ground
play

GROUND CUTTING, DEVOURING AND DIGESTING THE LEGS OFF A BROWSER - PowerPoint PPT Presentation

Dec 27, 2023 •206 likes •584 views

GROUND CUTTING, DEVOURING AND DIGESTING THE LEGS OFF A BROWSER MICHELE ANTISNATCHOR ORRU, 18 NOV 2011 1 1 WHO AM I? Penetration Tester @ The Royal Bank of Scotland BeEF core developer: Tunneling Proxy, XssRays integration,

  1. GROUND CUTTING, DEVOURING AND DIGESTING THE LEGS OFF A BROWSER MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 1

  2. WHO AM I? ❖ Penetration Tester @ The Royal Bank of Scotland ❖ BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, new Thin+Rack migration, lot of bug-fixing, testing and fun ❖ Kubrick and Ruby fan ❖ Definitely not a fan of our Italian prime minister Silvio bunga-bunga Berlusconi ❖ @ antisnatchor ❖ http://antisnatchor.com MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 2 1 2

  3. Who Am I? ❖ Penetration Tester @ The Royal Bank of Scotland ❖ BeEF core developer: Tunneling Proxy, XssRays integration, various exploits, new Thin+Rack migra tion, lot of bug-fixing, testing and fun ❖ Kubrick and Ruby fan ❖ Definitely not a fan of our Italian prime minister Silvio bunga-bunga Berlusconi ❖ @ antisnatchor ❖ http://antisnatchor.com MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 3 1 3

  4. THE BROWSER NOWADAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 4 1 4

  5. REAL-LIFE XSS PWNING ❖ 2005: Samy worm ❖ 2006: Yamanner worm ❖ 2008 until now: multiple XSSs in B. Obama website ❖ 2010: Apache pwned through an XSS in JIRA ❖ 2010: stored XSS in Youtube , actively used ❖ 2011: multiple XSS on Google.com , even stored (11/09/2011 @totally_unknown) .... we could continue, but you get the idea.... MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 5 1 5

  6. WHAT THE HELL IS BEEF? ❖ BeEF : Browser Exploitation Framework ❖ Pioneered by Wade Alcorn in 2005 (public release) ❖ Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse . ❖ Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors . ❖ The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 6 1 6

  7. WHAT THE HELL IS BEEF? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 7 1 7

  8. CUTTING: TARGET ENUM AND ANALYSIS ❖ Lot of juicy information after first hook initialization : ❖ Browser/OS version ❖ Cookies ❖ Browser plugins ❖ Supported features (Google Gears, Web Sockets, Flash, Java, . .) ❖ Specific modules are also there to help ❖ Detect links/visited URLs ❖ Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖ Execute your custom Javascript MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 8 1 8

  9. CUTTING: TARGET ENUM AND ANALYSIS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 9 1 9

  10. DEVOURING: INTERNAL NETWORK FINGERPRINT ❖ Knowing the victim internal IP (through Java), the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. ❖ Modules: ❖ Ping Sweep ❖ DNS Enumeration ❖ Port Scanner: img tags/CORS/Websockets methods combined ❖ Network Fingerprint: img onload=function() { if (image width/height/path == deviceImageMapEntry) deviceXYZ@IP has been successfully found } MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 10 1 10

  11. DEVOURING: INTERNAL NETWORK FINGERPRINT ❖ Great presentations about Pwning internal networks with BeEF by Juan Galiana and Javier Marcos (BeEF developers now:-) http://nebula.indocisc.co.id/~za/owasp/appseceu2011/ JM%20del%20Prado%20&%20JG%20Lara%20-%20 Intranet%20Footprinting.pdf http://www.appsecusa.org/p/pwn.pdf ❖ BeEF and Intranet footprint video: http://www.youtube.com/watch?v=zOJ1LUfcv3k MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 11 1 11

  12. DEVOURING: EXPLOITING INTERNAL SERVICES ❖ Exploits/JbossJmxUploadExploit module ❖ JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) ❖ Then why not use the victim browser as a pivot? ❖ Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way... http://www.youtube.com/user/TheBeefproject#p/a/u/2/0n7qfvo_CMM MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 12 1 12

  13. DEVOURING: HOW TO ACHIEVE PERSISTENCE ❖ When the victim browse away from the page where the BeEF hook is executed, we loose the browser :-( MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 13 1 13

  14. DEVOURING: HOW TO ACHIEVE PERSISTENCE ❖ Create an overlay iFrame reloading the content of the page, while the BeEF hook will remain active in the background. Javascript keylogging is native in BeEF, and we also have a second module to enable keylogging in the iFrame (attaching events to it) ❖ MITB ( Man In The Browser ): code contribution by Mathias Karlsson ❖ As we control the DOM, we can alter anchors and forms to do something when the user wants to browse away by clicking on them. ❖ Thanks again to CORS abuse (we love HTML5 ;-) ❖ same-domain: history.push (user doesn’t see any modifications) ❖ cross-domain: window.open (new tab, but many links use target=”_blank” already -> no big deal) MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 14 1 14

  15. DEVOURING: MODULE AUTORUN ❖ We’ve ported back (from the old PHP version) the autorun feature ❖ Add autorun: true in the command module config.yaml that you want to autorun ❖ When a new browser will be hooked in BeEF, the module will be automatically launched ❖ Imagine adding autorun: true in Metasploit autopwn module (another feature ported back)... MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 15 1 15

  16. DIGESTING: TUNNELING PROXY ❖ Having a communication channel with the hooked browser, we can: ❖ Receive requests as a proxy on BeEF ❖ Translate these requests to XHRs (in-domain) and execute them in the hooked browser ❖ Parse the XHRs responses and send the data back through the proxy ❖ This approach works on the same-domain, but we have plans to port Erlend Oftedal’s malaRIA to BeEF to extend the tunneling proxy to cross-domain resources using Flash liberal cross-domain policies <allow-access-from domain="*" /> ...how many WebServers whit liberal cross-domain policy do you have in your internal network...??? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 16 1 16

  17. DIGESTING: TUNNELING PROXY ❖ Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ❖ browsing the authenticated surface of the hooked domain through the security context of the victim browser ( cookies are automatically added to XHRs with jQuery); ❖ spidering the hooked domain through the security context of the victim browser; ❖ finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ). ❖ BeEF tunneling proxy (for fun and profit) http://www.youtube.com/user/TheBeefproject#p/a/u/1/Z4cHyC3lowk MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 17 1 17

  18. DIGESTING: XSSRAYS ❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ❖ The XssRays BeEF extension allows you to check if links , forms and URI paths of the page where the browser is hooked are vulnerable to XSS . ❖ What XssRays does is basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path creating hidden iFrames . ❖ Who uses FrameBusting/X-Frame-Options out there :-)? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 18 1 18

  19. DIGESTING: XSSRAYS ❖ The original code by Gareth, from 2009, used a nice trick (the location.hash fragment ) in order to have a sort of callback between parent and child iFrames ❖ This is now patched by all recent browsers :-( ❖ AGAIN NO FUN..WTF? MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 19 1 19

  20. DIGESTING: XSSRAYS ❖ We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). ❖ No false positives (oh yes, that’s what I like)! ❖ Potential false-negatives as we blindly inject vectors (can be minimized adding more attack vectors that covers different scenarios) ❖ Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource . The following is an example value of that document.location.href: ✴ http://192.168.84.1:3000/ui/xssrays/rays? hbsess =ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eO fVpviNWYk9vi2q3kvZB& action =ray& raysid =3& p =http://192.168.84.128/dvwa/ vulnerabilities/xss_r/?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript %3E& n =Standard%20script%20injection%20double& m =GET MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 20 1 20

  21. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 21 1 21

  22. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 22 1 22

  23. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 23 1 23

  24. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 24 1 24

  25. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 25 1 25

  26. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 26 1 26

  27. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 27 1 27

  28. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 28 1 28

  29. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 29 1 29

  30. DIGESTING: XSSRAYS MICHELE “ANTISNATCHOR” ORRU’, 18 NOV 2011 1 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

5/12/2016 Ground Rules for Meetings Ground Rules for Meetings (contd) The ground rules for

5/12/2016 Ground Rules for Meetings Ground Rules for Meetings (contd) The ground rules for

5/12/2016 Ground Rules for Meetings Ground Rules for Meetings (contd) The ground rules for the workgroup meetings are simple, and designed 7. Speak one at a time in meetings, as recognized by the facilitator. to help the process forward

536 views • 27 slides
5/4/2016 Ground Rules for Meetings Ground Rules for Meetings (contd) The ground rules for the

5/4/2016 Ground Rules for Meetings Ground Rules for Meetings (contd) The ground rules for the

5/4/2016 Ground Rules for Meetings Ground Rules for Meetings (contd) The ground rules for the workgroup meetings are simple, and designed 7. Speak one at a time in meetings, as recognized by the facilitator. to help the process forward in

536 views • 8 slides
[SLIDE 1] Ground Water Evaluation Ground water can play a key role in affecting the timing and cost

[SLIDE 1] Ground Water Evaluation Ground water can play a key role in affecting the timing and cost

Ground Water Assessment [SLIDE 1] Ground Water Evaluation Ground water can play a key role in affecting the timing and cost associated with investigations at Voluntary Action Program properties. Taking the time to develop a well planned ground

176 views • 17 slides
1 Soil Impacts to Ground Water Investigating soil below the direct contact POC is essential *2

1 Soil Impacts to Ground Water Investigating soil below the direct contact POC is essential *2

Ground Water Assessment 1 I nvestigation and Protection OAC 3745-300-07 Certified Professional 8-Hour Training I nvestigating Ground Water: Discussion Topics 2 Conceptual Site Model Identification and Protection of Ground Water Zones

293 views • 16 slides
. Feet on the ground. Aiming for the stars. . Feet on the ground. Aiming for the stars. Best

. Feet on the ground. Aiming for the stars. . Feet on the ground. Aiming for the stars. Best

. Feet on the ground. Aiming for the stars. . Feet on the ground. Aiming for the stars. Best Batsman - Flynn Farrell Best Bowlers - Tyron Halpenny Best Fielder - Tom Fitzhenry Coaches award - Hayden Cockerill . Feet on the ground. Aiming for

309 views • 20 slides
1 Class B Class B Ground Water 11 Two criteria turn an otherwise Class A ground water into

1 Class B Class B Ground Water 11 Two criteria turn an otherwise Class A ground water into

Ground Water Classification 1 And Response Requirements OAC 3745-300-10 Certified Professional 8-Hour Training Ground Water Rule 2 Classification Urban setting designation Response requirements Ground Water Classification 3

300 views • 10 slides
1 HERMES HERMES Re-inventing Ground Re-inventing Ground Handling Handling 2 HERMES Created

1 HERMES HERMES Re-inventing Ground Re-inventing Ground Handling Handling 2 HERMES Created

1 HERMES HERMES Re-inventing Ground Re-inventing Ground Handling Handling 2 HERMES Created by Ground Handlers for Managing Ground Handling Operations 3 HERMES Local Customs Authority OUTBOUND / EXPORT CUSTOMS Electronic

1.07k views • 59 slides
DISCUSSION Leased oyster ground found to be in Public Ground. Newly found Chincoteague colored

DISCUSSION Leased oyster ground found to be in Public Ground. Newly found Chincoteague colored

DISCUSSION Leased oyster ground found to be in Public Ground. Newly found Chincoteague colored Public Ground (Baylor) chart shows 17 leases in Public Ground and 3 applications for oyster ground April 23, 2013 April 23, 2013 Constitution of

640 views • 7 slides
Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR

Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR

Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR GPS-DENIED LOCALIZATION OF AUTONOMOUS GROUND VEHICLES Calvin Cheung Stanley Baek U.S. Army Tank Department of Electrical and Computer Army

397 views • 15 slides
Dynamic Compaction Martin Larisch &amp; Tim Pervan INSERT DATE HERE Ground Improvement - What is

Dynamic Compaction Martin Larisch &amp; Tim Pervan INSERT DATE HERE Ground Improvement - What is

Ground Improvement Techniques: Dynamic Compaction Martin Larisch &amp; Tim Pervan INSERT DATE HERE Ground Improvement - What is it? Ground Improvement = Black Box? Ground Improvement - Introduction Ground Improvement Improve the existing

1.31k views • 76 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (5/8/07) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (5/8/07) I E S R C E O V U

Digital Systems Connectors II CMPE 650 Ground Continuity Underneath a Connector The following layout for a connector will not work properly at high speeds. 0.100 in. Ground layer Big hole in the ground plane Signal layer All signal return

399 views • 10 slides
GROUND ZERO SEO HOW TO ANALYZE YOUR SEO PROJECT BEFORE YOU GET STARTED What is Ground Zero SEO?

GROUND ZERO SEO HOW TO ANALYZE YOUR SEO PROJECT BEFORE YOU GET STARTED What is Ground Zero SEO?

GROUND ZERO SEO HOW TO ANALYZE YOUR SEO PROJECT BEFORE YOU GET STARTED What is Ground Zero SEO? My System of Analyzing an SEO project BEFORE I do anything! There are many questions you need to ask yourself that will determine the

407 views • 6 slides
Ground Water Classification [SLIDE 1] Ground Water Classification and Response Requirements Our

Ground Water Classification [SLIDE 1] Ground Water Classification and Response Requirements Our

Ground Water Classification [SLIDE 1] Ground Water Classification and Response Requirements Our discussion has now moved from the Phase II property assessment rule to the ground water rule, rule 3745 300 10 of the Ohio Administrative

131 views • 12 slides
GSCB-Workshop on Ground Segment Evolution Strategy N. Hanowski, EOP-G, Ground Segment and

GSCB-Workshop on Ground Segment Evolution Strategy N. Hanowski, EOP-G, Ground Segment and

GSCB-Workshop on Ground Segment Evolution Strategy N. Hanowski, EOP-G, Ground Segment and Operations Department, nicolaus.hanowski@esa.int 24 September 2015 ESA UNCLASSIFIED For Official Use - Slide 1 EO Ground Segment Evolution Strategy

324 views • 7 slides
Little Forest Burial Ground Scenario Little Forest Burial Ground Scenario Results Results

Little Forest Burial Ground Scenario Little Forest Burial Ground Scenario Results Results

Little Forest Burial Ground Scenario Little Forest Burial Ground Scenario Results Results September 2010, Vienna alph Code Participant Version CR sources CR distributions Soil Dist WT Database Techdoc 1616 Trunc L-normal ERICA CEH

575 views • 20 slides
Space Object Behaviors The View From the Ground 3/13/2019 1 3/13/2019 . . . antenna -

Space Object Behaviors The View From the Ground 3/13/2019 1 3/13/2019 . . . antenna -

Space Object Behaviors The View From the Ground 3/13/2019 1 3/13/2019 . . . antenna - pointing error thats proving difficult to fix . . . GEO Satellites Viewed from the Ground 3/13/2019 3 Ground Based Optical Observables Patent

151 views • 14 slides
OpenTag : Open Attribute Value Extraction From Product Profiles Guineng Zheng*, Subhabrata

OpenTag : Open Attribute Value Extraction From Product Profiles Guineng Zheng*, Subhabrata

OpenTag : Open Attribute Value Extraction From Product Profiles Guineng Zheng*, Subhabrata Mukherjee , Xin Luna Dong , FeiFei Li* Amazon.com, *University of Utah product KDD 2018 graph 1 Motivation Alexa , what are the flavors of

755 views • 42 slides
Working w ith more than one time series VISU AL IZIN G TIME SE R IE S DATA IN P YTH ON Thomas

Working w ith more than one time series VISU AL IZIN G TIME SE R IE S DATA IN P YTH ON Thomas

Working w ith more than one time series VISU AL IZIN G TIME SE R IE S DATA IN P YTH ON Thomas Vincent Head of Data Science , Ge y Images Working w ith m u ltiple time series An isolated time series A le w ith m u ltiple time series

505 views • 29 slides
The Panel Nicole Day Director of Programming, Communications, CADE nicole@cadefarms.org Chris

The Panel Nicole Day Director of Programming, Communications, CADE nicole@cadefarms.org Chris

The Panel Nicole Day Director of Programming, Communications, CADE nicole@cadefarms.org Chris Harmon Executive Director, CADE charmon@cadefarms.org Arion Thiboumery Lorentz Meats, Niche Meat Processor Assistance Network arion@iastate.edu

160 views • 5 slides
Progressive Interaction for Autonomous Entity Matching Ben McCamish, Arash Termehchy Oregon State

Progressive Interaction for Autonomous Entity Matching Ben McCamish, Arash Termehchy Oregon State

Progressive Interaction for Autonomous Entity Matching Ben McCamish, Arash Termehchy Oregon State University I nformation &amp; D ata Manag e ment and A nalytics Laboratory (IDEA) User interacts with local data source DBMS A DBMS B Products

604 views • 33 slides
More Examples Relative Prices (RP)? Consumers make decisions based on relative prices rather

More Examples Relative Prices (RP)? Consumers make decisions based on relative prices rather

Microeconomics and Macroeconomics What is microeconomics? Microeconomics deals with the behavior of individual consumers, households, and businesses. What is macroeconomics? Macroeconomics deals with national economic policy and

259 views • 5 slides
Markov decision process: Case example Optimal management of replacement heifers in beef herd

Markov decision process: Case example Optimal management of replacement heifers in beef herd

Markov decision process: Case example Optimal management of replacement heifers in beef herd Anna Helena Stygar Department of Department of Veterinary and Animal Sciences University of Copenhagen Polish beef industry Advanced quantitative

414 views • 37 slides
Wel elcome come Agenda 8:20 8:30 - Introduction 8:30 9:00 Overview of the US

Wel elcome come Agenda 8:20 8:30 - Introduction 8:30 9:00 Overview of the US

2/ 20/ 2018 Wel elcome come Agenda 8:20 8:30 - Introduction 8:30 9:00 Overview of the US Roundtable for Sustainable Beef 9:00 9:45 Overview of the Canadian Roundtable for Sustainable Beef. 9:45 10:15 Coffee Break

343 views • 18 slides
Ensuring Safety of Livestock Products Products Ensuring safety through (i) thorough feeding

Ensuring Safety of Livestock Products Products Ensuring safety through (i) thorough feeding

Livestock Ensuring Safety of Livestock Products Products Ensuring safety through (i) thorough feeding management in line with the new standard limits, (ii) testing of radioactive cesium, and (iii) restriction of distribution according to

345 views • 5 slides

More recommend