Having Fun With BeEF, The Browser Exploitation Framework

Tue, 22 Feb 2011 11:40:26 GMT
by pagvac

We haven't featured any guest bloggers in a while, but we're glad to be featuring Chirstian Frichot this month! Christian is a security professional based in Perth, Western Australia. He's currently working in the finance industry as part of a tight-knit internal team of security consultants doing their best to protect their business and customers from technical threats such as malware or insecure web applications.

After having met Wade Alcorn (the initial author and project lead of BeEF), Christian mentioned his interest in helping out on the project where he could, which eventually led to Wade accepting his offer. The discussion was held over a couple of bottles of wine, so perhaps Wade's regretting the decision now!

Christian's role within the BeEF project, if it were to be defined, is odd-jobs-go-to-boy, command-module implementer, Ext-JS-fighter and twitter maintainer. When Christian is not working on BeEF, he's doing his best to represent the Perth OWASP Chapter, or laying down crunchy beats on the drum-kit.

What follows are Chritian's words on the BeEF project.

Sorry vegetarians, but BeEF is back. That's right, the Browser Exploitation Framework is back, and it has now been rewritten from the ground up in Ruby. For those unfortunate people who haven't had a chance to explore the older, PHP version of BeEF you're only missing out on one of the greatest, most extensible XSS-payload management and exploitation frameworks out there, and the Ruby re-write is no different.

The Browser Exploitation Framework (BeEF) is a powerful, professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target.

One of the newer modules implemented in BeEF utilises the insecure handling of URL schemes in Apple's iOS to trick Skype into starting an outbound call. This vulnerability was first written about by Nitesh Dhanjani and highlights that with the growing popularity of these devices these sorts of issues may lead to losses of information or other negative impacting events. The module itself is as simple as:

beef.execute(function() {
    document.body.innerHTML = "<iframe src=skype:<%= @tel_num %>?call></iframe>";
    beef.net.sendback("<%= @command_url %>", <%= @command_id %>, "result=IFrame Created!");

which, once added to a particular hooked browsers command queue will simply execute upon next poll, and if they automatically authenticate to the Skype application, will initiate a call. Due to iOS' multi-tasking the Skype app does pop up to the top, so the end user is aware that the activity is occurring, but they're not prompted to "confirm" the action. You can see this module demonstrated bellow:

The current release is, but by release 0.5 (the Sirloin Release) we're expecting to have at least all of the PHP BeEF functionality provided plus much more, including:

  1. jQuery included as part of the hooking process
  2. Metasploit integration
  3. Evercookie's for persistence even after a hooked browser has been closed
  4. Full event logging, not just keystroke logging, to include window activation/deactivation, mouse clicks, etc
  5. Arbitrary HTTP requester
  6. Proxying
  7. Persistence modules (subtle popups or 100%x100% iframes)
  8. Detecting of social networking authentication status (as per this)

You can find out more about beef over at http://beef.googlecode.com or by following the @beefproject.

BeEF - Get it into ya!

Archived Comments

Nice reminder... might be time to take another look at BeEF.