Description: EXPLOITING INTERNAL NETWORK VULNS VIA THE BROWSER USING BEEF BIND
Browser exploits are a primary attack vector to compromise a victim's internal network, but they have major restrictions including: limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victim's browser, what if the victim's browser exploited internal systems for you?
The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victim's web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.
This attack technique (Inter-protocol Exploitation) frees browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network, covering whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.
So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits is configured to use the new BeEF Bind shellcode.
Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to set up a web listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.
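The defensive corollary of the technique described above is that an internal, non-HTTP service only becomes reachable this way if it tolerates an HTTP request line and headers arriving before its own protocol begins. The following is an added example (not code from the talk or from the BeEF project) of a guard such a service can apply to the first bytes of every new connection: it recognises a browser-shaped request (HTTP method, target, version, optional Host header) and lets the service drop the connection and log the attempted cross-protocol request. The sample byte strings and the `classify_prefix`/`should_drop` names are constructed for illustration.

```python
import re
import socket

# A browser-originated request always starts with an HTTP request line; any
# non-HTTP payload would be carried later, e.g. in a POST body. Matching the
# request line is therefore sufficient to recognise a cross-protocol request.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) [^\r\n ]+ HTTP/1\.[01]\r?\n"
)
HOST_HEADER = re.compile(rb"\r?\n[Hh]ost:[ \t]*([^\r\n]+)")


def classify_prefix(prefix: bytes) -> dict:
    """Classify the first bytes received on a socket of a NON-HTTP service.

    Returns a dict with 'http_shaped' (True if the bytes form an HTTP request
    line), the HTTP 'method' and the 'host' value the browser was aiming at,
    which tells a defender which internal host:port was being targeted.
    """
    match = HTTP_REQUEST_LINE.match(prefix)
    if not match:
        return {"http_shaped": False, "method": None, "host": None}
    method = match.group(1).decode()
    host_match = HOST_HEADER.search(prefix)
    host = host_match.group(1).decode(errors="replace").strip() if host_match else None
    return {"http_shaped": True, "method": method, "host": host}


def should_drop(prefix: bytes) -> bool:
    """Policy hook: a non-HTTP service should never see an HTTP request line."""
    return classify_prefix(prefix)["http_shaped"]


def guard_connection(conn: socket.socket, peek_len: int = 512) -> bool:
    """Peek at a freshly accepted connection without consuming data.

    Returns True if the connection was rejected as a cross-protocol request.
    The caller keeps the socket and continues its normal protocol otherwise.
    """
    prefix = conn.recv(peek_len, socket.MSG_PEEK)
    verdict = classify_prefix(prefix)
    if verdict["http_shaped"]:
        # Constructed log line; a real service would emit this to its logger.
        print("dropped cross-protocol request method=%s host=%s peer=%s"
              % (verdict["method"], verdict["host"], conn.getpeername()))
        conn.close()
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a genuine client command line of a hypothetical
    # line-based service, and a browser-shaped request aimed at the same port.
    legit = b"USER alice\r\n"
    browser = (b"POST / HTTP/1.1\r\nHost: 10.0.0.5:6667\r\n"
               b"Content-Type: text/plain\r\nContent-Length: 7\r\n\r\nUSER x\r\n")
    for sample in (legit, browser):
        print(sample[:20], "->", classify_prefix(sample))
```

The check is deliberately applied with `MSG_PEEK` so that a legitimate client's first bytes are left in the buffer for the real protocol handler; services that instead read and discard unknown leading lines are exactly the ones the talk's technique relies on.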
Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actually compromised internal machines. They can also increase the scope and success rate of their phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker through the firewall.
Come and see our live demonstration of this new attack technique in action!
TY MILLER & MICHELE ORRU BIO
Ty Miller
Ty is the instructor for his Black Hat training course "The Shellcode Lab". He performs independent security research, some of which he presented at Black Hat USA 2008 on his development of Reverse DNS Tunneling Shellcode. He is also a co-author of the book Hacking Exposed Linux 3rd Edition. Ty runs the popular shellcoding site Project Shellcode (www.projectshellcode.com) and was also involved in the design of the bootable CHAOS Linux cluster distribution.
Ty Miller is the Chief Technology Officer at Pure Hacking in Sydney, Australia. He leads their specialist security team to ensure that his team is at the forefront of specialist information security services. Ty has been in the IT security area for around ten years and has run numerous training courses for clients around the world and at various security conferences. These courses include web application penetration testing, web application secure coding, and infrastructure penetration testing.
Michele Orru
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on web applications security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, OWASP and more we just can't disclose. Besides having a passion for hacking and being a Senior Spider (for Trustwave SpiderLabs), he enjoys leaving his Mac alone, whilst fishing on salted water and praying for Kubrick's resurrection.
For more information please visit: http://2012.ruxcon.org.au/speakers
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.