Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF
Dr. Strangelove or: how I Learned to Stop Worrying
and Love the BeEF
Michele “antisnatchor” Orru’
Confidence 2011 - 25 May 2011
Sunday, May 22, 2011
Confidence 2011 {Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF} © antisnatchor #
WHO AM I?
Penetration Tester @ Royal Bank of Scotland
BeEF developer, lover and eater
Failed business man and “entrepreneur”
Kubrick fan
Definitely not a fan of our Italian prime minister
Silvio “bunga-bunga” Berlusconi
OUTLINE
I cannot Pwn to Own :-(
The new BeEF
Add your own attacks to BeEF
Extend BeEF (next conference...lack of time :-()
Future development and cool ideas
I CANNOT PWN TO OWN :-(
We need to break inside a network and reach the
ApplicationServer
The ApplicationServer is behind an Apache
machine with mod_jk:
OS: OpenBSD
CPU: SPARC64
Open ports: 22 (public-key), 80, 443
CAN I EAT THE BEEF? (sorry vegetarians)
Nope! Even if it’s tasty :-)
BeEF => Browser Exploitation Framework
Pioneered by Wade Alcorn in 2005(public release)
Originally Inspired by Anton Rager research
Powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse
THE OLD BeEF => PHP + static HTML :-(
THE NEW BeEF => RUBY & ExtJS :-)
THE NEW BeEF
Rewritten from scratch in Ruby
ExtJS for a usable and ajax-based GUI
jQuery for DOM manipulation and XHR
SQLite and MySQL support
Modular and extensible architecture
Core much more stable (next releases focused on
attack scenarios - we’re open to any suggestions :-)
A lot of new cool features and attacks...
coolest Features: METASPLOIT integration
Launch MSF browser and client-side exploits
(Flash, Adobe Reader, Java, ...) to the hooked browser
in a point-and-click way :-)
MSF integrated via XML-RPC, with an additional
caching layer on the BeEF side
Browser AutoPWN will be (re)added soon...
Hidden iFrame injection with src pointing to the
MSF listening callback service
coolest Features: EVENT LOGGER
Log keystrokes, mouse clicks and form submissions
that are executed by the hooked browser.
... Then send them back to BeEF ...
Imagine finding XSS on the
pre-auth surface of a
website
0day Reflected XSS on Plesk Panel 10.2.0 (with SSO) login page
After hooking the victim browser to BeEF, Parallels
Plesk admin/customer credentials can be stolen with
JS keylogging
coolest Features: NETWORK STACK
BeEF base64-encodes the JSON'ed data stream and then splits the base64 string by the configured maximum URL length.
Once split, each segment is sent as a packet; the stream of packets is then reconstructed by BeEF.
BeEF: NETWORK STACK architecture
coolest Features: NETWORK STACK
In future releases the maximum URL length will be automatically detected.
How do you send 165KB of data back to BeEF? With a packet queue:
165KB -> 165 packets
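The packetised channel the slides describe, as an added example that is not BeEF's own code: the hook side JSON-encodes a result, base64-encodes it and cuts the string into segments no longer than the configured maximum URL length; the receiving side queues packets per stream and rebuilds the object once every index has arrived, even when packets come in out of order or are duplicated. The field names (stream, index, count, data) and the 1024-character limit are assumptions made for the example.

```javascript
// Added example, not BeEF's own code: packetised data channel (split + reassemble).
// Packet field names and the URL length limit are assumptions for this example.

const MAX_URL_LENGTH = 1024; // assumed configured limit; one segment per request

// Hook side: JSON -> base64 -> fixed-size segments, each tagged with its position.
function buildPackets(streamId, payload, maxLen = MAX_URL_LENGTH) {
  const b64 = Buffer.from(JSON.stringify(payload), 'utf8').toString('base64');
  const count = Math.ceil(b64.length / maxLen);
  const packets = [];
  for (let i = 0; i < count; i++) {
    packets.push({
      stream: streamId,
      index: i,
      count,
      data: b64.slice(i * maxLen, (i + 1) * maxLen),
    });
  }
  return packets;
}

// Server side: a packet queue keyed by stream id. push() returns the decoded
// object when the stream is complete and null while segments are still missing.
class PacketQueue {
  constructor() {
    this.streams = new Map();
  }

  push(pkt) {
    // Reject positions outside the announced packet count before buffering anything.
    if (!Number.isInteger(pkt.index) || pkt.index < 0 || pkt.index >= pkt.count) {
      throw new RangeError(`packet index ${pkt.index} outside 0..${pkt.count - 1}`);
    }
    let s = this.streams.get(pkt.stream);
    if (!s) {
      s = { count: pkt.count, parts: new Map() };
      this.streams.set(pkt.stream, s);
    }
    if (s.count !== pkt.count) {
      throw new Error(`inconsistent packet count for stream ${pkt.stream}`);
    }
    s.parts.set(pkt.index, pkt.data); // a retransmitted segment simply overwrites itself
    if (s.parts.size < s.count) return null;
    // All segments present: join in index order, decode, and release the buffer.
    const b64 = Array.from({ length: s.count }, (_, i) => s.parts.get(i)).join('');
    this.streams.delete(pkt.stream);
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  }
}

// Constructed demonstration: a result big enough to need many packets, delivered
// in reverse order to show that reassembly does not depend on arrival order.
function roundTripDemo() {
  const result = { module: 'example', body: 'x'.repeat(165 * 1024) };
  const packets = buildPackets('s1', result);
  const queue = new PacketQueue();
  let rebuilt = null;
  for (const p of [...packets].reverse()) {
    rebuilt = queue.push(p) ?? rebuilt;
  }
  return {
    packetCount: packets.length,
    ok: rebuilt !== null && rebuilt.body === result.body,
  };
}
```

The per-stream count check matters on the receiving side: a stream whose packets disagree on the announced total can never complete and would otherwise sit in the queue forever, so it is rejected rather than buffered.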
coolest Features: TUNNELING PROXY
The browser becomes the exit node for the tunnel: it performs the HTTP request and receives the response.
Next the response is communicated back to the BeEF proxy, which in turn delivers it to the attacker's browser.
The request is performed in the context of the user (any existing cookies will be automatically used).
coolest Features: TUNNELING PROXY
Similar to XSSProxy, but goes a step further:
You can choose which zombie to tunnel requests through
Doesn't need a third app (uses the WEBrick proxy)
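Both the network stack and the tunneling proxy make the hooked browser push data back to the framework as a burst of small same-path requests carrying base64 segments with a sequence position. The following is an added example, not part of the talk or of BeEF's code base: a defender-side heuristic that scans access-log lines for exactly that pattern. The log lines are constructed, and the request path and query parameter names (stream, index, count, data) are assumptions made for the example, not BeEF's real wire format.

```javascript
// Added example, not BeEF's own code: flag bursts of chunked, base64-carrying
// requests from one client to one path in Apache-style access logs.
// Constructed sample; the /chan path and parameter names are assumptions.
const SAMPLE_LOG = [
  '10.0.0.5 - - [22/May/2011:10:00:01 +0000] "GET /hook.js HTTP/1.1" 200 4821',
  '10.0.0.5 - - [22/May/2011:10:00:02 +0000] "GET /chan?stream=7&index=0&count=3&data=eyJtb2R1bGUiOiJleGFtcGxlIiwi HTTP/1.1" 200 2',
  '10.0.0.5 - - [22/May/2011:10:00:02 +0000] "GET /chan?stream=7&index=1&count=3&data=Ym9keSI6Inh4eHh4eHh4eHh4eHh4 HTTP/1.1" 200 2',
  '10.0.0.5 - - [22/May/2011:10:00:03 +0000] "GET /chan?stream=7&index=2&count=3&data=eHh4eHh4eHh4eHh4eHh4eCJ9 HTTP/1.1" 200 2',
  '10.0.0.9 - - [22/May/2011:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1039',
  '10.0.0.9 - - [22/May/2011:10:00:05 +0000] "GET /search?q=beef HTTP/1.1" 200 512',
];

// Common log format: client, ident, user, [timestamp], "METHOD URL PROTO", status, size.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$/;
const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  // The base host is only needed so that URL can parse a path-relative request.
  const url = new URL(m[4], 'http://placeholder.invalid');
  return {
    client: m[1],
    method: m[3],
    path: url.pathname,
    query: url.searchParams,
    status: Number(m[5]),
  };
}

// Group requests by (client, path), keep only those whose 'data' parameter looks
// like a base64 segment, and report groups that form a contiguous index sequence.
function findChunkedBeacons(lines, { minRequests = 3, minSegmentLength = 16 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const data = req.query.get('data');
    const index = req.query.get('index');
    if (data === null || index === null) continue;
    if (data.length < minSegmentLength || !B64_RE.test(data)) continue;
    const key = `${req.client} ${req.path}`;
    if (!groups.has(key)) groups.set(key, { client: req.client, path: req.path, indices: [] });
    groups.get(key).indices.push(Number(index));
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.indices.length < minRequests) continue;
    const sorted = [...new Set(g.indices)].sort((a, b) => a - b);
    const contiguous = sorted.every((v, i) => v === sorted[0] + i);
    if (contiguous) findings.push({ client: g.client, path: g.path, requests: g.indices.length });
  }
  return findings;
}
```

Run over the constructed sample, the three /chan requests from 10.0.0.5 are reported as one finding and the ordinary page loads are ignored. The thresholds are deliberately conservative defaults; a real deployment would also bound the burst by time window and whitelist legitimate chunked-upload endpoints, neither of which this example attempts.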
coolest Features: PERSISTENCE
Implemented using Samy’s EverCookie for the
main BEEFHOOK cookie
Various ready-to-use command modules:
iFrame persistence
pop-under window
Add your own attacks to BeEF
One of the many reasons to port your exploit to BeEF is that you get a nice JavaScript API that gives you all you need to...
Add your own attacks to BeEF
detect the browser including version, plugins, and
other details
detect the Operating System including iOS, BeOS
and Win3.1 ;-)
manipulate the DOM attaching/detaching applets,
creating invisible iFrames, rewriting links, ...
Add your own attacks to BeEF
log keystrokes, mouse clicks and form submissions
do XHRs and retrieve all you need for further
exploitation
geolocate the victim retrieving latitude/longitude
for further targeted attacks
BeEF: loading sequence architecture
Add your own attacks to BeEF
JBoss 4.x, 5.1.0, 6.0.0.M1 JMX deploy exploit
Exploit is available in MSF, but you need to have
direct access to the target
(or use a host as a pivot)
Then why not use the victim browser as a pivot?
How to port the JBoss exploit to BeEF in 3 steps
(approximately 15/20 mins, testing included :-)
Add your own attacks to BeEF
first step: config file
second step: UI exploit setup
third step: javascript (exploit code)
Now lets see it in action...
It’s DEMO time!
Future development and cool ideas
Enhance the Tunneling Proxy features
caching
request queueing
generally: performance
Enhance Yokoso
add more device signatures
add support for HTTPS/IPv6
Future development and cool ideas
Implement Rider
Victim x is browsing website example.com while
hooked in BeEF.
Use her browser to proxy attacker requests and
"Ride" her session from the BeEF adminUI
Implement a Meterpreter wrapper/shellcode that communicates over HTTP
In this way the browser can be a full pivot point :-)
Future development and cool ideas
Command module autorun/autoexit
This will add AutoPwn features, while being the starting point for command chains like:
hasJava() -> loadMaliciousApplet(...)
launchMetasploitAuroraExploit(...) if beef.browser.isIE7()
Implement obfuscated/polymorphic Javascript hook
Add support for HTTPS
Future development and cool ideas
... and many other (nasty) things ...
Follow (and get in touch with) BeEF: @beefproject
Checkout BeEF: http://code.google.com/p/beef/
Eat the BeEF
Thanks to
Wade Alcorn and the other BeEF core developers
(the two Bens, Scotty, Christian, ...)
Michal & Piotr
My employer
Confidence crew and you attendees
QUESTIONS?