Thursday, April 4, 2013

The Evolution of Chrome Extensions Detection

Today's blog post is by guest blogger Giovanni Cattani.

The Old Technique

Detecting which Chrome extensions are installed has always been a trivial matter of finding a specific extension ID and trying to load the manifest.json file, which is always located in the same spot:

chrome-extension://abcdefghijklmnopqrstuvwxyz012345/manifest.json

However, in the latest Chrome versions, attempting to load the manifest usually fails and the JavaScript console returns the following error:

Denying load of chrome-extension://abcdefghijklmnopqrstuvwxyz012345/manifest.json. Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension.

[Image: Load Error]

What happened to the good old detection code that used to work seamlessly? And what is the web_accessible_resources manifest key?

Wednesday, March 20, 2013

Exploiting m0n0wall 1.33 with BeEF

Today's post is a guest post from Bart Leppens.

What is m0n0wall? m0n0wall is a free software firewall distribution that often runs on embedded hardware like Alix or Soekris boards. It is based on a bare-bones version of FreeBSD. There is no netcat, socat, perl, python, ruby or even telnet present on the system. I actually don't know if this is due to security considerations or just to save some disk space, since m0n0wall fitted on an 8 MB CF card for a long time and now requires just a 16 MB card. And we figured out how to exploit it with BeEF.

Monday, March 11, 2013

Subverting a cloud-based infrastructure with XSS and BeEF

Well, the world is changing. You can probably do a lot more direct damage with a XSS in a high-value site than with a local privilege escalation in sudo [...] - lcamtuf@coredump.cx
If you are intrigued by sophisticated exploits and advanced techniques, Cross-Site Scripting is probably not the most appealing topic for you. Nevertheless, recent events have demonstrated how this class of vulnerabilities has been used to compromise applications and even entire servers.

Today, we are going to present a possible attack scenario based on a real-life vulnerability that was recently patched by the Meraki team. Although the vulnerability itself isn't particularly interesting, it reveals how a trivial XSS flaw can be abused to subvert an entire network infrastructure.

Monday, February 25, 2013

About the latest Rack vulnerability and how it affected BeEF

A friend of mine, Louis @snyff Nyffenegger, recently found an XSS in Rack's default 404 page. By default, Rack reflects the value of the not-found URI in the page without applying proper output escaping. This leads to reflected XSS.

A simple patch suggested by him is the following:
https://github.com/snyff/rack/commit/66b41c8394569e87b85122d7b2cdf194017b82c3

So how does this affect BeEF?

The bug is present when using Rack::File or similar directives to mount content in the Thin web server. We use that directive to mount the static content served via the /demos URI.

beef_server.mount('/demos/', Rack::File.new(dir))

The affected code in the file.rb Rack library is:
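The Rack excerpt is not reproduced here. As an added illustration of the bug class described above (constructed for this page, not Rack's own file.rb code), the snippet below shows a Rack-style 404 handler that reflects the request path into an HTML body unescaped, next to the hardened version that HTML-escapes it first. `CGI.escapeHTML` from the Ruby standard library is used so the example runs without the rack gem; in a real Rack application `Rack::Utils.escape_html` fills the same role. The sample path and the helper names are assumptions made for the example.

```ruby
require "cgi"

# Constructed sample request path. The <b> tag is a harmless marker used to
# show whether the handler reflects raw markup; it is not taken from the post.
SAMPLE_PATH = "/demos/<b>missing</b>.html"

# Vulnerable form: the not-found path is interpolated verbatim into an HTML
# body, so any markup in the URI ends up in the page (reflected XSS).
# Illustrative only; this is not Rack's actual implementation.
def not_found_unescaped(path_info)
  body = "<h1>File not found: #{path_info}</h1>\n"
  [404,
   { "Content-Type" => "text/html", "Content-Length" => body.bytesize.to_s },
   [body]]
end

# Hardened form: escape the reflected value before interpolation. This is the
# shape of fix the post's linked commit describes (output escaping of the URI).
def not_found_escaped(path_info)
  body = "<h1>File not found: #{CGI.escapeHTML(path_info)}</h1>\n"
  [404,
   { "Content-Type" => "text/html", "Content-Length" => body.bytesize.to_s },
   [body]]
end

# Minimal Rack-style app (env hash in, [status, headers, body] out) that wraps
# the hardened handler. Assumption: only PATH_INFO is read from env.
def app_escaped(env)
  not_found_escaped(env["PATH_INFO"].to_s)
end

# Review check: does the response body still carry the raw marker tag?
def reflects_raw_markup?(response)
  response[2].join.include?("<b>")
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{not_found_unescaped(SAMPLE_PATH)[2].join}"
  puts "escaped:   #{not_found_escaped(SAMPLE_PATH)[2].join}"
end
```

Running the file prints both bodies; the unescaped one contains the literal `<b>missing</b>` while the escaped one carries `&lt;b&gt;missing&lt;/b&gt;`, which the browser renders as text rather than markup.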




Tuesday, January 15, 2013

BeEF QR Fun

With two hooks (customhook and qrcode), you can have quite a bit of fun in a pentest. Today's blog post uses these together for some fun(ny) and useful pentest ideas.

This post was contributed by Christian Frichot (@xntrik).

Monday, January 7, 2013

BeEF Live - The quick and easy way to get your BeEF

Today's post is brought to you by Ben Waugh (@bw_z)

By far the most common queries or issues our users encounter are about how to get BeEF's dependencies running with a minimum of hassle on their systems. While our installation guide includes instructions for most *nix distributions, we also put together a LiveCD which includes a working install of BeEF, Metasploit and sqlmap.

Using the LiveCD
Download here: http://downloads.beefproject.com/BeEFLive1.2.iso

To run, simply:
  • Download 
  • Create a new VM using your virtualisation software of choice
  • Boot from the ISO. 
  • The console will automatically log in as user "beef" and present you with a few options at startup:
    • Install & Setup SSH: enables SSH for remote access to the VM and prompts you to create a password.
    • Update BeEF (or Metasploit/sqlmap): updates to the latest version available on GitHub.
    • Start BeEF.
Known Issues
Due to some issues running Ubuntu on VirtualBox, users of VirtualBox may have to toggle PAE support.

About the LiveCD
The LiveCD is based on Ubuntu 12.04 LTS and is configured to use Ruby 1.9.3p194. Apart from the standard install instructions (above), there is very little custom configuration of the OS.
Ruby Version Manager (https://rvm.io/) was used to install Ruby; users can customise further and download, install and switch between Ruby versions with the rvm command on the LiveCD.

The LiveCD was generated using Remastersys and its dist command, which generates the 850MB ISO file above. The splash screen and GRUB text are customised by providing custom splash.png and isolinux.cfg files.

A reference to the liveCD/BeEFLive.sh file in the BeEF repository is added to the default user profile to provide the user with a series of friendly prompts, including updating or running BeEF.

Any suggestions for other customisations or feature requests for the BeEF LiveCD? Let us know @beefproject or raise issues for us in GitHub.

Monday, December 31, 2012

BeEF Shank - BeEF MitM for Pentests

Happy New Year, everyone!

This guest post is brought to you by Ryan Linn.

At BlackHat Briefings this past summer, Steve Ocepek and I released Ruby code that would assist folks who want to use BeEF on internal penetration tests. Some may wonder, why would you want to do that? More and more internal resources are moving to SharePoint, tools are moving to web-based intranet sites, and personal information is moving away from mainframes and thick clients into web clients with database back-ends. Being able to attack the browser effectively on internal tests is going to become more crucial in giving realistic feedback on the potential impact of an intrusion.

So our goal at BlackHat this year was to demonstrate how to effectively utilize the browser among local machines on the network. We created two tools to help utilize BeEF effectively on internal tests. The first was a tool called shank. Shank is an ARP Spoofing tool used to execute smarter Man-In-The-Middle (MITM) attacks injecting the BeEF hook into browsers surfing on the network.