advances in beef - athcon2012
TRANSCRIPT
RESTful API, WebSockets, XssRays
Advances in BeEF
2012 - Athens - 4 May 2012
Michele “antisnatchor” Orru’
Saturday, May 5, 12
Who am I?
- Senior Security Consultant @ TW SpiderLabs - BeEF lead core developer- Application Security researcher- OpenBSD, Ruby and Javascript addict
- @antisnatchor- http://antisnatchor.com
Saturday, May 5, 12
What is BeEF?
Browser Exploitation Framework
Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse.
The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
Saturday, May 5, 12
What is BeEF?
Saturday, May 5, 12
Outline
Saturday, May 5, 12
Outline
1. The need to be RESTful: the new APIII. The need to be speedy: WebSockets supportIII. I want more XSSs: XssRays enhancementsIV. demos and fun :D
Saturday, May 5, 12
The need to be RESTful
- I hate SOAP- I hate XML-RPC- I love to use protocol (HTTP) features without reinventing the wheel
Saturday, May 5, 12
The need to be RESTful
Ruby + Sinatra + JSON = WIN
get ‘/to/a/pub’“BeER please”
end
Saturday, May 5, 12
- programmatically control BeEF with whatever eats HTTP and JSON (bash + curl?)
- facilitate integration with third tools (ZAP?)
- create your own custom UI/GUI (mobile?)
The need to be RESTful
Saturday, May 5, 12
More info: - http://blog.beefproject.com/2012/03/restful-api-from-antisnatchor-with-love.html - http://blog.beefproject.com/2012/03/restful-api-demo.html
Read the doc, you lazy! - https://github.com/beefproject/beef/wiki/BeEF-RESTful-API
The need to be RESTful
Saturday, May 5, 12
Pwn hooked browsers with JDK <= 1.6.0_271. get hooked browsers type/version/OS/pluginsII. if browserIsIE
createOverlayIframe(Above) else launchManInTheBrowser endIII. if javaEnabled launchGetSystemInfoIV. if JDK <= 1.6.0_27 launchRhinoRCEV. enjoy Java meterpreter
The need to be RESTfulDemo time
Saturday, May 5, 12
BeEF communication channel uses XHR-polling
The need to be speedy: WS
Pros: - works everywhere (we support IE, Chrome, Safari, Firefox, Opera and mobile browsers)
Cons: - not efficient, data overhead
Saturday, May 5, 12
Meet WebSocket support in BeEF
XHR-polling
The need to be speedy: WS
Saturday, May 5, 12
Meet WebSocket support in BeEF
XHR-polling WebSockets
The need to be speedy: WS
Saturday, May 5, 12
The need to be speedy: WS
If beef.browser.hasWebSocket() don’t use XHR-polling, open a WebSocket channel
currently supported: Firefox, Chrome, Safarialso MozWebSocket (damn prefixes #$*(%$)
speaks hixie-75, hixie-76, hybi-07, hybi-10
Saturday, May 5, 12
still experimental in BeEF (bugfixing/testing phase)clone https://github.com/radoen/beef-radoen to give it a try
The need to be speedy: WS
opens a whole new range of possible features- real time VNC-like hooked browser control- faster Tunneling proxy (fuzzing through the hooked browser 4/5 times faster)- general faster communication
Saturday, May 5, 12
- launch 1000 return_long_string modules,both normal XHR-polling and WebSockets
The need to be speedy: WSdemo time
Saturday, May 5, 12
I want more XSSs: XssRays
Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner. Then integrated in BeEF.
XssRays basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path creating hidden iFrames.
Who uses FrameBusting/X-Frame-Options out there :-)?
Saturday, May 5, 12
I want more XSSs: XssRays
We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). Also means false-positive free.
Potential false-negatives as we blindly inject vectors.
Basically the document.location.href of the injected iFrame that contains the vector will point to a known BeEF resource.
Saturday, May 5, 12
I want more XSSs: XssRays
Saturday, May 5, 12
I want more XSSs: XssRays
It also works cross-domain (respecting the SOP)
Saturday, May 5, 12
I want more XSSs: XssRays
Enhancements from previous months: - added more attack vectors double URL encoded, double nibble, DOM based injections
- added Chrome/Safari support base64‘ing the iFrame src in order to bypass the XSS filter
- added IE6 to IE9 support did you know that in IE6 location.pathname doesn’t contains the first forward slash? (thanks Gareth)
Saturday, May 5, 12
Thanks
Thanks to my BeEFfy friends: Wade, Christian, Brendan, Javier, Saafan, Graziano, Ben W., Ben P., Pipes and anyone I may have forgotten
Our new blogger Heather P.
SpiderLabs because I don’t have to take holidays to be here
Special thanks to Kyprianos and Chris
Saturday, May 5, 12
Thanks
(Please note: we’ll not pay you. You know we love OpenSource :-)
follow us: @beefprojectmain site: http://beefproject.comthe new blog: http://blog.beefproject.comgithub page: https://github.com/beefproject/beef
Saturday, May 5, 12
Questions?
Saturday, May 5, 12