SlideShare a Scribd company logo

Dark Fairytales from a Phisherman (Vol. II)

Michele Orru
Michele Orru

The document outlines techniques for automating phishing campaigns using tools like PhishingFrenzy and the Browser Exploitation Framework (BeEF). It describes how phishing is similar to fishing in that it involves preparing bait (in the form of phishing templates) and casting it out to catch victims. It then introduces PhishLulz, an automated phishing tool built on PhishingFrenzy and BeEF that can be run cheaply on Amazon EC2. It also discusses the new BeEF Autorun Rule Engine, which allows defining rules to trigger client-side attacks and modules based on conditions like the browser or OS of hooked victims. Examples are given of how this could be used

Internet
1 of 52
Download to read offline
Dark Fairytales from a Phisherman (Vol. II) @antisnatchor
Outline •  whoami •  Fishing === Phishing •  Badass phishing at cost (almost) zero •  Fairytalessss •  the new BeEF Autorun Rule Engine •  Outro
whoami •  Pentester & Vuln researcher •  BeEF lead core developer •  Browser Hacker’s Handbook co-author •  44Con 2012 (I'm The Butcher, Would You Like Some BeEF?) •  (ex) Surf Casting pro fisherman •  (current) Phisherman
Phisherman     prepara,on  
Fishing === Phishing (F): Prepare bait and cast it (P): Prepare pretext, phishing strategy, and send emails (F): Wait for something interested on the bait (P): Wait for victims to click on your links, enter credentials, open/execute stuff (F): you got a big fish (P): you got a shell on the company’s CFO laptop
Fishing === Phishing
•  End-users are sometimes more stupid than saltwater fishes –  Fishes do evolve: you have to use smaller hooks and Fluorocarbon lines for increased stealth –  Humans apparently do not evolve: we’re doing phishing with 15 years old attacks that still work •  MS Office macros •  HTA files •  Custom .exe files Fishing === Phishing
Badass phishing at cost (almost) zero •  If you do phishing, you know that: – Every time it’s a different story – Configuration overhead sometimes is a killer – You can identify repeatable patterns – You need automation – Speed is key once you got access to victims assets
Badass phishing at cost (almost) zero •  Meet PhishLulz – phishing automation in Ruby •  Puts together PhishingFrenzy + BeEF on a dedicated Amazon EC2 image – Cheers @zeknox for creating PF !!!
•  Current features: –  Mass mailing with HTML templates (SET… LOL) –  Highly configurable template system –  HTTP/HTTPS support, Credential harvesting –  BeEF integration •  Correlate victim name/email with OS/browser fingerprinting including geolocation •  Automate client-side attacks via the new BeEF ARE –  Reporting Badass phishing at cost (almost) zero
•  What is left to the consultant as a manual step: –  Register and configure new domain if (provider !== NameCheap). •  One of the few providers with a RESTful API (still sucks) –  Eventually creating/modifying a phishing template or client-side vector –  Wait for browser hooks, harvested credentials and shells Badass phishing at cost (almost) zero
•  Amazon advantages: –  domain/IP blacklisted? –  Fixed with 2 steps: •  Reboot the AWS instance •  Update the A record for your main phishing domain –  Good IP block reputation –  Cheap, zero maintenance •  T2.small -> 0.026$/hours -> 0.6$/day -> 3.12 $/ 5days Badass phishing at cost (almost) zero
Fairytale 1 (s/lulz/real_target_name/) •  Target: www.lulz.wa.gov.au (GMT+8) – Discovered during reconnaissance: •  Webmail.lulz.com: Outlook WebAccess •  Vpn1.lulz.com: Checkpoint SSL VPN – OWA template (phishing + email pretext) available in PF – Registered lulz-wa-gov-au.com (note dashes instead of dots)
•  Started campaign with 46 targets at 13:30 target time Fairytale 1
•  Started campaign with 46 targets at 13:30 target time Fairytale 1
•  In less than 3 hours (by 5PM COB in the target timezone): 39% success rate Harvested credentials Domain credentials VPN credentials Fairytale 1
Fairytale 1
Fairytale 1
•  Results: –  Gov network compromised (including AD) Blackbox client internal External side network Access attack access –  Overall time spent: •  4 hours preparation/recon •  2 days harvesting/pwning –  Total cost: •  About 2 $ for the EC2 cost •  About 8 $ for the domain registration 10 $ total cost Fairytale 1
•  Results: –  Gov network compromised (including AD) –  Pure blackbox -> client-side -> internal pentest –  Overall time spent: •  4 hours preparation/recon •  2 days harvesting/pwning –  Total cost: •  About 2 $ for the EC2 cost •  About 8 $ for the domain registration 10 $ total cost Fairytale 1
•  The Telegraph UK asked us to target a specific journalist (Sept 2014). Info provided: –  Name: Sophie Curtis –  Not much info from reconnaissance –  Target writes about IT stuff, breaches, and so on –  Together with a brazilian friend of mine we did the engagement •  You will not find our names here: http:// www.telegraph.co.uk/technology/internet- security/11153381/How-hackers-took-over-my- computer.html Fairytale 2
•  Attack plan: – Generic LinkedIn invite phishing campaign •  Aim: profile the journalist OS/browser/ plugins with BeEF •  Aim 2: detect mail provider/tech – After fingerprinting, 3 client-side attacks options 1.  Custom encoded .exe inside password encrypted .rar 2.  Word document with Powershell macro 3.  HTA attack targeted to Internet Explorer Fairytale 2
•  LinkedIn attack (template in PF): •  This still works, but LinkedIn Changed the mail look&feel, and also the auth behavior… Fairytale 2
•  OS, browser and plugin fingerprint via BeEF – Note: Office 2012, Java 1.7u51, Citrix ICA Client Fairytale 2
•  Credible Pretext (snip 1/2): Fairytale 2
•  Credible Pretext (snip 2/2): Fairytale 2
•  Via the initial fingerprinting we identified that the victim was using Gmail for Business –  Encrypted .zip is not an option, filename leak –  “Good” antispam/AV –  Phishing domain with SPF/DKIM –  Encrypted .rar with custom .exe inside Fairytale 2
•  Payload: – .exe file with 3 connect-back mechanisms •  Reverse https •  Reverse DNS •  OOB extrusion via Outlook profile – Custom encoding – Adobe PDF modified icon + long Win filename trick – Custom MsgBox with PDF icon (msg: “Adobe Reader could not open xxx.pdf”) Fairytale 2
•  The victim believed in the pretext, she even replied back once double clicked the payload asking for more clarification •  Camera/microphone access. Game over Fairytale 2
•  Plan-B was ready in case of Plan-A failure Fairytale 2
•  Plan-B was ready in case of Plan-A failure Fairytale 2
PhishingFrenzy + BeEF FTW •  PhishLulz phishing with BeEF ARE video demo
•  If you do phishing, you know that: – Every time it’s a different story – Configuration overhead sometimes is a killer – You can identify repeatable patterns – You need automation – Speed is key once you got access to victims assets Badass phishing at cost (almost) zero. Once Again!
Autorun Rule Engine •  Released to public in end of July 2015 •  Define rules to trigger module(s) if certain conditions are matched, with two execution modes – Sequential – Nested-forward
Autorun Rule Engine •  Sequential –  Call N modules with specified inputs and different delays via setTimeout() •  Nested-forward –  Call N modules with specified inputs. –  Module N is executed only if N-1 return a certain status. Module N can use as input the output from module N-1 (eventually mangling it before processing it)
Autorun Rule Engine Nested-forward
Autorun Rule Engine Nested-forward
Autorun Rule Engine Nested-forward
Autorun Rule Engine Nested-forward
Autorun Rule Engine Nested-forward
•  Match – Browser type, version – OS type, version – (WIP) Plugin type/version •  Trigger – If (browser == IE && os >= Windows 7) •  Powershell stuff (HTA) – If (browser == FF && os == Linux) •  Firefox fake notification + extension dropper (Linux payload) Autorun Rule Engine
•  Sequential mode: •  Call hta_powershell with 0.5 seconds delay, after displaying the fake notification bar with custom text) Autorun Rule Engine
•  Fake notification and HTA powershell rule (and Avast Premium AV lol) video Autorun Rule Engine
•  Nested-forward mode: –  Fingerprint internal network using hooked browser internal IP for subnet mapping. •  no IP is returned (i.e.: WebRTC disabled)? –  don’t run the fingerprinting. Autorun Rule Engine
•  Get internal IP via WebRTC bug, then fingerprint internal network Autorun Rule Engine
•  RESTful API for it – Load rules at BeEF startup, or add them at runtime •  Example: you notice many new hooked browsers, and you don’t have any pre- loaded rules for them yet. – Once new rule is dynamically loaded, trigger it •  Of course only on hooked browsers matching the rule Autorun Rule Engine
•  Missing plugin notification dropper and Pretty Theft with windows theme Autorun Rule Engine
•  How I imagine the usage of BeEF ARE: – Write rulesets to cover most of your client-side exploitation needs – Have 2/3 rules for each browser, at least – Use beef.browser.isX() to detect browser and plugins, then launch appropriate Metasploit module (latest Flash??) – Have generic rules without payload droppers Autorun Rule Engine
•  How I imagine the usage of BeEF ARE: – Get internal IP via WebRTC bug (C/FF), scan internal network, blindly launch cross-origin ShellShock requests and have your listeners ready – Have PF Phishing campaign pre- configured for specific phishing scenario with BeEF ARE rules pre- loaded and ready to trigger as soon as email is received Autorun Rule Engine
More on BeEF •  @byt3bl33d3r talk tomorrow, 14:00 MITMf: Bringing Man-In-The-Middle attacks to the 21'st century – See how you can inject the BeEF hook in MITM situations, leveraging the new ARE. – Detect OS/architecture more reliable via network fingerprint, then feed back to BeEF ;-)
PhishingFrenzy + BeEF FTW …  BTW  That’s  not  the  ISIS  black  flag,  just  BeEF  offline  browsers  …  
Outro Hope you enjoyed the dark fairytales!

Recommended

Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
Michele Orru
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Michele Orru
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEF
Michele Orru
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
Michele Orru
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 

Recommended

Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
Michele Orru
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Michele Orru
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEF
Michele Orru
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
Michele Orru
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
Vladimír Smitka
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
Ryan Cobb
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Web
royans
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
amiable_indian
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
Darren Duke
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Jeremy Brown
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
Rob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
Rob Fuller
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
ClubHack
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2
Paul Fremantle
 

More Related Content

What's hot

Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Jeremy Brown
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 

What's hot (20)

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Web
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 

Similar to Dark Fairytales from a Phisherman (Vol. II)

Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
Taylor Santiago - ECE 561 - Smart Home Controller
Taylor Santiago - ECE 561 - Smart Home ControllerTaylor Santiago - ECE 561 - Smart Home Controller
Taylor Santiago - ECE 561 - Smart Home Controller
tsant928
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCF
Dustin Ruehle
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCF
VMware Tanzu
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
Combell NV
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
Jeremy Brown
 

Similar to Dark Fairytales from a Phisherman (Vol. II) (20)

Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
 
Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2Federated Identity for IoT with OAuth2
Federated Identity for IoT with OAuth2
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Taylor Santiago - ECE 561 - Smart Home Controller
Taylor Santiago - ECE 561 - Smart Home ControllerTaylor Santiago - ECE 561 - Smart Home Controller
Taylor Santiago - ECE 561 - Smart Home Controller
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 Arsenal
 
Protractor: The Hacker way (NG-MY 2019)
Protractor: The Hacker way (NG-MY 2019)Protractor: The Hacker way (NG-MY 2019)
Protractor: The Hacker way (NG-MY 2019)
 
Green Code Lab Challenge 2015 Subject Details
Green Code Lab Challenge 2015 Subject DetailsGreen Code Lab Challenge 2015 Subject Details
Green Code Lab Challenge 2015 Subject Details
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCF
 
Custom Tile Generation in PCF
Custom Tile Generation in PCFCustom Tile Generation in PCF
Custom Tile Generation in PCF
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEM
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
story_of_bpf-1.pdf
story_of_bpf-1.pdfstory_of_bpf-1.pdf
story_of_bpf-1.pdf
 

More from Michele Orru

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
Michele Orru
 
DeepSec2011_GroundBeEF
DeepSec2011_GroundBeEFDeepSec2011_GroundBeEF
DeepSec2011_GroundBeEF
Michele Orru
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorru
Michele Orru
 

More from Michele Orru (6)

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
DeepSec2011_GroundBeEF
DeepSec2011_GroundBeEFDeepSec2011_GroundBeEF
DeepSec2011_GroundBeEF
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorru
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 

Recently uploaded

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 

Recently uploaded (20)

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 

Dark Fairytales from a Phisherman (Vol. II)

  • 1. Dark Fairytales from a Phisherman (Vol. II) @antisnatchor
  • 2. Outline •  whoami •  Fishing === Phishing •  Badass phishing at cost (almost) zero •  Fairytalessss •  the new BeEF Autorun Rule Engine •  Outro
  • 3. whoami •  Pentester & Vuln researcher •  BeEF lead core developer •  Browser Hacker’s Handbook co-author •  44Con 2012 (I'm The Butcher, Would You Like Some BeEF?) •  (ex) Surf Casting pro fisherman •  (current) Phisherman
  • 5. Fishing === Phishing (F): Prepare bait and cast it (P): Prepare pretext, phishing strategy, and send emails (F): Wait for something interested on the bait (P): Wait for victims to click on your links, enter credentials, open/execute stuff (F): you got a big fish (P): you got a shell on the company’s CFO laptop
  • 7. •  End-users are sometimes more stupid than saltwater fishes –  Fishes do evolve: you have to use smaller hooks and Fluorocarbon lines for increased stealth –  Humans apparently do not evolve: we’re doing phishing with 15 years old attacks that still work •  MS Office macros •  HTA files •  Custom .exe files Fishing === Phishing
  • 8. Badass phishing at cost (almost) zero •  If you do phishing, you know that: – Every time it’s a different story – Configuration overhead sometimes is a killer – You can identify repeatable patterns – You need automation – Speed is key once you got access to victims assets
  • 9. Badass phishing at cost (almost) zero •  Meet PhishLulz – phishing automation in Ruby •  Puts together PhishingFrenzy + BeEF on a dedicated Amazon EC2 image – Cheers @zeknox for creating PF !!!
  • 10. •  Current features: –  Mass mailing with HTML templates (SET… LOL) –  Highly configurable template system –  HTTP/HTTPS support, Credential harvesting –  BeEF integration •  Correlate victim name/email with OS/browser fingerprinting including geolocation •  Automate client-side attacks via the new BeEF ARE –  Reporting Badass phishing at cost (almost) zero
  • 11. •  What is left to the consultant as a manual step: –  Register and configure new domain if (provider !== NameCheap). •  One of the few providers with a RESTful API (still sucks) –  Eventually creating/modifying a phishing template or client-side vector –  Wait for browser hooks, harvested credentials and shells Badass phishing at cost (almost) zero
  • 12. •  Amazon advantages: –  domain/IP blacklisted? –  Fixed with 2 steps: •  Reboot the AWS instance •  Update the A record for your main phishing domain –  Good IP block reputation –  Cheap, zero maintenance •  T2.small -> 0.026$/hours -> 0.6$/day -> 3.12 $/ 5days Badass phishing at cost (almost) zero
  • 13. Fairytale 1 (s/lulz/real_target_name/) •  Target: www.lulz.wa.gov.au (GMT+8) – Discovered during reconnaissance: •  Webmail.lulz.com: Outlook WebAccess •  Vpn1.lulz.com: Checkpoint SSL VPN – OWA template (phishing + email pretext) available in PF – Registered lulz-wa-gov-au.com (note dashes instead of dots)
  • 14. •  Started campaign with 46 targets at 13:30 target time Fairytale 1
  • 15. •  Started campaign with 46 targets at 13:30 target time Fairytale 1
  • 16. •  In less than 3 hours (by 5PM COB in the target timezone): 39% success rate Harvested credentials Domain credentials VPN credentials Fairytale 1
  • 19. •  Results: –  Gov network compromised (including AD) Blackbox client internal External side network Access attack access –  Overall time spent: •  4 hours preparation/recon •  2 days harvesting/pwning –  Total cost: •  About 2 $ for the EC2 cost •  About 8 $ for the domain registration 10 $ total cost Fairytale 1
  • 20. •  Results: –  Gov network compromised (including AD) –  Pure blackbox -> client-side -> internal pentest –  Overall time spent: •  4 hours preparation/recon •  2 days harvesting/pwning –  Total cost: •  About 2 $ for the EC2 cost •  About 8 $ for the domain registration 10 $ total cost Fairytale 1
  • 21. •  The Telegraph UK asked us to target a specific journalist (Sept 2014). Info provided: –  Name: Sophie Curtis –  Not much info from reconnaissance –  Target writes about IT stuff, breaches, and so on –  Together with a brazilian friend of mine we did the engagement •  You will not find our names here: http:// www.telegraph.co.uk/technology/internet- security/11153381/How-hackers-took-over-my- computer.html Fairytale 2
  • 22. •  Attack plan: – Generic LinkedIn invite phishing campaign •  Aim: profile the journalist OS/browser/ plugins with BeEF •  Aim 2: detect mail provider/tech – After fingerprinting, 3 client-side attacks options 1.  Custom encoded .exe inside password encrypted .rar 2.  Word document with Powershell macro 3.  HTA attack targeted to Internet Explorer Fairytale 2
  • 23. •  LinkedIn attack (template in PF): •  This still works, but LinkedIn Changed the mail look&feel, and also the auth behavior… Fairytale 2
  • 24. •  OS, browser and plugin fingerprint via BeEF – Note: Office 2012, Java 1.7u51, Citrix ICA Client Fairytale 2
  • 25. •  Credible Pretext (snip 1/2): Fairytale 2
  • 26. •  Credible Pretext (snip 2/2): Fairytale 2
  • 27. •  Via the initial fingerprinting we identified that the victim was using Gmail for Business –  Encrypted .zip is not an option, filename leak –  “Good” antispam/AV –  Phishing domain with SPF/DKIM –  Encrypted .rar with custom .exe inside Fairytale 2
  • 28. •  Payload: – .exe file with 3 connect-back mechanisms •  Reverse https •  Reverse DNS •  OOB extrusion via Outlook profile – Custom encoding – Adobe PDF modified icon + long Win filename trick – Custom MsgBox with PDF icon (msg: “Adobe Reader could not open xxx.pdf”) Fairytale 2
  • 29. •  The victim believed in the pretext, she even replied back once double clicked the payload asking for more clarification •  Camera/microphone access. Game over Fairytale 2
  • 30. •  Plan-B was ready in case of Plan-A failure Fairytale 2
  • 31. •  Plan-B was ready in case of Plan-A failure Fairytale 2
  • 32. PhishingFrenzy + BeEF FTW •  PhishLulz phishing with BeEF ARE video demo
  • 33. •  If you do phishing, you know that: – Every time it’s a different story – Configuration overhead sometimes is a killer – You can identify repeatable patterns – You need automation – Speed is key once you got access to victims assets Badass phishing at cost (almost) zero. Once Again!
  • 34. Autorun Rule Engine •  Released to public in end of July 2015 •  Define rules to trigger module(s) if certain conditions are matched, with two execution modes – Sequential – Nested-forward
  • 35. Autorun Rule Engine •  Sequential –  Call N modules with specified inputs and different delays via setTimeout() •  Nested-forward –  Call N modules with specified inputs. –  Module N is executed only if N-1 return a certain status. Module N can use as input the output from module N-1 (eventually mangling it before processing it)
  • 41. •  Match – Browser type, version – OS type, version – (WIP) Plugin type/version •  Trigger – If (browser == IE && os >= Windows 7) •  Powershell stuff (HTA) – If (browser == FF && os == Linux) •  Firefox fake notification + extension dropper (Linux payload) Autorun Rule Engine
  • 42. •  Sequential mode: •  Call hta_powershell with 0.5 seconds delay, after displaying the fake notification bar with custom text) Autorun Rule Engine
  • 43. •  Fake notification and HTA powershell rule (and Avast Premium AV lol) video Autorun Rule Engine
  • 44. •  Nested-forward mode: –  Fingerprint internal network using hooked browser internal IP for subnet mapping. •  no IP is returned (i.e.: WebRTC disabled)? –  don’t run the fingerprinting. Autorun Rule Engine
  • 45. •  Get internal IP via WebRTC bug, then fingerprint internal network Autorun Rule Engine
  • 46. •  RESTful API for it – Load rules at BeEF startup, or add them at runtime •  Example: you notice many new hooked browsers, and you don’t have any pre- loaded rules for them yet. – Once new rule is dynamically loaded, trigger it •  Of course only on hooked browsers matching the rule Autorun Rule Engine
  • 47. •  Missing plugin notification dropper and Pretty Theft with windows theme Autorun Rule Engine
  • 48. •  How I imagine the usage of BeEF ARE: – Write rulesets to cover most of your client-side exploitation needs – Have 2/3 rules for each browser, at least – Use beef.browser.isX() to detect browser and plugins, then launch appropriate Metasploit module (latest Flash??) – Have generic rules without payload droppers Autorun Rule Engine
  • 49. •  How I imagine the usage of BeEF ARE: – Get internal IP via WebRTC bug (C/FF), scan internal network, blindly launch cross-origin ShellShock requests and have your listeners ready – Have PF Phishing campaign pre- configured for specific phishing scenario with BeEF ARE rules pre- loaded and ready to trigger as soon as email is received Autorun Rule Engine
  • 50. More on BeEF •  @byt3bl33d3r talk tomorrow, 14:00 MITMf: Bringing Man-In-The-Middle attacks to the 21'st century – See how you can inject the BeEF hook in MITM situations, leveraging the new ARE. – Detect OS/architecture more reliable via network fingerprint, then feed back to BeEF ;-)
  • 51. PhishingFrenzy + BeEF FTW …  BTW  That’s  not  the  ISIS  black  flag,  just  BeEF  offline  browsers  …  
  • 52. Outro Hope you enjoyed the dark fairytales!