Thursday, October 11, 2012

BeEF and Pwnies - The Pwn Plug!


As a pentester, you sometimes need to think out of the box and use multiple techniques in order to prove to a client that they are vulnerable even in their internal network. I was recently working with a client that had an XSS vulnerability in one of their internal web applications that just was not accessible from the internet...

Until I introduced the client to BeEF and the Pwn Plug Elite.


I knew I could use BeEF to show the client the vulnerability, but I needed the BeEF server to be accessible on their internal network. That was where the Pwn Plug came to mind. But it did not come with BeEF out of the box. With BeEF being so flexible, I was able to install it on the Pwn Plug, and I wanted to share how I did that.

Here is the code to install all the requirements and set up the beef_launcher script.

All the commands should be typed while logged in to the Pwn Plug.

Code:


# update and install requirements
sudo apt-get update
sudo apt-get install curl git-core ruby subversion
sudo apt-get install libssl-dev libsqlite3-dev ruby1.9.2

# Pwn Plug 1.1.1 has a directory called storage
# that is on the SD card with Metasploit
cd /storage/

# Downloading rvm-installer
# piping curl straight into bash would not work, so save the installer to a file first
# (-k skips certificate verification; drop it if the plug trusts the GitHub CA)
curl -sk https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer -o rvm-installer
chmod +x rvm-installer
./rvm-installer

# /usr/local/rvm is the install location
echo '[[ -s "/usr/local/rvm/scripts/rvm" ]] && . "/usr/local/rvm/scripts/rvm"' >> ~/.bashrc
source ~/.bashrc
source /usr/local/rvm/scripts/rvm

# Installing rvm....
/usr/local/rvm/scripts/rvm install 1.9.2

# q needs to be pressed during install 
rvm use 1.9.2 --default

# Download BeEF..
git clone git://github.com/beefproject/beef.git
cd beef

# Installing Ruby Gems
gem install bundler
bundle install

The beef_launcher.sh script should be created separately.

# create beef_launcher.sh in the /pentest/ folder
#################################################
#!/bin/bash
# beef_launcher.sh

# export gem paths (rvm's gem directory for ruby-1.9.2-p320)
export GEM_HOME=/usr/local/rvm/gems/ruby-1.9.2-p320
export GEM_PATH=/usr/local/rvm/gems/ruby-1.9.2-p320

# enter beef directory
cd /storage/beef

# print default password information
echo 'DEFAULT USER/PASSWORD: beef/beef'
echo ''

# launch (-x resets the BeEF database on each start)
ruby-1.9.2-p320 beef -x

#end of beef_launcher.sh

And now...

#make /pentest/beef_launcher executable
chmod +x /pentest/beef_launcher.sh

#To run beef type
/pentest/beef_launcher.sh
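A pre-flight version of the launcher, as an added example that is not the post's own beef_launcher.sh: it refuses to start BeEF while config.yaml still holds the beef/beef credentials the original launcher prints, and warns when the listener is bound to every interface. It assumes the /storage/beef checkout from above and BeEF's config.yaml keys user, passwd and host (looked up as flat "key: value" lines, not with a full YAML parser).

```shell
#!/bin/bash
# Pre-flight checks for a BeEF launcher (added example, not the original
# post's script). Assumes BeEF is checked out in /storage/beef and reads
# its settings from config.yaml there.
BEEF_DIR="${BEEF_DIR:-/storage/beef}"

# Print the unquoted value of the first "key: value" line in a YAML file.
# Good enough for BeEF's credential/http keys; not a full YAML parser.
config_value() {
    awk -v key="$2" '$1 == (key ":") { print $2; exit }' "$1" | tr -d "\"'"
}

# Succeed (exit 0) when config.yaml still carries the stock beef/beef login.
has_default_credentials() {
    [ "$(config_value "$1" user)" = "beef" ] &&
        [ "$(config_value "$1" passwd)" = "beef" ]
}

# Succeed when the UI/hook listener is bound to every interface (0.0.0.0),
# i.e. reachable from anything that can route to the plug, not just localhost.
listens_on_all_interfaces() {
    [ "$(config_value "$1" host)" = "0.0.0.0" ]
}

# Refuse to start until the operator has changed the defaults.
launch_beef() {
    local cfg="$BEEF_DIR/config.yaml"
    if [ ! -r "$cfg" ]; then
        echo "config not found: $cfg" >&2
        return 2
    fi
    if has_default_credentials "$cfg"; then
        echo "refusing to start: default beef/beef credentials in $cfg" >&2
        return 1
    fi
    if listens_on_all_interfaces "$cfg"; then
        echo "warning: listener bound to 0.0.0.0; restrict 'host' in $cfg" >&2
    fi
    # No -x here: resetting the database on every start discards hook history.
    cd "$BEEF_DIR" && exec ruby-1.9.2-p320 beef
}

# Only launch when invoked as "beef_launcher.sh launch", so the functions
# can also be sourced and reused.
if [ "${1:-}" = "launch" ]; then
    launch_beef
fi
```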

By installing BeEF onto the Pwn Plug I was able to inject the BeEF hook into the vulnerable web application and remotely control users’ browsers thanks to the tunneling ability of the Pwn Plug. I couldn’t have landed the contract without the use of BeEF and the Pwn Plug.

This post contributed by:

Tobias Mccurry
Independent Security Consultant
Twitter - @lordsaibat
LinkedIn - http://www.linkedin.com/pub/tobias-mccurry-a-security-gsna-gcih/10/b81/477

P.S.
We have it on good authority from the Pwnie Express team that BeEF might be integrated in one or more of the Pwn Plugs soonish. Exciting! Keep an ear to the ground. You'll hear us running.
