An engineer has devised a new way to help combat BeEF, or browser exploit framework attacks.
The tool, a Chrome extension, detects and blocks hooks from BeEF–an exploit tool similar to Metasploit–that uses JavaScript to control browsers. Routinely used by researchers, pen testers, and attackers, the tool has a multifunctional control panel that allows for the deployment of attacks and siphoning of data.
Brian Wallace, a security researcher and engineer with Cylance’s advanced research team SPEAR released the cleverly titled extension, Vegan, on Wednesday in the Chrome Store.
I found it weird that I couldn’t find a working method to avoid BeEF hooks in my browser…so I made one. https://t.co/h4o4clbk3M
— bwall: Brian Wallace (@botnet_hunter) June 25, 2015
Wallace points out in a blog entry about the tool that Vegan is open source, proof of concept, and acknowledges while it can detect and block attacks it can’t stop them outright.
That’s because the tool is largely built on a truncated Snort rule that with a little work, can be bypassed. The rule looks for HTTP clients communicating with remote HTTP servers and helps detect any instances of BeEF running with a default configuration or communicating over unencrypted HTTP.
If an attacker wanted to go out of their way to modify a configuration file, or change the name of the cookie that Vegan drops, they could bypass the rule.
“From the BeEF configuration file, we can see that we can change not only this cookie name, but quite a few other values, including other cookie names,” Wallace writes.
Wallace admits the tool isn’t failsafe. Developers for BeEF could change their tool to avoid detection from Vegan down the line if they wanted to as well, Wallace says, and for that reason is encouraging those looking to use his extension to do so at their own discretion.
For now the tool works though. In addition to detection, Wallace also added a prevention mechanism to the tool that blocks any domain attempts to set the cookie Vegan is detecting.
“While a detection method is important, it really only tells the user they are now at the will of the attacker, and there is not much the victim can do,” Wallace writes, “This will prevent the browser from being able to communicate with the BeEF panel.”
Wallace, who’s a fan of BeEF, came up with the extension because he wanted to make it easier to know when he’s been hooked.
I'd like make it very clear, I'm a fan of @beefproject but I want to ensure I know if I get hooked. re: http://t.co/h4o4clbk3M
— bwall: Brian Wallace (@botnet_hunter) June 25, 2015
“[BeEF] is a useful tool for offensive security researchers looking to test out attacks against browsers, as well as further gaining access during penetration testing. While this tool is well known, any protections against it are not,” Wallace writes.
