SlideShare a Scribd company logo

Hacking Browsers with the BeEF Framework

Michele Orru
Michele Orru

The document discusses the Browser Exploitation Framework (BeEF) tool in three parts - cutting, devouring, and digesting. It provides an overview of how BeEF can be used to enumerate and analyze hooked browser details, fingerprint internal networks, achieve persistence, and use the browser as a tunneling proxy to exploit vulnerabilities like cross-site scripting. The document promotes BeEF as a powerful way to abuse the security context of victim browsers for penetration testing purposes.

Technology
1 of 36
Download to read offline
N D O U G R CUTTING, DEVOURING AND DIGESTING THE LEGS OFF A BROWSER MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 1
WHO AM I? ❖Penetration Tester @ The Royal Bank of Scotland ❖BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, new Thin+Rack migration, lot of bug-fixing, testing and fun ❖Kubrick and Ruby fan ❖Definitely not a fan of our Italian prime minister Silvio bunga-bunga Berlusconi ❖@antisnatchor ❖http://antisnatchor.com MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 2 1 2
Who Am I? ❖ Penetration Tester @ The Royal Bank of Scotland ❖BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, new Thin+Rack migration, lot of bug-fixing, testing and fun ❖Kubrick and Ruby fan ❖Definitely not a fan of our Italian prime minister Silvio bunga-bunga Berlusconi ❖@antisnatchor ❖http://antisnatchor.com MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 3 1 3
THE BROWSER NOWADAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 4 1 4
REAL-LIFE XSS PWNING ❖2005: Samy worm ❖2006: Yamanner worm ❖2008 until now: multiple XSSs in B. Obama website ❖2010: Apache pwned through an XSS in JIRA ❖2010: stored XSS in Youtube, actively used ❖2011: multiple XSS on Google.com, even stored (11/09/2011 @totally_unknown) .... we could continue, but you get the idea.... MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 5 1 5
WHAT THE HELL IS BEEF? ❖ BeEF: Browser Exploitation Framework ❖Pioneered by Wade Alcorn in 2005 (public release) ❖Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse. ❖Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. ❖ The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 6 1 6
WHAT THE HELL IS BEEF? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 7 1 7
CUTTING: TARGET ENUM AND ANALYSIS ❖ Lot of juicy information after first hook initialization : ❖Browser/OS version ❖Cookies ❖Browser plugins ❖Supported features (Google Gears, Web Sockets, Flash, Java, . .) ❖Specific modules are also there to help ❖Detect links/visited URLs ❖Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖Execute your custom Javascript MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 8 1 8
CUTTING: TARGET ENUM AND ANALYSIS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 9 1 9
DEVOURING: INTERNAL NETWORK FINGERPRINT ❖Knowing the victim internal IP (through Java), the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. ❖Modules: ❖ Ping Sweep ❖ DNS Enumeration ❖ Port Scanner: img tags/CORS/Websockets methods combined ❖ Network Fingerprint: img onload=function() { if (image width/height/path == deviceImageMapEntry) deviceXYZ@IP has been successfully found } MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 10 1 10
DEVOURING: INTERNAL NETWORK FINGERPRINT ❖ Great presentations about Pwning internal networks with BeEF by Juan Galiana and Javier Marcos (BeEF developers now:-) http://nebula.indocisc.co.id/~za/owasp/appseceu2011/ JM%20del%20Prado%20&%20JG%20Lara%20-%20 Intranet%20Footprinting.pdf http://www.appsecusa.org/p/pwn.pdf ❖ BeEF and Intranet footprint video: http://www.youtube.com/watch?v=zOJ1LUfcv3k MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 11 1 11
DEVOURING: EXPLOITING INTERNAL SERVICES ❖Exploits/JbossJmxUploadExploit module ❖JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) ❖Then why not use the victim browser as a pivot? ❖Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way... http://www.youtube.com/user/TheBeefproject#p/a/u/2/0n7qfvo_CMM MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 12 1 12
DEVOURING: HOW TO ACHIEVE PERSISTENCE ❖ When the victim browse away from the page where the BeEF hook is executed, we loose the browser :-( MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 13 1 13
DEVOURING: HOW TO ACHIEVE PERSISTENCE ❖Create an overlay iFrame reloading the content of the page, while the BeEF hook will remain active in the background. Javascript keylogging is native in BeEF, and we also have a second module to enable keylogging in the iFrame (attaching events to it) ❖MITB (Man In The Browser): code contribution by Mathias Karlsson ❖As we control the DOM, we can alter anchors and forms to do something when the user wants to browse away by clicking on them. ❖Thanks again to CORS abuse (we love HTML5 ;-) ❖same-domain: history.push (user doesn’t see any modifications) ❖cross-domain: window.open (new tab, but many links use target=”_blank” already -> no big deal) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 14 1 14
DEVOURING: MODULE AUTORUN ❖ We’ve ported back (from the old PHP version) the autorun feature ❖Add autorun: true in the command module config.yaml that you want to autorun ❖When a new browser will be hooked in BeEF, the module will be automatically launched ❖Imagine adding autorun: true in Metasploit autopwn module (another feature ported back)... MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 15 1 15
DIGESTING: TUNNELING PROXY ❖Having a communication channel with the hooked browser, we can: ❖Receive requests as a proxy on BeEF ❖Translate these requests to XHRs (in-domain) and execute them in the hooked browser ❖Parse the XHRs responses and send the data back through the proxy ❖ This approach works on the same-domain, but we have plans to port Erlend Oftedal’s malaRIA to BeEF to extend the tunneling proxy to cross-domain resources using Flash liberal cross-domain policies <allow-access-from domain="*" /> ...how many WebServers whit liberal cross-domain policy do you have in your internal network...??? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 16 1 16
DIGESTING: TUNNELING PROXY ❖Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ❖browsing the authenticated surface of the hooked domain through the security context of the victim browser (cookies are automatically added to XHRs with jQuery); ❖spidering the hooked domain through the security context of the victim browser; ❖finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ). ❖BeEF tunneling proxy (for fun and profit) http://www.youtube.com/user/TheBeefproject#p/a/u/1/Z4cHyC3lowk MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 17 1 17
DIGESTING: XSSRAYS ❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ❖ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS. ❖What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path creating hidden iFrames. ❖Who uses FrameBusting/X-Frame-Options out there :-)? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 18 1 18
DIGESTING: XSSRAYS ❖The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames ❖This is now patched by all recent browsers :-( ❖AGAIN NO FUN..WTF? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 19 1 19
DIGESTING: XSSRAYS ❖We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). ❖No false positives (oh yes, that’s what I like)! ❖Potential false-negatives as we blindly inject vectors (can be minimized adding more attack vectors that covers different scenarios) ❖Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource. The following is an example value of that document.location.href: ✴http://192.168.84.1:3000/ui/xssrays/rays? hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eO fVpviNWYk9vi2q3kvZB&action=ray&raysid=3&p=http://192.168.84.128/dvwa/ vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript %3E&n=Standard%20script%20injection%20double&m=GET MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 20 1 20
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 21 1 21
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 22 1 22
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 23 1 23
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 24 1 24
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 25 1 25
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 26 1 26
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 27 1 27
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 28 1 28
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 29 1 29
DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 30
DIGESTING: XSSRAYS It works also cross-domain (respecting the SOP) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 31
FUTURE DEV AND IDEAS ❖Optimize the core for performance (migration to Thin done ;-) ❖Obfuscation, polymorphism and URL randomization (yes, sysadmins are already detecting BeEF with regex ;-) ❖Improve XssRays (more attack vectors, add JS depth crawler) ❖Check for time-based blind SQLi cross-domain via JS ❖Improve the BeEF console (command line UI) ❖...and many more... ❖Well...take a look here: http://code.google.com/p/beef/issues/list MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 32 1 32
GET IN TOUCH WITH US ❖Follow the BeEF: @beefproject ❖Checkout BeEF: http://code.google.com/p/beef/ ❖Check our website: http://beefproject.com ❖Have fun with it ❖We’re hiring!!! MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 33 1 33
GET IN TOUCH WITH US ❖Follow the BeEF: @beefproject ❖Checkout BeEF: http://code.google.com/p/beef/ ❖Check our website: http://beefproject.com ❖Have fun with it ❖We’re hiring!!! (Please note: we’ll not pay you. You know we love OpenSource :-) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 34 1 34
THANKS TO ❖Wade Alcorn and the other BeEF ninjas: ❖Ben, ❖Scotty, ❖Christian, ❖Brendan, ❖Saafan, ❖Juan, ❖Javier ❖My colleagues Piotr & Michal ❖My employer ❖DeepSec crew and you attendees MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 35 1 35
THANKS FOR YOUR TIME QUESTIONS? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 36 1 36

Recommended

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Stickybits & altoids (12.1.10)
Stickybits & altoids (12.1.10)Stickybits & altoids (12.1.10)
Stickybits & altoids (12.1.10)Steve Schlafman
 
Stickybits + Altoids Case Study Dec 2010
Stickybits + Altoids Case Study Dec 2010Stickybits + Altoids Case Study Dec 2010
Stickybits + Altoids Case Study Dec 2010Steve Schlafman
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFMichele Orru
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 

Recommended

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Stickybits & altoids (12.1.10)
Stickybits & altoids (12.1.10)Stickybits & altoids (12.1.10)
Stickybits & altoids (12.1.10)Steve Schlafman
 
Stickybits + Altoids Case Study Dec 2010
Stickybits + Altoids Case Study Dec 2010Stickybits + Altoids Case Study Dec 2010
Stickybits + Altoids Case Study Dec 2010Steve Schlafman
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFMichele Orru
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Dakiry
 
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)Julio Javier Cicchelli
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...Codemotion Tel Aviv
 
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny ThingsMy Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny ThingsSascha Wolter
 
An introduction to honeyclient technology
An introduction to honeyclient technologyAn introduction to honeyclient technology
An introduction to honeyclient technologyAngelo Dell'Aera
 
Vn-info meetup on Node.js
Vn-info meetup on Node.jsVn-info meetup on Node.js
Vn-info meetup on Node.jsSon Nguyen Kim
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefDefconRussia
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...The Linux Foundation
 
P05-slides
P05-slidesP05-slides
P05-slidesIsaac (.ike) Levy
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop worldOWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop worldOWASP
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Webtech 17.11.2009
Webtech 17.11.2009Webtech 17.11.2009
Webtech 17.11.2009Patrick Lauke
 
hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 
Ht w23
Ht w23Ht w23
Ht w23SelectedPresentations
 
Brian Hogg - Web Apps using HTML5 and JS
Brian Hogg - Web Apps using HTML5 and JSBrian Hogg - Web Apps using HTML5 and JS
Brian Hogg - Web Apps using HTML5 and JS#DevTO
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 

More Related Content

Similar to Hacking Browsers with the BeEF Framework

Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Dakiry
 
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)Julio Javier Cicchelli
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...Codemotion Tel Aviv
 
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny ThingsMy Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny ThingsSascha Wolter
 
An introduction to honeyclient technology
An introduction to honeyclient technologyAn introduction to honeyclient technology
An introduction to honeyclient technologyAngelo Dell'Aera
 
Vn-info meetup on Node.js
Vn-info meetup on Node.jsVn-info meetup on Node.js
Vn-info meetup on Node.jsSon Nguyen Kim
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefDefconRussia
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...The Linux Foundation
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop worldOWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop worldOWASP
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 
Brian Hogg - Web Apps using HTML5 and JS
Brian Hogg - Web Apps using HTML5 and JSBrian Hogg - Web Apps using HTML5 and JS
Brian Hogg - Web Apps using HTML5 and JS#DevTO
 

Similar to Hacking Browsers with the BeEF Framework (20)

Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
Єгор Попович, CTO @Tesseract, (Lviv, Ukraine) "Blockchain user: myth or reali...
 
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
Pronounced S-pro-ut-Co-re (Introduction to SproutCore)
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
My Minecraft Smart Home: Prototyping the internet of uncanny things - Sascha ...
 
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny ThingsMy Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
My Minecraft-Smart-Home: Prototyping the Internet of Uncanny Things
 
An introduction to honeyclient technology
An introduction to honeyclient technologyAn introduction to honeyclient technology
An introduction to honeyclient technology
 
Vn-info meetup on Node.js
Vn-info meetup on Node.jsVn-info meetup on Node.js
Vn-info meetup on Node.js
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
 
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
XPDDS18: Unleashing the Power of Unikernels with Unikraft - Florian Schmidt, ...
 
P05-slides
P05-slidesP05-slides
P05-slides
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop worldOWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
OWASP Poland Day 2018 - Luca Carettoni - Web security in desktop world
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Webtech 17.11.2009
Webtech 17.11.2009Webtech 17.11.2009
Webtech 17.11.2009
 
hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011
 
Ht w23
Ht w23Ht w23
Ht w23
 
Brian Hogg - Web Apps using HTML5 and JS
Brian Hogg - Web Apps using HTML5 and JSBrian Hogg - Web Apps using HTML5 and JS
Brian Hogg - Web Apps using HTML5 and JS
 

More from Michele Orru

Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 

More from Michele Orru (6)

Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Hacking Browsers with the BeEF Framework

  • 1. N D O U G R CUTTING, DEVOURING AND DIGESTING THE LEGS OFF A BROWSER MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 1
  • 2. WHO AM I? ❖Penetration Tester @ The Royal Bank of Scotland ❖BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, new Thin+Rack migration, lot of bug-fixing, testing and fun ❖Kubrick and Ruby fan ❖Definitely not a fan of our Italian prime minister Silvio bunga-bunga Berlusconi ❖@antisnatchor ❖http://antisnatchor.com MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 2 1 2
  • 3. Who Am I? ❖ Penetration Tester @ The Royal Bank of Scotland ❖BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, new Thin+Rack migration, lot of bug-fixing, testing and fun ❖Kubrick and Ruby fan ❖Definitely not a fan of our Italian prime minister Silvio bunga-bunga Berlusconi ❖@antisnatchor ❖http://antisnatchor.com MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 3 1 3
  • 4. THE BROWSER NOWADAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 4 1 4
  • 5. REAL-LIFE XSS PWNING ❖2005: Samy worm ❖2006: Yamanner worm ❖2008 until now: multiple XSSs in B. Obama website ❖2010: Apache pwned through an XSS in JIRA ❖2010: stored XSS in Youtube, actively used ❖2011: multiple XSS on Google.com, even stored (11/09/2011 @totally_unknown) .... we could continue, but you get the idea.... MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 5 1 5
  • 6. WHAT THE HELL IS BEEF? ❖ BeEF: Browser Exploitation Framework ❖Pioneered by Wade Alcorn in 2005 (public release) ❖Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse. ❖Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. ❖ The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 6 1 6
  • 7. WHAT THE HELL IS BEEF? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 7 1 7
  • 8. CUTTING: TARGET ENUM AND ANALYSIS ❖ Lot of juicy information after first hook initialization : ❖Browser/OS version ❖Cookies ❖Browser plugins ❖Supported features (Google Gears, Web Sockets, Flash, Java, . .) ❖Specific modules are also there to help ❖Detect links/visited URLs ❖Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖Execute your custom Javascript MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 8 1 8
  • 9. CUTTING: TARGET ENUM AND ANALYSIS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 9 1 9
  • 10. DEVOURING: INTERNAL NETWORK FINGERPRINT ❖Knowing the victim internal IP (through Java), the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. ❖Modules: ❖ Ping Sweep ❖ DNS Enumeration ❖ Port Scanner: img tags/CORS/Websockets methods combined ❖ Network Fingerprint: img onload=function() { if (image width/height/path == deviceImageMapEntry) deviceXYZ@IP has been successfully found } MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 10 1 10
  • 11. DEVOURING: INTERNAL NETWORK FINGERPRINT ❖ Great presentations about Pwning internal networks with BeEF by Juan Galiana and Javier Marcos (BeEF developers now:-) http://nebula.indocisc.co.id/~za/owasp/appseceu2011/ JM%20del%20Prado%20&%20JG%20Lara%20-%20 Intranet%20Footprinting.pdf http://www.appsecusa.org/p/pwn.pdf ❖ BeEF and Intranet footprint video: http://www.youtube.com/watch?v=zOJ1LUfcv3k MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 11 1 11
  • 12. DEVOURING: EXPLOITING INTERNAL SERVICES ❖Exploits/JbossJmxUploadExploit module ❖JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) ❖Then why not use the victim browser as a pivot? ❖Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way... http://www.youtube.com/user/TheBeefproject#p/a/u/2/0n7qfvo_CMM MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 12 1 12
  • 13. DEVOURING: HOW TO ACHIEVE PERSISTENCE ❖ When the victim browse away from the page where the BeEF hook is executed, we loose the browser :-( MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 13 1 13
  • 14. DEVOURING: HOW TO ACHIEVE PERSISTENCE ❖Create an overlay iFrame reloading the content of the page, while the BeEF hook will remain active in the background. Javascript keylogging is native in BeEF, and we also have a second module to enable keylogging in the iFrame (attaching events to it) ❖MITB (Man In The Browser): code contribution by Mathias Karlsson ❖As we control the DOM, we can alter anchors and forms to do something when the user wants to browse away by clicking on them. ❖Thanks again to CORS abuse (we love HTML5 ;-) ❖same-domain: history.push (user doesn’t see any modifications) ❖cross-domain: window.open (new tab, but many links use target=”_blank” already -> no big deal) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 14 1 14
  • 15. DEVOURING: MODULE AUTORUN ❖ We’ve ported back (from the old PHP version) the autorun feature ❖Add autorun: true in the command module config.yaml that you want to autorun ❖When a new browser will be hooked in BeEF, the module will be automatically launched ❖Imagine adding autorun: true in Metasploit autopwn module (another feature ported back)... MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 15 1 15
  • 16. DIGESTING: TUNNELING PROXY ❖Having a communication channel with the hooked browser, we can: ❖Receive requests as a proxy on BeEF ❖Translate these requests to XHRs (in-domain) and execute them in the hooked browser ❖Parse the XHRs responses and send the data back through the proxy ❖ This approach works on the same-domain, but we have plans to port Erlend Oftedal’s malaRIA to BeEF to extend the tunneling proxy to cross-domain resources using Flash liberal cross-domain policies <allow-access-from domain="*" /> ...how many WebServers whit liberal cross-domain policy do you have in your internal network...??? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 16 1 16
  • 17. DIGESTING: TUNNELING PROXY ❖Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ❖browsing the authenticated surface of the hooked domain through the security context of the victim browser (cookies are automatically added to XHRs with jQuery); ❖spidering the hooked domain through the security context of the victim browser; ❖finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ). ❖BeEF tunneling proxy (for fun and profit) http://www.youtube.com/user/TheBeefproject#p/a/u/1/Z4cHyC3lowk MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 17 1 17
  • 18. DIGESTING: XSSRAYS ❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ❖ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS. ❖What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path creating hidden iFrames. ❖Who uses FrameBusting/X-Frame-Options out there :-)? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 18 1 18
  • 19. DIGESTING: XSSRAYS ❖The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames ❖This is now patched by all recent browsers :-( ❖AGAIN NO FUN..WTF? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 19 1 19
  • 20. DIGESTING: XSSRAYS ❖We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). ❖No false positives (oh yes, that’s what I like)! ❖Potential false-negatives as we blindly inject vectors (can be minimized adding more attack vectors that covers different scenarios) ❖Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource. The following is an example value of that document.location.href: ✴http://192.168.84.1:3000/ui/xssrays/rays? hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eO fVpviNWYk9vi2q3kvZB&action=ray&raysid=3&p=http://192.168.84.128/dvwa/ vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript %3E&n=Standard%20script%20injection%20double&m=GET MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 20 1 20
  • 21. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 21 1 21
  • 22. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 22 1 22
  • 23. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 23 1 23
  • 24. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 24 1 24
  • 25. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 25 1 25
  • 26. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 26 1 26
  • 27. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 27 1 27
  • 28. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 28 1 28
  • 29. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 29 1 29
  • 30. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 30
  • 31. DIGESTING: XSSRAYS It works also cross-domain (respecting the SOP) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 31
  • 32. FUTURE DEV AND IDEAS ❖Optimize the core for performance (migration to Thin done ;-) ❖Obfuscation, polymorphism and URL randomization (yes, sysadmins are already detecting BeEF with regex ;-) ❖Improve XssRays (more attack vectors, add JS depth crawler) ❖Check for time-based blind SQLi cross-domain via JS ❖Improve the BeEF console (command line UI) ❖...and many more... ❖Well...take a look here: http://code.google.com/p/beef/issues/list MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 32 1 32
  • 33. GET IN TOUCH WITH US ❖Follow the BeEF: @beefproject ❖Checkout BeEF: http://code.google.com/p/beef/ ❖Check our website: http://beefproject.com ❖Have fun with it ❖We’re hiring!!! MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 33 1 33
  • 34. GET IN TOUCH WITH US ❖Follow the BeEF: @beefproject ❖Checkout BeEF: http://code.google.com/p/beef/ ❖Check our website: http://beefproject.com ❖Have fun with it ❖We’re hiring!!! (Please note: we’ll not pay you. You know we love OpenSource :-) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 34 1 34
  • 35. THANKS TO ❖Wade Alcorn and the other BeEF ninjas: ❖Ben, ❖Scotty, ❖Christian, ❖Brendan, ❖Saafan, ❖Juan, ❖Javier ❖My colleagues Piotr & Michal ❖My employer ❖DeepSec crew and you attendees MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 35 1 35
  • 36. THANKS FOR YOUR TIME QUESTIONS? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 36 1 36