Showing posts with label BeEF. Show all posts
Showing posts with label BeEF. Show all posts

Wednesday, April 20, 2016

Harden your Intranet, BeEF Bind Shellcode says so!

I was reading the Browser Hackers Handbook and thought it gave a great example of why you should take hardening your internal INTRANET seriously. By INTRANET, I mean all those servers inside your network, such as the ones that handle employee email, payroll, ERP systems, file servers, print servers, database servers, collaboration, etc. Why? Well my story starts with BeEF, the Browser Explotation Framework, which automates and simplifies attacking a browser for the bad guys. In many cases it can turn an attack against a browser from lots of lines of complex scripting language code into a simple mouse & click for the attacker. One feature in BeEF is the BeEF Bind shellcode which as I see it is a great example of why you need to take hardening your internal INTRANET seriously. Here is a diagram of how it works. I'll walk through in a bit more detail below.



Phase 1, the click-happy employee
Imagine you have 1000s of employees at your company, but just 1 gullible employee. That's all the attacker needs. Imagine they tricked that user via a phishing email to click a single malicious link. That link hooks the user's browser (could be Chrome, FireFox, Internet Explorer, etc.) with the BeEF framework. Now you're probably thinking that the user's workstation could get compromised somehow, maybe some ransomware gets installed, etc. But what if there were more possibilities?

Phase 2, a compromised browser can be as powerful as a compromised computer
Now imagine if from the BeEF framework you could take control of that user's browser (I'm not even talking about controlling the workstation, I'm saying JUST THE BROWSER is hooked by the attacker). Now image if they could use that hooked browser to attack your internal network. Guess what? The capabilities are all there in BeEF and a book like the Browser Hacker's Handbook has working examples to show you how to do it. The attacker could actually launch a network sweep (via javascript) from that 1 gullible user's browser against the servers on your INTRANET. The attacker can then launch port scans (via javascript) right from that 1 gullible user's browser against the interesting INTRANET servers it found. It gets worse. The attacker can then generate and send vulnerability scanner-like requests via javascript (such as SQL injection discovery) again right out of the browser against a server. Finally, from that 1 gullible user's browser the attacker could send an exploit payload (such as a SQL injection request) directly to a vulnerable server on your INTRANET and compromise it. Yeah, that one Windows NT database server you thought it was safe not to patch. Here's one way it could get popped.

Phase 3, the compromised server never phones home, it just talks to the employee's browser!
Now all of that is fascinating and scary especially since it's highly like that of your 1000s of employees, at least one of them is going to accidentally click on a malicious email. But what if there was more? Imagine that the attacker somehow managed to successfully use the scenario above and compromise an internal server. What if your networking team was amazing and awesome and has egress (outbound) network traffic from servers locked down tight. So the attacker is stuck. He has a compromised box, but he can't actually get it to communicate out or phone home to his C&C (command and control). No problem, the BeEF Bind Shellcode actually delivers a solution to that problem. That compromised server can still communicate with the gullible user's workstation, right? So the BeEF Bind Shellcode actually proxies or funnels all communication in and out to that compromised server via that 1 gullible user's browser. That is the part I find fascinating and the scariest of all is that all this malicious traffic, compromised activity, command and control traffic, data exfiltration, etc. is all essentially happening through a browser over port 80/443. That's a big problem.

Imagine you were the good guy trying to determine when this type of activity happens. It might be a bit of work but relatively speaking not too difficult to lock out egress (outbound) traffic from servers or to monitor it with an IDS or other devices looking for suspicious traffic. But it becomes harder to monitor a user's workstation web traffic. There's just soooo much of it, every page generates soooo many requests. But it becomes incredibly more difficult if you also have to also watch the traffic from a user workstations to internal INTRANET servers. And it also makes it hard if that traffic you have to watch is web traffic (port 80, 443) and intermingled and mixed in on the same port and protocol as all the legit normal traffic. Yikes.

While several monitoring tools like IDS, endpoint agents, etc. can do a lot towards catching this kind of traffic, one of the most important pro-active steps you need to take in order to prevent this type of issue is to harden your INTRANET just like it's the wild west, just like it's on the Internet, patch early and often. Assume that your internal INTRANET has attackers already inside lurking around every corner, hooking random browsers , workstations, and other devices ... and harden your systems to make it difficult for them from to pivot and move around and find what they want.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. php injection ali.txt walk-thru


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: , , , , ,

Tuesday, January 12, 2016

XSS Flaws lead to Keylogging,Webcams, & more

I've enjoyed talking about XSS many times on this blog. Today is another one of those days! We're going to bring it hopefully full circle this time. First just as a heads up I'm working in my VM environment with networking configured like this to have a Kali linux box with Apache Web Server and also with BeEF and a windows 7 box with chrome.

Let's say a developer wrote a vulnerable PHP user page on his goodsite.com with this line of code. It's vulnerable to XSS because it's just echoing the user-controlled input back to the screen. This can be really bad as we'll see in a minute.

echo sprintf("User: %s", $_GET['userid']);

Now an evil attacker may swoop in, discover this flaw, and try to get one of your users of the website to click on a link that looks like this



Notice the javascript that tries to load a hook.js file from an evil site. We'll get to what that is later. First you should know that by default Chrome and many modern browsers actually would've saved your life already. Chrome's XSS auditor would've caught this and silently blocked it. You can see this if you view source and find the red highlighted text.



But let's say I was running an older insecure browser, the vulnerability was actually somewhere else and Chrome didn't catch it, or I'm evil and know how to evade the XSS Auditor, or I simply disabled the xss auditor feature (don't do this) in chrome like below.



Then truly bad things will happen as you see below. The evil attacker got my end user to go to my goodsite, but per the Chromes developer tab (F12) I'm able to see that even though my good page loaded, in the background, something else more evil loaded. A hook.js file from evilsite.com which came from the XSS injection of the script src tag. In addition, notice that the hook.js isn't done yet. It's actually created persistence. It's now running over and over every few seconds. This looks bad.



Over on the BeEF console the attacker probably sees some log like this showing him that you've joined his party



And at his disposal he can do whatever he wants as long as your browser and plugin versions support it including evil stuff like enabling your webcam



Or if you happen to type in a password or credit card



He's going to see that as well



One thing I found really cool about BeEF is that you can view all the javascript code behind the scenes making these hooks, keylogging, etc. work is all write there for you to view.



So if you're like me and have a background in web development as a good guy, then you can figure out exactly what code some of the bad guys are taking advantage of.

And finally I'll harp on it again, if you're a web developer, hopefully this blog post gives you another good reason to take XSS flaws seriously for the sake of your end user.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. php injection ali.txt walk-thru
  3. php injection exfil walk-thru


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Posted by at No comments:
Labels: , , , , , , , , ,
Subscribe to: Posts (Atom)