Tuesday, January 15, 2013

BeEF QR Fun

With two hooks (customhook and qrcode), you can have quite a bit of fun in a pentest. Today's blog post uses these together for some fun(ny) and useful pentest ideas.

This post was contributed by Christian Frichot (@xntrik).



Where would BeEF be without hooking? Not very far. The concept of utilising a browser to gain information on a target, or better yet, compromise other systems, relies on a very important first step: hooking the browser. In BeEF parlance, this is the moment a browser executes the initial JavaScript payload (/hook.js) successfully and sets up a persistent communication channel back to the BeEF server. During BeEF’s early days as a young, unwieldy PHP app (hehe, you know I’m joking Wade, it kicked ass even back then), this initial hook was oftentimes a cross-site scripting (XSS) flaw that was exploited to inject the hook into a vulnerable website, where it was subsequently executed by a victim browser.

These days exploiting XSS flaws, whilst still common, is not as easy as it used to be. With the number of preventative controls really starting to stack up, you can see why attackers (read: pen testers :P) are starting to look at other means to entice a victim (read: authorising party) to bite on their hook. The following are just a few of those XSS controls:
  • Developers slowly starting to use input/output encoding/escaping;
  • Development frameworks slowly making it more and more difficult to accept or output unfiltered code by default;
  • Browser in-built XSS controls, such as those within IE and Chrome;
  • Add-on XSS controls, such as NoScript;
  • Content-Security-Policy headers.
So what other means does an attacker have? Well, plenty in fact. Primarily these currently fall into two families: Man-in-the-Middle (MitM) style injections, and social engineering tactics. We’ve blogged about some of these previously, including:
Both of which offer great insight into the different ways you can execute that initial hook against your victim.

In addition to Michele’s social engineering extensions, a couple of other extensions exist within BeEF that allow an attacker to hook a victim. These are the ‘Custom Hook Point with iFrame Impersonation’ (the customhook extension), and the ‘QR Code Generator’ (the qrcode extension). You can use these extensions separately, but combining them really helps an attacker successfully perform a browser-based social engineering attack. The customhook extension simply offers the attacker a custom mount point (beefserver.com/thisisacustommountpoint) within BeEF that, when visited by a browser, loads up the BeEF hook and then loads a full-screen iframe of the target website. While similar in concept to the web cloning extension, this extension does not require downloading the target website. Because the extension displays the target website in an iFrame, it only works when the target site does not utilise any frame-busting code. We here at BeEF prefer diversity in the ways in which you can use the tool, just like we enjoy a variety of different cuts (top, sirloin, shankle, tongue, tenderloin etc).
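Since the iFrame impersonation above only works against sites that can be framed by a third party, the natural check from the defending side is whether your own site sends framing protection. The following is an added example (not code from the original post or from BeEF) that audits response headers for X-Frame-Options and CSP frame-ancestors; the site names and headers in SAMPLE_SITES are constructed, and https://yourbeefserver.com stands in for the origin that would host the custom hook page.

```python
# Added example: decide from HTTP response headers whether a page could be
# loaded in an iframe served from an unrelated origin (the precondition for
# the customhook iFrame impersonation). Not part of BeEF.

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def can_be_framed_by(headers, origin):
    """True if a page with these headers would render inside an iframe hosted at origin.
    As in browsers, a CSP frame-ancestors directive wins over X-Frame-Options;
    with neither present, framing is allowed from anywhere."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = origin.lower()
    scheme = origin.split(":", 1)[0] + ":"          # e.g. "https:" scheme-source
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none', 'self' and listed origins all exclude a third party unless that
        # origin (or its whole scheme, or '*') is explicitly listed.
        return "*" in ancestors or origin in ancestors or scheme in ancestors
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    if xfo.startswith("ALLOW-FROM"):                  # legacy single-origin allow list
        return xfo[len("ALLOW-FROM"):].strip().lower() == origin
    return True                                       # no framing protection at all

# Constructed sample headers, as a defender would collect them from each site's front page.
SAMPLE_SITES = {
    "framable.example": {"Content-Type": "text/html"},
    "xfo.example": {"X-Frame-Options": "SAMEORIGIN"},
    "csp.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner.example": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

def audit(sites, origin="https://yourbeefserver.com"):
    """Map each site name to True if origin could frame it (a candidate for impersonation)."""
    return {name: can_be_framed_by(hdrs, origin) for name, hdrs in sites.items()}

if __name__ == "__main__":
    for name, framable in audit(SAMPLE_SITES).items():
        print(f"{name}: {'FRAMABLE' if framable else 'protected'}")
```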

You could use a customhook by itself quite nicely: fire up BeEF, trick a user (using shortened URLs for example) into visiting the custom mount point and away you go. But why stop there? You know how much we love hooking mobile devices, right? This is where the qrcode extension can come into play. For those who haven’t seen QR codes before, they’re the new fad in mobile/advertising, meant to be trivial for mobile devices to point at and then perform an action, such as visiting a URL. The qrcode extension itself is very basic: all it does is take a URL and give you back a Google Chart URL which generates the QR code for you. While you can use the extension if you wish, you can just as easily hit up https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl=<inserttargeturlhere> directly.

Tying it all together now, edit the beef/extensions/customhook/config.yaml file:

[Screenshot: customhook config.yaml]

Set enable to ‘true’, then configure your customhook_path (this will be the mount point), the customhook_target (what we’re going to shove into an iFrame) and the customhook_title (this will be what we set the HTML Title of the page to). If you want to add another layer of obfuscation you can wrap this custom hook URL in a shortened URL; go on, hit up bit.ly and generate a shortened URL for http://yourbeefserver.com/yougotchipmunked.

To leverage the QR code extension, edit beef/extensions/qrcode/config.yaml file:

[Screenshot: qrcode config.yaml]

Set enable to ‘true’, then drop your URL into the target setting.

When you start BeEF you should see the console respond with:

[Screenshot: console response with custom hook and qrcode links]

You can see a rough demo of this in action from my OWASP AppSec APAC 2012 YouTube demo here:

Happy fishing BeEFers!

-Christian ‘@xntrik’ Frichot

15 comments:

  1. There's also a web design company in Long island which performs this kind of website security protection to avoid any unwanted malwares in penetrating to the site itself. Good way to ensure that the site you got will not be hacked or infected.

    Luisa Will

  2. This comment has been removed by the author.

  3. If you want to start a small online advertising agency then you should contact a person with this kind of knowledge with Browser Exploitation Framework (BeEF). There is a high risk that your website can be hacked or injected from an unknown source so security is the priority.

    Lara Thompson

  4. Thanks for this brief lesson in manipulating the codes. Web designers are much aware of the possible attacks so we need security. - Ben Griffiths

  5. There's one tiny detail that developers keep forgetting here. Thanks for pointing that out!

    - Claudia Lacey

  6. Can anyone explain how to set up a static IP for BeEF, for using it over the internet? I am wondering this and can't find any info about it. I think it is a lot of people's problem too. Thanks

  7. Thanks for posting this useful content. Good to know about new things here. Let me share this. Hadoop training in Pune

  8. Andolasoft provides a devoted group of Java designers to help clients build their applications per their specification. java programming

  9. Well, it's not just fun, it's an actual topic, so better check out this entry, mate.

  10. Every day begins with big challenges at your college or university. These can be preparing a speech or writing an essay. It seems simple enough. But when you start working, you sometimes realize you have no idea where to begin. Sometimes, your mind just goes blank. If this is you, then a website like www.123helpme.com will be very helpful. If you seek information about “www 123helpme”, welcome to Scamfighter.

  11. When it comes to getting into nursing school, a good admission essay is at the center of the decision. An admission essay can help or hurt students who wish to get into nursing school. The essay is not only about the content but about other important components that let the admission board know that students are serious about entering their programs and that they will be valuable assets as well. It is important for potential nursing students to know that there are important elements needed to write the perfect admission essay to get into nursing school. writing an impressive nursing entrance essay for those who need academic assistance.

  12. Furniture installation company in Riyadh.......Kingdom Experts Company
    Furniture installation company in Riyadh
    It is natural that we treat furniture as if it will stay forever, so we install bedroom furniture with great care, as well as air conditioning units, kitchen cabinets, clothes washing machines and dishwashers. As much as doing so gives us a sense of stability and comfort, on the contrary, thinking about moving it to a new place causes us suffering and worry when we look at the amount of effort and time the move requires on one hand and the size of the risks to the furniture on the other. But this applies to the usual methods of moving furniture, or to carrying out the move yourself without the help of a company specialised in it; all of that can end completely when you use a company specialised in moving furniture.
    Kingdom Experts Company, a company with recognised marks of distinction in the field of furniture moving, thanks to its long experience and excellent service, through the following:
    Parquet installation company in Riyadh
    IKEA furniture installation company in Riyadh
    Curtain installation company in Riyadh
    Air conditioner cleaning company in Riyadh
    Bedroom installation company in Riyadh

  13. I have never dealt with user interaction pieces. I have been more focused on systems security posture versus users (awful as always). A customer would like me to test this tool out, so here goes nothing mobdro.io

  14. Good post! Thank you so much for sharing this pretty post; it was so good to read and useful to improve my knowledge as an updated one. Keep blogging.

    Selenium with python Training in Electronic City
