Tuesday, January 15, 2013

BeEF QR Fun

With two hooks (customhook and qrcode), you can have quite a bit of fun in a pentest. Today's blog post uses these together for some fun(ny) and useful pentest ideas.

This post was contributed by Christian Frichot (@xntrik).



Where would BeEF be without hooking? Not very far. The concept of utilising a browser to gain information on a target, or better yet, compromise other systems, relies on a very important first step: hooking the browser. In BeEF parlance, this is the moment a browser executes the initial JavaScript payload (/hook.js) successfully and sets up a persistent communication channel back to the BeEF server. During BeEF’s early days as a young, unwieldy PHP app (hehe, you know I’m joking Wade, it kicked ass even back then), this initial hook was often a cross-site scripting (XSS) flaw being exploited to inject the hook into a vulnerable website, where it was then executed by a victim browser.

These days exploiting XSS flaws, whilst still common, is not as easy as it used to be. What with the number of preventative controls really starting to stack up, you can see why attackers (read: pen testers :P) are starting to look at other means to entice a victim (read: authorising party) to bite on their hook. The following are just a few of those XSS controls:
  • Developers slowly starting to use input/output encoding/escaping;
  • Development frameworks slowly making it more and more difficult to accept or output unfiltered codes by default;
  • Browser in-built XSS controls, such as those within IE and Chrome;
  • Add-on XSS controls, such as NoScript;
  • Content-Security-Policy headers.
So what other means does an attacker have? Well, plenty in fact. Primarily these currently fall into two families: Man-in-the-Middle (MitM) style injections, and social engineering tactics. We’ve blogged about some of these previously, including:
Both of which offer great insight into the different ways you can execute that initial hook against your victim.

In addition to Michele’s social engineering extensions, a couple of other extensions exist within BeEF that allow an attacker to hook a victim. These are the ‘Custom Hook Point with iFrame Impersonation’ (the customhook extension), and the ‘QR Code Generator’ (the qrcode extension). You can use these extensions separately, but combining them really helps an attacker successfully perform a browser-based social engineering attack. The customhook extension simply offers the attacker a custom mount point (beefserver.com/thisisacustommountpoint) within BeEF that, when visited by a browser, loads up the BeEF hook and then loads a full-screen iframe of the target website. While similar in concept to the web cloning extension, this extension does not require downloading the target website. Because the extension displays the target website in an iFrame, it only works when the target site does not utilise any frame-busting code. We here at BeEF prefer diversity in the ways in which you can use the tool, just like we enjoy a variety of different cuts (top, sirloin, shankle, tongue, tenderloin etc).
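The frame-busting caveat above is the one a site owner can check for themselves. The following is an added example (not code from the post or from BeEF) that inspects a page's response headers and reports whether browsers will refuse to render it inside a third-party iframe; the header values in the test are constructed, and CSP source matching is simplified to exact origin comparison.

```python
"""Added example: decide from response headers whether a page can be framed
by another origin (X-Frame-Options and CSP frame-ancestors).  Not part of
the BeEF post or project; CSP source expressions are matched by exact origin
string, which ignores wildcard hosts and scheme-only sources."""
from typing import List, Mapping, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # strip the quotes around keywords such as 'self' and 'none'
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_blocked(headers: Mapping[str, str], page_origin: str, framer_origin: str) -> bool:
    """True if a page served with `headers` from `page_origin` cannot be framed
    by a document at `framer_origin`.  CSP frame-ancestors, where present,
    takes precedence over X-Frame-Options (as CSP Level 2 specifies)."""
    lower = {k.lower(): v for k, v in headers.items()}
    page_origin = page_origin.lower()
    framer_origin = framer_origin.lower()

    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if "*" in ancestors:
            return False
        if "self" in ancestors and framer_origin == page_origin:
            return False
        return framer_origin not in ancestors  # 'none' or an unlisted origin blocks

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return True
    if xfo == "SAMEORIGIN":
        return framer_origin != page_origin
    if xfo.startswith("ALLOW-FROM"):
        return framer_origin not in xfo.lower()
    return False  # no framing protection at all: a full-screen iframe renders it
```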

You could use a customhook by itself quite nicely: fire up BeEF, trick a user (using shortened URLs for example) into visiting the custom mount point and away you go. But why stop there? You know how much we love hooking mobile devices right? This is where the qrcode extension can come into play. For those who haven’t seen QR codes before, they’re the new fad in mobile/advertising, meant to be trivial for mobile devices to point at and then perform an action, such as visiting a URL. The qrcode extension itself is very basic: all it does is take a URL and give you back a Google Chart URL which generates the QR code for you. While you can use the extension if you wish, you can just as easily hit up https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl=<inserttargeturlhere> yourself.

Tying it all together now, edit the beef/extensions/customhook/config.yaml file:

customhook config.yaml
Modify enable to be ‘true’, then configure your customhook_path (this will be the mount point), the customhook_target (what we’re going to shove into an iFrame) and the customhook_title (this will be what we set the HTML Title of the page to). If you want to add another layer of obfuscation you can wrap this custom hook URL in a shortened URL: go on, hit up bit.ly and generate a shortened URL for http://yourbeefserver.com/yougotchipmunked.

To leverage the QR code extension, edit beef/extensions/qrcode/config.yaml file:

qrcode config.yaml

Modify enable to ‘true’ then drop your URL into the target setting.
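The Google Chart URL quoted earlier and the customhook_path/target settings just described fit together in a few lines. This added example (not code from the post or from BeEF) builds the custom hook URL from a BeEF base URL and mount point, wraps it in the chart URL with proper percent-encoding, and decodes such a chart URL back to its target, which is the direction an incident responder needs when one turns up in proxy logs. The server name and mount point are constructed values.

```python
"""Added example: compose the custom hook URL and its Google Chart QR URL,
and recover the target from a chart URL.  Not part of the BeEF post or
project; 'yourbeefserver.com' and '/yougotchipmunked' are constructed."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

CHART_ENDPOINT = "https://chart.googleapis.com/chart"


def custom_hook_url(beef_base: str, customhook_path: str) -> str:
    """Join the BeEF server URL with the customhook_path mount point."""
    return urljoin(beef_base.rstrip("/") + "/", customhook_path.lstrip("/"))


def qr_chart_url(target: str, size: int = 300) -> str:
    """Return the chart URL from the post with the target percent-encoded in chl."""
    if not target.lower().startswith(("http://", "https://")):
        raise ValueError("target must be an absolute http(s) URL")
    query = urlencode({"cht": "qr", "chs": f"{size}x{size}", "chl": target})
    return f"{CHART_ENDPOINT}?{query}"


def qr_chart_target(chart_url: str) -> Optional[str]:
    """Recover the encoded target from a QR chart URL (e.g. one seen in logs),
    or None if the URL is not a QR chart request at all."""
    parts = urlsplit(chart_url)
    if parts.netloc != "chart.googleapis.com" or parts.path != "/chart":
        return None
    params = parse_qs(parts.query)
    if params.get("cht") != ["qr"] or "chl" not in params:
        return None
    return params["chl"][0]


if __name__ == "__main__":
    hook = custom_hook_url("http://yourbeefserver.com", "/yougotchipmunked")
    chart = qr_chart_url(hook)
    print(chart)
    print(qr_chart_target(chart))
```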

When you start BeEF you should see the console respond with:

console response with custom hook and qrcode links

You can see a rough demo of this in action from my OWASP AppSec APAC 2012 YouTube demo here:

Happy fishing BeEFers!

-Christian ‘@xntrik’ Frichot

6 comments:

  1. There's also a web design company in Long Island which performs this kind of website security protection to avoid any unwanted malware penetrating the site itself. Good way to ensure that the site you got will not be hacked or infected.

    Luisa Will

  2. This comment has been removed by the author.

  3. If you want to start a small online advertising agency then you should contact a person with this kind of knowledge with Browser Exploitation Framework (BeEF). There is a high risk that your website can be hacked or injected from an unknown source so security is the priority.

    Lara Thompson

  4. Thanks for this brief lesson in manipulating the codes. Web designers are much aware of the possible attacks so we need security. - Ben Griffiths

  5. There's one tiny detail that developers keep forgetting here. Thanks for pointing that out!

    - Claudia Lacey

  6. Can anyone explain how to set up a static IP for BeEF, for using it over the internet? I am wondering this and can't find any info about it. I think it is a lot of people's problem too. Thanks