Ground BeEF: Cutting, devouring and digesting the legs off a browser
So who thinks XSS attacks are lame?
Real-Life XSS Pwning :
- 2005: Samy Worm
- 2006: Yamanner worm
- 2008 XSS in Obama Website
- 2010: Apache pwned through XSS in Jira
- 2010: Stored XSS in YouTube
- 2011: Multiple XSS on Google,com
What is BeEF
Browser Exploitation Framework
Created in 2005 by Wade Alcorn. Rewritten recently to Ruby.
Powerful platform for client-side pwnage, XSS Post Exploitation and generally victim browser security context abuse.
Framework for penetration testers to select specific real-time attacks on browsers to demonstrate vulnerabilities and impact
Example: Using the browser behind a corporate firewall to access internal resources
- Ping sweeps
- DNS enumeration
- Port Scanning
- Network Fingerprinting
Exploiting Internal Services
Takes advantage of the verb tampering issue in JMX console versions to send a HEAD request and perform unauthenticated actions on the remote JMX console.
Using the client system owned with BeEF through an XSS to perform this attack on internal systems. Use them as a pivot point.
2 ways to avoid this :
- Create a 100% iFrame containing the real page
- Second module also allows key logging in the iFrame
- Frame Busting breaks this
- Man in the Browser
Ported into the new version from the older PHP version
Add autorun: true in the command module config.yaml to autorun modules on hooking
Imagine autorun with Metasploit autopwn!
Once you’ve hooked a browser, you can use the tunneling proxy function to route requests through the hooked browser.
- Receive requests as a proxy on BeEF
- Translate these requests to XHRs (in-domain) and execute them in the hooked browser
- Parse XHRs responses and send the data back through the proxy
Works like a charm on same-domain… needs to be extended further (plans are to port malaRIA to BeEF for cross-domain resources using Flash liberal cross-domain policies)
To activate the proxy, right-click a hooked host and select proxy through
< DEMO OF BeEF HOOKING THROUGH REFLECTIVE XSS >
Video of the Tunneling proxy –> YouTube
Integrated into BeEF to scan for href based XSS in a browsers session. If a possible XSS injection point is found then the XSS is set to the BeEF hook.
Future DEV and Ideas
- Optimisation for performance
- Obfuscation, polymorphism and URL randomization
- Improve XSSRAYS
- Improve BeEF console
We want YOU! If you want to help develop BeEF get in touch!
- Ground BeEF: Cutting, devouring and digesting the legs off a browser –> Overview
- Ground BeEF slides –> PDF
- BeEF Project Homepage
- BeEF Twitter Account –> @beefproject