Browser Exploit Framework

Post on 06-May-2015

1.248 views 6 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

description

null Bangalore Chapter - June 2014 Meet

Transcript of Browser Exploit Framework

-Prashanth Sivarajan Prash.siv@gmail.com

What is BeEF?

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

How it works

UI Overview

Information Gathering

Network Discovery

Social Engineering

Exploit

Persistence

Command Modules

Information Gathering

Network Discovery

Social Engineering

Exploit

Persistence

Browser Fingerprinting

Detect Plugins (Quicktime/VLC/Silverlight)

Host Fingerprinting

Detect logged in sessions

Command Modules

Information Gathering

Network Discovery

Social Engineering

Exploit

Persistence

Internal IP Address

Ping Sweep

DNS Enumeration

Port Scanning

Network Fingerprinting

NAT Pinning

Command Modules

Information Gathering

Network Discovery

Social Engineering

Exploit

Persistence

Prompt Fake Login Page

Redirect

Embed iFrames

Fake flash/browser Updates

Flash camera & Mic permission

Click jacking assist

Command Modules

Information Gathering

Network Discovery

Social Engineering

Exploit

Persistence

Several Device specific CSRF modules

Command Modules

Information Gathering

Network Discovery

Social Engineering

Exploit

Persistence

Foreground iframe

Popup Under

Man in the browser

Command Modules

Metasploit Integration

• Start msgrpc on metasploit

• Enable metasploit in config.yaml

• Configure BeEF with msgrpc username and pwd in extensions/metasploit/config.yaml

• Start beef

Tunnelling Proxy

• Doesn’t work like it used to thanks to same origin policy of browsers

• Make request in the context of the hooked browser.

BeEF API Example

• Authenticate

• List hooked browsers

• Make persistent (popup under)

• Determine the type of browser

• if browser.match(/^IE/) { add iframe with URL for Metasploit module ms10_046_shortcut_icon_dllloader}

Else

{execute a different module}

Top related

Exploit Automation with the Metasploit Framework James Lee · 2015-05-28 · Exploit Automation with the Metasploit Framework James Lee 1 # whoami ... Not written in PHP ... Just
 Documents
Metasploit (Some Fun Stuff) - Carnal0wnage by · PDF fileDay 1 Recap Metasploit Framework Background Framework Interfaces Exploit Types Payload Types Auxiliary Modules Examples
 Documents
Hunting and Browser Bug Mobile - pic.huodongjia.compic.huodongjia.com/ganhuodocs/2017-06-16/1497579668.82.pdf · Kernel, persistence Privilege Escalation Browser Typical Exploit-Chain
 Documents
EKFiddle: a framework to study Exploit Kits
 Internet
Green Economy Policy Framework and Employment Opportunity ... · PDF fileGreen Economy Policy Framework and Employment Opportunity: ... South Africa is in a unique position to exploit
 Documents
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser
 Documents
Automated web patrol with strider honey monkeys finding web sites that exploit browser vulnerabilities
 Documents
Browser Exploit Packs - Virus Bulletin · ─Browser Malware Taxonomy ... –Web application vulnerability analysis ... –Harnessing the power of two different frameworks to deliver
 Documents
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 Technology
HKG15-411: Browser Testing Framework for LHG
 Software
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
 Technology
EyeSite: A Framework for Browser-Based Eye Tracking Studies€¦ · EyeSite is an open-source framework for running browser-based eye tracking studies that improves on existing tools
 Documents
Mantra – Security Framework Free and Open Source Browser based Security Framework.
 Documents
Tytuł oryginału: Web Penetration Testing with Kali Linux ...pdf.helion.pl/kalil2/kalil2.pdf · Metasploit Browser Exploit 212 Tabnabbing Attack 212 Browser Exploitation Framework
 Documents
Dissecting CSRF Attacks & Defensesconference.hitb.org/hitbsecconf2013kul/materials/D1T3 - Mike Shema... · CSRF Mechanism vs. Exploit 4 Force a victim’s browser to request a resource
 Documents
Exploit Kit - IWSEC · Exploit Kit Drive-by Download Exploit Kit Exploit Kit MWS2015 Improving Cyber Attack Detection System To Adopt The Changing Of Exploit Kit ... Angler Exploit
 Documents
Exploit-based Bandwidth/Network Analysis Framework Matt Weaver UCCS Spring 2007.
 Documents
Introduction to the ExtJS Javascript framework for rich apps in every browser
 Technology
A Framework for Feature Selection to Exploit Feature Group … · 2020. 5. 8. · A Framework for Feature Selection to Exploit Feature Group Structures Kushani Perera1(B), Jeffrey
 Documents
Chapter 6 — e Diagram framework & Loops Scoreopenendedgroup.com/wp-content/uploads/pdf/06_diagram-framework.pdf · artwork to exploit this framework — Loops Score, the music for
 Documents

Copyright © 2022 FDOCUMENTS