Wednesday, June 8, 2016

Mapping your LAN from a web browser: Introducing the Network extension for BeEF

Today's blog post brought to you by Brendan Coles:

How many tabs do you have open in your browser right now? For how long have they been open - more than 10 minutes? Any one of them could have mapped your local networks and launched exploits against your outdated or misconfigured software.

From the BeEF laboratory comes a new extension for BeEF - the Network extension. It ties together many of the existing network discovery modules[1] to assist with mapping and exploiting hosts on a hooked browser's local area networks, adds a RESTful interface, and adds a pretty interface to the web UI for interacting with a zombie's local networks.

Figure: Network Map of BeEF attack (BeEF outside the firewall, hooked browser behind the firewall among multiple other hosts).


Thanks to WebRTC (and the Get Internal IP (WebRTC)[2] module by @xntrik based on work by @natevw) it's easy to grab the local IP address for all network interfaces on the hooked host (including VPN interfaces) in Firefox and Chrome. The module adds the internal IP addresses to the network map[3][4] automatically.

Figure: BeEF Host Listing (127.0.0.1 highlighted; last-seen times for five additional hosts in the 127 and 10 ranges).

Identifying web servers on the zombie's local network is easy too. All network hosts identified during scanning are added to the network map. Likewise, identified hosts and services are also added to the Hosts and Services tabs respectively.

Figure: BeEF Host interaction menu (options: Get Internal IP Address, Discover Proxies, Discover Routers, Discover Web Servers, Fingerprint HTTP, CORS Scan and Flash Cross-Origin Scan; the last four open submenus).

Right-click context menus in the Host and Services tabs offer a few options for discovery of hosts and services. Each option scans a hard-coded list of common LAN IP addresses or a user-supplied target IP range.

Two cross-origin scanners exist to detect overly permissive cross-origin policies:

  • CORS Scan wraps the Cross-Origin Scanner (CORS) module which sends CORS requests and returns the IP address, port, HTTP status code, page title and page contents for each web server identified with a permissive CORS policy.
  • Similarly, Flash Cross-Origin Scan wraps the Cross-Origin Scanner (Flash) module (based on CrossSiteContentHijacking[5] by Soroush Dalili) which sends requests using Flash and returns the IP address, port, page title and page contents for each web server identified with a permissive Flash cross-origin policy.
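
Both scanners above report hosts whose policy lets a page from another origin read the response. As an added example (not BeEF code), the checks below classify a server's CORS response headers and its crossdomain.xml the way a defender auditing internal web servers would; the header sets, policy files and origins are constructed, and AUDIT_ORIGIN is assumed to be an origin the server has no reason to trust.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from any real host). AUDIT_ORIGIN is
# an origin the server should NOT trust; if it comes back echoed in
# Access-Control-Allow-Origin, the server reflects arbitrary origins.
AUDIT_ORIGIN = "http://untrusted-probe.example"
CORS_CASES = {
    "wildcard":        {"Access-Control-Allow-Origin": "*"},
    "reflected_creds": {"Access-Control-Allow-Origin": AUDIT_ORIGIN,
                        "Access-Control-Allow-Credentials": "true"},
    "null_origin":     {"Access-Control-Allow-Origin": "null"},
    "allowlisted":     {"Access-Control-Allow-Origin": "https://intranet.example"},
    "no_cors":         {"Content-Type": "text/html"},
}
WEAK_CROSSDOMAIN = ('<?xml version="1.0"?><cross-domain-policy>'
                    '<allow-access-from domain="*"/></cross-domain-policy>')
HARDENED_CROSSDOMAIN = ('<?xml version="1.0"?><cross-domain-policy>'
                        '<allow-access-from domain="intranet.example" secure="true"/>'
                        '</cross-domain-policy>')


def audit_cors(request_origin, headers):
    """Classify a CORS response as the hooked browser (and so the scanner) sees it.
    Returns "restricted" when the browser blocks the cross-origin read,
    "permissive" when any page can read the body, and "permissive-credentialed"
    when that read also carries the victim's cookies."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "restricted"          # no CORS header: same-origin policy holds
    if acao in ("*", "null"):
        return "permissive"          # "*" never pairs with credentials;
                                     # "null" is claimable by sandboxed frames
    if acao == request_origin:       # our untrusted origin was reflected
        return "permissive-credentialed" if creds else "permissive"
    return "restricted"              # a fixed allow-listed origin, not ours


def audit_crossdomain(xml_text):
    """Return the <allow-access-from> patterns in a crossdomain.xml that let a
    Flash movie served from any site read this host's responses."""
    root = ET.fromstring(xml_text)
    return [node.get("domain", "") for node in root.iter("allow-access-from")
            if node.get("domain") == "*"]
```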


A few other options are available to identify network services and devices:

  • Discover Web Servers wraps the Get HTTP Servers (Favicon) module which loads favicon images from predictable paths (/favicon.ico, /favicon.png, /images/favicon.ico, /images/favicon.png). Web servers are identified if the image is loaded successfully. However, be aware that this technique may be noticed by the user if any of the hosts pop a 401 Authentication Required prompt. Fortunately, favicon images are typically not protected by authentication.
  • Discover Routers wraps the Fingerprint Routers module (a port of jslanscanner by Gareth Heyes) which attempts to identify routers on known common router IP addresses. However, be aware that this technique may be noticed by the user if any of the hosts pop a 401 Authentication Required prompt.
  • Fingerprint HTTP wraps the Network Fingerprinting module which uses a database of signatures to fingerprint network services based on default image paths. However, be aware that this technique may be noticed by the user if any of the hosts pop a 401 Authentication Required prompt.

Figure: BeEF Services Window (services on 10. and 172. addresses, including ports 80 and 8080, with Protocol and Type identified, e.g. Apache 2.x, HTTP Server (CORS)).

Below are a few autorun rules which make use of the new Autorun Rule Engine (ARE; thanks @antisnatchor) to automate scanning and fingerprinting the LAN for Firefox and Chrome zombies. Each rule grabs the internal IP address with WebRTC and scans the zombie's local subnet. Simply copying the desired ARE rules from the arerules directory to arerules/enabled should be enough to get started.

  • https://github.com/beefproject/beef/blob/master/arerules/lan_cors_scan_common.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_cors_scan.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_fingerprint_common.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_fingerprint.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_flash_scan_common.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_flash_scan.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_http_scan_common.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_http_scan.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_ping_sweep.json
  • https://github.com/beefproject/beef/blob/master/arerules/lan_ping_sweep_common.json


A REST interface also exists[6] with some examples[7] if you wish to script attacks against the LAN.

No functionality exists for automated exploitation of identified devices or services as yet; however, a couple of spray-and-pray options exist:

  • ShellShock Scan attempts to gain a reverse shell by exploiting ShellShock using a list of ~400 known vulnerable CGI paths (from Shocker[8] by Tom Watson). Given the frequency with which embedded devices are usually updated (which is to say: not at all), this can be surprisingly effective.
  • RFI Scan attempts to gain a reverse shell by exploiting remote file inclusion vulnerabilities using RSnake's list of 2000+ known vulnerable RFI paths.

Identified hosts and services are also logged to the console if debugging is enabled. Some example console output is shown below. Note that hosts were identified in the wired LAN subnets 10.1.1.0/24 and 10.0.0.0/24 even though the hooked browser was running in a VM (172.16.191.0/24).

[ 1:11:53][>] Hooked browser has network interface 172.16.191.135
[ 1:11:53][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:1, mod: 83, name:'Get Internal IP WebRTC']
[ 1:11:53][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:1, mod: 83, name:'Get Internal IP WebRTC']
[ 1:12:01][>] Hooked browser found host 172.16.191.1
[ 1:12:01][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:01][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:01][>] Hooked browser found host 172.16.191.2
[ 1:12:01][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:01][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:06][>] Hooked browser found host 172.16.191.1
[ 1:12:06][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:06][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:06][>] Hooked browser found host 172.16.191.2
[ 1:12:06][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:06][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:29][>] Hooked browser found host 10.0.0.1
[ 1:12:29][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:3, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:29][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:3, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:30][>] Hooked browser found host 10.1.1.1
[ 1:12:30][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:3, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:30][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:3, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:35][>] Hooked browser found host 10.1.1.1
[ 1:12:35][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:3, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:12:35][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:3, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:22:40][>] Hooked browser found HTTP server 172.16.191.129:80
[ 1:22:40][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:22:40][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:22:44][>] Event: 652.706s - [Blur] Browser window has lost focus.
[ 1:23:00][>] Hooked browser found HTTP server 172.16.191.133:80
[ 1:23:00][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:00][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:06][>] Hooked browser found host 172.16.191.133
[ 1:23:06][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:06][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:11][>] Hooked browser found host 172.16.191.135
[ 1:23:11][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:11][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:16][>] Hooked browser found host 172.16.191.135
[ 1:23:16][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
[ 1:23:16][*] Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 60, name:'Cross-Origin Scanner (Flash)']
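
As an added example (not part of the post or of BeEF), the parser below reads console lines in the format shown and summarises what the zombie revealed per /24, marking the subnets that contain none of the browser's own interfaces, which is how the 10.1.1.0/24 and 10.0.0.0/24 hosts stand out from the VM's own segment. The console excerpt is constructed from the lines above.

```python
import ipaddress
import re

# Constructed excerpt in the format of the BeEF console output above; the
# "Event:" lines are kept to show that the parser skips them.
SAMPLE_CONSOLE = """\
[ 1:11:53][>] Hooked browser has network interface 172.16.191.135
[ 1:11:53][>] Event: Hooked browser [id:1, ip:172.16.191.135] has executed instructions (status: SUCCESS) from command module [cid:1, mod: 83, name:'Get Internal IP WebRTC']
[ 1:12:01][>] Hooked browser found host 172.16.191.1
[ 1:12:29][>] Hooked browser found host 10.0.0.1
[ 1:12:30][>] Hooked browser found host 10.1.1.1
[ 1:12:35][>] Hooked browser found host 10.1.1.1
[ 1:22:40][>] Hooked browser found HTTP server 172.16.191.129:80
[ 1:22:44][>] Event: 652.706s - [Blur] Browser window has lost focus.
"""

# One pattern for the three line shapes that carry network facts.
FACT_RE = re.compile(
    r"^\[\s*[\d:]+\]\[[>*]\] Hooked browser "
    r"(?:has network interface (?P<iface>[\d.]+)"
    r"|found host (?P<host>[\d.]+)"
    r"|found HTTP server (?P<svc>[\d.]+:\d+))$"
)

def parse_console(text):
    """Return (interfaces, hosts, services) as sorted lists. Repeated finds of
    the same host by successive scan passes collapse into a single entry."""
    found = {"iface": set(), "host": set(), "svc": set()}
    for line in text.splitlines():
        m = FACT_RE.match(line)
        if not m:
            continue                 # "Event:" bookkeeping lines carry no facts
        for key, value in m.groupdict().items():
            if value:
                found[key].add(value)
    return sorted(found["iface"]), sorted(found["host"]), sorted(found["svc"])

def reachable_subnets(interfaces, hosts, prefix=24):
    """Group hosts by /prefix network; "local" is False for networks holding
    none of the browser's own interfaces, i.e. segments reached beyond its own."""
    local = {ipaddress.ip_network(f"{i}/{prefix}", strict=False) for i in interfaces}
    report = {}
    for h in hosts:
        net = ipaddress.ip_network(f"{h}/{prefix}", strict=False)
        entry = report.setdefault(str(net), {"local": net in local, "hosts": []})
        entry["hosts"].append(h)
    return report
```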

LAN scanning with the default settings is slow, as the modules are configured to take into account high-latency networks, background network traffic and the browser's maximum connection capacity. The timing for each module can be tweaked: each module has options for controlling the number of simultaneous workers, the wait time between requests and the request timeout. The default settings should be sufficient for use in high-latency networks, such as Wi-Fi.

Figure: Module Options for Cross-Origin Scanner (Flash). Module description: "This module scans an IP range to locate web servers with a permissive Flash cross-origin policy. The HTTP response is returned to BeEF. Note: Set the IP address range to 'common' to scan a list of common LAN addresses. This module uses ContentHijacking.swf by Soroush Dalili (@irsdi)." Id: 59; fields: Scan IP range, Ports, Workers, Timeout for each request; Execute button.

Have fun mapping your LAN from a browser!

---

[1] https://github.com/beefproject/beef/wiki/Network-Discovery
[2] https://github.com/beefproject/beef/tree/master/modules/host/get_internal_ip_webrtc
[3] https://github.com/beefproject/beef/wiki/Network-Discovery#admin-ui
[4] https://github.com/beefproject/beef/pull/1178
[5] https://github.com/nccgroup/CrossSiteContentHijacking
[6] https://github.com/beefproject/beef/blob/master/extensions/network/rest/network.rb
[7] https://github.com/beefproject/beef/blob/master/tools/rest_api_examples/network
[8] https://github.com/nccgroup/shocker
