SlideShare une entreprise Scribd logo

BeEF

A
AlexandraLacatus

Initial assessment presentation about the Browser Exploitation Framework

Technologie
1  sur  15
Télécharger pour lire hors ligne
BeEF The Browser Exploitation Framework alexandra.lacatus@info.uaic.ro FCS Iasi, Software Security
Overview What is BeEF Installation and requirements How it works Case studies & examples Advantages 2 Software Security, FCS Iasi, 2013-2014
What is BeEF? http://beefproject.com/ open-source penetration testing tool used to test and exploit web application and browser-based vunerabilities. Main developer: Wade Alcorn, security expert Last stable release: 0.4.4.7 / August 2013 3 Software Security, FCS Iasi, 2013-2014
Installation and requirements OSX 10.5.0 or higher, Modern Linux, Windows XP or higher Ruby 1.9.2 RVM or higher SQLite 3.x A list of ruby gems [...] 4 Software Security, FCS Iasi, 2013-2014
How it works BeEF uses a javascript file hook.js that will hook one or more browsers and will use them for launching directed command modules and further attacks against the system though a open door: the web browser context Uses a web interface to manage and send commands (attacks) to the browser zombies 5 Software Security, FCS Iasi, 2013-2014
BeEF Architecture 6 Software Security, FCS Iasi, 2013-2014 [3]
BeEF Features The official page lists 128 modules (exploits) Modular framework, can be easily extended with custom browser exploitation commands Provides RESTFul API that allows to control BeEF throuth HTTp requests (in JSON format) Can be configured to be integrated with Metasploit 7 Software Security, FCS Iasi, 2013-2014
BeEF Commands Modify the target's page html content (all the content, or alter only the hrefs) redirect the victim's browser to an arbitrary site generate dialog boxes/ fake notifications / request missing plugin installation as a context for placing and executing malicious code browser fingerprinting, detect plugins (ActiveX, Java, Flash, etc.) detect valid sessions of applications such as Twitter, Facebook and GMail. 8 Software Security, FCS Iasi, 2013-2014
Ex 1 - Malicious code injection Fake Notification Bar (e.g. Firefox) Displays a fake notification bar at the top of the screen. If the user clicks the notification they will be prompted to download a malicious Firefox extension (by default). Raw Javascript Sends the code to the selected hooked browsers where it will be executed. Code is run inside an anonymous function and the return value is passed to the framework. Multiline scripts are allowed, no special encoding is required. 9 Software Security, FCS Iasi, 2013-2014
Ex 2 - Web page defacement Replace content (Deface webpage) Overwrite the page, title and shortcut icon on the hooked page. Replace HREFs Rewrite all the href attributes of all matched links. TabNabbing This module redirects to the specified URL after the tab has been inactive for a specified amount of time. 10 Software Security, FCS Iasi, 2013-2014
Ex 3 - Keystroke Logging iFrame Event Logger Creates a 100% by 100% iFrame overlay with event logging. Fake LastPass Displays a fake LastPass user dialog which will log all the user's key strokes. 11 Software Security, FCS Iasi, 2013-2014
Ex 4 – Exporing the network Detect Social Networks This module will detect if the Hooked Browser is currently authenticated to GMail, Facebook and Twitter. (specify detection timeout) Network / Port Scanner Scan ports in a given hostname, using WebSockets, CORS and img tags. It uses the three methods to avoid blocked ports or Same Origin Policy. 12 Software Security, FCS Iasi, 2013-2014
Ex 5 – Browser fingerprinting Spider Eye Creates a snapshot of the victim's window Detect Firebug Detect Silverlight Detect Windows Media Player Detect ActiveX Detect toolbars Etc.. 13 Software Security, FCS Iasi, 2013-2014
Metasploit / w3af / BeEF Metasploit w3af BeEF Language Perl → Ruby Python Ruby Supported OS cross-platform cross-platform cross-platform Pen-testing target network Web applications browser $ Open source + paid Open source Open source Firewall 14 Software Security, FCS Iasi, 2013-2014
Bibliography [1] BeEF project main page: http://beefproject.com/ [2] BeEF project Github page: https://github.com/beefproject/beef [3] BeEF achitecture diagram: https://github.com/beefproject/beef/wiki/Architecture

Recommandé

Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Command injection
Command injectionCommand injection
Command injectionpenetration Tester
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 

Recommandé

Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Command injection
Command injectionCommand injection
Command injectionpenetration Tester
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorPaolo Dolci
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and SaltingRahul Singh
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Suricata
SuricataSuricata
Suricatatex_morgan
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
Beef
BeefBeef
BeefManah Chhabra
 
Man02 10 tab napping
Man02 10 tab nappingMan02 10 tab napping
Man02 10 tab nappingXIMO GOMIS
 

Contenu connexe

Tendances

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorPaolo Dolci
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and SaltingRahul Singh
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 

Tendances (20)

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
File upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editorFile upload-vulnerability-in-fck editor
File upload-vulnerability-in-fck editor
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and Salting
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Suricata
SuricataSuricata
Suricata
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 

En vedette

Man02 10 tab napping
Man02 10 tab nappingMan02 10 tab napping
Man02 10 tab nappingXIMO GOMIS
 
Carcass grading
Carcass gradingCarcass grading
Carcass gradingDr Neo
 
Carcass Grade
Carcass GradeCarcass Grade
Carcass GradeRizza Muh
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldAvishek Datta
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Classification of fruits
Classification of fruitsClassification of fruits
Classification of fruitsLucia Martinez
 
Fruits: Parts and Classification
Fruits: Parts and ClassificationFruits: Parts and Classification
Fruits: Parts and ClassificationAlyssaBumanglag
 

En vedette (13)

Beef
BeefBeef
Beef
 
Man02 10 tab napping
Man02 10 tab nappingMan02 10 tab napping
Man02 10 tab napping
 
Carcass grading
Carcass gradingCarcass grading
Carcass grading
 
Carcass Grade
Carcass GradeCarcass Grade
Carcass Grade
 
Beef Lecture
Beef LectureBeef Lecture
Beef Lecture
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark World
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacks
 
Types of fruits
Types of fruitsTypes of fruits
Types of fruits
 
Fruits
FruitsFruits
Fruits
 
Classification of fruits
Classification of fruitsClassification of fruits
Classification of fruits
 
FRUITS
FRUITS FRUITS
FRUITS
 
Types Of Fruits
Types Of FruitsTypes Of Fruits
Types Of Fruits
 
Fruits: Parts and Classification
Fruits: Parts and ClassificationFruits: Parts and Classification
Fruits: Parts and Classification
 

Similaire à BeEF

Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006losalamos
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Français Patch Tuesday – Novembre
Français Patch Tuesday – NovembreFrançais Patch Tuesday – Novembre
Français Patch Tuesday – NovembreIvanti
 
Phonegap android angualr material design
Phonegap android angualr material designPhonegap android angualr material design
Phonegap android angualr material designSrinadh Kanugala
 
Patch Tuesday Italia Novembre
Patch Tuesday Italia NovembrePatch Tuesday Italia Novembre
Patch Tuesday Italia NovembreIvanti
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Web application framework
Web application frameworkWeb application framework
Web application frameworkPankaj Chand
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose josemgg
 
Rethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-AppsRethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-AppsMartin Georgiev
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
Patch Tuesday de Noviembre
Patch Tuesday de NoviembrePatch Tuesday de Noviembre
Patch Tuesday de NoviembreIvanti
 

Similaire à BeEF (20)

Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Français Patch Tuesday – Novembre
Français Patch Tuesday – NovembreFrançais Patch Tuesday – Novembre
Français Patch Tuesday – Novembre
 
Phonegap android angualr material design
Phonegap android angualr material designPhonegap android angualr material design
Phonegap android angualr material design
 
Patch Tuesday Italia Novembre
Patch Tuesday Italia NovembrePatch Tuesday Italia Novembre
Patch Tuesday Italia Novembre
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Web application framework
Web application frameworkWeb application framework
Web application framework
 
Project Presentation
Project Presentation Project Presentation
Project Presentation
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose
 
Rethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-AppsRethinking-Security-of-Web-Based-System-Apps
Rethinking-Security-of-Web-Based-System-Apps
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Patch Tuesday de Noviembre
Patch Tuesday de NoviembrePatch Tuesday de Noviembre
Patch Tuesday de Noviembre
 

Dernier

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Dernier (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

BeEF

  • 1. BeEF The Browser Exploitation Framework alexandra.lacatus@info.uaic.ro FCS Iasi, Software Security
  • 2. Overview What is BeEF Installation and requirements How it works Case studies & examples Advantages 2 Software Security, FCS Iasi, 2013-2014
  • 3. What is BeEF? http://beefproject.com/ open-source penetration testing tool used to test and exploit web application and browser-based vunerabilities. Main developer: Wade Alcorn, security expert Last stable release: 0.4.4.7 / August 2013 3 Software Security, FCS Iasi, 2013-2014
  • 4. Installation and requirements OSX 10.5.0 or higher, Modern Linux, Windows XP or higher Ruby 1.9.2 RVM or higher SQLite 3.x A list of ruby gems [...] 4 Software Security, FCS Iasi, 2013-2014
  • 5. How it works BeEF uses a javascript file hook.js that will hook one or more browsers and will use them for launching directed command modules and further attacks against the system though a open door: the web browser context Uses a web interface to manage and send commands (attacks) to the browser zombies 5 Software Security, FCS Iasi, 2013-2014
  • 6. BeEF Architecture 6 Software Security, FCS Iasi, 2013-2014 [3]
  • 7. BeEF Features The official page lists 128 modules (exploits) Modular framework, can be easily extended with custom browser exploitation commands Provides RESTFul API that allows to control BeEF throuth HTTp requests (in JSON format) Can be configured to be integrated with Metasploit 7 Software Security, FCS Iasi, 2013-2014
  • 8. BeEF Commands Modify the target's page html content (all the content, or alter only the hrefs) redirect the victim's browser to an arbitrary site generate dialog boxes/ fake notifications / request missing plugin installation as a context for placing and executing malicious code browser fingerprinting, detect plugins (ActiveX, Java, Flash, etc.) detect valid sessions of applications such as Twitter, Facebook and GMail. 8 Software Security, FCS Iasi, 2013-2014
  • 9. Ex 1 - Malicious code injection Fake Notification Bar (e.g. Firefox) Displays a fake notification bar at the top of the screen. If the user clicks the notification they will be prompted to download a malicious Firefox extension (by default). Raw Javascript Sends the code to the selected hooked browsers where it will be executed. Code is run inside an anonymous function and the return value is passed to the framework. Multiline scripts are allowed, no special encoding is required. 9 Software Security, FCS Iasi, 2013-2014
  • 10. Ex 2 - Web page defacement Replace content (Deface webpage) Overwrite the page, title and shortcut icon on the hooked page. Replace HREFs Rewrite all the href attributes of all matched links. TabNabbing This module redirects to the specified URL after the tab has been inactive for a specified amount of time. 10 Software Security, FCS Iasi, 2013-2014
  • 11. Ex 3 - Keystroke Logging iFrame Event Logger Creates a 100% by 100% iFrame overlay with event logging. Fake LastPass Displays a fake LastPass user dialog which will log all the user's key strokes. 11 Software Security, FCS Iasi, 2013-2014
  • 12. Ex 4 – Exporing the network Detect Social Networks This module will detect if the Hooked Browser is currently authenticated to GMail, Facebook and Twitter. (specify detection timeout) Network / Port Scanner Scan ports in a given hostname, using WebSockets, CORS and img tags. It uses the three methods to avoid blocked ports or Same Origin Policy. 12 Software Security, FCS Iasi, 2013-2014
  • 13. Ex 5 – Browser fingerprinting Spider Eye Creates a snapshot of the victim's window Detect Firebug Detect Silverlight Detect Windows Media Player Detect ActiveX Detect toolbars Etc.. 13 Software Security, FCS Iasi, 2013-2014
  • 14. Metasploit / w3af / BeEF Metasploit w3af BeEF Language Perl → Ruby Python Ruby Supported OS cross-platform cross-platform cross-platform Pen-testing target network Web applications browser $ Open source + paid Open source Open source Firewall 14 Software Security, FCS Iasi, 2013-2014
  • 15. Bibliography [1] BeEF project main page: http://beefproject.com/ [2] BeEF project Github page: https://github.com/beefproject/beef [3] BeEF achitecture diagram: https://github.com/beefproject/beef/wiki/Architecture