: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/9.jpg)
RESTful API
• Facts:
• programmatically control BeEF with whatever eats HTTP and JSON
• integration is much easier
• adding your custom logic is much easier
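The design the deck describes (JSON in, JSON out, an API token on the query string, anything that speaks HTTP can drive it) fits in a few dozen lines. The following is an added example, not BeEF's code and not Sinatra: it uses the bare Rack calling convention (`call(env)` returning `[status, headers, body]`) so it runs with the Ruby standard library alone. The `?token=` convention is assumed from the curl invocations later in the deck; the token value, the two routes and their responses are constructed for illustration.

```ruby
require 'json'
require 'stringio'

# Minimal Rack-style JSON API in the "Ruby + Sinatra + JSON" spirit of the deck.
# Added example, not BeEF's code: the token-in-query-string convention is only
# assumed from the curl invocations in the deck; the token value, the routes and
# their responses are constructed for illustration.
class JsonApi
  API_TOKEN = 'constructed-example-token'.freeze

  def initialize
    @routes = {} # { [METHOD, path] => handler }
  end

  # Register a route. The handler receives the parsed JSON body (nil when the
  # request had none) and returns a Ruby object that is serialised to JSON.
  def route(method, path, &handler)
    @routes[[method.to_s.upcase, path]] = handler
  end

  # Rack interface: takes an env Hash, returns [status, headers, body].
  # Every route sits behind the token check, so an unauthenticated caller
  # cannot even enumerate which paths exist.
  def call(env)
    return json(401, error: 'invalid or missing token') unless authorised?(env)

    handler = @routes[[env['REQUEST_METHOD'], env['PATH_INFO']]]
    return json(404, error: 'no such route') if handler.nil?

    body = parse_body(env)
    return json(400, error: 'malformed JSON body') if body == :invalid

    json(200, handler.call(body))
  end

  private

  # Compare the presented token with the real one in constant time, so the
  # response time does not reveal how many leading bytes of a guess matched.
  def authorised?(env)
    params = env['QUERY_STRING'].to_s.split('&').map { |kv|
      name, value = kv.split('=', 2)
      [name, value.to_s]
    }.to_h
    given = params['token'].to_s
    return false unless given.bytesize == API_TOKEN.bytesize
    given.bytes.zip(API_TOKEN.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  def parse_body(env)
    raw = env['rack.input'] ? env['rack.input'].read.to_s : ''
    return nil if raw.empty?
    JSON.parse(raw)
  rescue JSON::ParserError
    :invalid
  end

  def json(status, payload)
    [status, { 'Content-Type' => 'application/json; charset=UTF-8' }, [JSON.generate(payload)]]
  end
end

# An app with one read-only route and one route that consumes a JSON body.
def build_app
  app = JsonApi.new
  app.route(:get, '/api/hooks') { |_body| { hooked_browsers: [] } }
  app.route(:post, '/api/echo') { |body| { received: body } }
  app
end

# Drive the app the way a Rack server would; returns [status, parsed JSON].
def request(app, method, path, token: nil, body: nil)
  env = {
    'REQUEST_METHOD' => method.to_s.upcase,
    'PATH_INFO' => path,
    'QUERY_STRING' => token ? "token=#{token}" : '',
    'rack.input' => StringIO.new(body.to_s)
  }
  status, _headers, chunks = app.call(env)
  [status, JSON.parse(chunks.join)]
end

if __FILE__ == $PROGRAM_NAME
  app = build_app
  p request(app, :get, '/api/hooks', token: JsonApi::API_TOKEN)
  p request(app, :get, '/api/hooks', token: 'wrong')
end
```

The point to take from it as an operator or reviewer of such an API: the token check happens before routing, so a wrong token yields the same 401 for existing and non-existing paths, and the comparison is constant-time. An API that exposes full control of hooked browsers is only as safe as that one check.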
![Page 10: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/10.jpg)
RESTful API demo: Java mass-pwner
• Fingerprint hooked browsers
• Achieve different forms of persistence
• Inject an (unsigned) applet to determine exact JVM version/architecture/platform
• Inject a second applet to launch a targeted attack with a malicious payload
![Page 11: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/11.jpg)
WebSockets
• HTML5 specification introduces new features, including WebWorkers and WebSockets
• WebSockets enable (almost) real-time communication between your webapp users and the backend
• Streaming protocol, up to 2MB/message in latest browsers
![Page 12: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/12.jpg)
WebSockets
XHR-polling
![Page 13: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/13.jpg)
WebSockets
XHR-polling WebSocket
![Page 14: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/14.jpg)
WebSockets
• Server-side: event-based server
• Client-side: WebSocket (or MozWebSocket, damn prefixes #$%) objects exposed via Javascript
• If the victim browser supports the technology, protocols are switched
• Not (yet) enabled by default in BeEF: we’re still testing it
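The "protocols are switched" step is the RFC 6455 opening handshake: the client sends an ordinary HTTP GET carrying `Upgrade: websocket` and a random key, and the server answers `101 Switching Protocols` with an accept value derived from that key. The following is an added example, not BeEF's code; it implements the server side of that handshake and its validation checks. The request it parses is constructed here (its key is the one used in the RFC 6455 examples).

```ruby
require 'digest/sha1'

# Server side of the RFC 6455 opening handshake, the point at which the deck's
# "protocols are switched": a plain HTTP GET is upgraded to a WebSocket.
# Added example, not BeEF's code; the sample request below is constructed
# (its key is the one used in the RFC 6455 examples).
WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'.freeze

# Split a raw HTTP/1.1 request head into [request_line, headers]; header
# names are lower-cased so lookups are case-insensitive.
def parse_request_head(raw)
  lines = raw.split("\r\n")
  request_line = lines.shift.to_s
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers]
end

# Sec-WebSocket-Accept = base64(SHA-1(key + GUID)). Echoing it proves the
# endpoint actually speaks WebSocket rather than being a cache or proxy that
# replayed an unrelated 101 response.
def websocket_accept(key)
  [Digest::SHA1.digest(key + WS_GUID)].pack('m0')
end

# Validate the upgrade request. Returns [:switch, response_head] on success
# or [:reject, reason] when the request is not an acceptable handshake.
def handshake(raw_request)
  request_line, h = parse_request_head(raw_request)
  return [:reject, 'not a GET'] unless request_line.start_with?('GET ')
  return [:reject, 'missing Upgrade: websocket'] unless h['upgrade'].to_s.casecmp?('websocket')
  tokens = h['connection'].to_s.downcase.split(',').map(&:strip)
  return [:reject, 'missing Connection: Upgrade'] unless tokens.include?('upgrade')
  return [:reject, 'unsupported version'] unless h['sec-websocket-version'] == '13'

  key = h['sec-websocket-key'].to_s
  decoded = begin
    key.unpack1('m0') # strict base64; raises on malformed input
  rescue ArgumentError
    nil
  end
  return [:reject, 'bad Sec-WebSocket-Key'] unless decoded && decoded.bytesize == 16

  response = [
    'HTTP/1.1 101 Switching Protocols',
    'Upgrade: websocket',
    'Connection: Upgrade',
    "Sec-WebSocket-Accept: #{websocket_accept(key)}",
    '', ''
  ].join("\r\n")
  [:switch, response]
end

# Constructed upgrade request for the demonstration.
SAMPLE_UPGRADE = [
  'GET /ws HTTP/1.1',
  'Host: example.test',
  'Upgrade: websocket',
  'Connection: Upgrade',
  'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
  'Sec-WebSocket-Version: 13',
  '', ''
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  kind, payload = handshake(SAMPLE_UPGRADE)
  puts kind
  puts payload
end
```

For anyone watching traffic rather than generating it, this handshake is the one HTTP-visible moment of a WebSocket session: a proxy or IDS can log the `Upgrade` request and the `101` response even though the frames that follow are opaque to HTTP-level filters, which is exactly why the deck lists WebSockets under both speed and evasion.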
![Page 15: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/15.jpg)
WebSockets
• WebSockets open new horizons:
• faster Tunneling Proxy (10x faster)
• real-time VNC-like hooked browser control
• generally faster communication
![Page 16: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/16.jpg)
WebSockets demo
• BeEF Tunneling Proxy with and without WebSockets
• exploiting a SQLi with sqlmap through the tunneling proxy with WebSockets
![Page 17: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/17.jpg)
HTTPS/WSS
• BeEF supports HTTPS and WebSocketSecure, you just need to specify your certificate
• Motivation:
• STS support implemented in latest browsers (see Mixed Scripting)
• prevent filtering if an SSL-proxy is not used
![Page 18: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/18.jpg)
HTTPS/WSS
• About STS
• Strict Transport Security, meaning that:
• see http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
hooked domain: https://linkedin.com
BeEF: http://beef.com
The browser will deny loading a script from a non-https resource
![Page 19: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/19.jpg)
HTTPS/WSS
• About STS
• Strict Transport Security, meaning that:
• see http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html
hooked domain: https://linkedin.com
BeEF: https://beef.com
This will work!
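The two slides above lean on two browser behaviours: Strict Transport Security (RFC 6797), where a host that once sent a `Strict-Transport-Security` header over HTTPS has its later `http://` URLs rewritten to `https://` for `max-age` seconds, and the blocking of active mixed content, where an `https://` page refuses to run a script fetched over `http://`. The following is an added example, not BeEF's code and not a browser's, that models both so the "this will work" / "this will be denied" outcomes can be checked against concrete URLs. All hosts, header values and timestamps are constructed.

```ruby
require 'uri'

# Models two browser behaviours the deck relies on: Strict Transport Security
# (RFC 6797) and the blocking of active mixed content (an http:// script on
# an https:// page). Added example, not BeEF's code; sample values constructed.

# Parse a Strict-Transport-Security header into its directives.
# Returns nil when the header is invalid (no numeric max-age).
def parse_hsts(header)
  directives = {}
  header.split(';').each do |part|
    name, value = part.strip.split('=', 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = value.nil? ? true : value.delete('"')
  end
  return nil unless directives['max-age'].to_s =~ /\A\d+\z/
  { max_age: directives['max-age'].to_i, include_subdomains: directives.key?('includesubdomains') }
end

# In-memory HSTS policy store keyed by host, the way a browser keeps one.
class HstsStore
  def initialize
    @policies = {}
  end

  # Record a policy seen on an HTTPS response. Browsers ignore the header on
  # plain-HTTP responses (an attacker on the path could inject it), so that
  # case is dropped here too. Returns true when a policy was stored/removed.
  def observe(response_url, header, now:)
    uri = URI(response_url)
    return false unless uri.scheme == 'https'
    policy = parse_hsts(header)
    return false if policy.nil?
    if policy[:max_age].zero?
      @policies.delete(uri.host) # max-age=0 withdraws the policy
    else
      @policies[uri.host] = policy.merge(expires: now + policy[:max_age])
    end
    true
  end

  # Is the host covered by an unexpired policy? A parent-domain policy
  # applies only when it carries includeSubDomains.
  def covers?(host, now:)
    @policies.any? do |phost, policy|
      next false if now >= policy[:expires]
      host == phost || (policy[:include_subdomains] && host.end_with?('.' + phost))
    end
  end

  # Rewrite an http:// URL to https:// when a policy applies (port 80 becomes
  # the https default, other explicit ports are kept); otherwise unchanged.
  def upgrade(url, now:)
    uri = URI(url)
    return url unless uri.scheme == 'http' && covers?(uri.host, now: now)
    authority = uri.port == 80 ? uri.host : "#{uri.host}:#{uri.port}"
    path = uri.path.empty? ? '/' : uri.path
    "https://#{authority}#{path}#{uri.query ? "?#{uri.query}" : ''}"
  end
end

# Active mixed content: a script fetched over http:// into an https:// page
# is blocked outright; an https:// script on an https:// page is allowed.
def script_blocked?(page_url, script_url)
  URI(page_url).scheme == 'https' && URI(script_url).scheme == 'http'
end

if __FILE__ == $PROGRAM_NAME
  puts script_blocked?('https://linkedin.com/', 'http://beef.com/hook.js')  # denied
  puts script_blocked?('https://linkedin.com/', 'https://beef.com/hook.js') # allowed
end
```

Read from the defender's side, the model says two things: serving your own site with HSTS removes the plain-HTTP window a script injection would need, and mixed-content blocking means a hook served over plain HTTP cannot run inside an HTTPS page at all, which is why the deck's answer is to serve BeEF over HTTPS/WSS itself.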
![Page 20: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/20.jpg)
Evasion Extension
• Motivation:
• decrease the likelihood that the BeEF hook injection and communication will be detected
• by machines (network filters)
• by humans
![Page 21: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/21.jpg)
Evasion Extension
• define your own technique, specify if they need a bootstrapper
• define the technique chain
![Page 22: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/22.jpg)
Social Eng. extension
• The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate:
• sending phishing emails using templates,
• cloning webpages, harvesting credentials
• client-side pwnage
![Page 23: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/23.jpg)
AND... WE DID IT!
![Page 24: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/24.jpg)
Social Eng. extension
![Page 25: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/25.jpg)
Social Eng. extension: web_cloner
• Clone a webpage and serve it on BeEF, then automatically:
• modify the page to intercept POST requests
• add the BeEF hook to it
• if the page can be framed, after POST interception load the original page on an overlay iFrame, otherwise redirect to original page
![Page 26: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/26.jpg)
Social Eng. extension: web_cloner

```shell
curl -H "Content-Type: application/json; charset=UTF-8" \
  -d '{"url":"https://login.yahoo.com/config/login_verify2", "mount":"/"}' \
  -X POST 'http://<BeEF>/api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1'
```

• If you register loginyahoo.com, you can specify a mount point of /config/login_verify2, so the phishing URL will be (almost) the same
![Page 27: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/27.jpg)
Social Eng. extension: web_cloner
• Demo
![Page 28: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/28.jpg)
Social Eng. extension: mass_mailer
• Do your phishing email campaigns
• get a sample email from your target (with company footer...)
• copy the HTML content in a new BeEF email template
• download images so they will be added inline!
• add your malicious links/attachments
• send the mail to X targets and have fun
![Page 29: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/29.jpg)
Social Eng. extension: mass_mailer
• email templates structure
![Page 30: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/30.jpg)
Social Eng. extension: mass_mailer
• ‘default’ template HTML mail
![Page 31: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/31.jpg)
Social Eng. extension: mass_mailer
• how the ‘default’ template email will look
![Page 32: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/32.jpg)
Social Eng. extension: mass_mailer

```shell
curl -H "Content-Type: application/json; charset=UTF-8" -d 'body' -X POST 'http://<BeEF>/api/seng/send_mails?token=0fda00ea62a1102f'
```

where `body` is:

```json
{
  "template": "default",
  "subject": "Hi from BeEF",
  "fromname": "BeEF",
  "link": "http://www.microsoft.com/",
  "linktext": "http://beefproject.com",
  "recipients": [{ "[email protected]": "Michele", "[email protected]": "Antisnatchor" }]
}
```
![Page 33: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/33.jpg)
Social Eng. extension: mass_mailer
• Demo
![Page 34: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/34.jpg)
Social Eng. extension: Combine everything FTW
• Register your phishing domain
• Point the A/MX records to a VPS where you have an SMTP server and BeEF
• Create a BeEF RESTful API script that:
• clones a webpage with web_cloner
• sends X emails containing that link with mass_mailer
• Script intelligent attacks thanks to BeEF browser detection
![Page 35: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/35.jpg)
Unfortunately...
• There were so many changes from 2011 that we can’t cover them all in a one-hour talk
• Other interesting extensions: QRcode, CustomHook, Notification
• Other interesting core features: web imitation, cleaner/better code :D
• Tens of new modules: we now have 125 modules (and counting :-)
![Page 36: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/36.jpg)
Thanks
• Wade, for always being awesome
• The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather
• A few new project joiners: Bart Leppens, gallypette, Quentin Swain
• Tom Neaves for captain hook images :D
![Page 37: BeEF_EUSecWest-2012_Michele-Orru](https://reader034.vdocuments.mx/reader034/viewer/2022051816/54628dd5b1af9f71408b5160/html5/thumbnails/37.jpg)
Questions?