Hooked Browser Meshed-Networks with WebRTC and BeEF

Presented at DEF CON 23 (2015), Aug. 7, 2015, 6 p.m. (60 minutes)

One of the biggest issues with BeEF is that each hooked browser has to talk to your BeEF server. To try and avoid detection, you often want to try and obfuscate or hide your browsers, particularly if you're heavily targeting a single organization. Don't worry Internet-friends, those crazy pioneers at Google, Mozilla and Opera have solved this problem for you with the introduction of Web Real-Time Communications (WebRTC). Initially designed to allow browsers to stream multimedia to each other, the spec has made its way into most Chrome and Firefox browsers, not to mention it's enabled by default. Using this bleeding-edge web technology, we can now mesh all those hooked browsers, funnelling all your BeEF comms through a single sacrificial beach-head. Leveraging WebRTC technologies (such as STUN/TURN and even the fact the RTC-enabled browsers on local subnets can simply UDP each other), meshing browsers together can really throw a spanner into an incident-responders work. The possibilities for a browser-attacker are fairly endless, channeling comms through a single browser, or, making all the browsers communicate with each other in round-robin. This is just another tool tucked into your belt to try and initiate and maintain control over browsers. This presentation will present a background into WebRTC, and then demonstrate the WebRTC BeEF extension. (Bloody JavaScript...)


Presenters:

  • Christian Frichot / xntrik - Principal Security Consultant at Asterisk Information Security   as Christian (@xntrik) Frichot
    Christian is an Australian security professional and founder of Asterisk Information Security based in Perth. He is one of the co-authors of the recently published Browser Hacker’s Handbook (by Wiley), and long-term code-funkerer of the BeEF project. When not performing application security or penetration testing gigs, Christian spends his time either ranting about appsec or pining to get behind his drumkit. He has a deep love/hate relationship with web browsers and JavaScript. Christian has presented at numerous Australian security conferences, including OWASP AppSec APAC, the Australian Information Security Association's Perth Con, ISACA's Perth Con, OWASP Melbourne, and Ruxmon. In addition, Christian was fortunate to present at Kiwicon 8 in New Zealand at the end of 2014.s that Christian has been involved with include BeEF, OWASP's SAMM Self Assessment Tool, Prenus (the pretty Nessus thing), Burpdot (graphing connectivity between URLs from Burp), and the Devise Google Authenticator extension. Christian has been blogging on un-excogitate.org and labs.asteriskinfosec.com.aufor ages now, and is often found on twitter (@xntrik) raging about various security topics. Twitter: @xntrik

Links:

Similar Presentations: