• Aucun résultat trouvé

HOOKED-BROWSER NETWORK

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "HOOKED-BROWSER NETWORK"

Copied!
14
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

WITH BEEF AND GOOGLE DRIVE

Denis Kolegov, Oleg Broslavsky, Nikita Oleksov

Tomsk State University

Information Security and Cryptography Department

(2)

Post-exploitation

After vulnerability exploitation and taking control over victim’s system intruder should find a way to establish communication between browser and C&C server

Common communication channels in web application are:

• XML HTTP Request

• WebSockets

• WebRTC

?

(3)

Not long ago Christian Frichot (aka @xntrik) in his talk at Kiwicon 2014 presented BeEF WebRTC extension

“One of the biggest issues with BeEF is that each hooked browser has to talk to your BeEF server. To try and avoid detection, you often want to try and obfuscate or hide your browsers. Using this bleeding-edge web technology, we can now mesh all those hooked browsers, tunneling all your BeEF come through a single sacrificial beach- head.”

Prehistory

WebRTC XHR/WS

(4)

The last direct communication channel can be tracked or blocked by IDS/IPS. So we decided to find out a way to get rid of it The main idea is to use some trusted

server as a communication channel as it is done in projects like

• Gcat

• Twittor

Not totally invisible

WebRTC XHR/WS I can still detect you,

man

(5)

Our team have researched a new type of covert timing channels based on HTTP cache control headers and

couple of ways to implement it in different environments One of such environments was Google Drive, so we

decided to use it in a communication channel one more time

Our previous researches

(6)

Sometimes BeEF need to send a really huge amount of data so why not to use something that is designed to work with it?

Cloud storage services like Google Drive or Dropbox are trusted (not marked as

suspicious activity) in most networks and have a nice API to work with them using JavaScript

We need a cloud

WebRTC XHR/WS

(7)

Let’s understand what’s going on in the BeEF

Under the BeEF’s hood

Intruder BeEF server consisted of 2 parts Zombie browser

UI server is used by an intruder and makes BeEF to look

awesome

Command server does all the stuff

with zombies hook.js forces browser to do the

bad things

(8)

Command server can be viewed as a bunch of handlers each of which is doing its own job

Command server details

Command server

Zombie browser

‘/init’ handler – processes the information from new zombies

‘/event’ handler – stores logs sent by zombies

‘/’ handler – provides new commands

Command handlers – separate handlers that processes results

each of his command

Send the browser details

Log user’s activity Get new commands

Send results

(9)

As we can we BeEF is designed as common network application with active client and passive server

So the first of all we should teach the

server to tell with zombies via cloud using polling model

The beginning of indirect communication

Polling Polling

(10)

Indirect communication on the server side

Init Answers Zombie1 Zombie2

Get an initial information about new coming zombies

Receive answers

Send commands to zombie browsers

Trash old files, empty the trash

(11)

Indirect communication on the client side

Init Answers Zombie1 Zombie2

Send browser default as a first request to the

server

Store all information for command server

Pull commands from its own folder and move read commands to the trash

(12)

To perform action via Google Drive API we need 3 different keys:

One more thing is access

Master key – used by server to update Auth

keyvia OAuth

Auth key – used by client and server to perform any write access on the Google

Drive

API key – used by client to read renewed Auth

key from special keychain file

(13)

Proof of Concept: https://youtu.be/_RfBUEcvynM

https://github.com/tsu-iscd/beef-drive

(14)

Thank you for the attention!

Références

Télécharger maintenant ( PDF - 14 Page - 1.21 MB )

Documents relatifs

Control of a remote system over network including delays and packet dropout

Theorem 1 allows the robust stability of the global remote system to be guaranteed with respect to the packet dropout and for observer and controller gains given in Seuret et al..

A self-correcting information flow control model for the web-browser

When a function writes a secret value into a public variable, this variable is split and added as a dependent node to the dependency graph.. If this split variable becomes dependent

Next generation ontology browser

The Clinical Informatics team at the Medical College of Wisconsin has developed ClinMiner, a clinical research portal for clinical and diagnostic information on patients in

A Database Browser Based on Pattern Concepts

Each concept intent corresponds to a logical formula (or query) in one or more free variables, using relational expressions over function terms with variables where the functions

Ontobee: A Linked Data Server and Browser for Ontology Terms

[r]

Exploitation of a displacement survey to detect road network use vulnerability

In their paper [8], the authors have presented a model to estimate the time required to evacuate a neighborhood according to the population, the number of vehicles and roads

Log Skeleton Filter and Browser

Allowing a noise level of 50% or more makes hardly any sense, as this could allow multiple contradicting constraints between two activities. As such, we have chosen a maximal

Tuning Browser-to-Browser Offloading for Heterogeneous Stream Processing Web Applications

In this paper, we take the offloading concept and apply it in a distributed streaming infrastructure [4] where clients and the cloud are tightly coupled to form stream