Cloudy with a chance of BeEF

April 13, 2012, 1:16 am

≫ Next: Why BeEF PHP is discontinued, and what's new in BeEF Ruby?

Running BeEF from a local workstation poses some problems during a penetration test: it doesn't have a static IP address, the workstation gets turned on and off, and it really doesn't demonstrate the impact of Internet-borne threats. Pentesters have been turning more and more to online VPS services, or Amazon's EC2. For example, check out the lightning talk that I did at CloudCamp: leveraging the "cloud" during penetration tests

This is where the idea of running BeEF on an Amazon EC2 instance started to simmer.

These days, the BeEF project uses IaaS and other cloud-esque services for a lot of the work. We have our continuous integration server running tests against our github hosted source code, heck, even this blog utilises SaaS (note to readers: if you think *aaS isn't already used throughout your organisation, you are sorely mistaken).

So here's a quick and dirty method to get you running the latest version of BeEF with an Amazon EC2 instance in no time. Before we begin though, this installation method is heavily inspired from RVM's installation method, so this will look familiar to RVM users.

You might be thinking, why not just create a canned Amazon Machine Image (AMI) of BeEF? When we considered all the different Amazon regions in which we'd have to host an AMI image, this method was just as simple, especially when dealing with all the changes to the framework over time. This process is still in its infancy though, so expect it to change in the future as the framework matures.

Step 1:
Create a fresh "Amazon Linux AMI" instance (if you're impatient the c1.xlarge can be up and running in about 5 mins, otherwise you can use the smaller instances).

Step 2.
SSH into the instance

Step 3.
At the prompt:

$ bash < <(curl -s https://raw.github.com/xntrik/beefcloud/master/beef-installer)

Step 4.
Re-activate rvm:

$ source ~/.bash_profile

Step 5.
Change into the beef folder:

$ cd beef

Step 6.
Run beef:

$ ./beef

Step 7.
...

Step 8.
Profit!

Under the hood, the beef-installer script is simply:

Installing dependencies with yum
Downloading RVM
Installing RVM
Using RVM to install OpenSSL and Ruby 1.9.2
Installing the 'bundler' gem (required for BeEF)
Cloning the latest BeEF from github
Going into the beef folder
Running bundler to install BeEF's gem dependencies

Hope you guys find this useful.

↧

Why BeEF PHP is discontinued, and what's new in BeEF Ruby?

April 19, 2012, 12:03 pm

≫ Next: Fresh meat: Release 0.4.3.4

≪ Previous: Cloudy with a chance of BeEF

I'm sure a lot of you out there are still using the PHP version of BeEF. Actually, when I was speaking in various conferences about BeEF I realized that many people didn't know about the new Ruby BeEF.

The PHP version has been discontinued for various reasons:

It wasn't easy to extend from a core perspective.
When adding new modules, code was duplicated; you had to copy and paste a lot of code from previous modules, then add maybe 3 lines of Javascript as the new code, resulting in an anti-patterns.
There was no decent API.
IMHO PHP sucks for many reasons: it's got a ton of security issues, like Sendmail; it's not a true OO language, and programming with objects makes life easier. Ruby instead is OO, and the new BeEF heavily relies on that.

The new BeEF Ruby development started around mid-2010, with Wade's first post announcing it in October 2010. Rewriting BeEF from scratch was in Wade's to-do list for quite some time. It required a bunch of developers and a good language.

Ruby was the choice, for many reasons:

It's fully Object Oriented, flexible and easy to code.
It does not require an external web server to run, so you have maximum flexibility with Ruby-written application servers. Features like the Tunneling Proxy would have been difficult to implement with Apache + PHP.

Lets be honest. Until 6 months ago, BeEF Ruby was experimental and unstable. It was using WebRick, the default application server that comes with Ruby (without additional gems). WebRick is not thread-safe. That's why mutexes were used in class constructors. LOL, don't blame me :-). Add to it sqlite, another piece of software that isn't thread-safe, and bam...we had to have XHR-polling (that's basically the communication channel we currently use) every 8-10 seconds.

So yeah, BeEF was damn slow and we had complaints over twitter, email, and so on. To add to the grief, BackTrack and other pentesting distros were still including the old PHP BeEF. This is now no longer true, read this if you are upgrading to BackTrack5-r2, or just use BT5-r2 to enjoy BeEF.

In November 2011, we had a programming sprint. We rewrote parts of the BeEF core to replace WebRick and custom "servlets" (for those of you coming from a JEE background, like me, this will sound familiar) with Thin, Rack, and recently Sinatra.

The performance advantages were massive, and all the concurrency and lock errors we had with sqlite went magically away :-) Thin is using Mongrel's parser and Event Machine, so it's handling tons of requests faster and consuming less resources because it's a state machine.

Rack and Sinatra really help you code your web application easier, faster and more securely. Take a look at the code of the RESTful API for an example.

Having this new powerful core, we could change the XHR-polling to execute every second, so 10 times faster than before :D Also, now BeEF can be easily used with tens (or more) of hooked browsers without the need to worry too much about performance.

Other big differences with the old PHP BeEF are the modularity and extensibility of the framework. We have command modules and extensions, so code duplication is minimized.

You write an extension, if you need to add a fairly tightly coupled functionality into the core, with the ability to switch it on or off when starting the framework. Tunneling Proxy, XssRays, and even the Admin User Interface are currently extensions.

You write a module when you need to add a new attack/exploit to be launched through BeEF. Basically anything you want to do in Javascript, HTML, Java, (insert arbitrary browser acceptable language) can be done through a command module.

There are also currently three APIs:

one API is internal to the core, used by extensions and modules;
the RESTful API we already discussed in previous blog posts, used to expose framework functionality externally;
and the Javascript API, with many useful helper methods to create invisible or overlay iframes, send requests, attach applets, manipulated the DOM in various ways, etc..

The old PHP BeEF lacked API support completely.

Last, but not least, we use an agile development process with unit and functional testing, including continuous integration. Writing tests is boring and sometimes more difficult than the code they are supposed to test, but they are effective at spotting errors and changes that break the core or modules. We are constantly adding new tests. Expect a cool blog post in the next week about this topic.

All the modules that were present in the PHP version, including the Metasploit integration, have been ported (when possible, some of them were old and not working in recent browsers).

So next time I will hear someone saying "mate, I'm still using the PHP version" I will scream :D No, seriously, give the Ruby BeEF a try by cloning or forking it from github. You will not be disappointed.

↧

Fresh meat: Release 0.4.3.4

April 30, 2012, 7:08 pm

≫ Next: Browsers, Browsers, Browsers!

≪ Previous: Why BeEF PHP is discontinued, and what's new in BeEF Ruby?

Here at the BeEF project, we like to give props to our contributors and to those who inspire us. So, here's some info about our new release, and a little about the folks who made it happen:In addition to a major move, and taking a new job, Michele has made updates to the RESTful API Wiki, including two new endpoints:

/api/admin/login (added by Christian) which will get the api token by passing BeEF user/pass. As a consequence of this, the BeEF credentials have been moved to the main config.yaml. (they were in the config.yaml of the admin_ui extension before)

/api/hooks/:session gets all the hooked browser details (like plugins, technologies enabled and so on)

We'll probably be making a longer post about some tests we added for debug_modules, too.
Also, he's made XSSRays work with IE now, too (IE6 through IE9). A special thanks to Brendan for helping in testing.

Really, there have been a slew of other changes Michele has made, including:

The initialization extension has been moved into the core.

Added get_internal_ip module. Using an unsigned applet we can detect the internal ip of the victim. The previous module (Beffeine) had issues and this is the new replacement that works great.

Every HTTP endpoint of the framework, except for the admin_ui and the XssRays extension, now extends the Router class. This means that routes are managed by Sinatra, and when the web_imitation features are turned on those handlers will respond like an IIS or Apache server.

But, Michele isn't the only contributor to BeEF! For example, Brendan has given us the ability to detect whether anyone is using any of the 1,000 most popular Chrome extensions with the Get Chrome Extensions module. And, we now log a copy of the clipboard whenever a user copies or pastes text (IE6 only) with the Event Logger.

So, here's a shout out to all of the BeEF contributors, and the folks who inspire us. If you want to read more about the release or those who contributed, download the new version, or help out, check out our github or visit the project website.

Thank you for keeping up with us! Please let us know what you want to see, and what you find useful. We want your feedback, too!

↧

Browsers, Browsers, Browsers!

May 8, 2012, 6:48 pm

≫ Next: Teaser: BeEF In a Real World Pen Test

≪ Previous: Fresh meat: Release 0.4.3.4

While everyone is arguing about the next big thing in cloud or whether or not anti-virus is dead, we at the BeEF Project are quietly pwning the big gaping door everyone is leaving open: the browser.

We've found some clever ways to hook zombies that don't involve the traditional boring phishing email, and we've put some good hard thought on how to get other juicy nuggets from our initial foothold in the browser.

We don't care about your security infrastructure, either >=)

So, if you want a break from all the mainstream babble, keep an eye out for more releases about our proof of concept code. Maybe you'll even see us in Las Vegas.

↧

Teaser: BeEF In a Real World Pen Test

May 11, 2012, 12:01 pm

≫ Next: BeEF In a Real World Pen Test - Part 1: BeEFy Marinades (Pre-hooking Profiling and Trust Yield)

≪ Previous: Browsers, Browsers, Browsers!

We post about some things we hope you'll think are pretty cool. But, we also know you want to know how BeEF can be used in a real world scenario. So, let’s talk about why BeEF is great for dinner, and why it’s a great addition to your social engineering and pentest diet.

On Monday, we'll begin a series to walk you through pentesting with BeEF, starting from initial research and continuing through final results.

In the first part of this series, we’ll walk you through clever ways to hook your victims using social media and some other tried and true phishing methods.

In the second part, we'll explore scope limiting your hooking, and explore how things like pop-under and man-in-the-browser attacks can assert persistence once you get your victim on the line.

In the third part, we’ll talk about how to collect information from the target, including what information you can get from cookies, the clipboard, and even the operating system.

Then we’ll talk a bit about how you can use the information you’ve gathered to get further into the network.

↧

BeEF In a Real World Pen Test - Part 1: BeEFy Marinades (Pre-hooking Profiling and Trust Yield)

May 14, 2012, 5:00 am

≫ Next: BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)

≪ Previous: Teaser: BeEF In a Real World Pen Test

In this installment, we'll be talking about pre-hooking activities: how to build on the information from our target with social engineering to gain the trust required for stable BeEFed browsers.

Part I: Assumptions

Our engagement is a ten day project. As part of the standard engagement, the basic information we get from our client is:

Target company’s external IP address range.
The names of CEO, IT director, HR manager, and the names of a couple of normal employees.
The most important asset of the company (e.g. financial records, network availability,...etc ).

We'll want a phishing domain and some social media presence for our cons. For this scenario, we'll use Microsoft’s notorious fictional company, Contoso Ltd. (“We love Microsoft!”, as the Three Musketeers would say. Kudos Ed Skoudis, Kevin Johnson and Joshua Wright).

Part II: Pre-requisites

For our phishing campaign, we need e-mails that make it past spam filters with convincing links that will secure our targets. Good phishing domains for Contoso.com include variations in letter ordering, TLD interchange, or use of unicode characters (e.g. Cotnoso.com, Contoso.cm, Contoso.net, Ćontoso.com, ċontoso.com, ...etc). One great tool that can help find a suitable phishing domain isURLCrazy. It's a domain name typo generator that lists various common typos for a given domain.

Since this is a domain we actually own, we can even go one step further and purchase a valid SSL certificate for the phishing domain to ensure visitors that they are “secure”. But since SSL certificates usually take time, it’s a good idea to start this process as soon as the project kicks off.

Employees will probably interact with people they don't know within their organization. With the right fake profiles, this interaction is even easier on social networks. We create several fake profiles to target wider classes of people. Consider:

Statistically, people tend to accept friend requests from females more readily than from males.
The display name of a fake profile should be as generic as possible. Research and use common first and last names at the target company’s country.
Provocative female avatars will increase acceptance by males, but will lessen the probability of females accepting friend requests. It may also raise moral issues for married or religious people. Therefore, cartoonish female display pictures (e.g.Belle from the beauty and the beast) may give the profile a perfect “generic” look, allowing wider audience acceptance.

It is important to create fake profiles that pretend to work in the target company.
Vagueness leaves the details to the imagination of the people. It’s better to be vague than to trigger an alert that might reveal your fake identity. Hide most information to be as generic as possible.

Part III: Set the lines
Starting with the names we have, we expand our circle. We search for our target employees on Facebook, Twitter, Linkedin, etc. and filter out wrong profiles having the same name based on job description and/or picture. Then, we identify all related friends and classify profiles into:

Class A targets: employees working at the target company in key positions
that give them access to valuable information (e.g. HR, System admins,
...etc).
Class B targets: Normal employees working at the target company.
Class C targets: Friends of Class A people
Class D targets: Friends of Class B people.

Over the course of a day or two, we start interacting, following and friending people from the least important to the most important targets. Well timed interactions are crucial here. More important targets should not notice any flaws in the fake profiles’ activities. So, follow this pattern:

Send friend requests to many class D targets
When you have some class D friends in common with a class B target, add this class B target.
Repeat steps 1 and 2 till you have a significant number of class B targets.
Start adding class C targets
When you have some class C friends for a class A target, add this class A target.
Repeat steps 4 and 5 till you have a significant number of class A targets.

The process can be partially automated using the Facebook exploitation framework (FBPwn). Because people sometimes accept the friend request for a small period of time, it is critical to save relevant information as quickly as possible. Also, FBPwn gives you other options to pull off more advanced social engineering tricks.

Depending on the activity level of the targets, this process should take no more than two or three days. Be as friendly and generic as possible, and save any information you get. Key information to look for and save for future reference:

Posts mentioning interactions, rants, and or events happening inside the target company.
Company specific lingo and keywords.
Company specific or commonly used hashtags.
Conversations taking place between two people in the company.

In the next post in this series, we'll talk about how to use this information to bait and set the hook, and what we can do with the phish once we have them on the line.

↧

BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)

May 21, 2012, 2:24 pm

≫ Next: BeEF 0.4.3.5

≪ Previous: BeEF In a Real World Pen Test - Part 1: BeEFy Marinades (Pre-hooking Profiling and Trust Yield)

In the first part of this series, we explained pre-hooking basics for reaching the maximum number of targets. In this post, we will go through the hooking process; taking into consideration the different social and technical aspects to hook the target’s browsers for as long as possible.

Preparing The Line
During recon of our target, Contoso.com, we harvested a few e-mails, and infiltrated some social media outlets. Some tips from the conversations we observed between employees led us to the non-official Facebook group for Contoso. Here, we learned that an internal football tournament is held yearly in a nearby stadium. It's organized by an internal "Sports Committee."

We even found some pictures of last year's winners holding a trophy. We also spotted a couple of people talking about internal e-mails with special discounts on sunglasses as part of an employee benefit program.

On Twitter, we found a couple of interesting hash tags: #screwContosoBoard with quite a bit of anger from employees towards Contoso's management and board of directors.

We also bought a phishing domain "Contso.com" and a valid SSL certificate for it. Finally, quick web vulnerability scanning identified a reflected cross-site scripting(XSS) vulnerability on Contoso's main website.

We will use this information to build our hooking strategy. We want to use our phishing domains and XSS exploit links to lure browsers at three main frontiers: Corporate email, Facebook and Twitter.

Preparing The Hook
First, we set the hook on our phishing page. It should have the same anatomy of the original website (Header, footer, side panes, CSS, ...etc), served on our “secure” SSL enabled phishing page on Contso.com. We'll add a loading progress bar in the middle pane and put up a user friendly message that says "this page might take some time to load." We'll set up the progress bar with an inverse exponential decaying function. The Javascript code below is an example of the progress code that can be used.



totalProgress = 100;
currentProgress = 1.0;

while (currentProgress < totalProgress)
{
   currentProgress =  currentProgress + (Math.exp(currentProgress  / -3) );
   sleep(100);
}

Disclaimer: None of this code is taken from the Windows file copying progress bar module, any similarities in function is a mere coincidence!

By going fast at the beginning, and slower towards the end, our hope is the visitor should feel encouraged, safe, and be less likely to close the page out of boredom. We even hope the user will switch tabs, leaving this in the background to load, and give us a longer chance to hook and do our BeEFY tricks.


Second, we prepare our XSS exploit link. The XSS Javascript exploit should inject BEeF’s hook into the vulnerable page. The exploit link should rewrite the center pane of the vulnerable page to remove any original content and add the loading progress bar. It should look identical to our phishing domain. This should decrease the probability of the victim noticing anything wrong and maximize the time he will stay hooked. Furthermore, we can use some basic link obfuscation to trick savvy victims. This can be achieved by forcing URL encoding for the whole value of the vulnerable parameter (including readable text). For example, the query parameter:


search=”<script src=”test.js”>

should look like:


search=%22%3c%73%63%72%69%70%74%20%73%72%63%3d%1d%74%65%73%74%2e%6a%73%22%3e

Also, URL shortening services can be a good tool for hiding the main link. They are very common for use on social networks, especially on Twitter.

Hooking Grounds
The first hooking ground we target is corporate email. We need to get our hands on a sample from Contoso’s internal email to make our phishing emails look more convincing. We want to match internal email anatomy (headers, fonts, text colors, signatures, ...etc).

We'll need to do some more social engineering. We use our fictional profile to go into the conversation about the sunglasses and ask for more details. Posing as a clueless new employee of Contoso, we receive a couple of responses about how the discount works. We take the discussion away from the public group to a private one-on-one conversation with the most friendly respondents, and ask them to forward the email to a non-corporate email under the ruse that our corporate email is not fully active yet.

Bingo! Now that we have the email, we craft a new one having the same anatomy of the sample we have, announcing the launch of a new football tournament. The email should appear to come from the sports committee and should have in the “to” field the same group name as the one from the original discount email. In the email body, we salute last year’s winners and add their picture with the trophy for a more convincing flavor; assuring people about the authenticity of the email.

And of course, we end the email with a “find out more” link that points to our hook.

Since we have two hooking strategies, we split our targets into two sets. To one, we send links pointing to phishing hook. To the other set, we send links pointing to the XSS hook. It’s noteworthy to mention that we need to tweak our server while sending phishing emails. We want to make sure we don't end up in the recipients' spam folders.

The server name is should be set correctly to match the sending domain name.
The reverse PTR record of the phishing domain name should match the server’s IP.
There should be an SPF record allowing the IP of our server to send emails using the phishing domain. This is a good SPF record builder from Microsoft.
Make sure that the server’s ISP IP blocks are not on any email spam blacklists. This is a handy free online blacklist checker.

These are all common tactics mail filters check for to identify spam.


The next hooking ground we target is social networking. We start by participating in group conversations and rants about work environment, politics, ...etc. but never in a direct conversation to keep our secret identity. Keeping our opinion with the flow also prevents controversial discussions that may trigger alarms. The target of this phase is to get people familiar with our display names popping on their news feed, so they don’t feel it’s odd when they see a link as our first interaction. After a day or two of interactivity, we start the fun! We send a few buzzing words with a link to check the details. Buzzing social network announcements have to rely on psychological need for a wide range of employees. This can be found from what people are saying about their company on Facebook and twitter. At Contoso, based on what we found, we thought of a few good buzzing messages:

On twitter, we tweet ”OMG! <CEO name> has resigned! Embarrassing video <hook link> #screwContosoBoard” with retweets from different accounts.
On Facebook, on the non-official group we broadcast the following buzzing messages from different fake profiles and maybe choose one of them to be shared on the wall some of the fake profiles:
“Big bonus for referral to this vacancy <hook link>, do you know anyone?”
“Sign with us this petition to demand a salary raise <hook link>. Be positive and we will make a  difference!”



We might even get to the secret cow level if we combine social engineering with physical materials that links to the hook. Good examples include:

Fill Contoso near-by streets with Stickers having a QR code with the XSS exploit link.
Distribute ad-like flyers in front of Contoso’s HQ with a short URL to the phishing page.


Adding Sinkers
Now that we have some people clicking links and getting hooked, we need to keep them hooked for as long as possible. Our sinking strategy relies on social engineering in addition to two helping modules in BeEF. 

The greatest sinker of all is how we engineer the phishing/XSS pages to convince the people to stay more. As mentioned earlier, the progress bar is a good trick. When combined with suitably entertaining animations, it would do the job. 

The pop-under module serves as a good persistence technique as well. We set its configuration to auto-run (from it’s corresponding config.yaml) such that it runs whenever a user is hooked. The module attempts to open a small pop-under window that to keep the browser hooked even if the user closes the main tab. Be careful, though, sometimes this gets blocked by pop-up blockers.


We also want to use the man-in-the-browser module. We'll set this to auto-run as well. This ensures that, whenever the zombie clicks on any link on the phishing page, the next page will still be hooked. Someone would have to manually type a new address in the address bar to get away from our hook.

Finally, we use the "frame-above" module wich is the best option for persistence if we are dealing with IE. It basically rewrites all links on the webpage to spawn a 100% by 100% iFrame with a source relative to the selected link; allowing ultra persistence. Michele "antisnatchor" Orru, BeEF's Lead Core Developer, talked about an Ultra cool way to automate the whole process at AthCon 2012 and even created a Ruby script that utilizes our latest REST API to do Java 1.6.0u27 mass pwnage!

In the next post, we will talk about how to do the real fun: exfiltrate sensitive data, hop into the internal network, and common pen test practices to limit the scope and prevent counter attacks.

↧

BeEF 0.4.3.5

June 4, 2012, 11:59 am

≫ Next: BeEF up: Installing BeEF

≪ Previous: BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)

So, here we are with a fresh new BeEF release!

For those who want to know more about our development lifecycle, have a look here.

Obviously, with an Open Source project, it's a bit difficult to commit (well push, we're using Git at the end) the same amount of code/time every month, so it's normal to have months with more new features and addressed issues.

Last month's release (0.4.3.5) was full of new code added to the repo. I will cover the main changes.

We added experimental support to WebSockets as an alternative communication channel. The server-side handlers are event-based for performance reasons, and right now it works smoothly in Chrome/Safari and Firefox latest versions. To give it a try, modify beef.http.websocket.enable to true in the main config.yaml file. Using WebSockets the communication is much faster, especially when dealing with large requests (Tunneling Proxy) or an high number of command modules. The WebSockets work is a joint effort between Graziano Felline and Michele. The experimental branch was presented and demo'ed for the first time at AthCon 2012, together with the RESTful API. Have a look at antisnatchor blog for more information.

Antisnatchor (there are rumors in the BeEF dev team that he has a time-machine, and won't release its secrets :-)) added experimental support to Obfuscation. Disabled by default, enable the extension at beef.extension.evasion.enable at the end of the main config.yaml file if you want to play with it. The purpose of the extension is to reduce the likelihood that the BeEF hook will be detected by RegEx'es and Layer 7 filters. Obviously a manual analysis (a la sla.ckers) will reveal the goodness, but still the extension enables you to combine and chain multiple techniques as you most like it. Right now, when enabled, the main hook file and the code sent with modules is scrambled (random string substitution), minified and base64'ed. The extension is ready to accept new obfuscation techniques, have a look at the code here.

Brendan was very helpful with testing and module coding as always. He added a couple of XSRF modules for the Huawei SmartAX MT880 router and the Dlink DCS series camera, and updated the Deface Web Page module to change the page title and favicon. He added the first BeEF clickjacking module that can be used as a template for more specific attacks: an invisible iframe follows the mouse cursor. Right now, this works in Firefox and Chrome, but not yet in Internet Explorer. The code is here. Finally, he also added Cross-Site Printing (XSP) module which allows you to print to printers with port 9100 open. By default, this prints BeEF ASCII art.

Mike also committed awesome modules this time. Thanks to him, our social engineering modules are growing. He developed a module that prompts the user to install a fake Flash player update which is really a malicious Chrome extension (code). This is very nice because the extension can issue CrossDomain requests, have access to tabs, and be the launch point for other modules: Inject BeEF in all tabs, steal Google contacts, or a new one Mike added recently to steal all cookies from all tabs, including those marked with the HttpOnly flag (code).

Christian Frichot ruined his mind implementing some recursive code to enable nested module sub-categories, both in the module definition and in the admin UI. His work was really great and now for example we have the Exploit category, with general exploits and then Router and Camera sub-categories. He also added the Mobile Safari iOS 5.1 Address Bar Spoofing module, thats works great for non-patched versions.

Bart Leppens, a new recruit, added a few nice modules like the Glassfish WAR upload through XSRF (originally discovered by @malerisch, here), the frame sniffing module using LeakyFrame by Paul Stone, and a Netgear GS108T managed switch XSRF module.

Last, but not least because is pretty cool, the Heretic Clippy code has been integrated in BeEF by Nick Freeman and Denis Andzakovic: have fun tricking an IE victim to download what you want through this module :D

That's all for this release. Thanks again to everyone who contributed, and let us know if you have some cool code/feature you want to add to BeEF.

Last update, if you're around in Bochum, Germany don't miss @antisnatchor presentating at HackPra the 20th of June, and the 6th of July in Lisboa, Portugal at Just4Meeting.

↧

BeEF up: Installing BeEF

June 8, 2012, 6:24 pm

≫ Next: BeEF In a Real World Pen Test - Part 3: Hot BeEF Steak

≪ Previous: BeEF 0.4.3.5

We haven't forgotten about the BeEF in a Real World Pentest series. We're taking a break due to the new release, and getting you the stuff you need to use the tool we all know and love.

So, this week's post is about how to get up and running with BeEF.

This one comes from our very own Ben Waugh.

Getting up and running with BeEF:

The great things about BeEF are, the Console, GUI, and RESTful APIs are really easy to use; and the framework is well designed to make module development pretty self-explanatory.

But, getting BeEF up and running seems to trip up people. This is partly because of our use of the latest Ruby framework and gems.

Hence, we have put together this quick guide to the most common ways to get BeEF up and running with the software it relies on using your OS!

Requirements

This is what you'll need:

OSX 10.5.0 or higher, Modern Linux, Windows XP or higher
[Ruby](http://rubylang.org) 1.9.2 RVM or higher
[SQLite](http://sqlite.org) 3.x * The following GEMS:

bundler
thin
Sinatra
ANSI
TERM-ANSIcolor
dm-core
json
data_objects
dm-sqlite-adapter
parseconfig
erubis
dm-migrations
msfrpc-client
eventmachine
win32console (Windows Only)

Option 1: The Install Script (*nix only)

This is the easy way out. We have put together a quick script that will download and install BeEF's prerequisites and download the latest version of BeEF. The script installs RVM, Ruby 1.9, and the required Ruby gems. Be warned, this could affect other software using other versions of Ruby on your system or possibly break things. Use this option cautiously and at your own risk - don't say you were not warned!

To run the script on a *nix system just run;

bash < <(curl -s https://raw.github.com/beefproject/beef/master/install-beef )

If we are missing your OS or the script doesn't work let us know, and we'll try to update it to help other users.

Option 2: Manual Install

To take control of what you are installing or changing on your box, you can follow our install instructions. Which will take you through step by step how to install and configure on a clean system.

https://raw.github.com/beefproject/beef/master/INSTALL.txt

https://github.com/beefproject/beef/wiki/Install-Instructions

As before, if we are missing your OS or these instructions don't work let us know, and we'll try to update these pages to help other users.

Option 3: Experimental Features

CDE Package

If you would like to run beef without installing or modifying Ruby you can generate a CDE package. Note: you'll will need a box with a similar OS running Beef with pre-requisites in order to initially generate the CDE Package (or a friend with Beef up and running :))

This package is created using Philip Guos CDE generation script, check it out here; http://www.pgbovine.net/cde.html

To generate the CDE file run rake CDE. Once generated you can run beef from the cde-package/cde-exec binary created.. ie.

./cde-package/cde-exec cde-package/beef

Mac DMG Image

To package beef into a single DMG file you can run rake DMG. This will create a DMG image file suitable to distribute and install on Mac systems.

↧

BeEF In a Real World Pen Test - Part 3: Hot BeEF Steak

June 11, 2012, 8:22 am

≫ Next: BeEF, what a tasty piece of meat: HackPra talk

≪ Previous: BeEF up: Installing BeEF

Welcome back to our series about using BeEF in a Real World Pentest. If you would like a recap of our work so far, you can read Part 1 and Part 2 in our blog.

In this post, we talk about how we exploit browsers to hop into the core of Contoso and exfiltrate data from its secure vaults.

Tasting The BeEF

Because of our previous efforts, we now have a good number of hooked browsers. It’s time to start running modules.

First, we run a series of low-profile recon modules that gather information in order to enhance our understanding of the victims’ systems and eventually build better exploits without triggering any alarms. The recon phase includes:

Get Browser Cookies: We identify the victim’s cookie for the hooked website in the Details tab. This is a valuable piece of information in case the hook is via an XSS, because now we hijack the victim’s session and do actions on behalf of him.
Identify Platform Versions: From the details pane, we can identify the browser and OS types and versions. This is a crucial step for customizing exploits is to know the specific versions of the platform the victim uses. We use this to know what other modules we can use, or to find/craft other stable exploits. A lot of modules are IE specific and others are Chrome specific.
Hook Default Browser: Different browsers have different features that we want to (ab)use. So, to maximize our attack vectors, we run the “Host/Hook Default” module to try to hook the default browsers and hope that it is not the one currently hooked. Hooking multiple browsers ensures we can execute all possible modules. However, for stealthy execution, it is better to make sure that the victim has adobe pdf FF plugin, Adobe IE BHO or something similar according to the browser type. This makes inline PDF viewing possible. Otherwise, the user may see the PDF file downloading (and can cancel it) or can see the full adobe PDF reader popping up (and can close it).
Detect Software (IE only): We run the “Host/Detect Software” module that uses an IE hack-trick to attempt to get a list of directories in the “Program files” and “program files (x86)” folders. Using this, we can identify legacy/unmaintained programs installed on the victim’s machine that can be exploited later.

Conducting this exercise on Contoso’s hooked browsers, we found:

Most hooked browsers are using the latest version of Windows 7, a few people are using Windows XP and one using linux (probably a system admin, bingo!).
Most hooked browsers are using IE 8, a few are using Google Chrome and a few are using Firefox.
Most hooked browsers are using Microsoft Office, a few using a version of Real Player (very tempting for exploitation!)

More Aggressive Devouring

Now we want to run more aggressive modules and start exfiltrating data. However, those modules are likely to trigger the user’s attention as some of them requires user interaction and others make browsers behave abnormally.

The clipboard can be a Gold mine! Especially when, on Class A targets, we can find snippets of code, portions of contracts, financial records, and a lot more hanging on the system’s clipboard. We run “host/clipboard theft” module to get the hooked browsers’ clipboard and save it for future analysis.
In order to fingerprint the hooked browser’s host information such as network interface details, JVM version, and OS detailed version, we run the “host/get system info” module. JVM version particularly is very useful because Java exploits are much easier to pull off if you know the specific version of the JVM.
For the browsers hooked via the XSS exploit (refer to part 2 for more details), we can use their cookies and attempt to hijack their session. By manually setting our session ID to be the same as the victim’s session ID, we gain access to their account on the portal without having to log in! Now, we can do all sorts of data exfiltration by saving all possible information we find accessible to that account.
One effective technique to persuade top management about the seriousness of your pen test report is to take some pictures of Class-A targets via their webcams and put them in the report. We do this by running the “browser/webcam” module which takes a series of pictures off the hooked browsers’ webcam via Adobe flash. Although a warning is shown to the user, by customizing the text displayed in the warning, it is possible to manipulate the user into accepting the prompt.
If the enterprise has wireless networks, use the “host/get wireless keys” module. This module retrieves the wireless profiles saved on the hooked machine’s network manager. Then, we can import them into our machines and go snoop around near the victim’s physical location.
We can also save known sensitive files. The “misc/local file theft” module allows us to save common sensitive files such as ssh private keys, command line history files, and boot files. It's noteworthy to mention that this will only work when a user has been hooked via an HTML file opened from a local file on Safari or mobile Safari. It also works on the Android browsers and iPad Dropbox previewer. So, it is particularly successful when the hooked browser is a mobile device, where there are a lot of saved passwords and sensitive information for the “user convenience”.
Finally, to expand our exploitation, the Metasploit integration makes perfect sense. BeEF allows almost full Metasploit integration where you can see Metasploit modules inside BeEF’s module branches under “metasploit/*”. Now we can run a multi-handler and execute any of the the juicy metasploit modules suitable to the hooked system. This is fun beyond imagination! And beyond the scope of this text.

Following the scheme described above, we were able to achieve very good grounds penetrating Contoso’s first line of perimeter defenses.

In one of the clipboard snippets, we found a portion of the firewall configuration mapping and allowing access from an external high-address port (TCP/32111) to an internal (10.20.1.5) TCP/5900 which is the default port for a VNC server.. This allowed us to manually fingerprint the VNC listener identifying a known vulnerability, exploiting it and gaining access to this server. However, we found out that it is a test server, so it is a dead end. Also, we were able to identify part of the internal network schema by inspecting the IP address ranges and the allowed ports.
We were able to extract Contoso’s wireless network encryption key.
The file theft module harvested some good corporate credentials from mobile devices pulled from the browser history.
We took a snapshot off a Class-A target’s webcam which will fit very nicely next to the firewall configuration in the final report.
A few browsers were using a vulnerable version of Java. So, firing up Metasploit, with some obfuscation kung-fu, we were able to get meterpreter sessions, but it turned out to be for low profile people. However, this is a very good point for further hopping inside the network.

At this point, we have penetrated the first level of Contoso’s defenses accessing the user information. In the next post, we will talk about how to crack the inside network; maximizing damage and hopping into deeper layers. Also, we will discuss how to conduct this exercise as safely as possible without deviating out of scope, or getting hacked yourself!

↧

BeEF, what a tasty piece of meat: HackPra talk

June 23, 2012, 8:50 am

≫ Next: BeEF In a Real World Pen Test - Part 4: BeEFy Desserts

≪ Previous: BeEF In a Real World Pen Test - Part 3: Hot BeEF Steak

The 20th of June I gave a seminar at @HackPra in Bochum university, Germany.
First of all, thanks to Mario Heiderich and Marcus Niemietz for the invitation.

The talk went very well, covering several things:

communication channels: the default XHR-polling channel, and the new WebSocket channel;
XssRays integration: new enhancements (works with Webkit-based browsers that use XssAuditor, IE6 to 10);
abusing Chrome extensions: the Fake Flash Update module coded by Mike Haworth, and a few Chrome extension modules we have in BeEF (like the one you can use to inject the hook in all the open tabs). Imagine the impact of this (see screenshot below, where one of the tabs where the BeEF hook was injected is LinkedIn);

tunneling proxy: speed/performance enhancements while using WebSockets (4/5x times faster);
Evasion extension: for the first time, I was presenting the experimental Evasion extension. The aim of the extension is to obfuscate the hook and all code sent to the hooked browsers in order to evade passive regex-based filters. You can define your own obfuscation techniques, specifying in which order they need to be called. Right now we have 3 techniques: scramble (static string substitution, for example you don't see anymore beef in the hook), minify (awesome to save size) and base64. XOR is coming soon.

The talk went well, and as I promised there were a lot of live demos. Actually only one demo was not live. I've played again the Java mass pwner that uses RESTful API scripts, originally presented at AthCon 2012.

After the talk we all went to a GDATA building together with Karsten Tellmann, Felix @fluxfelix and other guys from @fluxfingers . Meeting Udo Strauch, the guy responsible for food and drinks, was a unique event :D His fine selection of rare beers was amazing: he particularly like some rare beers (honestly I didn't know them) from Teo Musso, an italian guy. The beers where really tasty and flavored, ans 8 to 10 percent :D

We were partying hard until late in the night. The next day I met up with Reiners, Tilman Frosch, and partially followed (it was in encrypted German) Felix's awesome lecture about reversing.

To conclude, it was a great time. They really took good care of me. Definitely two non-conventional days for a university seminar. Really recommended to everyone (entrance was free as well of course).

You can enjoy the slides/recording here. This was the first time I could watch the recording of my talk the next day :D

↧

BeEF In a Real World Pen Test - Part 4: BeEFy Desserts

June 23, 2012, 12:26 pm

≫ Next: Raspberry Pi with a side of BeEF

≪ Previous: BeEF, what a tasty piece of meat: HackPra talk

Welcome to the final installment of BeEF in a real world pentest.

You can read the previous installments in our blog.

But, to recap: in Part 1, we demonstrated how to build the con for our fictional target company Contoso. In Part 2, we set the hooks for our targets and got zombies on the line. In Part 3, we gathered information from our hooked targets and started exploiting that data.

In this episode, we will discuss how we can pivot and hop further inside the internal network and how we can foolproof our encounters to conduct a professional pen test within a given scope and time frame.

Based on our previous work, we have a slew of hooked browsers and we have penetrated the first level of defenses. At this point, we want to leverage our hooked browsers to pivot and hop inside the network.

Hopping Inside

We start off by identifying the computers in the same network of the hooked browsers. Since we already have the browser’s internal IP (refer to part 3), we run our scan against its class C network using the ping sweep modules. For firefox, we use the “network/Ping Sweep” module which does not require user interaction, and for other browsers we use the “network/Ping Sweep Java”.

Additionally, we fingerprint common appliances on the same network of the hooked browser using the “network/Internal Network Fingerprinting” module. This module will try to enumerate common appliances (printers, routers, media servers, ...etc) on some default IP address using pre-defined file signatures.

After we have identified some live IPs, we start scanning those IPs for open ports. Using the “network/Port Scanner” module, we can port scan internal IPs of a hooked browser (Firefox, and Chrome only). The module uses WebSockets and HTML5 techniques to conduct the scan.

To further investigate our internal targets, we can run a DNS enumeration scan on the internal network via the “Network/DNS Enumeration” module. The DNS enumeration module uses dictionary and timing attacks to identify common internal domain names such as (intranet, mail, print, ...etc). This can be very helpful in identifying internal resources.

Now that we have a good understanding of the internal network, the last step is to scan internal applications for further vulnerabilities. Using the “Tunneling Proxy” extension, we can chain our browser, a web vulnerability scanner such as Burp Suite and the hooked browser in a proxy chain. This video by Michele “antisnatchor” Orru best describes how this can be achieved.

We can even craft and send raw requests proxied via a hooked browser using the Rider extension tab. This allows us to conduct convoluted attacks on the internal web servers.

It is worth mentioning, we can do more pivoting and hopping by leveraging the meterpreter shells we have on some non-important hosts and the compromised test server (see part 3) but that is beyond the scope of this text.

Foolproofing

Now that we have fully penetrated our target, we want to point out some of the proofing tips that will help us keep the pen test clean and professional.

The first thing we need to take care of is preventing backfire from disgruntled employees and/or target sys admins. The last thing we want is to get hacked by our customers! To secure our own perimeter, we take a few precautions:

Limit the admin UI interface of BeEF to the internal IPs only that we actually use to administer BeEF. This can be achieved from the main config.yaml file by setting the “permitted_ui_subnet” to match the administration internal subnet.
Setup firewall rules on the BeEF server to block all external access except for the web port, metasploit payload delivery port and browser autopwn port (if applicable).

For larger numbers of hooked browsers, the performance of the default underlying DB driver (i.e. SQLite) drops dramatically leading sometimes to unexpected behaviours. If you are planning to have a large number of hooked browsers, use BeEF in MySQL DB mode. This can be configured in the main config.yaml file under “database:driver:” section. Also, changing the update timeout value to 1-2 seconds in updates.js (based on the connection speed) might give a performance boost.

It goes without saying that we need to have our written authorization of the penetration test. What is sometimes missing are small details that might cause problems. The following are examples of sensitive “grey” interactions that should be explicitly declared in the scope and agreed upon a priori:

Sending buzzing phishing emails (especially to or about C-Level execs).
Capturing employees personal information and using it to gain access to their corporate machines.
Extracting wireless keys from corporate machines given that there might be some personal wireless keys on laptops or BYOD-style devices.

In order to keep the scope of the pen test from creeping to personal grounds, we can take some more precautions:

Limit the hooking subnets to only the IP ranges of the target company to prevent accidental or out of scope hooking of browsers. However, this will severely limit smartphones hooking as they will most likely get hooked via their 3G/4G interface.
Limit the hooking machines to only ones with a predefined set of referrer URLs that we use. This is a weak limitation but might be handy in case of mobile devices.
Do not save exported wireless keys that do not belong to the corporate wireless.
Do not save or use private photos and/or videos exported from the users’ profiles or harvested in the recon phase, as this is not corporate related and probably off limits.

Now that we have successfully penetrated the perimeter, hopped inside the internals of the network, and secured ourselves from backfire and scope creep, we are ready to write the report focusing on how our client will be able to fix the issues through which we were able go gain this access.

Special thanks to Heather Pilkington for helping me out through this series, Michele Orru for his insightful comments, and all BeEF team for their great support!

↧

Raspberry Pi with a side of BeEF

July 3, 2012, 7:05 am

≫ Next: Opening closed ports on NAT device and bypassing stateful firewalls with BeEF

≪ Previous: BeEF In a Real World Pen Test - Part 4: BeEFy Desserts

A guest post from our friend g13:

The Raspberry Pi(http://www.raspberrypi.org) is a $25 ARM GNU/Linux box that is the size of a credit card. The applications for this little device are seemingly endless. So naturally I picked one up and started working on some penetration testing scripts for this box. One of my goals was to get BeEF running; which I have done.

BeEF comes with a couple installation scripts. I used these as a starting ground to get BeEF running on the Raspberry Pi. The script I started with was the "install-beef" script. After running the script, I noticed that the install failed after trying to install rvm. It appeared that even though rvm installed, it was not available to run. I was able to track this down to a PATH issue. In the install-beef script, the $HOME/.rvm/scripts/rvm file is referenced. That file was never created. I changed the install-beef script to contain a line which created the symbolic link between /usr/local/rvm/scripts/rvm and the one in my local path. After that, everything went off without a hitch!

I also removed some of the code to detect other OSes as the script is intended to only run on the Raspberry Pi. I would also like to note that during the installation, Ruby 1.9.2 is compiled and installed. I highly recommend changing the RAM allocation from 128/128 to 224/32. This will speed up compile time. If you are not familiar with how to do that, here is the command:

As Root: cp /boot/arm224-start.elf /boot/start.elf

BeEF takes about 1 minute to load after the RAM changes are made. It is not recommended to run X while running BeEF. Navigating to the UI from another machine is decent, but not as snappy if BeEF was run from more powerful hardware. I tested hooking a few clients and the performance in the UI did not degrade.

Of course, what would this post be without a screen shot of BeEF running on the Pi:

I have included my modified install script in the PwnBerryPi pentesting suite which is available on github.

↧

Opening closed ports on NAT device and bypassing stateful firewalls with BeEF

July 14, 2012, 6:05 pm

≫ Next: BeEF 0.4.3.7

≪ Previous: Raspberry Pi with a side of BeEF

Today's guest post comes from Bart Leppens. Thank you!

In 2010 Samy Kamkar discovered a method that he called "NAT Pinning." The idea was, an attacker lures a victim to a web page and that web page forces the victim's router or firewall to forward any port number back to the user's machine. The router, firewall, NAT-device must support connection tracking. Samy Kamkar has successfully tested this on a Belkin N1 Vision Wireless Router.

Now, IRC NAT Pinning is integrated in BeEF as a module. It requires the victim to use Firefox due to blocked port number 6667 in most other browsers. In this example, iptables is used to demonstrate how it actually works.

Let's imagine the following network:

And the configuration for iptables on the NAT/firewall:


#! /bin/sh

# DEFs
OUTIF=eth0
LANIF=eth1
LAN=192.168.1.0/24

# MODULES
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Cleaning
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Kernel vars
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound traffic on LAN
iptables -A INPUT -i $LANIF -j ACCEPT

# NAT
##########
iptables -t nat -A POSTROUTING -o $OUTIF -j MASQUERADE

# initiated and accepted exchanges from WAN to LAN
iptables --append FORWARD -m state --state ESTABLISHED,RELATED -i $OUTIF -o $LANIF -j ACCEPT

# Allow unlimited outbound traffic from LAN to WAN
iptables --append FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $OUTIF -i $LANIF -j ACCEPT


iptables -A INPUT -j LOG --log-level debug
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-level debug
iptables -A FORWARD -j DROP

Iptables must accept RELATED inbound connections and the IRC connection tracking modules must be loaded.

Suppose that machine with IP 192.168.1.100 has an Apache-webserver running on port 80 to serve some intranet, and that this site is normally not reachable from the outside (probably the Internet).

When the attack is executed, BeEF creates a temporary socket that listens on port 6667 for incoming TCP connections. The demo used netcat for this "nc -l -p 6667", but thanks to Antisnatchor, this isn't needed anymore!

Once this is done, we must fill in the correct parameters in BeEF and then try if the port has been opened.

This can be seen on the following video:

The same can be attempted without NAT. In this case a stateful firewall (e.g. iptables) also needs to accept RELATED inbound connections and the IRC Connection Tracking module must be loaded.

Imagine now that telnetd is running on the victims machine, but it isn't reachable due to the packet filtering of the firewall. In BeEF, you can do this exactly as shown before. But, in this case, the private IP is the victim's public IP and the private port is the telnet port (probably 23).

If you're using iptables and you want to avoid problems with connection tracking, please refer to the secure use of iptables and connection tracking helpers. These are the best practices to make use of connection trackers.

↧

BeEF 0.4.3.7

August 9, 2012, 5:27 am

≫ Next: Happy Hooking! - BeEF autorun and Twitter notify

≪ Previous: Opening closed ports on NAT device and bypassing stateful firewalls with BeEF

We've been so busy in the last months that we haven't even had the time to write a blog post with the 0.4.3.6 changes :D

Anyway, here we are with a new tasty piece of BeEF, 0.4.3.7!

Here is the breakdown of the most important changes (without mentioning bugfixes, that are always there if you look at our GIT repo history):

Twitter and E-mail notifications (thanks @marcwickenden): we have a new extension where you can configure an SMTP server or Twitter account in order to receive automatic notifications as soon as a new browser is hooked in BeEF;
HTTPS support (thanks to one of our long-term developers, Christian @xntrik Frichot): you can now start BeEF with full HTTPS support. You should use this when you want to target HTTPS applications, especially if the user is using latest Chrome/Firefox browsers: they do security checks for mixed content and prevent the hook to work in case you use HTTP;
new Chrome extension module (thanks Mike Haworth): now you can have screenshots of the current tab the user is in;
Gmail phishing and Flash Webcam modules (thanks floyd.ch): using the first module you can logout a user from Gmail, create a fake Gmail login page, then steal the the Google account credentials. With the second module, if the user clicks "Allow Webcam" from the popup created by Flash, you can get photos from his webcam at a defined time interval you can specify;
Nat_pinning module (thanks Bart Leppens): you probably remember Samy's research on the topic. Well, we added this nice attack to BeEF, so you can have fun with it.
The GlassFish exploit has been enhanced (again, thanks Bart), and we also added GlassFish fingerprinting to our internal network fingerprinting module.
Brendan @_bcoles Coles, as always, did a great job adding new modules and porting various attacks to BeEF: Spring exploit for CVE-2010-1622, lots of XSRF and some RCE modules for various embedded devices like routers and cameras (D-Link dir-615, Linksys wcv series, Cisco E2400, 3Com OfficeConnect ADSL Wireless 11g, Asmax AR-804gu). Other than that, he also added enhanced fingerprinting for various mobile devices, and the balloon dialogs for the admin web-gui. Let us know via @beefproject if you want more/different stuff in this dialog.

Michele @antisnatchor Orru, except from bugfixes, added the confirm_close_tab module, in order to achieve better hook persistence and annoy the user (basically the user is asked for confirmation - in a loop - when he's closing the hooked tab). Another bunch of changes he worked on were about the AssetHandler (you can now bind/unbind raw sockets in BeEF, useful for example in the nat_pinning module to bind a socket on port 6667), the RESTful API (added a /api/modules/multi endpoint that you can now use to launch multiple modules at once to a single target) and the admin web-gui (added a JSON endpoint that enables you to call the RESTful API from ExtJS)

These 2 months were fun as always. If you want to get involved with out project, just let us know. We have tons of features to implement and we need man-power :D

Last thing to mention is the nice BlackHat 2012 presentation about BeEF in MiTM scenarios, from Steve Ocepek and Ryan Lynn (for those of you who don't remember him, Ryan developed the Metasploit integration we currently have in BeEF). Have a look at what awesome stuff they did here. For those of you who were not already using Ettercap + BeEF, you should definitely have a look at their work. Even if you used Ettercap before, they wrote a bunch of nice MiTM Ruby scripts using PacketFu that automate the whole process.

↧

Happy Hooking! - BeEF autorun and Twitter notify

August 13, 2012, 7:24 pm

≫ Next: BeEF web cloning, BeEF mass mailing, Social Engineering with better BeEF!

≪ Previous: BeEF 0.4.3.7

Today's post is contributed by Ryan Linn.

In previous posts, we’ve looked at both how to use BeEF in a real world pen test, as well as how to use the REST API to automate common tasks in BeEF. In this post, we’re going to take a look at how to use the REST API to auto-run multiple modules at one time, and set up Twitter notification.

Why would we want to do this? In the Real World series, we looked at number of modules that can be helpful when profiling browsers. But, what if we want to run them automatically so we don’t have to point and click for each new hooked zombie? By default, BeEF allows for a single module to be auto-run. But, we can auto-run a number of different modules, and even customize them for specific browsers using the REST API.

Now we can easily manage more zombies coming in at a time from a social engineering campaign. Also, we have ensured that we have maximized the information we can get from the browser regardless how long a browser is hooked!

To get the scripts, start by going to https://github.com/SpiderLabs/beef_injection_framework and downloading the framework tools. There will be two tools that we’ll be looking at in this blog post. The first is the autorun.rb script that will handle the autorun functionality. The second is the dump_mod_info.rb script, that will output all of the modules we may use.

To get the list of modules, let’s begin by starting our BeEF Instance:

$ ./beef
[17:57:07][*] Browser Exploitation Framework (BeEF)
[17:57:07] | Version 0.4.3.6-alpha
[17:57:07] | Website http://beefproject.com
[17:57:07] | Run 'beef -h' for basic help.
[17:57:07] |_ Run 'git pull' to update to the latest revision.
[17:57:08][*] BeEF is loading. Wait a few seconds...
[17:57:08][*] 8 extensions loaded:
[17:57:08] | Events
[17:57:08] | Requester
[17:57:08] | Proxy
[17:57:08] | Console
[17:57:08] | XSSRays
[17:57:08] | Demos
[17:57:08] | Autoloader
[17:57:08] |_ Admin UI
[17:57:08][*] 114 modules enabled.
[17:57:08][*] 2 network interfaces were detected.
[17:57:08][+] running on network interface: 127.0.0.1
[17:57:08] | Hook URL: http://127.0.0.1:3000/hook.js
[17:57:08] |_ UI URL: http://127.0.0.1:3000/ui/panel
[17:57:08][+] running on network interface: 172.16.149.141

[17:57:08] | Hook URL: http://172.16.149.141:3000/hook.js
[17:57:08] |_ UI URL: http://172.16.149.141:3000/ui/panel
[17:57:08][*] RESTful API key: fba4fc47a6d56c4b23b29027a4ea4524c410643f
[17:57:08][*] HTTP Proxy: http://127.0.0.1:6789
[17:57:08][*] BeEF server started (press control+c to stop)

Next, lets dump the list of modules and pipe it into less:

$ ./dump_mod_info.rb | less

The first thing we want to do is to launch a hidden IFRAME to point to our Metasploit instance. To do this, lets find the module to create a hidden IFRAME.

When we find it in the less output, it looks like this:

MOD: invisible_iframe
Creates an invisible iframe.
OPTIONS:
  [{"name"=>"target", "ui_label"=>"URL", "value"=>"http://beefproject.com/"}]

We have one option to set: the “target.” The value is the URL we want to launch in the hidden IFRAME. To make this module auto-launch in the autorun.rb script, we open the autorun.rb script and find the autorun_mods hash.

The autorun_mods hash is a key value pair. The key is the name of the module to run, and the value is a hash of options. In this case, if we wanted to just run this one module pointing to http://localhost:8080 then we’d create our autorun_mods to be:

@autorun_mods = [
  { 'Invisible_iframe' => {'target' => 'http://127.0.0.1:8080/' }}
]

We want to do more than that though, so let’s add some more fingerprinting in:

@autorun_mods = [
  { 'Invisible_iframe' => {'target' => 'http:// 127.0.0.1:8080/' }},
  { 'Browser_fingerprinting' => {}},
  { 'Get_cookie' => {}},
  { 'Get_system_info' => {}}
]

This will launch browser fingerprinting, our invisible iframe, try to get the cookies for the visiting page, and launch a java applet that will try to fingerprint the browser’s system info. Now that this is all setup, we save our autorun.rb script and just run it:

$ ./autorun.rb

Now the script is running, we launch a browser to get hooked and watch our BeEF
window:

[18:11:45][*] New Hooked Browser [ip:127.0.0.1, type:FF-13, os:Linux], hooked domain [127.0.0.1:3000]
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Create Invisible Iframe'
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Fingerprint Browser'
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get Cookie'
[18:11:50][*] File [/home/sussurro/beef/modules/host/get_system_info/ getSystemInfo.class] bound to url [/getSystemInfo.class]
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get System Info'
[18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Get Cookie'
[18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Create Invisible Iframe'
[18:11:57][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Fingerprint Browser'

We can see from the output that our auto-run script has executed the modules 5 seconds after our initial hook has taken place. This is far faster than if we had done this manually. From here, we can go into the user interface to view the results. Or, the autorun script spits out session, module, and command id’s to get the statuses of the run modules programmatically.

While these scripts are a good starting point, you may want to do more customization. This can be done by modifying the Ruby and following the steps in the REST post and documentation.

The final piece we want to add is Twitter notification. Let's have a little birdie tell us when we've hooked our Zombies. This will make sure, if we have a social engineering campaign running, we can both auto-collect data and be notified when we start getting successes.

First we need to create a Twitter application at dev.twitter.com. Once logged in we want to create our application. Here’s the sample settings for my application, notice the permissions that are required to send DM’s.

BeEF Notifier Properties

Next, we need to create our personal access tokens for our account. To do this, there should be a link at the bottom of the page to authorize our account. Once we do, we should see another set of information about our access tokens like below:

Access Token

Now we have all of the information to update BeEF to configure twitter notifications. We edit extensions/notifications/config.yaml and set enable to true under notifications and under twitter. Finally we configure our keys from the previous steps and our target usernames, save the file, and we should be all set.

Restart BeEF, login, and hit the link for the basic demo page, and you should get two DM’s like below:

Direct Messages on Twitter

Now you’re all set for your campaign to begin. Sit back, wait on Twitter to tell you when you’ve got zombies, and automate as much as you can to maximize your success rate. Happy Hooking!

↧

BeEF web cloning, BeEF mass mailing, Social Engineering with better BeEF!

September 13, 2012, 4:57 am

≫ Next: BeEF and Pwnies - The Pwn Plug!

≪ Previous: Happy Hooking! - BeEF autorun and Twitter notify

After a week of hard work, I'm pleased to release a new Social Engineering extension that will come very handy during your social engineering attacks that involve Phishing, both email and web based.

Now BeEF has its own web cloner, and its own mass mailer! But, there are tools out there that do this already, you say. Why should I use BeEF to do this, you ask?

Because it's BeEF! While there are other tools out there to do these things, I've made some improvements to how these are done when adding them into BeEF. We're talking about things like cloning web pages with an exact path, automatic BeEF hooking, and finally a mass mailer that supports HTML emails... well, you should really read this whole post.

You are probably already aware that you can already do web cloning, credential harvesting and mass mailing with other tools. At the time of this writing though, these tool modules have various limitations. For example:

When you clone a web page, you cannot arbitrarily specify the exact path where you want to serve the cloned page from. For instance, if you clone hxxp://example.com/customer/login.aspx and your phishing domain is http://exaample.com, you cannot mount the cloned page on http://exaample.com/customer/login.aspx Instead, you have to use http://exaample.com/ unless you don't patch the tool by yourself.

Also, after a POST request is intercepted, the victim control is lost (unless you don't use other attacks that pwn the victim machine first).

Finally, you cannot have one instance of the tool that is serving multiple phishing pages (in case you want to do that).

When you use the mass mailer, you cannot send HTML emails. By default the degree of customization of your email is very limited, meaning that when you create a template you can specify only a subject, a body and an attachment. The email is always sent in plain text. In many attack scenarios, when you already profiled your victim (so you know already email/name and you probably have also an HTML email with company footer/branding), you want to send targeted emails that looks exactly the same as the one she will usually receive, a legitimate one.

I was frustrated with these limitations. I always needed to customize these tools in order to include BeEF hooks, so, I got bored and decided to write my own code.

The BeEF web cloner has the following features:

Clone the page you want, and mount it where you want (including exact path). You can clone multiple pages and mount them in multiple different locations. You can also specify if you want to mount the exact clone, or mount a different file of your own (for instance, after you applied your custom modifications that are easier to accomplish manually rather than with a parser);
The page that has been cloned is automatically modified in multiple ways: the BeEF hook is added - in a way that the victim will be automatically hooked in BeEF as soon she's on the page - and the 'form' fields are modified in order to intercept POST requests (credentials sent to a login page, for instance);
Finally, if the original page you cloned can be framed (currently the extension checks only for X-Frame-Options, not for custom framebusting code), after the victim clicks on the login page - and the POST request is intercepted - the original page will be loaded in an overlay iFrame while keeping the browser hooked in BeEF.

The BeEF mass mailer has the following features:

Connects to an SMTP server on the port you want (with/without TLS), and send highly customizable emails based on a template you choose to N victims you specify. When specifying your victim emails, you also associate every email with a name, so the final email will look more legitimate (like, Hi Michele, then next Hi Wade, etc... depending on the recipient). The mass_mailer configuration options and the default email template file structure are shown here below:

Template creation is actually where the fun starts. You are completely free to create both a plain text and an HTML email with the content you want. What I usually do, while having already the original legitimate HTML email of the victim, is the following:

copy and paste the original HTML content on your new template file mail.html;
if the email contains images (in the form of <img src="http://a.com/b.png" />), download those emails in the template directory;
then configure the config.yaml file by adding your new template, specifying which images you have, and assigning a Content Id to each of them;
using the Content Ids, edit the mail.html file modifying each image source with something like <img src="cid:__cidX__" /> , where X is the id of the CID of the image you want in that position;
finally, place __name__ and __link__ / __linktext__ placeholders where you want, as those values will be automatically replaced with content you want.

The default template email looks like the following:

And it looks like this when it's received from a mail client:

Note that the fromname (BeEF) can be always spoofed when creating an email, and you're free to specify the value you want. Also, by default, many mail clients displays only the fromname field instead of the full email address.

Both the web cloner and the mass mailer functionality are currently exposed only via the RESTful API. To clone https://example.com/login.aspx and mount it on /login.aspx on BeEF, use the following curl request:(update [BeEF]; and [token]; accordingly):

curl -H "Content-Type: application/json; charset=UTF-8" -d
 '{"url":"https://example.com/login.aspx", "mount":"/login.aspx"}' 
 -X POST http://[BeEF]/api/seng/clone_page?token=[token];

To send an email using the default template, with custom fromname/subject/link/linktext values, to 2 recipients, use the following curl request (update [BeEF] and [token] accordingly):

curl -H "Content-Type: application/json; charset=UTF-8" -d 
  '{"template": "default","subject": "your subject","fromname": "BeEF","link": 
  "http://[BeEF]/login.aspx","linktext": "https://example.com/login.aspx","recipients":
  [{"michele@example.com":"Michele","wade@example.com":"Wade"}]}
  ' -X POST http://[BeEF]/api/seng/send_mails?token=[token];

A few notes. The extension is (currently) not compatible with Windows, because it uses wget to clone the web page, and file to determine the correct mime type for inline/attachment email contents. Other than that, it leaves you to set up a public server with a proper domain name an MX records for the SMTP server (in case you cannot use the victim SMTP server for spoofing purposes).

Finally, don't forget to change beef.http.host in the main config.yaml file to your public server IP address.

Having these two nice tools, you can plan your social engineering campaigns using both web and email phishing, while using BeEF to do the dirty work. What I usually do is script everything with the RESTful API: clone a page, include that phishing link on a new mass mailer template, send the emails to my targets, hook them all in BeEF, launch targeted command modules, and (thanks to BeEF's awesome browser/plugin detection) wait for reverse shells :D

Have fun!

↧

BeEF and Pwnies - The Pwn Plug!

October 11, 2012, 5:46 pm

≫ Next: Mission impossible: to install BeEF on a VPS with only 128Mb of RAM

≪ Previous: BeEF web cloning, BeEF mass mailing, Social Engineering with better BeEF!

As a Pentester, you sometimes need to think out of the box and use multiple techniques in order to prove to a client that they are vulnerable even in their internal network. I was recently working with a client which had a XSS vulnerability in one of their internal web applications that just was not accessible from the internet...

Until I introduced the client to BeEF and the Pwn Plug Elite.

I knew I could use BeEF to show the client the vulnerability, but, I needed the BeEF server to be accessible on their internal network. That was where the Pwn Plug came to mind. But, it did not come with BeEF out of the box. With BeEF being so flexible I was able to install it on the Pwn Plug and I wanted to share how I did that.

Here is the code to install all the requirements and setup the beef_launcher script.

All the commands should be typed while logged in to the Pwn Plug.

Code:


# update and install requirements
sudo apt-get update
sudo apt-get install curl git-core ruby subversion

sudo apt-get libssl-dev libsqlite3-dev ruby1.9.2

# PwnPlug 1.1.1 has a directory called storage

# that is on the SD CARD with Metaspolit
cd /storage/

# Downloading rvm-installer
# bash >> curl would not work
curl -sk https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer >> rvm-installer
chmod +x rvm-installer
./rvm-installer

# /usr/local/rvm is the install location
echo '[[ -s "/usr/local/rvm/scripts/rvm" ]] && . "/usr/local/rvm/scripts/rvm"' >> ~/.bashrc
source ~/.bashrc
source /usr/local/rvm/scripts/rvm

# Installing rvm....
/usr/local/rvm/scripts/rvm install 1.9.2

# q needs to be pressed during install 
rvm use 1.9.2 --default

# Download BeEF..
git clone git://github.com/beefproject/beef.git
cd beef

# Installing Ruby Gems
gem install bundler
bundle install

The beef_launcher.sh script should be created separately.


# create beef_launcher.sh in pentest / folder 
#################################################
#beef_launcher.sh
#!/bin/bash

export gem paths
export GEM_PATH=/usr/local/rvm/gems/ruby-1.9.2-p320/gems/
export GEM_HOME=/usr/local/rvm/gems/ruby-1.9.2-p320/gems/

# enter beef directory
cd /storage/beef

# print default password information
echo 'DEFAULT USER/PASSWORD: beef/beef'
echo ''

# launch
ruby-1.9.2-p320 beef –x

#end of beef_launcher.sh

And now...


#make /pentest/beef_launcher executable
chmod +x /pentest/beef_launcher.sh

#To run beef type
/pentest/beef_launcher.sh

By installing BeEF onto the Pwn Plug I was able to inject the BeEF hook into the vulnerable web application and remotely control users’ browsers thanks to the tunneling ability of the Pwn Plug. I couldn’t have landed the contract without the use of BeEF and the Pwn Plug.

This post contributed by:

Tobias Mccurry

Independent Security Consultant

Twitter - @lordsaibat

LinkedIn - http://www.linkedin.com/pub/tobias-mccurry-a-security-gsna-gcih/10/b81/477

P.S.
We have it on good authority from the Pwnie Express team that BeEF might be integrated in one or more of the Pwn Plugs soonish. Exciting! Keep an ear to the ground. You'll hear us running.

↧

Mission impossible: to install BeEF on a VPS with only 128Mb of RAM

October 30, 2012, 3:54 pm

≫ Next: Revitalizing the Inter-Protocol Exploitation with BeEF Bind

≪ Previous: BeEF and Pwnies - The Pwn Plug!

Today's guest post contributed by Matteo Campofiorito:

Several weeks ago I received a free VPS from ChunkHost, my goal was to install an instance of BeEF but my VPS has limited resources. Is it even possible? Here is my VPS configuration:

OS: Ubuntu 12.04.1 LTS (Linux 3.2.0-29 x86_64)
RAM: 128 MB
storage: 3GB

At first, everything went fine following BeEF's installation instruction on GitHub. But, when I executed "bundle install," I received an error installing "eventmachine." I googled around for a solution and realized that my problem was the limited RAM. With only 128MB, g++ fails miserably when it tries to compile eventmachine.

But, extra RAM costs money, so I found a workaround: create a swap file of 512MB. I used "dd" to create the file (here is a good howto about swap file creation), then I activated it and added to my fstab. Then, bundle install succeeded, no error received!

This was the only problem I had with BeEF installation. Everything else went fine, and the program runs smoothly.

I hooked several browsers (2 Firefox, 1 Internet Explorer 9 and one Chrome instance), and there is no slowness at all. The web UI feels responsive and so does the VPS. Here are some screenshots of the top command:

Before BeEF

After BeEF

During Hooking

I hope this helps you in your endeavors!

About Matteo:
Matteo is an open source addicted, security enthusiast and father of an awesome daughter. He works for one of the most important tech web sites in Italy, and in his spare time he writes his rambling thoughts on www.bufferoverflow.it You can reach him on Twitter as @matteoca

↧

Revitalizing the Inter-Protocol Exploitation with BeEF Bind

November 4, 2012, 8:33 pm

≫ Next: BeEF Shank - BeEF MitM for Pentests

≪ Previous: Mission impossible: to install BeEF on a VPS with only 128Mb of RAM

My last two talks about BeEF were great successes. I presented together with Ty Miller at RuxCon 2012 in the land of the BeEF, Australia. Then I presented the same talk, unfortunately without Ty, at OWASP AppSec USA, in yet another land of the BeEF, Texas (Austin) :D

The first RuxCon talk was on the first day at 9:00AM in the morning, after a drinking night. The room was also much more full at 9:10AM, and people couldn't get in :D

Ty and Me

Ty and I decided to release the new BeEF Bind research at RuxCon for various reasons:

RuxCon is an old and underground conference, full of proper hackers and friends, not script-kiddies;
many people from the project (Wade, Brendan, Christian, Ben, Scotty, basically everyone except Ryan, Heather, Saafan, Bart, and Quentin and me :-) are from Australia;
I've never been in the land of the kangaroos.

The research is revitalizing Wade's research on IPEC (2007) in the following ways:

We're using XmlHttpRequest instead of HTML forms to send cross-domain POST requests
A new staging shellcode has been developed to be used specifically for this attack technique
Everything has been merged into BeEF, with new exploitation reliability features

The original idea about IPEC is to exploit "tolerant" network protocols which do not close the client connection if non-valid protocol commands are sent. Lets say you have an IMAP server, and instead of sending LOGIN ciccio PASS pasticcio, which are valid commands, you send LOGIN ciccio CAZZ pasticcio. CAZZ is not a valid command for the IMAP protocol, but even if we fuzz the endpoint for thousand times sending the same CAZZ garbage, the connection is never closed unless we close it explicitly from the socket.

This behavior is different across protocol implementations, so you might find an IMAP implementation which does not behave in the following way. Our tests were focused mainly on IMAP, SIP, IRC and a few SMTP implementations. More details about this will be released in the near future.

You can clearly see that this behavior has an obvious flaw. We can exploit it encapsulating the data for this protocol with another one, lets say HTTP, because data which is not valid is just rejected but it is still parsed. This practically means the following HTTP request can be sent:

Wireshark HTTP Request

The HTTP request headers will be parsed as Bad Commands, while the body of the request will be correctly parsed because a001 LIST is a valid pre-authentication command. After that command we're actually sending shellcode, in this case the stager of the new BeEF Bind shellcode, together with an egg-hunter and current/next SEH pointers because the IMAP server (Eudora Mail 3 v6.1.19.0) is vulnerable to SEH based overflow. When the server will parse the LIST command, the shellcode will be loaded into process's memory binding a socket on port 4444. This is not yet a bind shell.

The next step is sending the stage to this port, as another POST request.

While the stage is running in memory, we have port 4444 listening again, waiting for POST requests like:

Wireshark with stager

Note the Access-Control-Allow-Origin, which enables cross-domain communication using CORS.
This means that after the stage is deployed, we can communicate with the shellcode cross-domain from Javascript, reading the HTTP response without violating/bypassing the Same Origin Policy.

The only cross-domain requests where we can't read the response is when we send the stager and the stage of the shellcode. This would have been very helpful, because we could have fingerprinted the service properly.

From a low-level point of view, you can see how the request looks like in the IMAP process memory:

Sending the POST Request

NOP NOP NOP

You can clearly see that the HTTP request headers are in memory, as garbage/NOPs are sent in a normal exploit where we need to fill lets say 800 bytes of memory before reaching the pointers we can overwrite. This adds additional complexity to the exploitation. We cannot know in advance (and we cannot query the XmlHttpRequest object to know it) the exact size of the the HTTP request headers. An error of one byte means the exploit will fail. To calculate the size we send a POST request back to BeEF, on a different socket (to maintain the cross-domain behavior). In this way we can know exactly the size of the headers which will be sent to the target, and we just need to adjust the size considering the Host field which will be clearly different.

Some of you may have been wondering. Wait a sec, how come you can send cross-domain POST requests to port 143? True, there is no magic here.

A pre-requisite is to disable PortBanning for selected ports, and we do that by delivering a malicious Firefox extension. As you know, Firefox extensions have no limitations on which configuration objects to override. So, basically, everything accessible from about:config can be overwritten or modified.

So it's enough to send a malicious (or backdoored) Firefox extension which contains in prefs.js the following line:


pref("network.security.ports.banned.override", "20,21,22,25,110,143");

to disable PortBanning for those selected ports.

Our research has been focused, and currently works perfectly, on latest Firefox. It works also in WebKit (Chrome/Safari) based browsers if you target not-banned ports. I still need to find a way to disable PortBanning on WebKit based browsers. Opera is still not tested, and Internet Explorer too. For IE there is an additional limitation: it looks like cross-domain POST requests cannot be sent.

The impact of this research is "Rooting your internals" (i.e. internal network services) from a browser which sits in your internal network, using only the browser as a pivot for internal network attacks. The communication with the shellcode is entirely in-browser via BeEF, there are no additional reverse sockets open. From a forensics point of view, this should be much more difficult to understand what's happening, or what happened. The attack is much more stealthy.

Slides from our RuxCon talk here:
http://www.slideshare.net/micheleorru2/rooting-your-internals-exploiting-internal-network-vulns-via-the-browser-using-beef-bind

I've also uploaded the screencast of the demo we shown at RuxCon on my Vimeo channel:
https://vimeo.com/52801406
The demo covers a phishing scenario using the BeEF Social Engineering extension, and shows all the steps required to use the BeEF Bind shellcode: from the malicious Firefox extension delivery, to internal live systems identification and port scanning, finishing with exploitation using IPEC.

Expect more goodness on this topic in the near future.

If you want to help debugging/analyzing known/new exploits and see if they can be ported to this technique, let us know. Your help will be greatly appreciated.

↧