Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DEEPSEC: Ground BeEF: Cutting, devouring and digesting the legs off a browser

Michele Orru

So who thinks XSS attacks are lame?

Real-Life XSS Pwning:

  • 2005: Samy Worm
  • 2006: Yamanner worm
  • 2008: XSS in Obama Website
  • 2010: Apache pwned through XSS in Jira
  • 2010: Stored XSS in YouTube
  • 2011: Multiple XSS on Google.com

What is BeEF

Browser Exploitation Framework

Created in 2005 by Wade Alcorn. Recently rewritten in Ruby.

Powerful platform for client-side pwnage, XSS post-exploitation and general abuse of the victim browser's security context.

Framework for penetration testers to select specific real-time attacks on browsers to demonstrate vulnerabilities and impact.

Example: Using the browser behind a corporate firewall to access internal resources

  • Ping sweeps
  • DNS enumeration
  • Port Scanning
  • Network Fingerprinting

Exploiting Internal Services

– Exploits/JbossJmxUploadExploit
Takes advantage of the verb tampering issue in JMX console versions to send a HEAD request and perform unauthenticated actions on the remote JMX console.
The client system owned with BeEF through an XSS is used to perform this attack on internal systems, acting as a pivot point.
Video of the attack –> YouTube

Achieving persistence

Once a user browses away, we lose the JavaScript injection!
Two ways to avoid this:
  • Create a 100% iFrame containing the real page
    • Second module also allows key logging in the iFrame
    • Frame Busting breaks this
  • Man in the Browser
    • CORS abuse (HTML5)
      • history.push
      • window.open
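
The "Frame Busting breaks this" point has a header-based form: X-Frame-Options and the CSP frame-ancestors directive. The following is an added example, not code from the talk or the BeEF project; it classifies a response's anti-framing headers, assuming the framing parent is a same-origin page hooked through XSS and that at most one enforcing CSP header is present. The function names are hypothetical.

```javascript
// Added example (not BeEF code): does a response's anti-framing policy stop
// a parent page from loading it in an iframe?
// Assumption: `headers` is a plain object of response headers, one CSP policy.

function frameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When frame-ancestors is present, browsers ignore X-Frame-Options.
  const fa = frameAncestors(h["content-security-policy"]);
  if (fa !== null) {
    // An empty source list matches nothing, the same as 'none'.
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) return "blocks-all";
    if (fa.every((s) => s === "'self'")) return "same-origin-only";
    return "allows-listed-origins";
  }
  const xfo = String(h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocks-all";
  if (xfo === "SAMEORIGIN") return "same-origin-only";
  return "unprotected"; // missing, or obsolete values such as ALLOW-FROM
}

function stopsSameOriginFraming(headers) {
  // Assumption: the hooked page is on the same origin as the framed page, so
  // a same-origin-only policy still lets it act as the parent frame.
  return framingPolicy(headers) === "blocks-all";
}
```

Run over a site's responses, this separates pages that refuse every parent (DENY or frame-ancestors 'none') from pages that only refuse cross-origin parents.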

Module Autorun

Ported into the new version from the older PHP version
Add autorun: true in the command module config.yaml to autorun modules on hooking
Imagine autorun with Metasploit autopwn!

Tunneling Proxy

Once you’ve hooked a browser, you can use the tunneling proxy function to route requests through the hooked browser.
  • Receive requests as a proxy on BeEF
  • Translate these requests to XHRs (in-domain) and execute them in the hooked browser
  • Parse XHRs responses and send the data back through the proxy
Works like a charm on same-domain… needs to be extended further (plans are to port malaRIA to BeEF for cross-domain resources using Flash liberal cross-domain policies)
To activate the proxy, right-click a hooked host and select proxy through
< DEMO OF BeEF HOOKING THROUGH REFLECTIVE XSS >
Video of the Tunneling proxy –> YouTube

XSSRAYS

100% JavaScript based XSS scanner

Works cross-domain

Integrated into BeEF to scan for href-based XSS in a browser's session. If a possible XSS injection point is found, the XSS is set to the BeEF hook.

Future DEV and Ideas

  • Optimisation for performance
  • Obfuscation, polymorphism and URL randomization
  • Improve XSSRAYS
  • Improve BeEF console
We want YOU! If you want to help develop BeEF get in touch!

Links:

  • Ground BeEF: Cutting, devouring and digesting the legs off a browser –> Overview
  • Ground BeEF slides –> PDF
  • BeEF Project Homepage
  • BeEF Twitter Account –> @beefproject 