DEF CON 23 - Xntrik - hooked browser meshed networks with webRTC and BeEF

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
WebRTC
WebRTC
Carregando em…3
×

Confira estes a seguir

1 de 88 Anúncio
Anúncio

Mais Conteúdo rRelacionado

Semelhante a DEF CON 23 - Xntrik - hooked browser meshed networks with webRTC and BeEF (20)

Mais de Felipe Prado (20)

Anúncio

Mais recentes (20)

DEF CON 23 - Xntrik - hooked browser meshed networks with webRTC and BeEF

  1. Hooked Browser Meshed-Networks with WebRTC and BeEF. The sad tale of vegetarian browsers. Trigger warning: presentation includes JavaScript
  2. $ whoami • Christian Frichot • @xntrik • Co-Author of The Browser Hacker's Handbook • @beefproject developer. DEFCON 23 @xntrik Vegie Browsers
  3. (no text on slide)
  4. $ ./display_overview.sh
  5. JS, client-side testing & BeEF. Mooo
  6. Problems with browser communication channels
  7. How WebRTC can help. Plus: wth is WebRTC?
  8. Integrating WebRTC into BeEF. Plus Demo!
  9. $ ./lets_go. Unfortunately BeEF is written in Ruby and not #golang
  10. Client-side security testing
  11. Browser's explosive growth
  12. Attack surface growth
  13. Demise of thick-ish based browser tech
  14. $ killall flash. Who hasn't done this yet??
  15. $ brew install web2.0
  16. (no text on slide)
  17. WTF is browser hacking? $ ./initiate_pimp_mode.sh
  18. @antisnatchor (hates pants) @wadealcorn (likes pants)
  19. Attacks: Initiating Control, Retaining Control, Bypassing SOP, Attacking Users, Attacking Extensions, Attacking Users, Attacking Browsers, Attacking Plugins, Attacking Networks
  20. (same diagram, highlighting Retaining Control)
  21. $ ./beef
  22. $ cat beef | grep 'comm' • XMLHttpRequest • WebSockets • DNS
  23. $ vim core/main/client/net.js
  24. $ vim core/main/client/websocket.js
  25. $ vim core/main/client/net/dns.js
  26. (no text on slide)
  27. $ ./beef
  28. (no text on slide)
  29. $ cat solutions.txt
  30. (no text on slide)
  31. (no text on slide)
  32. (no text on slide)
  33. (no text on slide)
  34. (no text on slide)
  35. Or…
  36. (no text on slide)
  37. U mad?
  38. WebRTC is a free, open project that enables web browsers with Real-Time Communications (RTC) capabilities via simple JavaScript APIs. $ wget http://www.webrtc.org/ $ wget http://io13webrtc.appspot.com/
  39. $ ./webrtc_functions.sh • MediaStream • RTCPeerConnection • RTCDataChannel
  40. $ cat mediastream.js
  41. $ cat rtcpeerconnection.js
  42. $ cat rtcdatachannel.js
  43. $ cat cat.gif
  44. v=0 o=- 7614219274584779017 2 IN IP4 127.0.0.1 s=- t=0 0 a=group:BUNDLE audio video a=msid-semantic: WMS m=audio 1 RTP/SAVPF 111 103 104 0 8 107 106 105 13 126 c=IN IP4 0.0.0.0 a=rtcp:1 IN IP4 0.0.0.0 a=ice-ufrag:W2TGCZw2NZHuwlnf a=ice-pwd:xdQEccP40E+P0L5qTyzDgfmW a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level a=mid:audio a=rtcp-mux a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:9c1AHz27dZ9xPI91YNfSlI67/EMkjHHIHORiClQe
  45. $ cat modules/host/get_internal_ip_webrtc/command.js
  46. Signalling / Signalling / Media/Data
  47. Signalling / Signalling
  48. Signalling / Signalling / STUN / STUN. $ wget https://tools.ietf.org/html/rfc5389
  49. Signalling / Signalling / STUN / STUN / TURN / TURN / Media/Data. $ wget https://tools.ietf.org/html/rfc5766
  50. $ wget https://tools.ietf.org/html/rfc5245. Got ICE?
  51. $ touch the_scene.txt
  52. Step 1 - Hook Browsers (hook.js, hook.js)
  53. Step 2 - Initialise Beefwebrtc. You are the caller / You are the receiver (BeEF poll, BeEF poll)
  54. Step 3 - Caller sets up RTCPeerConnection. RTC offer and ICE candidates (Signalling)
  55. Step 4 - Receiver receives offer and begins ITS RTCPeerConnection. RTC offer and ICE candidates (BeEF poll)
  56. Step 5 - Receiver sends RTC answer and ITS ICE candidates. RTC answer and ICE candidates (Signalling)
  57. Step 6 - Caller receives RTC answer from its peer. RTC answer and ICE candidates (BeEF poll)
  58. Step 7 - Browsers establish peer connectivity via shared ICE candidates (RTCPeerConnection)
  59. Step 8 - Woot! iceConnectionState = connected / iceConnectionState = connected. Send 'okay' (RTCDataChannel)
  60. Still hooked? hook.js, hook.js (RTCDataChannel)
  61. !gostealth. hook.js (RTCDataChannel)
  62. $ curl /api/webrtc/cmdexec. hook.js (RTCDataChannel, command module)
  63. $ ./run_demo.sh. WORK IN PROGRESS
  64. (no text on slide)
  65. (no text on slide)
  66. (no text on slide)
  67. (no text on slide)
  68. (no text on slide)
  69. (no text on slide)
  70. $ cat issues.txt
  71. Issues with FF <-RTC-> Chrome
  72. (no text on slide)
  73. Reliability with using UDP RTCDataChannels?
  74. IE doesn't support WebRTC. $ curl http://iswebrtcreadyyet.com/
  75. But I is stuck? RTCDataChannel ????
  76. (no text on slide)
  77. (no text on slide)
  78. (no text on slide)
  79. $ vim todo.txt • Handle remote peers better (Integrate TURN into BeEF server?) • Handle peer termination better • Round-robin peers (?) • Further investigation into WebRTC enterprise network exfiltration
  80. $ cat thanks.txt • Wade, @antisnatchor and everyone who helps/ed with BeEF & The Browser Hacker's Handbook! • Asterisk Crew (@asteriskinfosec) • All you funny bastards on Twitter • Ten & Stel
  81. Qs?
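The offer on slide 44 is the payload that Steps 3 to 6 carry over the signalling channel, so it is worth being able to read one. The parser below is an added example, not code from the talk or from the BeEF project; its sample SDP is reconstructed from the slide's line-wrapped text, and the check it performs is one a defender would apply to any offer that passes through a signalling server they operate or inspect.

```javascript
// Added example (not from the talk or the BeEF project): parse the SDP offer from
// slide 44 and flag media keyed by SDES (a=crypto) instead of DTLS-SRTP (a=fingerprint).
const SAMPLE_SDP = [            // reconstructed from the slide's line-wrapped text
  "v=0",
  "o=- 7614219274584779017 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "a=group:BUNDLE audio video",
  "a=msid-semantic: WMS",
  "m=audio 1 RTP/SAVPF 111 103 104 0 8 107 106 105 13 126",
  "c=IN IP4 0.0.0.0",
  "a=rtcp:1 IN IP4 0.0.0.0",
  "a=ice-ufrag:W2TGCZw2NZHuwlnf",
  "a=ice-pwd:xdQEccP40E+P0L5qTyzDgfmW",
  "a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level",
  "a=mid:audio",
  "a=rtcp-mux",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:9c1AHz27dZ9xPI91YNfSlI67/EMkjHHIHORiClQe",
].join("\r\n");

// Split SDP (RFC 4566 "x=value" lines) into session-level fields and one object
// per m= section; attributes are kept as {name, value} pairs.
function parseSdp(sdp) {
  const session = { attrs: [] };
  const media = [];
  let cur = session;                        // section that a=/c= lines belong to
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.length < 2 || line[1] !== "=") continue;   // skip blank or garbled lines
    const type = line[0], value = line.slice(2);
    if (type === "m") {
      const [mtype, port, proto, ...formats] = value.split(" ");
      cur = { type: mtype, port: Number(port), proto, formats, attrs: [] };
      media.push(cur);
    } else if (type === "a") {
      const i = value.indexOf(":");
      cur.attrs.push(i < 0 ? { name: value, value: null }
                           : { name: value.slice(0, i), value: value.slice(i + 1) });
    } else if (type === "c") {
      cur.connection = value;
    }
  }
  return { session, media };
}

// Media sections whose SRTP key travels in the signalling channel (SDES) with no
// DTLS fingerprint: whoever can read the offer can read the key.
function sdesKeyedMedia(parsed) {
  const has = (m, n) => m.attrs.some(a => a.name === n);
  return parsed.media.filter(m => has(m, "crypto") && !has(m, "fingerprint")).map(m => m.type);
}
```

Current WebRTC (RFC 8827) requires DTLS-SRTP and forbids SDES, so an offer like the one on the slide would be rejected by a modern browser; the ICE ufrag and password it carries are likewise only as private as the signalling path that delivers them.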
