Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hooked-browser network with BeEF and Google Drive

Denis Kolegov
November 27, 2015

Hooked-browser network with BeEF and Google Drive

Denis Kolegov

November 27, 2015
Tweet

More Decks by Denis Kolegov

Other Decks in Research

Transcript

  1. HOOKED-BROWSER NETWORK WITH BEEF AND GOOGLE DRIVE Denis Kolegov, Oleg

    Broslavsky, Nikita Oleksov Tomsk State University Information Security and Cryptography Department
  2. Hooked-browser network with BeEF and Google Drive Post-exploitation After vulnerability

    exploitation and taking control over victim’s system intruder should find a way to establish communication between browser and C&C server Common communication channels in web application are: • XML HTTP Request • WebSockets • WebRTC ?
  3. Hooked-browser network with BeEF and Google Drive Not long ago

    Christian Frichot (aka @xntrik) in his talk at Kiwicon 2014 presented BeEF WebRTC extension “One of the biggest issues with BeEF is that each hooked browser has to talk to your BeEF server. To try and avoid detection, you often want to try and obfuscate or hide your browsers. Using this bleeding-edge web technology, we can now mesh all those hooked browsers, tunneling all your BeEF come through a single sacrificial beach- head.” Prehistory WebRTC XHR/WS
  4. Hooked-browser network with BeEF and Google Drive The last direct

    communication channel can be tracked or blocked by IDS/IPS. So we decided to find out a way to get rid of it The main idea is to use some trusted server as a communication channel as it is done in projects like • Gcat • Twittor Not totally invisible WebRTC XHR/WS I can still detect you, man
  5. Hooked-browser network with BeEF and Google Drive Our team have

    researched a new type of covert timing channels based on HTTP cache control headers and couple of ways to implement it in different environments One of such environments was Google Drive, so we decided to use it in a communication channel one more time Our previous researches
  6. Hooked-browser network with BeEF and Google Drive Sometimes BeEF need

    to send a really huge amount of data so why not to use something that is designed to work with it? Cloud storage services like Google Drive or Dropbox are trusted (not marked as suspicious activity) in most networks and have a nice API to work with them using JavaScript We need a cloud WebRTC XHR/WS
  7. Hooked-browser network with BeEF and Google Drive Let’s understand what’s

    going on in the BeEF Under the BeEF’s hood Intruder BeEF server consisted of 2 parts Zombie browser UI server is used by an intruder and makes BeEF to look awesome Command server does all the stuff with zombies hook.js forces browser to do the bad things
  8. Hooked-browser network with BeEF and Google Drive Command server can

    be viewed as a bunch of handlers each of which is doing its own job Command server details Command server Zombie browser ‘/init’ handler – processes the information from new zombies ‘/event’ handler – stores logs sent by zombies ‘/’ handler – provides new commands Command handlers – separate handlers that processes results each of his command Send the browser details Log user’s activity Get new commands Send results
  9. Hooked-browser network with BeEF and Google Drive As we can

    we BeEF is designed as common network application with active client and passive server So the first of all we should teach the server to tell with zombies via cloud using polling model The beginning of indirect communication Polling Polling
  10. Hooked-browser network with BeEF and Google Drive Indirect communication on

    the server side Init Answers Zombie1 Zombie2 Get an initial information about new coming zombies Receive answers Send commands to zombie browsers Trash old files, empty the trash
  11. Hooked-browser network with BeEF and Google Drive Indirect communication on

    the client side Init Answers Zombie1 Zombie2 Send browser default as a first request to the server Store all information for command server Pull commands from its own folder and move read commands to the trash
  12. Hooked-browser network with BeEF and Google Drive To perform action

    via Google Drive API we need 3 different keys: One more thing is access Master key – used by server to update Auth key via OAuth Auth key – used by client and server to perform any write access on the Google Drive API key – used by client to read renewed Auth key from special keychain file
  13. Hooked-browser network with BeEF and Google Drive Proof of Concept:

    https://youtu.be/_RfBUEcvynM https://github.com/tsu-iscd/beef-drive