This is a special version of [BeEF](https://github.com/beefproject/beef) that implements all communication with its hooked browsers (zombies) via the Google Drive service.

At present, the Browser Exploitation Framework (BeEF) communicates with hooked browsers using standard mechanisms (e.g., XMLHttpRequest, WebSockets). It also supports an experimental WebRTC-based mechanism for creating a meshed network of hooked browsers. The main purpose of the latter mechanism is to avoid tracking of post-exploitation communication with the BeEF command and control server.

We propose an alternative approach against tracking of BeEF servers and their post-exploitation communications with zombies. The main idea is to use storage covert channel communication over well-known, popular cloud web services, for example Google Drive, by using them as a shared resource between the BeEF server and hooked browsers. In this case there is no direct communication between the BeEF server and zombies: all of them communicate only with Google API servers. The implementation is based on Google Drive file system primitives and its API.
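From the defender's side, a storage channel of this kind is only visible as Drive API traffic coming from pages that are not expected to use Drive. The following added example (not part of beef-drive or BeEF) counts such calls per client and page origin. The JSON log format, the allowlist, the threshold, and a TLS-inspecting proxy that records the `Origin` header are all assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Assumption: page origins expected to call the Drive API from a browser here.
ALLOWED_ORIGINS = {"https://drive.google.com", "https://docs.google.com"}
DRIVE_API_HOST = "www.googleapis.com"
DRIVE_API_PREFIXES = ("/drive/", "/upload/drive/")
MIN_REQUESTS = 3  # assumed threshold: repeated calls look like polling

# Constructed sample records (JSON lines) from a hypothetical inspecting proxy.
SAMPLE_LOG = """
{"client": "10.0.0.5", "url": "https://www.googleapis.com/drive/v2/files", "origin": "https://drive.google.com"}
{"client": "10.0.0.5", "url": "https://www.googleapis.com/drive/v2/files", "origin": "https://drive.google.com"}
{"client": "10.0.0.5", "url": "https://www.googleapis.com/drive/v2/files", "origin": "https://drive.google.com"}
{"client": "10.0.0.7", "url": "https://www.googleapis.com/drive/v2/files", "origin": "https://news.example"}
{"client": "10.0.0.7", "url": "https://www.googleapis.com/drive/v2/files", "origin": "https://news.example"}
{"client": "10.0.0.7", "url": "https://www.googleapis.com/upload/drive/v2/files", "origin": "https://news.example"}
{"client": "10.0.0.7", "url": "https://www.googleapis.com/drive/v2/files", "origin": "https://news.example"}
{"client": "10.0.0.7", "url": "https://www.googleapis.com/youtube/v3/videos", "origin": "https://news.example"}
{"client": "10.0.0.9", "url": "https://www.googleapis.com/drive/v2/about", "origin": "https://wiki.example"}
{"client": "10.0.0.8", "url": "https://www.googleapis.com/drive/v2/files", "origin": null}
"""

def is_drive_api(url):
    """True if the URL targets the Google Drive REST API."""
    parts = urlsplit(url)
    return parts.hostname == DRIVE_API_HOST and parts.path.startswith(DRIVE_API_PREFIXES)

def suspicious_drive_use(log_text, allowed=ALLOWED_ORIGINS, min_requests=MIN_REQUESTS):
    """Return {(client, origin): count} for Drive API calls from unexpected pages."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        origin = rec.get("origin")
        # Assumption: browser cross-origin calls carry Origin; skip other clients.
        if origin and origin not in allowed and is_drive_api(rec["url"]):
            counts[(rec["client"], origin)] += 1
    return {key: n for key, n in counts.items() if n >= min_requests}

if __name__ == "__main__":
    for (client, origin), n in suspicious_drive_use(SAMPLE_LOG).items():
        print(f"{client}: {n} Drive API calls from page origin {origin}")
```

Tune the allowlist to the web applications your organisation actually integrates with Drive; without TLS inspection the `Origin` header is not available and only destination and volume can be observed.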
1. Create an API key and an OAuth 2.0 client ID using the Google Developers Console.
2. In your Drive, create a folder named `answers` to store answers from zombies, a folder named `init` to store initial information from zombies, and a file named `keychain.txt` to store your API key. Save the IDs of these folders and the file. You can use any names for the folders and the file; the names above are used as an example only.
3. Clone beef-drive. Install all dependencies that are required for BeEF.
4. Add the IDs from step 2 to the following files:
   - `core/main/client/gdrive.js`:
     - `api_key` - Google OAuth2.0 API key
     - `answers_folder_id` - ID of the `answers` folder
     - `init_folder_id` - ID of the `init` folder
     - `keychain_file_id` - ID of the `keychain.txt` file
   - `extensions/gdrive/gdrive.rb`:
     - `client_id` - Google OAuth 2.0 client ID
     - `refresh_token` - Google OAuth 2.0 refresh token
     - `client_secret` - Google OAuth 2.0 client's secret
     - `@@answer_folder_id` - ID of the `answers` folder
     - `@@init_folder_id` - ID of the `init` folder
     - `@@key_file_id` - ID of the `keychain.txt` file
5. Run BeEF: `ruby beef`

The slides from our talk at Zero Nights 2015 are available [here](http://www.slideshare.net/dnkolegov/zn27112015).
The demonstration is available here.
- Denis Kolegov
- Oleg Broslavsky
- Nikita Oleksov
- [The Browser Exploitation Framework Project](https://github.com/beefproject/beef)
- [Hooked-Browser Meshed-Networks with WebRTC. Part 1](http://blog.beefproject.com/2015/01/hooked-browser-meshed-networks-with.html)
- Hooked-Browser Meshed-Networks with WebRTC. Part 2