Monday, April 30, 2012

Fresh meat: Release

Here at the BeEF project, we like to give props to our contributors and to those who inspire us. So, here's some info about our new release, and a little about the folks who made it happen.

In addition to a major move and taking a new job, Michele has made updates to the RESTful API Wiki, including two new endpoints:
  • /api/admin/login (added by Christian), which returns the API token when you pass the BeEF user/pass. As a consequence, the BeEF credentials have been moved to the main config.yaml (they were previously in the admin_ui extension's config.yaml).
  • /api/hooks/:session, which returns all the hooked browser details (plugins, enabled technologies and so on).
We'll probably be making a longer post about some tests we added for debug_modules, too.
Also, he's made XSSRays work with IE now, too (IE6 through IE9). A special thanks to Brendan for helping with testing.

Really, there have been a slew of other changes Michele has made, including:
  • The initialization extension has been moved into the core.
  • Added the get_internal_ip module. Using an unsigned applet we can detect the internal IP of the victim. The previous module (Beffeine) had issues, and this is the new replacement that works great.
  • Every HTTP endpoint of the framework, except for the admin_ui and the XssRays extension, now extends the Router class. This means that routes are managed by Sinatra, and when the web_imitation features are turned on those handlers will respond like an IIS or Apache server.
But, Michele isn't the only contributor to BeEF! For example, Brendan has given us the ability to detect whether anyone is using any of the 1,000 most popular Chrome extensions with the Get Chrome Extensions module. And, we now log a copy of the clipboard whenever a user copies or pastes text (IE6 only) with the Event Logger.

So, here's a shout out to all of the BeEF contributors, and the folks who inspire us. If you want to read more about the release or those who contributed, download the new version, or help out, check out our github or visit the project website.

Thank you for keeping up with us! Please let us know what you want to see, and what you find useful. We want your feedback, too!

Thursday, April 19, 2012

Why BeEF PHP is discontinued, and what's new in BeEF Ruby?

I'm sure a lot of you out there are still using the PHP version of BeEF. Actually, when I was speaking in various conferences about BeEF I realized that many people didn't know about the new Ruby BeEF.

The PHP version has been discontinued for various reasons:
  • It wasn't easy to extend from a core perspective.
  • When adding new modules, code was duplicated; you had to copy and paste a lot of code from previous modules, then add maybe 3 lines of JavaScript as the new code, resulting in anti-patterns.
  • There was no decent API.
  • IMHO PHP sucks for many reasons: it's got a ton of security issues, like Sendmail; it's not a true OO language, and programming with objects makes life easier. Ruby instead is OO, and the new BeEF heavily relies on that.
The new BeEF Ruby development started around mid-2010, with Wade's first post announcing it in October 2010. Rewriting BeEF from scratch had been on Wade's to-do list for quite some time. It required a bunch of developers and a good language.

Friday, April 13, 2012

Cloudy with a chance of BeEF

Running BeEF from a local workstation poses some problems during a penetration test: it doesn't have a static IP address, the workstation gets turned on and off, and it really doesn't demonstrate the impact of Internet-borne threats. Pentesters have been turning more and more to online VPS services, or Amazon's EC2. For example, check out the lightning talk that I did at CloudCamp: leveraging the "cloud" during penetration tests.

This is where the idea of running BeEF on an Amazon EC2 instance started to simmer.

These days, the BeEF project uses IaaS and other cloud-esque services for a lot of the work. We have our continuous integration server running tests against our github hosted source code, heck, even this blog utilises SaaS (note to readers: if you think *aaS isn't already used throughout your organisation, you are sorely mistaken).

So here's a quick and dirty method to get you running the latest version of BeEF on an Amazon EC2 instance in no time. Before we begin though, this installation method is heavily inspired by RVM's installation method, so it will look familiar to RVM users.

You might be thinking, why not just create a canned Amazon Machine Image (AMI) of BeEF? When we considered all the different Amazon regions in which we'd have to host an AMI, this method was just as simple, especially given all the changes to the framework over time. This process is still in its infancy though, so expect it to change in the future as the framework matures.

Tuesday, April 3, 2012

New and improved BeEF

Are you ready to thin the herd? It's a new release of BeEF! Here's what you'll get with today's release:
  • The much anticipated RESTful API we've been blogging about.
  • QRCode extension (curiosity fed the BeEF!).
  • Load configurations at the command line with the new -c option, as you requested, @_sid77.
  • History extraction from IE and Firefox.

Read about it in this prior blog post.

QRCode extension

This module will generate a BeEF hook QRCode, so that you can hook nosy smartphone users with posters or other social engineering tactics. Devious devious! If you're lucky, you can check out Christian at this month's OWASP AppSec APAC where he'll be speaking about BeEF. Maybe he'll include some tasty bits about this.

The -c command line option

This option loads a different master config.yaml file, which Git will automatically ignore. We saw a bunch of people asking for this on Twitter, so we added it.

History Extraction

You should be able to see which sites have been visited if your zombies are using IE or Firefox. We're working on support for Chrome and Opera, too. Note that some of the privacy settings in Chrome may still prevent this from working, but where there is no specific blocking software or setting in place, this should retrieve the history data accurately.

Other Stuff

... And we made fixes to the Rickroll module. YouTube keeps adding geo restrictions. But BeEF is never going to give you up, never going to let you down.

Download the latest BeEF.