Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Prochain SlideShare
Облачные технологии и виртуализация
Suivant
Télécharger pour lire hors ligne et voir en mode plein écran

2

Partager

Télécharger pour lire hors ligne

ZN27112015

Télécharger pour lire hors ligne

Slides from our talk at Zero Nights 2015 about hooked-browser network with BeEF and Google Drive

ZN27112015

  1. 1. HOOKED-BROWSER NETWORK WITH BEEF AND GOOGLE DRIVE Denis Kolegov, Oleg Broslavsky, Nikita Oleksov Tomsk State University Information Security and Cryptography Department
  2. 2. Hooked-browser network with BeEF and Google Drive Post-exploitation After vulnerability exploitation and taking control over victim’s system intruder should find a way to establish communication between browser and C&C server Common communication channels in web application are: • XML HTTP Request • WebSockets • WebRTC ?
  3. 3. Hooked-browser network with BeEF and Google Drive Not long ago Christian Frichot (aka @xntrik) in his talk at Kiwicon 2014 presented BeEF WebRTC extension “One of the biggest issues with BeEF is that each hooked browser has to talk to your BeEF server. To try and avoid detection, you often want to try and obfuscate or hide your browsers. Using this bleeding-edge web technology, we can now mesh all those hooked browsers, tunneling all your BeEF come through a single sacrificial beach- head.” Prehistory WebRTC XHR/WS
  4. 4. Hooked-browser network with BeEF and Google Drive The last direct communication channel can be tracked or blocked by IDS/IPS. So we decided to find out a way to get rid of it The main idea is to use some trusted server as a communication channel as it is done in projects like • Gcat • Twittor Not totally invisible WebRTC XHR/WS I can still detect you, man
  5. 5. Hooked-browser network with BeEF and Google Drive Our team have researched a new type of covert timing channels based on HTTP cache control headers and couple of ways to implement it in different environments One of such environments was Google Drive, so we decided to use it in a communication channel one more time Our previous researches
  6. 6. Hooked-browser network with BeEF and Google Drive Sometimes BeEF need to send a really huge amount of data so why not to use something that is designed to work with it? Cloud storage services like Google Drive or Dropbox are trusted (not marked as suspicious activity) in most networks and have a nice API to work with them using JavaScript We need a cloud WebRTC XHR/WS
  7. 7. Hooked-browser network with BeEF and Google Drive Let’s understand what’s going on in the BeEF Under the BeEF’s hood Intruder BeEF server consisted of 2 parts Zombie browser UI server is used by an intruder and makes BeEF to look awesome Command server does all the stuff with zombies hook.js forces browser to do the bad things
  8. 8. Hooked-browser network with BeEF and Google Drive Command server can be viewed as a bunch of handlers each of which is doing its own job Command server details Command server Zombie browser ‘/init’ handler – processes the information from new zombies ‘/event’ handler – stores logs sent by zombies ‘/’ handler – provides new commands Command handlers – separate handlers that processes results each of his command Send the browser details Log user’s activity Get new commands Send results
  9. 9. Hooked-browser network with BeEF and Google Drive As we can we BeEF is designed as common network application with active client and passive server So the first of all we should teach the server to tell with zombies via cloud using polling model The beginning of indirect communication Polling Polling
  10. 10. Hooked-browser network with BeEF and Google Drive Indirect communication on the server side Init Answers Zombie1 Zombie2 Get an initial information about new coming zombies Receive answers Send commands to zombie browsers Trash old files, empty the trash
  11. 11. Hooked-browser network with BeEF and Google Drive Indirect communication on the client side Init Answers Zombie1 Zombie2 Send browser default as a first request to the server Store all information for command server Pull commands from its own folder and move read commands to the trash
  12. 12. Hooked-browser network with BeEF and Google Drive To perform action via Google Drive API we need 3 different keys: One more thing is access Master key – used by server to update Auth key via OAuth Auth key – used by client and server to perform any write access on the Google Drive API key – used by client to read renewed Auth key from special keychain file
  13. 13. Hooked-browser network with BeEF and Google Drive Proof of Concept: https://youtu.be/_RfBUEcvynM https://github.com/tsu-iscd/beef-drive
  14. 14. Hooked-browser network with BeEF and Google Drive Thank you for the attention!
  • AlanOliveira10

    Feb. 13, 2017
  • ssusera0a306

    Nov. 30, 2015

Slides from our talk at Zero Nights 2015 about hooked-browser network with BeEF and Google Drive

Vues

Nombre de vues

2 582

Sur Slideshare

0

À partir des intégrations

0

Nombre d'intégrations

105

Actions

Téléchargements

25

Partages

0

Commentaires

0

Mentions J'aime

2

×