From dd811ca234645cbb5c81e1c4737f6cb83ddfed40 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Mon, 8 Jul 2013 00:25:49 +0930
Subject: [PATCH 1/2] Add proxy detection using http headers to browser details Add proxy details to browser log Part of issue #527 Note: does not work for transparent proxies
---
 core/main/handlers/browserdetails.rb | 51 ++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb
index 46a3b610d..7f851c923 100644
--- a/core/main/handlers/browserdetails.rb
+++ b/core/main/handlers/browserdetails.rb
@@ -68,6 +68,7 @@ module BeEF
 }
 zombie.httpheaders = @http_headers.to_json
 zombie.save
+ #puts "HTTP Headers: #{zombie.httpheaders}"
 # add a log entry for the newly hooked browser
 BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} just joined the horde from the domain: #{log_zombie_domain}:#{log_zombie_port.to_s}", "#{zombie.id}")
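Review bot: The added `#puts "HTTP Headers: #{zombie.httpheaders}"` line in core/main/handlers/browserdetails.rb is commented-out debug output and is better dropped from the commit than left in the handler. If it were re-enabled it would print every client-supplied request header to the console verbatim, so a header dump that is actually wanted belongs behind the project's debug logging instead. The enclosing method starts and ends outside the hunk.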
@@ -79,6 +80,56 @@ module BeEF
 self.err_msg "Invalid browser name returned from the hook browser's initial connection."
 end
+ # detect browser proxy
+ using_proxy = false
+ [
+ 'CLIENT_IP',
+ 'FORWARDED_FOR',
+ 'FORWARDED',
+ 'FORWARDED_FOR_IP',
+ 'PROXY_CONNECTION',
+ 'PROXY_AUTHENTICATE',
+ 'X_FORWARDED',
+ 'X_FORWARDED_FOR',
+ 'VIA'
+ ].each do |header|
+ unless JSON.parse(zombie.httpheaders)[header].nil?
+ using_proxy = true
+ break
+ end
+ end
+
+ # retrieve proxy client IP
+ proxy_clients = []
+ [
+ 'CLIENT_IP',
+ 'FORWARDED_FOR',
+ 'FORWARDED',
+ 'FORWARDED_FOR_IP',
+ 'X_FORWARDED',
+ 'X_FORWARDED_FOR'
+ ].each do |header|
+ proxy_clients << "#{JSON.parse(zombie.httpheaders)[header]}" unless JSON.parse(zombie.httpheaders)[header].nil?
+ end
+
+ # retrieve proxy server
+ proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil?
+
+ # store and log proxy details
+ if using_proxy == true
+ BD.set(session_id, 'UsingProxy', "#{using_proxy}")
+ proxy_log_string = "#{zombie.ip} is using a proxy"
+ unless proxy_clients.nil?
+ BD.set(session_id, 'ProxyClient', "#{proxy_clients.sort.uniq.join(',')}")
+ proxy_log_string += " [client: #{proxy_clients.sort.uniq.join(',')}]"
+ end
+ unless proxy_server.nil?
+ BD.set(session_id, 'ProxyServer', "#{proxy_server}")
+ proxy_log_string += " [server: #{proxy_server}]"
+ end
+ BeEF::Core::Logger.instance.register('Zombie', "#{proxy_log_string}", "#{zombie.id}")
+ end
+
 # get and store browser version
 browser_version = get_param(@data['results'], 'BrowserVersion')
 if BeEF::Filters.is_valid_browserversion?(browser_version)
From 2c2b9a85f4d3b52da1ef9d6c6a4a0a63843efa31 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Mon, 8 Jul 2013 10:57:02 +0930
Subject: [PATCH 2/2] Update browser fingerprinting module firefox signatures
---
 modules/browser/browser_fingerprinting/command.js | 4 ++++
 1 file changed, 4 insertions(+)
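Review bot: In the `@@ -79,6 +80,56 @@` hunk of core/main/handlers/browserdetails.rb the proxy header values come straight from the client's request and reach `BD.set` and `Logger.instance.register` with no validation, while the `BrowserVersion` value just below is checked with `BeEF::Filters.is_valid_browserversion?` first. A comparable filter, or at least a length and character check, should run before 'ProxyClient' and 'ProxyServer' are stored, because whether the log and the admin UI escape them is not visible here. `unless proxy_clients.nil?` can never be false because `proxy_clients` starts as `[]`, so a request carrying only `VIA` stores an empty 'ProxyClient' and logs ` [client: ]`; `unless proxy_clients.empty?` is the intended test. `JSON.parse(zombie.httpheaders)` is also re-run for every lookup and should be parsed once into a local, and since the client can set these headers itself a comment should say 'UsingProxy' is a hint. The enclosing method starts and ends outside the hunk.

```ruby
# parse the stored header JSON once; every value read from it is client-supplied
headers = JSON.parse(zombie.httpheaders)

client_headers = %w[CLIENT_IP FORWARDED_FOR FORWARDED FORWARDED_FOR_IP X_FORWARDED X_FORWARDED_FOR]
proxy_clients = client_headers.map { |name| headers[name] }.compact.map(&:to_s).sort.uniq
proxy_server = headers['VIA']

# heuristic only: a client can send any of these headers without a proxy in the path
using_proxy = !proxy_clients.empty? ||
              %w[PROXY_CONNECTION PROXY_AUTHENTICATE VIA].any? { |name| !headers[name].nil? }

if using_proxy
  # … unchanged: BD.set 'UsingProxy' and proxy_log_string initialisation …
  unless proxy_clients.empty? # an empty array is never nil
    # validate the joined value here before storing it, as BrowserVersion is validated below
    # … unchanged: BD.set 'ProxyClient' and the " [client: …]" log suffix …
  end
  # … unchanged: proxy_server branch and Logger.instance.register call …
end
```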
diff --git a/modules/browser/browser_fingerprinting/command.js b/modules/browser/browser_fingerprinting/command.js
index e60b5df5e..20a959d08 100644
--- a/modules/browser/browser_fingerprinting/command.js
+++ b/modules/browser/browser_fingerprinting/command.js
@@ -34,6 +34,10 @@ beef.execute(function() {
 new Array("Firefox","4+","resource:///chrome/browser/skin/classic/browser/Geolocation-16.png"),
 new Array("Firefox","7+","resource:///chrome/browser/content/browser/aboutHome-snippet1.png"),
 new Array("Firefox","8+","resource:///chrome/browser/skin/classic/aero/browser/Toolbar-inverted.png"),
+ new Array("Firefox","9+","resource:///chrome/browser/skin/classic/aero/browser/identity.png"),
+ new Array("Firefox","10+","chrome://browser/skin/sync-128.png"),
+ new Array("Firefox","13+","chrome://browser/content/abouthome/noise.png"),
+ new Array("Firefox","18+","resource:///chrome/browser/skin/classic/aero/browser/webRTC-shareDevice-16.png"),
 new Array("Internet Explorer","5-6","res://shdoclc.dll/pagerror.gif"),
 new Array("Internet Explorer","7-9","res://ieframe.dll/ielogo.png"),
 new Array("Internet Explorer","7+","res://ieframe.dll/info_48.png")