log progress on testing modules
@@ -39,21 +39,16 @@ Test these modules using **Firefox** on your local Linux VM. They leverage stand
|
||||
| [x] | **Create Pop Under** | 1. Set `Clickjack` to `on` (waits for click) or `off` (immediate).<br>2. Execute module.<br>3. If Clickjack=on, click anywhere on page.<br>4. Check for small hidden window in taskbar (or DevTools: new window to `/demos/plain.html`).<br>5. Verify BeEF shows 2nd hooked browser. | Close pop-under window. | |
|
||||
| [-] | **Cross-Origin Scanner (CORS)** | 1. Set `Scan IP range` (e.g., `127.0.0.1-127.0.0.1`) and `Ports` (e.g., `80,443,8080`).<br>2. Execute module.<br>3. Check command results for list of discovered web servers allowing CORS. | None. | See [CORS-001](testing_errors.md#cors-001-cross-origin-scanner-cors-module-error) |
|
||||
| [x] | **DNS Enumeration** | 1. Configure: `DNS (comma separated)`, `Timeout (ms)`<br>2. Click Execute.<br><br>_Discover DNS hostnames within the victim's network using dictionary and timing attacks._ | None. | |
|
||||
| [ ] | **DOSer** | 1. Configure: `URL`, `Delay between requests (ms)`, `HTTP Method`...<br>2. Click Execute.<br><br>_Do infinite GET or POST requests to a target._ | None. | |
|
||||
| [ ] | **Detect Antivirus** | 1. Execute module.<br>2. Check command results for detected AV products (e.g., Norton, McAfee, Avast JS signatures). | None. | |
|
||||
| [ ] | **Detect Extensions** | 1. Execute module.<br>2. Check command results for list of detected Chrome/Firefox extensions. | None. | |
|
||||
| [ ] | **Detect FireBug** | 1. Click Execute.<br><br>_This module checks if the Mozilla Firefox Firebug extension is being use._ | None. | |
|
||||
| [ ] | **Detect LastPass** | 1. Click Execute.<br><br>_This module checks if the LastPass extension is installed and active._ | None. | |
|
||||
| [ ] | **Detect MIME Types** | 1. Click Execute.<br><br>_This module retrieves the browser's supported MIME types._ | None. | |
|
||||
| [ ] | **Detect Popup Blocker** | 1. Execute module.<br>2. Check command result: "Popup blocker enabled" or "Popup blocker not detected". | None. | |
|
||||
| [ ] | **Detect Toolbars** | 1. Click Execute.<br><br>_Detects which browser toolbars are installed._ | None. | |
|
||||
| [ ] | **ETag Tunnel: Server-to-Client** | 1. Configure: `Payload Name`, `Message`<br>2. Click Execute.<br><br>_This module sends data from server to client using ETag HTTP header._ | None. | |
|
||||
| [ ] | **Fetch Port Scanner** | 1. Set `Scan IP or Hostname` (e.g., `127.0.0.1`) and `Specific port(s)` (e.g., `22,80,443,3000`).<br>2. Execute module.<br>3. Check command results for open/closed port status. | None. | |
|
||||
| [ ] | **Fingerprint Browser (PoC)** | 1. Execute module.<br>2. Check command results for browser name, version, and platform. | None. | |
|
||||
| [ ] | **Fingerprint Browser** | 1. Execute module.<br>2. Check command results for detailed fingerprint (canvas, WebGL, fonts, plugins, etc.). | None. | |
|
||||
| [ ] | **Fingerprint Local Network** | 1. Configure: `Scan IP range (C class)`, `Ports to test`, `Workers`...<br>2. Click Execute.<br><br>_Discover devices and applications in the victim's Local Area Network._ | None. | |
|
||||
| [ ] | **Fingerprint Routers** | 1. Click Execute.<br><br>_This module attempts to discover network routers on the local network._ | None. | |
|
||||
| [ ] | **Get Geolocation (API)** | 1. Execute module.<br>2. Allow/deny location permission in browser popup.<br>3. If allowed, check results for latitude/longitude coordinates. | None. | |
|
||||
| [x] | **DOSer** | 1. Set `URL` to `http://127.0.0.1:3000/demos/plain.html`.<br>2. Set `Delay between requests (ms)` to `100`.<br>3. Set `HTTP Method` to `GET`.<br>4. Execute module.<br>5. Wait for status report in results (appears every 10s: "Requests sent: X").<br>6. Verify ongoing requests in browser DevTools → Network tab. | Refresh hooked page to stop worker. | |
|
||||
| [-] | **Detect Extensions** | 1. Execute module.<br>2. Check command results for list of detected Chrome/Firefox extensions. | None. | See [EXT-001](testing_errors.md#ext-001-detect-extensions-module-failure) |
|
||||
| [x] | **Detect MIME Types** | 1. Click Execute.<br><br>_This module retrieves the browser's supported MIME types._ | None. | |
|
||||
| [x] | **Detect Popup Blocker** | 1. Execute module.<br>2. Check command result: "Popup blocker enabled" or "Popup blocker not detected". | None. | |
|
||||
| [x] | **Fetch Port Scanner** | 1. Set `Scan IP or Hostname` (e.g., `127.0.0.1`) and `Specific port(s)` (e.g., `22,80,443,3000`).<br>2. Execute module.<br>3. Check command results for open/closed port status. | None. | |
|
||||
| [-] | **Fingerprint Browser (PoC)** | 1. Execute module.<br>2. Check command results for browser name, version, and platform. | None. | See [FP-001](testing_errors.md#fp-001-fingerprint-browser-poc-module-failure) |
|
||||
| [x] | **Fingerprint Browser** | 1. Execute module.<br>2. Check command results for detailed fingerprint (canvas, WebGL, fonts, plugins, etc.). | None. | |
|
||||
| [-] | **Fingerprint Local Network** | 1. Run `hostname -I` to find your IP (e.g., `192.168.1.5`).<br>2. Set `Scan IP range` to `common` (or specific IP).<br>3. Open Browser DevTools -> Network tab.<br>4. Execute module.<br>5. **Verify**: You will see many requests in DevTools (red/failed is normal).<br>6. **Duration**: `common` scan takes ~10-30s. Full /24 scan takes minutes.<br>7. Check BeEF results for any detected devices. | Refresh page to stop early. | See [NET-001](testing_errors.md#net-001-fingerprint-local-network-no-feedback) |
|
||||
| [-] | **Fingerprint Routers** | 1. Click Execute.<br><br>_This module attempts to discover network routers on the local network._ | None. | See [NET-002](testing_errors.md#net-002-fingerprint-routers-module-error) |
|
||||
| [x] | **Get Geolocation (API)** | 1. Execute module.<br>2. Allow/deny location permission in browser popup.<br>3. If allowed, check results for latitude/longitude coordinates. | None. | |
|
||||
| [ ] | **Get HTTP Servers (Favicon)** | 1. Configure: `Remote IP(s)`, `Ports`, `Workers`...<br>2. Click Execute.<br><br>_Attempts to discover HTTP servers on the specified IP range by checking for a favicon._ | None. | |
|
||||
| [ ] | **Get Internal IP WebRTC** | 1. Execute module.<br>2. Check command results for local/private IP address (e.g., `192.168.x.x`). | None. | |
|
||||
| [ ] | **Get Protocol Handlers** | 1. Configure: `Link Protocol(s)`, `Link Address`<br>2. Click Execute.<br><br>_This module attempts to identify protocol handlers present on the hooked browser._ | None. | |
|
||||
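Review bot: In the Fingerprint Local Network row, step 1 has the tester look up their address with `hostname -I`, but step 2 then sets `Scan IP range` to `common` "(or specific IP)", so the value from step 1 is never clearly used. Either drop step 1 or state which form the field expects when the looked-up address is entered. In the DOSer row, consider stating that `URL` must stay on the loopback demo page (`http://127.0.0.1:3000/demos/plain.html`) so the request loop is never pointed at a host outside the test VM.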
@@ -207,7 +202,7 @@ Requires the user to be logged into valid accounts (Gmail, Facebook, etc.) or su
|
||||
| [ ] | **Fake Notification Bar (Chrome)**| 1. Configure: `URL`, `Notification text`<br>2. Click Execute.<br><br>_Displays a fake Chrome notification bar._ | None. | |
|
||||
| [ ] | **Fake Notification Bar (Firefox)**| 1. Configure: `Plugin URL`, `Notification text`<br>2. Click Execute.<br><br>_Displays a fake Firefox notification bar._ | None. | |
|
||||
| [ ] | **Fake Notification Bar (IE)** | 1. Configure: `URL`, `Notification text`<br>2. Click Execute.<br><br>_Displays a fake IE notification bar._ | None. | |
|
||||
| [ ] | **Google Phishing** | 1. Configure: `XSS hook URI`, `Gmail logout interval`...<br>2. Click Execute.<br><br>_XSRF logout of Gmail, show phishing page._ | None. | |
|
||||
| [x] | **Google Phishing** | 1. Configure: `XSS hook URI`, `Gmail logout interval`...<br>2. Click Execute.<br><br>_XSRF logout of Gmail, show phishing page._ | None. | |
|
||||
| [ ] | **Read Gmail** | 1. Click Execute.<br><br>_Grabs unread message ids from gmail atom feed._ | None. | |
|
||||
| [ ] | **Send Gvoice SMS** | 1. Configure: `To`, `Message`<br>2. Click Execute.<br><br>_Send a text message (SMS) through Google Voice._ | None. | |
|
||||
| [ ] | **Skype iPhone XSS** | 1. Click Execute.<br><br>_Steals iPhone contacts using a Skype XSS vuln._ | None. | |
|
||||
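Review bot: The Google Phishing row is now marked `[x]`, but its instructions still read "Configure: `XSS hook URI`, `Gmail logout interval`..." with no verification step and `None.` for cleanup. The module description says it performs an XSRF logout of Gmail, so the test account's session state changes during the test. Record the values used, what result counted as a pass, and a cleanup step (for example, sign back in to or discard the test account), in the same style as the DOSer row.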
@@ -223,6 +218,51 @@ Requires specific network configurations (e.g., DNS, Tor, Proxy, WPAD).
|
||||
| [ ] | **Detect Tor** | 1. Configure: `What Tor resource to request`, `Detection timeout`<br>2. Click Execute.<br><br>_This module will detect if the zombie is currently using Tor._ | None. | |
|
||||
| [ ] | **Get Proxy Servers (WPAD)** | 1. Click Execute.<br><br>_This module retrieves proxy server addresses for the zombie browser's local network using WPAD._ | None. | |
|
||||
|
||||
#### 3.2.6 Antivirus (Requires Specific AV/Extension)
|
||||
The "Detect Antivirus" module looks for artifacts (injected scripts, user-agent changes, or specific DOM elements) created by commercial antivirus products or their browser extensions.
|
||||
|
||||
**Setup Steps (Local VM):**
|
||||
1. **Install Browser Extension**: BeEF detects specfic artifacts in the DOM or User-Agent string. A free option to test is the **Avast Online Security** extension.
|
||||
- Open Firefox in the VM.
|
||||
- Navigate to the [Avast Online Security & Privacy](https://addons.mozilla.org/en-US/firefox/addon/avast-online-security/) addon page.
|
||||
- Click **Add to Firefox**.
|
||||
2. **Execute**: Run the module.
|
||||
- *Note: valid detection depends on the extension injecting specific signatures (e.g. `ASW/` in User-Agent) which may vary by version.*
|
||||
|
||||
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|
||||
| :---: | :--- | :--- | :--- | :--- |
|
||||
| [ ] | **Detect Antivirus** | 1. Install Avast extension (see above).<br>2. Execute module.<br>3. Check results for "Avast" or other detected AV. | Uninstall extension. | |
|
||||
|
||||
#### 3.2.7 Browser Extensions (Requires Installation)
|
||||
These modules detect specific browser extensions which must be installed in the hooked browser to be detectable.
|
||||
|
||||
**Setup Steps:**
|
||||
1. **LastPass**: Install the [LastPass Password Manager](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/) extension in Firefox.
|
||||
2. **FireBug**: Note that FireBug is legacy/obsolete. This module may only work on older browser versions or specific legacy environments.
|
||||
|
||||
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|
||||
| :---: | :--- | :--- | :--- | :--- |
|
||||
| [x] | **Detect FireBug** | 1. Execute module.<br>2. Verify detection if legacy FireBug is present. | None. | |
|
||||
| [ ] | **Detect LastPass** | 1. Install LastPass extension.<br>2. Execute module.<br>3. Verify results show "Detected LastPass...". | Uninstall extension. | |
|
||||
| [ ] | **Detect Toolbars** | 1. Install a supported toolbar (e.g. legacy Google Toolbar, Alexa Toolbar).<br>2. Execute module.<br>3. Verify results show the detected toolbar name. | Uninstall toolbar. | |
|
||||
|
||||
#### 3.2.8 BeEF Extensions (Requires Configuration)
|
||||
Some modules require specific BeEF extensions to be enabled in the server configuration.
|
||||
|
||||
**Setup Steps:**
|
||||
1. **Enable ETag Extension**:
|
||||
- Open `config.yaml` in the BeEF root directory.
|
||||
- Find the `extension: etag:` section.
|
||||
- Set `enable: true`.
|
||||
2. **Enable S2C DNS Tunnel Extension** (if testing DNS Tunnel S2C):
|
||||
- In `config.yaml`, find `extension: s2c_dns_tunnel:`.
|
||||
- Set `enable: true`.
|
||||
3. **Restart BeEF**: You must restart the BeEF server for these changes to take effect.
|
||||
|
||||
| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
|
||||
| :---: | :--- | :--- | :--- | :--- |
|
||||
| [ ] | **ETag Tunnel: Server-to-Client** | 1. Enable **ETag extension** in `config.yaml` and restart BeEF.<br>2. Set `Payload Name` and `Message`.<br>3. Execute module.<br>4. Verify message is delivered (check browser results/window property). | Disable extension in `config.yaml` (optional). | |
|
||||
|
||||
### 3.3 Phase 3: Other Browsers & Specialized Extensions
|
||||
|
||||
Test these modules **only if they cannot be tested in Firefox**. Use Chrome, Safari, or Edge.
|
||||
|
||||
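Review bot: In section 3.2.8, setup step 2 tells the tester to enable the S2C DNS Tunnel extension, but the table that follows contains only the ETag Tunnel row, so nothing in this section uses that setting. Either add the DNS Tunnel row here or remove step 2 so testers do not leave an unneeded extension enabled. The ETag row's cleanup, "Disable extension in `config.yaml` (optional)", should also say that BeEF must be restarted for the disable to take effect, matching setup step 3. Minor: "specfic" in 3.2.6 step 1 should be "specific".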
@@ -32,8 +32,8 @@ Did you mean? ntype=
|
||||
|
||||
### Stack Trace (Key Lines)
|
||||
```
|
||||
from /home/zinduolis/repos/beef/modules/network/cross_origin_scanner_cors/module.rb:24:in `post_execute'
|
||||
from /home/zinduolis/repos/beef/core/main/handlers/commands.rb:59:in `setup'
|
||||
from /beef/modules/network/cross_origin_scanner_cors/module.rb:24:in `post_execute'
|
||||
from /beef/core/main/handlers/commands.rb:59:in `setup'
|
||||
```
|
||||
|
||||
### Steps to Reproduce
|
||||
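Review bot: In the stack trace, replacing `/home/zinduolis/repos/beef/...` with `/beef/...` removes the local username, but the result still reads as an absolute path that does not exist on any system. Use repo-relative paths instead, e.g. `modules/network/cross_origin_scanner_cors/module.rb:24`, which matches the form already used under "Related Files" and in the suggested fix text. It is also worth checking the rest of the file for other occurrences of the home-directory path.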
@@ -66,3 +66,162 @@ In `modules/network/cross_origin_scanner_cors/module.rb`, change `type:` to `nty
|
||||
|
||||
### Related Files
|
||||
- Module source: `modules/network/cross_origin_scanner_cors/command.js`
|
||||
|
||||
## EXT-001: Detect Extensions Module Failure
|
||||
|
||||
**Module**: Detect Extensions
|
||||
**Category**: Browser
|
||||
**Date**: 2026-01-12
|
||||
**Browser**: Firefox / Chrome (Modern)
|
||||
**Status**: ❌ Not Passed
|
||||
|
||||
### Test Configuration
|
||||
- **Browser**: Firefox/Chrome (Latest)
|
||||
- **Extensions Installed**: Standard set (e.g. uBlock Origin, "Avast Online Security" from previous test)
|
||||
|
||||
### Error Description
|
||||
The module executes but returns no results, even when known extensions from its list are installed.
|
||||
|
||||
**Root Cause**:
|
||||
1. **Outdated Extension IDs**: The module uses a hardcoded list of extension IDs (e.g., `blpcfgokakmgnkcojhhkbfbldkacnbeo` for YouTube) which may be obsolete.
|
||||
2. **Browser Security**: Modern browsers (Chrome, Firefox) block external access to extension resources (`chrome-extension://...`) unless they are explicitly listed in `web_accessible_resources` in the extension's manifest. This prevents simple enumeration by checking for the existence of files.
|
||||
|
||||
### Steps to Reproduce
|
||||
1. Install a known extension.
|
||||
2. Execute "Detect Extensions" module.
|
||||
3. Observe Command Results.
|
||||
|
||||
### Expected Result
|
||||
List of detected extensions.
|
||||
|
||||
### Actual Result
|
||||
No output / "No extensions detected".
|
||||
|
||||
### Suggested Fix
|
||||
- Update the list of Extension IDs.
|
||||
- Investigate modern side-channel attacks for extension detection.
|
||||
|
||||
## UI-001: Module Search Broad Matching
|
||||
|
||||
**Module**: BeEF UI (Module Tree Search)
|
||||
**Category**: User Interface
|
||||
**Date**: 2026-01-12
|
||||
**Status**: ⚠️ Usability Issue
|
||||
|
||||
### Error Description
|
||||
The module search bar in the "Commands" tab does not perform exact phrase matching or prioritized relevance sorting. Searching for a multi-word module name (e.g., "Detect FireBug") returns all modules matching the first word (e.g., "Detect"), resulting in a cluttered list of irrelevant modules.
|
||||
|
||||
### Steps to Reproduce
|
||||
1. Open the BeEF UI (`/ui/panel`).
|
||||
2. Select a hooked browser and navigate to the **Commands** tab.
|
||||
3. In the "Search capability..." input, type `Detect FireBug`.
|
||||
|
||||
### Expected Result
|
||||
The module tree should filter to show only modules matching "Detect FireBug".
|
||||
|
||||
### Actual Result
|
||||
The tree shows all modules containing "Detect" (e.g., "Detect Antivirus", "Detect Tor", etc.), making it difficult to find the specific module aimed for.
|
||||
|
||||
### Suggested Fix
|
||||
- Update the javascript search filter logic to strictly match the full search string or support quoted exact searches.
|
||||
- Modify the search to `AND` search terms instead of `OR` or partial matching on the first token.
|
||||
|
||||
## FP-001: Fingerprint Browser (PoC) Module Failure
|
||||
|
||||
**Module**: Fingerprint Browser (PoC)
|
||||
**Category**: Browser
|
||||
**Date**: 2026-01-12
|
||||
**Browser**: Firefox / Chrome (Modern)
|
||||
**Status**: ❌ Not Passed
|
||||
|
||||
### Test Configuration
|
||||
- **Browser**: Firefox/Chrome (Latest)
|
||||
- **Environment**: Local VM
|
||||
|
||||
### Error Description
|
||||
The module executes successfully but fails to properly identify the browser type and version, returning "unknown" for both fields.
|
||||
|
||||
### Steps to Reproduce
|
||||
1. Start BeEF.
|
||||
2. Hook a modern browser (e.g., Firefox).
|
||||
3. Execute "Fingerprint Browser (PoC)" module.
|
||||
4. Check command results.
|
||||
|
||||
### Expected Result
|
||||
Parsed browser name (e.g., Firefox) and version (e.g., 120.0).
|
||||
|
||||
### Actual Result
|
||||
`data: browser_type=unknown&browser_version=unknown`
|
||||
|
||||
### Suggested Fix
|
||||
Update the browser identification logic in `modules/browser/fingerprint_browser_poc/command.js` to support modern User-Agent strings or use a more robust detection library.
|
||||
|
||||
## NET-001: Fingerprint Local Network No Feedback
|
||||
|
||||
**Module**: Fingerprint Local Network
|
||||
**Category**: Network
|
||||
**Date**: 2026-01-12
|
||||
**Browser**: Firefox (Linux)
|
||||
**Status**: ❌ Not Passed / ⚠️ UX Issue
|
||||
|
||||
### Test Configuration
|
||||
- **Scan IP range**: `common` or specific local IP (e.g., `192.168.x.x`)
|
||||
- **Environment**: Local VM
|
||||
|
||||
### Error Description
|
||||
The module executes (visible via browser DevTools generating network requests), but provides absolutely no feedback in the BeEF UI.
|
||||
1. **No Progress Indicator**: There is no indication that the scan is running, how far along it is, or if it has finished.
|
||||
2. **No Final Status**: Command results remain empty even after the scan (presumably) finishes.
|
||||
3. **No Interruption Feedback**: If the user refreshes the browser to stop the scan, the BeEF UI does not register this change or update the command status; it simply hangs or stays empty.
|
||||
|
||||
### Steps to Reproduce
|
||||
1. Open DevTools -> Network tab in the hooked browser.
|
||||
2. Execute "Fingerprint Local Network" (range: `common`).
|
||||
3. Observe network requests in DevTools (module is running).
|
||||
4. Observe BeEF Command module results (remains empty).
|
||||
5. Refresh hooked browser.
|
||||
6. Observe BeEF Command module results (remains empty/no status update).
|
||||
|
||||
### Expected Result
|
||||
- The module should provide real-time or periodic status updates (e.g., "Scanning 10/20 IPs...").
|
||||
- It should report "No devices found" if nothing is detected, rather than staying silent.
|
||||
- It should handle browser disconnections/refreshes gracefully.
|
||||
|
||||
### Actual Result
|
||||
BeEF UI shows command as executing (or just sent), but no data is returned to the results panel. DevTools confirms the activity, but the operator is left blind.
|
||||
|
||||
### Suggested Fix
|
||||
- Implement `beef.net.send` calls within the JavaScript worker queue to report progress % back to the controller.
|
||||
- Ensure a final summary report is sent even if 0 positive matches are found.
|
||||
|
||||
## NET-002: Fingerprint Routers Module Error
|
||||
|
||||
**Module**: Fingerprint Routers
|
||||
**Category**: Network
|
||||
**Date**: 2026-01-12
|
||||
**Browser**: Firefox (Linux)
|
||||
**Status**: ❌ Not Passed
|
||||
|
||||
### Test Configuration
|
||||
- **Browser**: Firefox
|
||||
- **Execution**: Standard execute (click button)
|
||||
|
||||
### Error Description
|
||||
The module crashes the BeEF server thread with an `ActiveModel::UnknownAttributeError` when attempting to save results to the database.
|
||||
|
||||
**Root Cause**: The module's `post_execute` method in `modules/network/jslanscanner/module.rb:29` attempts to create a `NetworkService` record using attribute `type`, but the model expects `ntype`.
|
||||
|
||||
### Console Error
|
||||
```
|
||||
ActiveModel::UnknownAttributeError: unknown attribute 'type' for BeEF::Core::Models::NetworkService.
|
||||
...
|
||||
from /beef/modules/network/jslanscanner/module.rb:29:in `post_execute'
|
||||
```
|
||||
|
||||
### Suggested Fix
|
||||
In `modules/network/jslanscanner/module.rb`:
|
||||
- Change line 29: `type: service` -> `ntype: service`
|
||||
- Check line 37: `type: device` -> `ntype: device` (if NetworkHost model also uses ntype).
|
||||
|
||||
|
||||
|
||||
|
||||
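Review bot: In NET-002, the second suggested fix ("Check line 37: `type: device` -> `ntype: device` (if NetworkHost model also uses ntype)") is unverified, and the console error shown names only `BeEF::Core::Models::NetworkService`. Confirm the attribute name in the NetworkHost model before logging this as a fix, or move it to a separate "to verify" item. Similarly, EXT-001 lists two items under "Root Cause" where the first is hedged with "may be obsolete"; label these as hypotheses until one is confirmed, and note which browser the example ID `blpcfgokakmgnkcojhhkbfbldkacnbeo` applies to, since the entry covers both Firefox and Chrome.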