athcon.org, Athens, 3-4 May 2012, Day 2, Track 1, 18:00-18:50
"Advances in BeEF: RESTful API, WebSockets, XssRays enhancements", Michele Orru

BeEF demo using the BeEF RESTful API
1. BeEF programmatically accessing Metasploit
2. injects BeEF into some victim browser
3. injects an applet, then uses the JavaScript-to-Java communication to get the Java version (based on the JDK)
4. then "sysinfo" in Meterpreter to get the system info
5. then injects "execute calc.exe" into the victim's machine through the injected Java applet

New additions
- AJAX call poisoning (the XMLHttpRequest object is overridden)
- modules can open links with target=_blank so the victim is not lost
- getting the persistence (history) from the victim browser

New feature (in a testing branch, to be added soon): WebSocket support
- currently BeEF uses XHR, but for speed it needs WebSockets
- XHR in BeEF: pros - works everywhere (IE, Chrome); cons -
- (TODO) if beef.browser.hasWebSocket(), don't use XHR polling, open a WebSocket channel
- support: Firefox, Chrome, Safari; also MozWebSocket
- https://github.com/radoen/beef-radoen - the experimental phase

Possibilities with WS
- real-time, VNC-like hooked-browser control
- faster tunneling proxy (fuzzing through the hooked browser 4-5 times faster)
- generally faster communication

Demo - BeEF with WS
- launch 1000 XHR-polling vs WS-based requests

XssRays
- originally a pure JS-based XSS scanner, then integrated into BeEF

XssRays operation
- a page with links/forms which do GET/POST requests, intra- or cross-domain
- it adds a hidden iframe for each of the requests
- if the iframe is loading, then the resource was XSS-vulnerable
- it also works CROSS-DOMAIN (respecting the SOP!)
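The WebSocket notes above boil down to one engineering decision: feature-detect a socket constructor (including Firefox's vendor-prefixed MozWebSocket), open a single persistent channel when it exists, and keep XHR polling only as the fallback that "works everywhere". The following is an added illustration of that decision and of why the 1000-request comparison favours sockets; it is not BeEF's code. The browser is modelled by a window-like object passed in, the FakeWebSocket class and the endpoint URL are constructed stand-ins, and the message counts it reports are what a polling channel pays in HTTP round trips versus a socket's single handshake.

```javascript
// Added example, not BeEF's own code. `win` is a window-like object so the
// logic runs under Node with constructed stand-ins instead of a real browser.

// Feature check: the standard WebSocket constructor, or Firefox's older
// vendor-prefixed MozWebSocket (the prefixed name mentioned in the talk).
function webSocketCtor(win) {
  if (typeof win.WebSocket === "function") return win.WebSocket;
  if (typeof win.MozWebSocket === "function") return win.MozWebSocket;
  return null;
}

function hasWebSocket(win) {
  return webSocketCtor(win) !== null;
}

// Open a command channel. `httpRequest` stands for the XHR primitive (one HTTP
// round trip per call). With a socket available, one connection carries every
// message; without one, every message costs a full XHR round trip, which is the
// polling overhead the talk's 1000-request demo measures.
function openChannel(win, url, httpRequest) {
  const Ctor = webSocketCtor(win);
  let messages = 0;
  if (Ctor) {
    const sock = new Ctor(url.replace(/^http/, "ws")); // http:// -> ws://
    return {
      kind: "websocket",
      send: (msg) => { messages += 1; sock.send(msg); },
      stats: () => ({ handshakes: 1, httpRequests: 0, messages }),
    };
  }
  return {
    kind: "xhr-polling",
    send: (msg) => { messages += 1; httpRequest(url, msg); },
    stats: () => ({ handshakes: 0, httpRequests: messages, messages }),
  };
}

// Constructed stand-ins: a fake socket that records frames, and three windows
// (modern, Firefox-prefixed, and a legacy browser with no socket support).
class FakeWebSocket {
  constructor(url) { this.url = url; this.frames = []; }
  send(msg) { this.frames.push(msg); }
}
const modernWindow = { WebSocket: FakeWebSocket };
const firefoxPrefixedWindow = { MozWebSocket: FakeWebSocket };
const legacyWindow = {};

// Send n commands over whichever channel the browser supports and report the
// transport chosen plus the cost in handshakes and HTTP requests.
function runDemo(win, n) {
  let xhrCalls = 0;
  const endpoint = "http://hook.example/channel"; // assumed endpoint, not a real one
  const ch = openChannel(win, endpoint, () => { xhrCalls += 1; });
  for (let i = 0; i < n; i++) ch.send("cmd-" + i);
  return { kind: ch.kind, ...ch.stats(), xhrCalls };
}

console.log(runDemo(modernWindow, 1000)); // websocket: 1 handshake, 0 HTTP requests
console.log(runDemo(legacyWindow, 1000)); // xhr-polling: 1000 HTTP requests
```

Running the two cases side by side shows the trade the talk describes: polling pays one HTTP request per message, while the socket pays one handshake and then sends frames, which is why the socket branch is preferred whenever the feature check succeeds.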