I'm the butcher would you like some BeEF


Posted on 12-Nov-2014






Recently a lot of focus in BeEF has been on developing cool new features that help the day-to-day job of a social engineer, hereafter known as The Butcher. We have been working very hard and secretively in the last months to widen our range of meaty goods within the Browser Exploitation Framework. During this talk we will release new modules and extensions specifically aimed at automating the technical parts of a social engineering attack. Employing techniques that are currently used is great; however, The Butcher wishes to impart knowledge upon the attendees regarding new techniques that employ successful vectors targeting different browsers within different security contexts. After introducing people to the project who may never have heard of it before, we will be sharing information about real social engineering / penetration testing work that we have done recently and how we have advanced BeEF to achieve maximum coverage. This includes:

- Website Cloning: but you haven't seen it like this before!
- Email Spoofing: mass email, easy.
- Browser Control / Pwnage Automation: control BeEF programmatically using the RESTful API.


1. I'm the Butcher, would you like some BeEF? 7th Sept 2012 - London. Michele "antisnatchor" Orru, Thomas MacKenzie
2. Who are we: Michele Orru (The Butcher), Thomas MacKenzie (The Meat)
3. Outline: A Social Engineering real story; BeEF intro; The new BeEF Social Engineering extension; Having fun with the RESTful API
4. Social Engineering: "Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information." - Grandfather of all knowledge (Wikipedia).
5. Our Mission... Tasked with gathering as many usernames and passwords as possible in a small amount of time. Tried calling and pretending to be a person of authority, but awareness seemed to be higher.
6. So... We heard great things about S.E.T. Decided to use that to clone the website (but found some bugs and limitations that almost made it unusable).
7. Mass-Mailer: With the help of a colleague we then created a basic mass-mailer that used personalization, HTML, pictures and had the ability to spoof the domain name (thanks to their SMTP server settings :-)
8. We Won
9. But the IT Admin was like... DO NOT CLICK ON THAT LINK
10. We then said (sending another email)... DO CLICK ON THAT LINK
11. AND... WE WON AGAIN!
12. But... We thought we could do it better and integrate some awesome client-side exploitation whilst we were at it...
13. Meet BeEF: Browser Exploitation Framework. Pioneered by Wade Alcorn in 2005. Powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse. The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
14. (image slide)
15. (image slide)
16. Meet BeEF: Demo
17. Social Eng. extension: The idea was to have some BeEF functionality that can be called via the RESTful API, in order to automate: sending phishing emails using templates; cloning webpages; harvesting credentials; client-side pwnage
18. AND... WE DID IT!
19. Social Eng. extension
20. BeEF web_cloner: Clone a webpage and serve it on BeEF, then automatically: modify the page to intercept POST requests; add the BeEF hook to it; if the page can be framed, after POST interception load the original page in an overlay iFrame, otherwise redirect to the original page
21. BeEF web_cloner:

       curl -H "Content-Type: application/json; charset=UTF-8" -d '{"url":"https://login.yahoo.com/config/login_verify2", "mount":"/"}' -X POST "http:///api/seng/clone_page?token=53921d2736116dbd86f8f7f7f10e46f1"

    If you register loginyahoo.com, you can specify a mount point of /config/login_verify2, so the phishing URL will be (almost) the same.
22. BeEF web_cloner: Demo
23. BeEF mass_mailer: Do your phishing email campaigns: get a sample email from your target (with company footer...); copy the HTML content into a new BeEF email template; download images so they will be added inline!; add your malicious links/attachments; send the mail to X targets and have fun
24. BeEF mass_mailer: email templates structure
25. BeEF mass_mailer: default template HTML mail
26. BeEF mass_mailer: how the default template email will look
27. BeEF mass_mailer:

       body='{ "template": "default", "subject": "Hi from BeEF", "fromname": "BeEF", "link": "http://www.microsoft.com/", "linktext": "http://beefproject.com", "recipients": [{ "user1@gmail.com": "Michele", "user2@antisnatchor.com": "Antisnatchor"}] }'
       curl -H "Content-Type: application/json; charset=UTF-8" -d "$body" -X POST "http:///api/seng/send_mails?token=0fda00ea62a1102f"

28. BeEF mass_mailer: Demo
29. Combine everything FTW: Register your phishing domain; Point the A/MX records to a VPS where you have an SMTP server and BeEF; Create a BeEF RESTful API script that: clones a webpage link with web_cloner, sends X emails with that link with mass_mailer, scripts intelligent attacks thanks to BeEF browser detection
30. Combine everything FTW: Last demo
31. BeEF web_cloner + mass_mailer + RESTful API = (image slide)
32. Thanks: Wade for always being awesome; The other BeEF guys: Brendan, Christian, Ben, Saafan, Ryan, Heather; A few new project joiners: Bart Leppens, gallypette, Quentin Swain; Tom Neaves for the butcher/hook images :D
33. Questions?
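The defender's counterpart to slide 20's "if the page can be framed" branch, added here as an example (not BeEF code): given the response headers of a login page, it reports whether browsers will let that page be loaded inside a third-party iframe, which is exactly what decides between the overlay-iFrame behaviour and the redirect fallback described above. Every header set in the block is constructed.

```python
"""Do these response headers let a login page be shown in a third-party
iframe? That is the property slide 20 keys on: frameable pages get the
overlay-iFrame treatment after POST interception, protected ones a redirect.
Added example, not BeEF code; all header sets below are constructed."""
from typing import Dict, List, Optional

BLOCKED = "blocked"        # no origin may frame the page
RESTRICTED = "restricted"  # same-origin or an explicit allow-list only
FRAMEABLE = "frameable"    # any origin, including a look-alike domain


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Sources of the frame-ancestors directive, or None if it is absent.
    An empty list (directive present, no sources) is treated like 'none'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Header names match case-insensitively. CSP frame-ancestors overrides
    X-Frame-Options when both exist; a Report-Only policy enforces nothing,
    so it is deliberately ignored."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["none"]:
            return BLOCKED
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return FRAMEABLE  # wildcard / scheme-only sources admit everyone
        return RESTRICTED     # 'self' or a list of trusted origins
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return BLOCKED
    if xfo == "SAMEORIGIN":
        return RESTRICTED
    # No header, or legacy ALLOW-FROM (never implemented by Chromium/Safari).
    return FRAMEABLE


if __name__ == "__main__":  # constructed responses, not captured from any site
    for name, hdrs in {
        "no policy": {"Content-Type": "text/html"},
        "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    }.items():
        print(f"{name:12s} -> {framing_policy(hdrs)}")
```

Only a login page that comes back as "blocked" (or "restricted", for anything but a same-origin attacker) defeats the overlay step; a Report-Only policy or a bare ALLOW-FROM leaves it frameable.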