Buried by time, dust and BeEF
Antisnatchor – RuxCon 2013
Disclaimer

§  My views and opinions do not represent those
of my employer
§  My employer has nothing to do with anything
related to BeEF
Who am I ?
§  Co-author of Browser Hacker’s Handbook
(pre-order from Amazon.com, available March 2014)

§  BeEF lead core developer
§  Application Security researcher
§  Ruby, Javascript, OpenBSD
and BlackMetal fan
This made me LOL
And this made me ROFL (same page, scroll down)
The issue
§  If the problem is getting caught:
–  Spawn from 3 to X VPSs:
1. Each of them has SQLmap
2. Each of them dumps a different data set
3. Each of them uses a different chain of proxies
4. When one data set is dumped, change the proxy chain
§  Restart from point 1

§  Downside: might not be cost-effective (depends
on the data dumped :-). I don’t have enough
money…
The issue

§  Solving the issue without paying for multiple
VPSs/infrastructure…
Use BeEF

§  Exploit Time-Based Blind SQLi from multiple
hooked browsers
§  It’s the hooked browser that (just through
JavaScript) sends the requests and dumps the data
§  A forensic team will see connections from
multiple hooked browsers at the same time
Use BeEF

§  Install BeEF and OpenVPN on a VPS
§  VPN client -> TOR (or other proxies) -> VPS
§  Hook some browsers
§  Instruct the browsers to dump data for you
§  When finished, terminate the VPS
Some background
§  Same-Origin Policy and XHR
§  Why Time-based Blind SQLi?
§  The beautiful features of MSSQL
§  BeEF and putting all together
Same-Origin Policy and XHR
§  Cross-origin XMLHttpRequest
–  You can’t read the HTTP response (you need
Access-Control-Allow-Origin, or a SOP bypass)
But…
–  You can still send the request
§  The request arrives at the destination
–  You can still check the state of the request
§  xhr.readyState
Same-Origin Policy and XHR: implications
§  Exploit RCE cross-origin from the browser
–  See the BeEF exploits for JBoss, GlassFish and others
–  You don’t need to read the response, just “blindly”
send the attack vector

§  Exploit XSRF
§  Internal network attacks
–  Ping sweeping, port scanning, and much more
–  Inter-protocol communication and exploitation
§  Wait for Browser Hacker’s Handbook :D
Same-Origin Policy and XHR: implications
§  If you can tell when xhr.readyState == 4
–  You can monitor the timing
–  Just create 2 Date objects, one before sending the
request and one when it completes, and do simple math :D
Same-Origin Policy and XHR: implications (screenshots of the timing measurement)
§  Firefox 24
§  Chrome 29
§  Internet Explorer 10
Why Time-based Blind SQLi?
§  If we can infer the timing of the response, we
can exploit Time-based blind SQLi cross-origin!
§  Actually any type of SQL injection flaw can be
exploited with Time-based blind vectors
§  Sometimes time-based blind is the only way to
exploit an instance of SQLi
§  Sometimes SQLmap (great tool, kudos Bernardo!) is able to
exploit SQL injections only using time-based vectors
The beautiful features of MSSQL
§  http://msdn.microsoft.com/en-us/library/
ms187331.aspx
The beautiful features of MSSQL
§  http://msdn.microsoft.com/en-us/library/
ms187024.aspx
§  SQL Server 2008 R2 (<= 4 CPUs):
§  256 thread pool (x86)
§  512 thread pool (x86_64)

§  I did my tests on SQL Server Express (on
Windows 7)
–  Connection numbers/thread pools are much more
limited
The beautiful features of MSSQL
§  MySQL and Postgres do not support this
–  Postgres example: http://www.postgresql.org/docs/
8.2/static/functions-datetime.html

§  Still, you could use BENCHMARK or other
similar functions
–  Excessive CPU load if parallelized? Probably
The beautiful features of MSSQL
§  With DBs != MSSQL you can still exploit SQLi
using Time-based Blind vectors from the
browser
–  But you can’t parallelize requests

§  Most ASP/.NET applications use MSSQL
§  MSSQL presence on the internet is widespread
BeEF and putting all together
§  MSSQL only right now
–  PoC retrieving DB and Table names

§  Concurrent approach
–  Multiple WebWorkers
–  Multiple hooked browsers

§  3 to 4 times faster than SQLmap
§  The SQLmap developers disabled multi-threading when using time-based blind
vectors, with every database, even MSSQL
§  It can be re-enabled by patching the source code
Concurrent approach: WebWorkers
§  Classic binary search inference
IF ASCII(SUBSTRING((...),position,1)) > bin_value WAITFOR DELAY '00:00:02';--
–  position: byte position in the string to retrieve
–  bin_value: current mid value in the binary search

§  Retrieving DB name (first request, first byte):
http://172.16.37.149:8080/?book_id=1%20IF(UNICODE(SUBSTRING((SELECT%20ISNULL(CAST(DB_NAME()%20AS%20NVARCHAR(4000)),CHAR(32))),1,1))%3E64)%20WAITFOR%20DELAY%20%270:0:2%27--
Concurrent approach: WebWorkers
§  If the response is delayed, the first byte of the
DB name string is > 64 (Integer value)
§  If the response is NOT delayed, the first byte of
the DB name string is <= 64 (Integer value)
§  Example with first byte == 115 (“s”):
–  Response delayed. Char is > 64
–  Response delayed. Char is > 96
–  Response delayed. Char is > 112
–  Response not delayed. Char is < 120
–  Response not delayed. Char is < 116
–  Response delayed. Char is > 114
–  Response not delayed. Char is == 115 -> s
Concurrent approach: WebWorkers
§  Given a pool of WebWorkers (controlled by a
state-machine in JavaScript)
§  Every WW manages one byte (7 requests each)
§  You can retrieve up to <pool_size> bytes at the same
time
§  WWs communicate with the “parent” state-machine
via postMessage()
§  Everything happens from and in the browser
Concurrent approach: multiple browsers
§  As we can parallelize requests with
WebWorkers, we can even distribute the data
dumping process across multiple browsers
–  Reliability
§  Minimizes the impact of losing a hooked browser

–  Stealthiness (and piss off the forensic guys)
§  The attack looks like it is coming from different sources

–  Fun (and piss off the forensic guys)
§  You want to target company X, which has company Y as a
competitor: hook some company Y browsers, and instrument
them to exploit a SQLi in company X’s website :D
§  Company X will think company Y is attacking them
BeEF and putting all together
§  Demo
–  Video, as last year here at RuxCon the live demo
failed (VMware Fusion issues, broken VM, porco dio!)
–  https://vimeo.com/78055061
BeEF and putting all together
§  If you liked this talk, support BeEF by buying the Browser Hacker’s Handbook:

§  Pre-order on Amazon available, out March 2014
§  50% of revenues will be used for the BeEF
project (testing infrastructure, etc..)
Wrap-up
§  Thanks to Wade Alcorn for inspiration, research
motivation, and for being awesome!
§  Thanks to Bernardo Damele (SQLmap)
§  Thanks Chris and RuxCon crew
§  Thanks Trustwave for
paying my trip here
§  BeE(F)R time now!

More Related Content

What's hot

Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF AgainNetsparker
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 

What's hot (20)

Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorru
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 

Similar to Buried by time, dust and BeEF

Intro to advanced web development
Intro to advanced web developmentIntro to advanced web development
Intro to advanced web developmentStevie T
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moiblemarkuskobler
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderSadayuki Furuhashi
 
Crash Course HTML/Rails Slides
Crash Course HTML/Rails SlidesCrash Course HTML/Rails Slides
Crash Course HTML/Rails SlidesUdita Plaha
 
Week 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuWeek 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuAppUniverz Org
 
High performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrongHigh performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrongTao Gao
 
Beginning MEAN Stack
Beginning MEAN StackBeginning MEAN Stack
Beginning MEAN StackRob Davarnia
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)yay w00t
 
Isomorphic web application
Isomorphic web applicationIsomorphic web application
Isomorphic web applicationOliver N
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0Itzik Kotler
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
IBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebAppsIBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebAppsChris Bailey
 
Play Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level OverviewPlay Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level OverviewJosh Padnick
 
Krug Fat Client
Krug Fat ClientKrug Fat Client
Krug Fat ClientPaul Klipp
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyBishan Singh
 
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R..."Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...Fwdays
 

Similar to Buried by time, dust and BeEF (20)

Intro to advanced web development
Intro to advanced web developmentIntro to advanced web development
Intro to advanced web development
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moible
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loader
 
Crash Course HTML/Rails Slides
Crash Course HTML/Rails SlidesCrash Course HTML/Rails Slides
Crash Course HTML/Rails Slides
 
Week 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuWeek 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. Wu
 
High performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrongHigh performance java script why everything youve been taught is wrong
High performance java script why everything youve been taught is wrong
 
Beginning MEAN Stack
Beginning MEAN StackBeginning MEAN Stack
Beginning MEAN Stack
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)Server-Sent Events (real-time HTTP push for HTML5 browsers)
Server-Sent Events (real-time HTTP push for HTML5 browsers)
 
Isomorphic web application
Isomorphic web applicationIsomorphic web application
Isomorphic web application
 
MongoDB
MongoDBMongoDB
MongoDB
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
IBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebAppsIBM InterConnect: Java vs JavaScript for Enterprise WebApps
IBM InterConnect: Java vs JavaScript for Enterprise WebApps
 
Play Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level OverviewPlay Framework: Intro & High-Level Overview
Play Framework: Intro & High-Level Overview
 
Krug Fat Client
Krug Fat ClientKrug Fat Client
Krug Fat Client
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & Ugly
 
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R..."Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Buried by time, dust and BeEF

Same-Origin Policy and XHR: implications
§  Exploit RCE cross-origin from the browser
–  See the BeEF exploits for JBoss, GlassFish, and others
–  You don't need to read the response, just "blindly" send the attack vector
§  Exploit XSRF
§  Internal network attacks
–  Ping sweeping, port scanning, and much more
–  Inter-protocol communication and exploitation
§  Wait for Browser Hacker's Handbook :D

Same-Origin Policy and XHR: implications
§  If you can know when xhr.readyState == 4
–  You can monitor the timing
–  Just create 2 Date objects, before and after sending the request, and do simple math :D

Same-Origin Policy and XHR: implications
§  Firefox 24 (screenshot)
§  Chrome 29 (screenshot)
§  Internet Explorer 10 (screenshot)

Why Time-based Blind SQLi?
§  If we can infer the timing of the response, we can exploit Time-based blind SQLi cross-origin!
§  Actually, any type of SQL injection flaw can be exploited with Time-based blind vectors
§  Sometimes time-based blind is the only way to exploit an instance of SQLi
§  Sometimes SQLmap (great tool, kudos Bernardo!) is able to exploit a SQL injection only using time-based vectors

The beautiful features of MSSQL
§  WAITFOR (Transact-SQL): http://msdn.microsoft.com/en-us/library/ms187331.aspx

The beautiful features of MSSQL
§  max worker threads: http://msdn.microsoft.com/en-us/library/ms187024.aspx
§  SQL Server 2008 R2 (<= 4 CPUs):
–  256 thread pool (x86)
–  512 thread pool (x86_64)
§  I did my tests on SQL Server Express (on Windows 7)
–  Connection numbers/thread pools are much more limited

The beautiful features of MSSQL
§  MySQL and Postgres do not support this
–  Postgres example: http://www.postgresql.org/docs/8.2/static/functions-datetime.html
§  Still, you could use BENCHMARK or other similar functions
–  Excessive CPU load if parallelized? Probably

The beautiful features of MSSQL
§  With DBs != MSSQL you can still exploit SQLi using Time-based Blind vectors from the browser
–  But you can't parallelize requests
§  Most ASP/.NET applications use MSSQL
§  MSSQL presence on the internet is widespread

BeEF and putting all together
§  MSSQL only right now
–  PoC retrieving DB and table names
§  Concurrent approach
–  Multiple WebWorkers
–  Multiple hooked browsers
§  3 to 4 times faster than SQLmap
–  SQLmap disabled multi-threading when using time-based blind vectors, with every database, even MSSQL
–  It can be re-enabled by hacking the source code

Concurrent approach: WebWorkers
§  Classic binary search inference:
   IF ASCII(SUBSTRING((...),position,1)) > bin_value WAITFOR DELAY '00:00:02';--
–  position: byte position in the string to retrieve
–  bin_value: current mid value in the binary search
§  Retrieving the DB name (first request, first byte):
   http://172.16.37.149:8080/?book_id=1%20IF(UNICODE(SUBSTRING((SELECT%20ISNULL(CAST(DB_NAME()%20AS%20NVARCHAR(4000)),CHAR(32))),1,1))%3E64)%20WAITFOR%20DELAY%20%270:0:2%27--

Concurrent approach: WebWorkers
§  If the response is delayed, the first byte of the DB name string is > 64 (integer value)
§  If the response is NOT delayed, the first byte of the DB name string is <= 64 (integer value)
§  Example with first byte == 115 ("s"):
–  Response delayed. Char is > 64
–  Response delayed. Char is > 96
–  Response delayed. Char is > 112
–  Response not delayed. Char is <= 120
–  Response not delayed. Char is <= 116
–  Response delayed. Char is > 114
–  Response not delayed. Char is <= 115, so == 115 -> "s"

Concurrent approach: WebWorkers
§  Given a pool of WebWorkers (controlled by a state machine in JavaScript)
§  Every WW manages one byte (7 requests each)
§  You can retrieve up to <pool_size> bytes at the same time
§  WWs communicate with the "parent" state machine with postMessage()
§  Everything is happening from and in the browser

Concurrent approach: multiple browsers
§  As we can parallelize requests with WebWorkers, we can even distribute the data dumping process across multiple browsers
–  Reliability: minimize the impact of losing a hooked browser
–  Stealthiness (and piss off the forensic guys): the attack looks like it is coming from different sources
–  Fun (and piss off the forensic guys): you want to target company X, which has company Y as a competitor; hook some company Y browsers and instrument them to exploit a SQLi in company X's website :D Company X will think company Y is attacking them

BeEF and putting all together
§  Demo
–  Video, as last year here at RuxCon the live demo failed (VMware Fusion issues, broken VM, damn it!)
–  https://vimeo.com/78055061

BeEF and putting all together
§  If you liked this talk, support BeEF by buying the Browser Hacker's Handbook
§  Pre-order on Amazon available, out March 2014
§  50% of revenues will be used for the BeEF project (testing infrastructure, etc.)

Wrap-up
§  Thanks to Wade Alcorn for inspiration, research motivation, and for being awesome!
§  Thanks to Bernardo Damele (SQLmap)
§  Thanks to Chris and the RuxCon crew
§  Thanks to Trustwave for paying for my trip here
§  BeE(F)R time now!