Exploiting Local Dev Envs
Table Of Contents
Running Locally
BeEF
- Browser Exploitation Framework (BeEF)
- Creates a browser botnet that can be controlled by a central server
- "BeEF looks past the hardened network perimeter and examines exploitability within the context of the one open door: the web browser"
- What security assumption does this exploit?
- Our VPN protects our network from the public internet
How does BeEF work?
- Bob visits a page with malicious JavaScript
- Ex: Mallory's DOM XSS loaded evil.example.com:3000/hook.js
- hook.js interacts with Mallory's Command and Control (C&C) server
- Through the C&C server, Mallory launches attacks from the victim's browser
- BeEF allows Mallory to…
- Find servers on the victim's local area network (LAN)
- Including servers listening on localhost
- Make REST requests to these servers if CORS isn't strict
- Execute arbitrary JavaScript payloads within the victim's browser
Demo: How To Find A Dev's ES Instance
- Leverage BeEF Cross-Origin Scanner Module
- Check for an Elasticsearch (ES) instance running locally with a permissive CORS policy
- If ES has a permissive CORS policy, BeEF can
- Send any type of REST request to the DEV ES instance
- ES 5.6 Community Edition currently has no authentication built in
- Includes clustering interface
Demo: Finding A Prod ES Instance
- Scenario
- Dev is on VPN
- VPN contains a Prod ES instance
- Prod ES instance doesn't allow CORS
- It's "locked down" so BeEF attacks won't work
- "It's safe because it's on the VPN"
- BeEF Port Scanner Module
- Uses methods to avoid blocked ports or Same Origin Policy
- If a server doesn't allow CORS, it can still see if it exists
- Uses WebSockets, <img src=""> tags, etc.
Demo: Finding A Prod ES Instance (CONT.)
- Future: Script to scan subnet for hosts
- Port Scanner module currently scans 1 host at a time
- For simplicity we'll scan prod.example.com:9201
- Leverage DNS just for easier separation
Exfiltrating Data
- Due to PROD ES CORS Policy, BeEF can't directly connect…
- How could Mallory exfiltrate data while covering her tracks?
- Have DEV ES join PROD ES as a cluster member?
- Leverage Cross Cluster Search to query Prod ES without joining as a cluster member
- No syncing of complete dataset
Demo: Cross Cluster Search
Demo: Searching The PROD Cluster
- Pre-seeded with a sensitive-data index containing passwords
- Leverage CORS Request Module
- Will initiate this request on the victim's computer
Assumption Recap
- How did this all happen?
- DOM XSS allowed Mallory to control the victim's browser
- "Client-side XSS validation is a bad practice"
- Permissive CORS policy within DEV environment
- Allowed Mallory to establish a connection with a PROD ES instance
- "The outside internet can't interact with a process listening on localhost"
- Leveraging CE software with no authentication
- Allowed Mallory to exfiltrate data out of production ES instance
- "Our authentication is our VPN"
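The recap blames two node-level settings: a permissive CORS policy on the dev instance and an instance with no authentication. As an added example (not from the talk or the Elasticsearch project), here is a small audit over elasticsearch.yml that flags both; the two config fragments and the probe origin are constructed, and the xpack.security.enabled check assumes X-Pack is installed (ES 5.6 Community Edition, as the talk notes, has no authentication at all).

```python
import re

# Constructed elasticsearch.yml fragments for this example (not from the talk).
DEV_CONFIG = """
cluster.name: dev-local
network.host: 127.0.0.1
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"          # the permissive policy the demo relies on
http.cors.allow-credentials: true
"""
PROD_CONFIG = """
cluster.name: prod
network.host: 10.0.0.5
http.port: 9201
http.cors.enabled: false             # CORS refused, as in the Prod scenario
xpack.security.enabled: true         # assumes X-Pack security is installed
"""
PROBE_ORIGIN = "http://evil.example.com:3000"  # constructed origin used for the regex test

def parse_flat_yaml(text):
    """Parse the flat 'key: value' form elasticsearch.yml uses (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings

def origin_is_permissive(allow_origin):
    """True if http.cors.allow-origin admits an arbitrary origin.
    ES treats "*" as any origin and "/.../" as a regex; anything else is a
    literal origin. The regex test approximates ES's own matching."""
    if allow_origin == "*":
        return True
    if len(allow_origin) > 1 and allow_origin[0] == allow_origin[-1] == "/":
        return re.fullmatch(allow_origin[1:-1], PROBE_ORIGIN) is not None
    return False

def audit(yaml_text):
    """Return the findings a defender wants flagged for one node's config."""
    s = parse_flat_yaml(yaml_text)
    findings = []
    if s.get("http.cors.enabled", "false") == "true" and \
            origin_is_permissive(s.get("http.cors.allow-origin", "")):
        findings.append("permissive CORS: any page the user visits can issue REST calls to this node")
        if s.get("http.cors.allow-credentials", "false") == "true":
            findings.append("CORS with credentials: the browser would forward auth headers too")
    if s.get("xpack.security.enabled", "false") != "true":
        findings.append("no authentication: REST and cluster APIs are open to anyone who reaches the port")
    return findings
```

Running audit(DEV_CONFIG) reports all three findings, while audit(PROD_CONFIG) reports none; a dev node that must accept browser requests should name a literal origin rather than "*" or a catch-all regex.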
Mitigations
Knowledge Dependency Tree