We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Hooked Browser: Meshed-Networks with WebRTC and BeEF

59
 Zitieren
 Teilen
 Herunterladen
 Bestellen
Kein Logo verfügbarDEF CON
 Frichot, Christian

Formale Metadaten

Titel
Hooked Browser: Meshed-Networks with WebRTC and BeEF
Untertitel
The sad tale of vegetarian browsers
Serientitel
Anzahl der Teile
109
Autor
Lizenz
CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
Identifikatoren
Herausgeber
Erscheinungsjahr
Sprache

Inhaltliche Metadaten

Fachgebiet
Genre
Abstract
One of the biggest issues with BeEF is that each hooked browser has to talk to your BeEF server. To try and avoid detection, you often want to try and obfuscate or hide your browsers, particularly if you're heavily targeting a single organization. Don’t worry Internet-friends, those crazy pioneers at Google, Mozilla and Opera have solved this problem for you with the introduction of Web Real-Time Communications (WebRTC). Initially designed to allow browsers to stream multimedia to each other, the spec has made its way into most Chrome and Firefox browsers, not to mention it’s enabled by default. Using this bleeding-edge web technology, we can now mesh all those hooked browsers, funnelling all your BeEF comms through a single sacrificial beach-head. Leveraging WebRTC technologies (such as STUN/TURN and even the fact the RTC-enabled browsers on local subnets can simply UDP each other), meshing browsers together can really throw a spanner into an incident-responders work. The possibilities for a browser-attacker are fairly endless, channeling comms through a single browser, or, making all the browsers communicate with each other in round-robin. This is just another tool tucked into your belt to try and initiate and maintain control over browsers. This presentation will present a background into WebRTC, and then demonstrate the WebRTC BeEF extension. (Bloody JavaScript...) Speaker Bio: Christian is an Australian security professional and founder of Asterisk Information Security based in Perth. He is one of the co-authors of the recently published Browser Hacker’s Handbook (by Wiley), and long-term code-funkerer of the BeEF project. When not performing application security or penetration testing gigs, Christian spends his time either ranting about appsec or pining to get behind his drumkit. He has a deep love/hate relationship with web browsers and JavaScript. Christian has presented at numerous Australian security conferences, including OWASP AppSec APAC, the Australian Information Security Association's Perth Con, ISACA's Perth Con, OWASP Melbourne, and Ruxmon. In addition, Christian was fortunate to present at Kiwicon 8 in New Zealand at the end of 2014. s that Christian has been involved with include BeEF, OWASP's SAMM Self Assessment Tool, Prenus (the pretty Nessus thing), Burpdot (graphing connectivity between URLs from Burp), and the Devise Google Authenticator extension. Christian has been blogging on un-excogitate.org and labs.asteriskinfosec.com.aufor ages now, and is often found on twitter (@xntrik) raging about various security topics. Twitter: @xntrik