Shake Hooves With BeEF - OWASP AppSec APAC 2012
Transcript of Shake Hooves With BeEF - OWASP AppSec APAC 2012
Slide 1: Shake Hands With BeEF
Christian “@xntrik” Frichot, OWASP Perth Chapter, Asterisk Information Security, [email protected]
The OWASP Foundation, http://www.owasp.org
Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Slide 2: Introduction

Slide 3: Story
- Traditional external pen testing tale of woe.

Slide 4: Egg shell
- Many environments have hardened exteriors but less protected interiors. (Image: http://www.flickr.com/photos/sidereal/2355999910/sizes/o/in/photostream/)
Slide 5: Effectiveness
- <html>: Web Browser
- <?php: Web Server
- SELECT *: Database
- How effective can your penetration testing be if all you're doing is assessing a single external system ...

Slide 6
- ... without putting it in the context of the whole environment? (Image: http://forums.untangle.com/runkel/Logical-Network-Diagram.gif)
Slide 7: Metasploit / SET
Growth* chart, 2007 to 2011 (*nb: not real statistics)
- I call this the state of modern pen testing: you can't just knock on the perimeter, you have to pivot through clients.
Slide 8: Shrinking attack surfaces
- Offsite SMTP
- 3rd party (or different) location web hosting
- VPNs
- Proxies
- Small to zero attack surface. The attack surface is shrinking.

Slide 9: Where's the data?
- Internal systems are where the information is held, or via web portals to *aaS providers, and we can't gain access to these systems and their information without pivoting through a client.
Slide 10: Patched?
- Metasploit, in particular combined with SET, is effective at providing this pivot point.
- What if the target environment is patched against known Metasploit exploits?

Slide 11: Between full blown exploitation and pure social engineering
- This is the vantage point BeEF has: to happily sit in the browser.

Slide 12: Lots of HTTP
- Lots of websites (@jeremiahg mentioned ~30mil new websites a month).
Slide 13: Got BeEF?
- So what is BeEF? For those who don't know, it's the Browser Exploitation Framework.

Slide 14: PHP BeEF
- Originally announced on ha.ckers.org in 2006, based entirely on PHP, by Wade Alcorn.

Slide 15: Top 10 2010 - A2 - XSS
- In its old incarnation BeEF was a great tool to demonstrate just how nasty XSS flaws could be (instead of the typical alert(1); dialog).

Slide 16: Method of pivoting, method of penetration
- ... and trying to become an all-round go-to platform for client-side exploitation development.
- The framework allows a penetration tester to select specific modules in real time to target against a hooked browser within its current context (which will provide different, unique attack vectors).

Slide 17: Moving to the future
- These days BeEF is developed in Ruby (like Metasploit), with stacks of JavaScript (we roll jQuery in there for command modules too).
Slide 18: BeEF Architecture
Framework (slide thanks to Michele @antisnatchor Orru)

Slide 19: BeEF Cloud
http://blog.beefproject.com
- I like utilising Amazon's EC2 instances. We have a blog post on how to quickly run up a fully blown BeEF instance in no time.

Slide 20: Ruby BeEF

Slide 22
- Our dev team rely on modern agile development techniques, including a Continuous Integration service via Jenkins, utilising Rake test unit, Selenium, Capybara etc.
Slide 23: BeEF Trilogy (“Who is your father?”)
- BeEF is currently made up of 3 main components. (Image: http://img4.cookinglight.com/i/2009/01/0901p40f-beef-patty-m.jpg?300:300)

Slide 24
- First is the core. (Image: http://www.imdb.com/media/rm1627756544/tt0298814)
Slide 25: Core
- Central API
- Filters
- Primary client-side JavaScript
- Server-side asset handling and web servicing
- Ruby extensions
- Database models
- Hooking methods to load and manage arbitrary extensions and command modules
Slide 26: Extensions

Slide 27: Extensions
- Web UI
- Console
- Demo pages
- Event handling
- Browser initialisation
- Metasploit
- Proxy/Requester
- XSSRays
- Where you need to provide fairly tightly coupled functionality into the core, the extensions provide the developer with various API firing points, such as mounting new URL points. Currently BeEF has extensions for the admin web UI, the console, demo pages, event handling, initialisation of hooked browsers, Metasploit, proxy, requester and the XSSRays functionality.
Slide 28: Command Modules
(Image: http://www.mobiinformer.com/wp-content/uploads/2010/11/big_red_button.jpg)

Slide 29: Command Modules
- Browser
- Debugging
- Host
- Miscellaneous
- Network
- Persistence
- Recon
- Router
- Command modules are where individually packaged HTML/JS packages are stored; currently these are broken down into the following categories: browser, debugging, host, misc, network, persistence, recon, router. Anything you want to do in JavaScript, HTML, Java, <insert arbitrary browser-acceptable language> can be done.
Slide 30: It always starts with Hooking
- The first step in getting a browser into the framework is to get it to execute the BeEF payload; there are a few methods of achieving this:

Slide 31: Hooking Browsers
- XSS
- Social Engineering (i.e. tiny URL, or phishing via email)
- Embedding the payload (think drive-by download)
- Maintaining persistence after already being hooked (think Tab BeEF Injection)
Slide 32: (Ab)use Cases

Slide 33
- Credit to Michele @antisnatchor Orru and Gareth Heyes for creating XSSRays.

Slide 34: Tunnelling Proxy
http://www.youtube.com/watch?v=Z4cHyC3lowk&lr

Slide 35: Hooking Mobile Devices
http://www.youtube.com/watch?v=5SVu6VdLWgs
Slide 36: Teach a man to Fish BeEF...
- So let's look at how we can customise BeEF; first we'll look at a simple command module.

Slide 37: RouterPwn.com
- Compilation of ready-to-run JS/HTML exploits against many consumer routers
- Designed to be run on smart phones
- Great candidate for a collection of BeEF Command Modules
- RouterPwn, from websec.ca's Roberto Salgado

Slide 38
- Each module consists of at least 3 files: the config file (in YAML format), the Ruby module file, and the JavaScript file. The files are populated into categories, as touched on before.
Slide 39
- Each config file contains the category, the name, a description, the authors and targeting configuration (this allows you to specify things like Safari only, or “user notify” for iPhone and Safari, etc.).

Slide 40
- The module's Ruby file, in its simplest form, is used to configure what options are configurable, via the self.options method, and what to do with returned results.

Slide 41
- And here is most of the JavaScript content. We utilise eRuby for variable substitution (as can be seen where we're pulling in the previously set IP and DNS settings). You can also notice in this JavaScript we use a JS object called beef. This is the core beef library within the framework, and has a lot of functionality built in, such as creating invisible iframes.
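The slides describe the module config file only in prose (category, name, description, authors, targeting). As an added example, not code from the talk or from the BeEF project, here is a small Ruby validator for that file: it parses a constructed config.yaml, checks that every field the slides list is present, that the category is one of those on the Command Modules slide, and that the targeting block is well formed, and it reports what is wrong with a second, deliberately defective config. The nesting under beef -> module -> <module id>, the "enable" flag, and the target states other than "user_notify" are assumptions based on my recollection of BeEF's layout, not something the slides state.

```ruby
require 'yaml'

# Constructed sample config.yaml for a BeEF command module, in the shape the
# talk describes: category, name, description, authors and targeting. The
# nesting under beef -> module -> <module id> and the "enable" flag follow
# BeEF's layout as I recall it; treat that nesting as an assumption.
SAMPLE_CONFIG = <<~YAML
  beef:
      module:
          router_example:
              enable: true
              category: "Router"
              name: "Example router module"
              description: "Constructed sample used to demonstrate config validation."
              authors: ["example author"]
              target:
                  working: ["ALL"]
YAML

# Second constructed sample with defects, to exercise the failure path.
BROKEN_CONFIG = <<~YAML
  beef:
      module:
          broken_example:
              enable: true
              category: "Misc"
              description: "Missing name and authors, unknown target state"
              target:
                  sometimes: ["S"]
YAML

# Fields the slides say every module config carries.
REQUIRED_KEYS    = %w[category name description authors target].freeze
# Categories as listed on the "Command Modules" slide.
KNOWN_CATEGORIES = %w[Browser Debugging Host Misc Network Persistence Recon Router].freeze
# Targeting states; "user_notify" is mentioned in the talk, the other two are an assumption.
TARGET_STATES    = %w[working not_working user_notify].freeze

# Parse one module config.yaml and return [module_id, problems].
# problems is empty when the config has everything the slides say it needs.
def validate_module_config(yaml_text)
  doc     = YAML.safe_load(yaml_text)
  modules = doc.is_a?(Hash) ? doc.dig('beef', 'module') : nil
  unless modules.is_a?(Hash) && modules.size == 1
    return [nil, ['no beef.module section with exactly one module']]
  end

  id, cfg  = modules.first
  problems = []
  REQUIRED_KEYS.each { |k| problems << "missing key: #{k}" unless cfg.key?(k) }

  cat = cfg['category']
  problems << "unknown category: #{cat}" if cat && !KNOWN_CATEGORIES.include?(cat)

  if cfg.key?('authors')
    authors = cfg['authors']
    problems << 'authors must be a non-empty list' unless authors.is_a?(Array) && !authors.empty?
  end

  problems.concat(check_target(cfg['target'])) if cfg.key?('target')
  [id, problems]
end

# Targeting is either the string "ALL" or a hash of state => list of browser codes
# (assumed shape; the slides only mention "Safari only" and "user notify").
def check_target(target)
  return [] if target == 'ALL'
  return ['target must be "ALL" or a hash of states'] unless target.is_a?(Hash)

  target.flat_map do |state, browsers|
    errs = []
    errs << "unknown target state: #{state}" unless TARGET_STATES.include?(state)
    errs << "target #{state} must list browsers" unless browsers.is_a?(Array) && !browsers.empty?
    errs
  end
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_CONFIG, BROKEN_CONFIG].each do |text|
    id, problems = validate_module_config(text)
    puts "#{id}: #{problems.empty? ? 'ok' : problems.join('; ')}"
  end
end
```

Run it as a script and it reports the first config as ok and lists the missing name, missing authors and unknown target state for the second. Pointing validate_module_config at each real config.yaml under a module tree is a cheap pre-commit check that catches the kind of typo that otherwise only shows up when the module fails to load.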
Slide 42
- Here you can see what the user is presented with in the UI.

Slide 43
- Introducing “Chipmunking”, named, at least at the moment, in reference to movie posters, in particular this movie poster. So QR codes are everywhere...

Slide 44
- I mean everywhere, and they're only becoming more ubiquitous.

Slide 45
- So let's put together a new extension for BeEF: let's build a custom hook point (URL) that, if you (or your victims) visit it, will hook you into BeEF and immediately present a full-screen iframe of the target site. We'll then use the current QRCode extension in BeEF to generate this QR code for us too.
Slide 46
- Similar to command modules, extensions require a few files: the config file (again, a YAML file) and then the extension Ruby file itself.

Slide 47
beef/extensions/chipmunked/extension.rb

Slide 48
beef/extensions/chipmunked/api.rb
“/yougotchipmunked”

Slide 49
beef/extensions/chipmunked/html/index.html

Slide 50
beef/extensions/chipmunked/handler.rb
- Handles the requests to /yougotchipmunked

Slide 51: Wrapping it together
(here QR code, QR code)

Slide 52
beef/extensions/qrcode/config.yaml

Slide 54: Demo
http://www.youtube.com/watch?v=aTLHeMrNBFQ&hd=1
Slide 55: Where to from here?

Slide 56
- If you get stuck... or if we get stuck...

Slide 57: Help us out! Pull Requests Please
github.com/beefproject/beef
beefproject.com
@beefproject

Slide 58: Want to talk more? @xntrik

Slide 59: Questions?
- Hehe... “Descisions”