Owasp2012 MarkPiper

BeEF in 2012: An Introduction

WHO

Official Job Title


IN2SECURITY
BEFORE WE BEGIN

The BeEF Team!

: All of the following slides, features, cool stuff and discussion are a direct result of work by the core BeEF developers and the greater community.

: Specifically:

• Wade Alcorn
• Michele Orru
• Brendan Coles
• Christian Frichot
• Ben Passmore
• Heather Pilkington
XSS < 60 SECONDS

Cross-Site Scripting (XSS)

: Lack of escaping of untrusted data within a web application results in an attacker's script executing within the browser in the context of the application domain

: Executes within the scope of authenticated sessions

: Every browser is affected differently and many, many edge cases of unexpected behaviour exist

: Some common mitigations (Same Origin Policy, HttpOnly cookie flag etc.) limit what an injected script can reach, not whether it runs
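An added illustration in Ruby (not from the slides or the BeEF project) of the "lack of escaping" point: one constructed probe string rendered raw, escaped for an HTML text context, and encoded for an inline-script context, where HTML escaping is the wrong encoder. The probe, page fragments and helper names are constructed for this example.

```ruby
require 'cgi'
require 'json'

# Constructed attacker input, the classic alert() probe. In a real app this
# would arrive in a query parameter or form field that the page reflects.
TAINTED = "<script>alert('Hello World!')</script>"

# Vulnerable: untrusted data is concatenated straight into the page, so the
# browser parses the attacker's <script> as part of the application's DOM.
def render_vulnerable(name)
  "<p>Hello #{name}</p>"
end

# Fixed for an HTML text context: escape <, >, &, " and ' first.
def render_html_text(name)
  "<p>Hello #{CGI.escapeHTML(name)}</p>"
end

# Attribute context: the value must be quoted AND escaped; escaping alone
# inside an unquoted attribute still lets a space start a new attribute.
def render_html_attribute(name)
  %(<input type="text" value="#{CGI.escapeHTML(name)}">)
end

# Inline JavaScript context: emit a JSON string literal and \u-escape <, > and /
# so the value can neither break out of the string nor close the surrounding
# <script> element early.
def js_string_literal(value)
  value.to_s.to_json.gsub(%r{[<>/]}) { |c| format('\u%04x', c.ord) }
end

def render_inline_script(name)
  "<script>var user = #{js_string_literal(name)};</script>"
end

# Cheap check: how many <script ...> starts did the final markup end up with?
def script_open_count(html)
  html.scan(/<script\b/i).length
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(TAINTED)
  puts render_html_text(TAINTED)
  puts render_html_attribute(TAINTED)
  puts render_inline_script(TAINTED)
end
```

The point of the third encoder is the one that bites in practice: a value that is safe in `<p>` text is not safe inside `<script>`, and vice versa, so the escaping routine has to match the context the data lands in.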
WHY THIS?

Why does this stuff matter?

: 15 years ago, "the web" and "web applications" were a hilarious joke (oh how we laughed)

: In 2012, almost all application development is web-centric and the majority is browser delivered

: Modern-day thick clients also reside in or rely heavily on the browser (JavaScript, Native Client)

: Potential browser attack surface is HUGE

: With regards to this technology, we rushed development

: Research in this area is still new

MICHAL ZALEWSKI SAYS

We all messed up, and it is time to repent.


WHY THIS?

The Cross-Site Scripting Problem

: With the exception of a few high profile worms, XSS impact doesn't seem to be very well understood

: A2 on the OWASP Top 10 – 2010

: It has moved well beyond alert('Hello World!'):
• Recon
• Persistence
• Targeted exploit delivery
• Information leakage

: Mass hacking – browsers are often a great way to target a large number of clients from a single location

: Web applications are often the best way to "pivot" to your target (internal networks, yummy data, financial systems etc.)
WHY THIS?

: The future is scary!


: Chrome – Secure Shell (an SSH client running inside the browser)
https://chrome.google.com/webstore/detail/pnhechapfaindjhompbnflcldabbghjo
BeEF?

The Browser Exploitation Framework?


INTRODUCING BeEF

The Browser Exploitation Framework

: Penetration testing tool which focuses on the web browser

: Provides a platform for generating and delivering interesting payloads directly to the target browser

: Goes beyond "basic XSS"

: Allows attackers to leverage unique and often powerful attack vectors

: Intended for lawful research and penetration testing only (yes, this is a disclaimer!)
HISTORY

Back in 2009, I gave a talk at OWASP Day

: Discussion / annoyed rant with regards to exploit chaining

: Demonstrated VTiger "XSS -> File Upload -> File Discovery -> File Request" as a single BeEF-delivered exploit

: Used something like the BeEF 0.3.1.x PHP version

: It worked, but it was messy


HISTORY

BeEF History

: Originally announced around 2006 by Wade Alcorn

: Got a little more popular in 2007 after Wade released a paper titled "Inter-Protocol Exploitation"

: Covered delivering basic network service exploits via the browser

: It was awesome (when you could get it to work)

: It had a few issues…


PHP BeEF

BeEF in PHP-minor

: BeEF was originally "hacked up" in PHP

: Contained a number of key issues:

• Plenty of code replication across modules

• There was no "real" or even usable API for extending / leveraging within modules

• It used PHP (channeling @i0n1c)


REWRITE
THE REWRITE

The BeEF rewrite

: BeEF has undergone a complete rewrite in Ruby

: Brings in some nice architecture changes, APIs, code re-use etc.

: As a result, there are a number of really nice modules

: Has a fancy new console interface

: Undergoes significant automated testing (via Jenkins)

: Is now hosted at GitHub (https://github.com/beefproject)
MODULE JS BEFORE
MODULE JS AFTER
BeEF Features

Extensions & Features:

: Web UI

: Console UI

: Metasploit Integration

: XSSRays

: Modular structure

: BeEF JavaScript Object


BeEF Features

Module Features:

: Interprocess communications & exploitation

: History gathering and intelligence

: Network recon (ping sweep, port scan etc)

: Host information gathering (OS, Arch)

: Browser plugin detection

: Persistence

: Exploits (RouterPWN etc)


ARCHITECTURE

Architecture Overview

: BeEF CS has three main components:

: The Core

: Extensions

: Command Modules
ARCHITECTURE

CORE

: CentralAPI

: Filters

: Primary client-side JavaScript

: Server-side asset handling and web services

: Ruby extensions

: Database modelling

: Hooking methods
EXTENSIONS

Extensions

: Allows for extending The Core

: Can hook various functions and APIs


EXTENSIONS

Extension Examples

: The Console

: Metasploit Integration

: XSS Rays

: Web UI

: Event handling

: Hook Demo Pages


COMMAND MODULES

Command Modules

: Individually packaged HTML / JavaScript packages

: “The Payload”

: Several categories:
• Browser
• Debugging
• Host
• Misc.
• Network
• Persistence
• Recon
• Router
ARCHITECTURE

Command Module Examples

: Browser Information Recon

: Network Recon

: Persistence Techniques

: Exploit Delivery (browser, router etc.)

: Host Information Recon


MODULES

Module Overview

: Each module is comprised of 3 primary files:

• Configuration File (config.yaml)

• Ruby Module Code (module.rb)

• JavaScript Payload (command.js)


CONFIG.YAML

config.yaml:

: Provides some basic information

: Determines if the module is enabled

: Defines the targeting configuration

: Identifies who authored the module


MODULE.RB

module.rb:

: Defines configurable options (self.options)

: Defines return result actions (post.execute)


COMMAND.JS

command.js:

: JavaScript payload template

: Supports eRuby variable substitution (<%= @var %>)

: Leverages the BeEF JavaScript Object (beef):

E.g.: beef.dom.createInvisibleIframe();
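An added worked example in Ruby of the three-file layout described above (config.yaml, module.rb, command.js). It is illustration only, not a module shipped with BeEF: the YAML field names, the `js_literal`/`js_int` helpers and the `CommandRenderer` class are assumptions standing in for BeEF's own config schema, `self.options` and the `beef` JavaScript object. What it shows is the eRuby `<%= @var %>` substitution from the slide, plus the check a practitioner wants: option values are encoded for the JavaScript context they land in rather than pasted raw.

```ruby
require 'erb'
require 'json'
require 'yaml'

# Constructed config.yaml in the spirit of the three-file layout above. The
# field names are assumptions for this example, not BeEF's own schema.
CONFIG_YAML = <<~YAML
  beef:
    module:
      demo_fetch:
        enable: true
        category: "Debugging"
        name: "Demo Fetch"
        description: "Example module for illustration only"
        authors: ["example"]
        target:
          working: ["ALL"]
YAML

# Constructed command.js template. <%= ... %> is the eRuby substitution the
# slide refers to; js_literal/js_int are helpers defined here, not beef.*.
COMMAND_JS = <<~JS
  // option values are encoded for the JS context they land in
  var target = <%= js_literal(@target_url) %>;
  var timeout = <%= js_int(@timeout) %>;
  var xhr = new XMLHttpRequest();
  xhr.timeout = timeout;
  xhr.open("GET", target, true);
  xhr.send();
JS

# config.yaml: is this module switched on?
def module_enabled?(yaml_text, module_key)
  cfg = YAML.safe_load(yaml_text)
  cfg.dig('beef', 'module', module_key, 'enable') == true
end

# A raw "<%= @target_url %>" would let an option value such as
#   x"; fetch("http://example.invalid/");//
# rewrite the payload. Emit a JSON string literal with <, > and / \u-escaped.
def js_literal(value)
  value.to_s.to_json.gsub(%r{[<>/]}) { |c| format('\u%04x', c.ord) }
end

# Numeric options: Integer() raises on anything that is not a whole number.
def js_int(value)
  Integer(value)
end

# Stand-in for the module.rb side: holds the configured options and renders
# the template against its own binding so @var substitution works.
class CommandRenderer
  def initialize(options)
    @target_url = options.fetch('target_url')
    @timeout = options.fetch('timeout', 5000)
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_command(options)
  CommandRenderer.new(options).render(COMMAND_JS)
end

if __FILE__ == $PROGRAM_NAME
  puts "enabled: #{module_enabled?(CONFIG_YAML, 'demo_fetch')}"
  puts render_command('target_url' => 'http://127.0.0.1/', 'timeout' => 3000)
end
```

Run it and the rendered script shows the substituted values in place; feed it a `target_url` containing a double quote and the value stays inside its string literal instead of becoming code.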
UI VIEW
GETTING STARTED
EXECUTION – INSTALLATION ON EC2
UI: /ui/authentication
UI: /ui/panel
ZOMBIE: /demos/basic.html

HOOKING:

: The goal is to get http://<beef>/hook.js into the target browser

: BeEF provides several 'demo' pages to demonstrate browser hooking (hook.js)
: http://<beef>/demos/basic.html
UI: ZOMBIE COMMAND

COMMAND UI:

: Includes:
• Zombie list
• Module browser
• Selected command module configuration
ZOMBIE: COMMAND RECV

POLLING:

: Once the browser is hooked, BeEF will 'poll' for new JavaScript payloads to execute.

: When a payload is found, it will execute it.


ZOMBIE: RAW PAYLOAD

PAYLOAD:

: BeEF has substituted the eRuby variables as per the template

: Script creation has been "taken care of"; provided there are no errors, the payload will execute immediately and provide the return value.
ZOMBIE: VIEW
COMMAND VIEW

RETURN RESULT:

: The return result will appear in the Module Results History window within the UI.
MOBILE

MOBILE BROWSERS:

: For the most part, BeEF works fine with mobile devices / browsers

: Contains a number of mobile-specific modules

: QR code support
INTRODUCING THE RESTFUL API

RESTFUL API:

: In 0.4.3.3, @antisnatchor introduced the RESTful API

: Allows monitoring & control of Zombies hooked on your BeEF instance by third-party scripts and applications

: Works as advertised

: Each BeEF instance now generates a new RESTful API key (token)
AVAILABLE METHODS

USAGE:

: /api/hooks (GET): Dump information about hooked browsers (zombies)

: /api/logs (GET): Dump logging information from both hooked browsers & control systems

: /api/modules (GET/POST): List, view and execute command modules against zombies
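An added example client for the API described above, written for this page rather than taken from the slides or the BeEF repository. It assumes the token travels as a `token` query parameter, that `/api/hooks` answers with a `hooked-browsers` object split into `online` and `offline`, and that a module is executed by POSTing its options as JSON to `/api/modules/<session>/<module_id>`; the sample response is constructed, and the host, port and token are placeholders. The request-building and parsing parts run offline; only `hooks` and `run_module` touch the network.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Constructed /api/hooks response in the assumed shape (field set trimmed).
# Two hooked browsers, one of which has stopped polling.
SAMPLE_HOOKS = <<~JSON
  {"hooked-browsers": {
     "online":  {"0": {"id": 1, "session": "AbCdEf0123", "name": "FF",
                       "version": "10", "os": "Linux", "ip": "10.0.0.5",
                       "domain": "intranet.example", "port": "80"}},
     "offline": {"0": {"id": 2, "session": "ZyXwVu9876", "name": "C",
                       "version": "17", "os": "Windows", "ip": "10.0.0.9",
                       "domain": "intranet.example", "port": "80"}}}}
JSON

class BeefApi
  def initialize(base_url, token)
    @base = URI(base_url)
    @token = token
  end

  # Every call carries the instance's API token as the ?token= parameter
  # (assumed transport for the key the slide mentions).
  def uri_for(path, params = {})
    uri = @base.dup
    uri.path = path
    uri.query = URI.encode_www_form(params.merge('token' => @token))
    uri
  end

  # GET /api/hooks, flattened into one array of zombies with their state.
  def hooks
    parse_hooks(Net::HTTP.get(uri_for('/api/hooks')))
  end

  def parse_hooks(body)
    browsers = JSON.parse(body).fetch('hooked-browsers', {})
    %w[online offline].flat_map do |state|
      browsers.fetch(state, {}).values.map do |z|
        { 'session' => z['session'], 'ip' => z['ip'],
          'browser' => "#{z['name']} #{z['version']}", 'os' => z['os'],
          'state' => state }
      end
    end
  end

  # POST /api/modules/<session>/<module_id> with the module options as a JSON
  # body. The session id comes back from the API, i.e. from a hooked browser,
  # so it is validated before it is spliced into a URL path.
  def module_request(session, module_id, options)
    raise ArgumentError, 'bad session id' unless session.match?(/\A[A-Za-z0-9]+\z/)
    path = "/api/modules/#{session}/#{Integer(module_id)}"
    req = Net::HTTP::Post.new(uri_for(path))
    req['Content-Type'] = 'application/json'
    req.body = options.to_json
    req
  end

  def run_module(session, module_id, options)
    req = module_request(session, module_id, options)
    Net::HTTP.start(@base.host, @base.port) { |http| http.request(req) }
  end
end

if __FILE__ == $PROGRAM_NAME
  api = BeefApi.new('http://127.0.0.1:3000', ENV.fetch('BEEF_TOKEN', 'changeme'))
  api.parse_hooks(SAMPLE_HOOKS).each { |z| puts z.inspect }
end
```

Treat the token like the admin password: it grants control of every hooked browser, so keep it out of shell history and logs (the example reads it from the environment) and only talk to the instance over a channel you trust.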
EXAMPLE REQUEST
RESTFUL API DEMO
http://beefproject.com/
ADDITIONAL RESOURCES

: Twitter :: @beefproject

: Github :: https://github.com/beefproject

: IRC :: ircs://irc.freenode.net/beefproject

: Development List :: [email protected]

: Me :: [email protected]
REFERENCES

Further Reading

: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

: http://code.google.com/p/browsersec/

: http://aaronhardy.com/javascript/javascript-architecture-the-basics/

: http://events.ccc.de/congress/2011/Fahrplan/attachments/2009_aaj-28c3.pdf

: https://github.com/beefproject/beef/wiki/BeEF-RESTful-API
www.insomniasec.com
