Merge branch 'master' into master

Brendan Coles
2018-03-09 17:42:01 +11:00
committed by GitHub
16 changed files with 439 additions and 344 deletions

Gemfile

@@ -88,23 +88,23 @@ end
# For running unit tests
group :test do
if ENV['BEEF_TEST']
gem 'test-unit'
gem 'test-unit-full'
gem 'curb'
gem 'selenium'
# selenium-webdriver 3.x is incompatible with Firefox version 48 and prior
gem 'selenium-webdriver', '~> 2.53.4'
gem 'rspec'
gem 'bundler-audit'
# nokogirl is needed by capybara which may require one of the below commands
# sudo apt-get install libxslt-dev libxml2-dev
# sudo port install libxml2 libxslt
gem 'capybara'
# RESTful API tests/generic command module tests
gem 'rest-client', '>= 2.0.1'
gem 'byebug'
end
if ENV['BEEF_TEST']
gem 'test-unit'
gem 'test-unit-full'
gem 'curb'
gem 'selenium'
# selenium-webdriver 3.x is incompatible with Firefox version 48 and prior
gem 'selenium-webdriver', '~> 2.53.4'
gem 'rspec'
gem 'bundler-audit'
# nokogirl is needed by capybara which may require one of the below commands
# sudo apt-get install libxslt-dev libxml2-dev
# sudo port install libxml2 libxslt
gem 'capybara'
# RESTful API tests/generic command module tests
gem 'rest-client', '>= 2.0.1'
gem 'byebug'
end
end
source 'https://rubygems.org'


@@ -6,98 +6,66 @@
===============================================================================
Source
------
Obtain application source code either by downloading the latest archive:
$ wget https://github.com/beefproject/beef/archive/master.zip
Or cloning the Git repository from Github:
$ git clone https://github.com/beefproject/beef
Prerequisites
--------------
BeEF requires Ruby 2.3+.
If your operating system package manager does not support Ruby version 2.3,
you can add the brightbox ppa repository for the latest version of Ruby:
$ sudo apt-add-repository -y ppa:brightbox/ruby-ng
Alternatively, consider using a Ruby environment manager such as rbenv or rvm
to manager your Ruby versions. Refer to the following for more information:
* rbenv: https://github.com/rbenv/rbenv
* rvm: https://rvm.io/rvm/install'
Installation
------------
1. Prerequisites (platform independent)
2. Prerequisites (Windows)
3. Prerequisites (Linux)
4. Prerequisites (Mac OSX)
5. Install instructions
6. Run instructions
Once Ruby is installed, run the install script in the BeEF directory:
./install
This script installs the required operating system packages and all the
prerequisite Ruby gems.
Upon successful installation, be sure to read the Configuration page
on the wiki for important details on configuring and securing BeEF.
https://github.com/beefproject/beef/wiki/Configuration
Start BeEF
----------
1. Prerequisites (platform independent)
To start BeEF, simply run:
BeEF requires Ruby 2.2+ and the "bundler" gem. Bundler can be installed by:
gem install bundler
2. Prerequisites (Windows)
Windows is no longer supported. The following instructions are outdated.
!!! This must be done PRIOR to running the bundle install command !!!
Windows requires the sqlite.dll. Simply grab the zip file below and extract it to your Ruby bin directory:
http://www.sqlite.org/sqlitedll-3_7_0_1.zip
Other than that, you also need TheRubyRacer. As it's painful to install it on Windows, you can download 2 pre-compiled V8 DLLs and 2 gems from https://github.com/eakmotion/therubyracer_for_windows.
Finally, edit beef's gem lock file by replacing the required ruby racer version with the version downloaded from the link above.
3. Prerequisites (Linux)
!!! This must be done PRIOR to running the bundle install command !!!
On linux you will need to find the packages specific to your distribution for sqlite. An example build script for Ubuntu 14.04 systems is:
# Set your prefered build dir
BUILDDIR=/opt && \
cd $BUILDDIR && \
\
# Install dependences
sudo apt-get update && \
sudo apt-get install -y \
build-essential \
git \
libsqlite3-dev \
software-properties-common \
sqlite3 \
sqlite3-doc && \
\
# Add brightbox ppa for the latest version of ruby
sudo apt-add-repository -y \
ppa:brightbox/ruby-ng && \
\
# Install ruby (2.2 in this example)
sudo apt-get update && \
sudo apt-get install -y \
ruby2.2 \
ruby2.2-dev && \
\
# Install bundler using gem
sudo gem install bundler
3.1. It is recommended not to use rvm. If you use rvm the ruby binaries are installed to locations outside of your default path which may cause problems later.
4. Prerequisites (Mac OSX)
- XCode: provides the sqlite support BeEF needs
- Ruby 2.1
To install RVM and Ruby 2.1.5 on Mac OS:
$ bash -s stable < <(curl -Ls https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer) source ~/.bash_profile
$ rvm install 2.1.5
$ rvm use 2.1.5
$ ./beef
5. Install instructions
Obtain application code either by downloading an archive from https://github.com/beefproject/beef/archive/master.zip or cloning the GIT repo https://github.com/beefproject/beef.git
Updating
--------
Enter into the newly created BeEF directory, and type:
Due to the fast-paced nature of web browser development and webappsec landscape,
it's best to regularly update BeEF to the latest version.
bundle install
If you're using BeEF from the GitHub repository, updating is as simple as:
Bundler installs all the pre-requisite gems.
6. Run instructions
Simply run:
./beef -x
$ git pull
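Review bot: The new Prerequisites text has two slips worth fixing before merge: the rvm link ends with a stray quote ("https://rvm.io/rvm/install'"), which breaks copy and paste, and "to manager your Ruby versions" should read "to manage". The section also now recommends rbenv or rvm while the removed text advised against rvm because its binaries land outside the default path; a sentence saying why the advice changed would help readers upgrading from the old instructions.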


@@ -36,9 +36,9 @@ __Twitter:__ @beefproject
Requirements
------------
* OSX 10.5.0 or higher, modern Linux
* [Ruby](http://rubylang.org) version 2.2 or newer
* [SQLite](http://sqlite.org) 3.x
* Operating System: Mac OSX 10.5.0 or higher / modern Linux
* [Ruby](http://rubylang.org): 2.3 or newer
* [SQLite](http://sqlite.org): 3.x
* The gems listed in the Gemfile: https://github.com/beefproject/beef/blob/master/Gemfile
* brew install selenium-server-standalone (See https://github.com/shvets/selenium)
@@ -47,12 +47,14 @@ Quick Start
__The following is for the impatient.__
The `install` script installs the required operating system packages and all the prerequisite Ruby gems:
$ ./install
For full installation details, please refer to [INSTALL.txt](https://github.com/beefproject/beef/blob/master/INSTALL.txt).
We also have an [Installation](https://github.com/beefproject/beef/wiki/Installation) page on the wiki.
$ curl -L https://raw.githubusercontent.com/beefproject/beef/a6a7536e/install-beef | bash -s stable
Upon successful installation, be sure to read the [Configuration](https://github.com/beefproject/beef/wiki/Configuration) page on the wiki for important details on configuring and securing BeEF.


@@ -3,6 +3,8 @@
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
require 'yaml'
require 'pry-byebug'
task :default => ["quick"]
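Review bot: The unconditional require 'pry-byebug' at the top of the Rakefile makes every rake task, including the default one, fail with a LoadError on machines where that gem is absent. The Gemfile hunk on this page lists 'byebug' in the BEEF_TEST test group but not 'pry-byebug', and the new install script runs "bundle install --without test development". Either add the gem to the Gemfile test group and require it only inside the tasks that need it, or drop the require.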
@@ -50,6 +52,14 @@ task :rdoc do
Rake::Task['rdoc:rerdoc'].invoke
end
desc 'rest test examples'
task :rest_test do
Rake::Task['beef_start'].invoke
sh 'cd test/api/; ruby -W2 1333_auth_rate.rb'
Rake::Task['beef_stop'].invoke
end
################################
# run bundle-audit
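Review bot: In the rest_test task, beef_stop is not reached when the test run fails, because rake's sh raises on a non-zero exit status. That leaves the BeEF process running and tmp/rk_beef_conf.yaml, which holds the test credentials, on disk. Wrap the sh call in begin/ensure so Rake::Task['beef_stop'].invoke always runs.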
@@ -155,28 +165,53 @@ end
task :xserver_stop do
puts "\nShutting down X11 Server...\n"
sh "ps -ef|grep Xvfb|grep -v grep|awk '{print $2}'|xargs kill"
sh "ps -ef|grep Xvfb|grep -v grep|grep -v rake|awk '{print $2}'|xargs kill"
end
################################
# BeEF environment set up
@beef_process_id = nil;
@beef_config_file = 'tmp/rk_beef_conf.yaml';
task :beef_start => 'beef' do
# read environment param for creds or use bad_fred
test_user = ENV['TEST_BEEF_USER'] || 'bad_fred'
test_pass = ENV['TEST_BEEF_PASS'] || 'bad_fred_no_access'
# write a rake config file for beef
config = YAML.load(File.read('./config.yaml'))
config['beef']['credentials']['user'] = test_user
config['beef']['credentials']['passwd'] = test_pass
File.open(@beef_config_file, 'w') { |f| YAML.dump(config, f) }
# set the environment creds -- in case we're using bad_fred
ENV['TEST_BEEF_USER'] = test_user
ENV['TEST_BEEF_PASS'] = test_pass
config = nil
puts "Using config file: #{@beef_config_file}\n"
printf "Starting BeEF (wait a few seconds)..."
@beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+")
delays = [10, 10, 5, 5, 4, 4, 3, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1]
@beef_process_id = IO.popen("ruby ./beef -c #{@beef_config_file} -x 2> /dev/null", "w+")
delays = [5, 5, 5, 4, 4, 3, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1]
delays.each do |i| # delay for a few seconds
printf '.'
sleep (i)
end
puts '.'
puts ".\n\n"
end
task :beef_stop do
puts "\nShutting down BeEF...\n"
sh "ps -ef|grep beef|grep -v grep|awk '{print $2}'|xargs kill"
# cleanup tmp/config files
puts "\nCleanup config file:\n"
rm_f @beef_config_file
ENV['TEST_BEEF_USER'] = nil
ENV['TEST_BEEF_PASS'] = nil
# shutting down
puts "Shutting down BeEF...\n"
sh "ps -ef|grep beef|grep -v grep|grep -v rake|awk '{print $2}'|xargs kill"
end
################################
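Review bot: beef_stop still selects processes with "ps -ef|grep beef|...|xargs kill", which signals every process whose command line contains "beef" apart from grep and rake, not only the instance this Rakefile started. beef_start already keeps the IO.popen handle in @beef_process_id, so the stop task could signal that child instead. Two smaller points in beef_start: the generated config containing the username and password is written with File.open(@beef_config_file, 'w') at the default file mode, so consider passing a restrictive mode such as 0600, and the fixed list of sleeps could be replaced by polling the HTTP port until BeEF answers.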

beef

@@ -12,11 +12,11 @@
$VERBOSE = nil
#
# @note Version check to ensure BeEF is running Ruby 2.2+
# @note Version check to ensure BeEF is running Ruby 2.3+
#
if RUBY_VERSION < '2.2'
if RUBY_VERSION < '2.3'
puts
puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version 2.2 or later."
puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version 2.3 or later."
puts
exit 1
end
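Review bot: The check RUBY_VERSION < '2.3' compares strings, so the ordering is lexical rather than numeric; for example '2.10.0' < '2.3' evaluates to true. Comparing Gem::Version.new(RUBY_VERSION) against Gem::Version.new('2.3') avoids that and keeps the check correct as the minimum version is raised again.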


@@ -27,6 +27,8 @@ beef:
# subnet of IP addresses that can connect to the admin UI
#permitted_ui_subnet: "127.0.0.1/32"
permitted_ui_subnet: "0.0.0.0/0"
# slow API calls to 1 every api_attempt_delay seconds
api_attempt_delay: "0.05"
# HTTP server
http:
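Review bot: The default api_attempt_delay of "0.05" allows 20 login attempts per second, which is a weak default for a setting introduced as brute force mitigation, and it sits next to a permitted_ui_subnet default of "0.0.0.0/0". Consider a larger default and state the unit and the security purpose in the comment. The value is also quoted as a string and only works because the caller applies to_f; an unquoted number would be clearer.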


@@ -63,7 +63,7 @@ module BeEF
# This is from extensions/admin_ui/controllers/authentication/authentication.rb
#
def self.permitted_source?(ip)
# get permitted subnet
# get permitted subnet
permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
target_network = IPAddr.new(permitted_ui_subnet)
@@ -74,6 +74,32 @@ module BeEF
return target_network.include?(ip)
end
#
# Rate limit through timeout
# This is from extensions/admin_ui/controllers/authentication/
#
# Brute Force Mitigation
# Only one login request per config_delay_id seconds
#
# @param config_delay_id <string> configuration name for the timeout
# @param last_time_attempt <Time> last time this was attempted
# @param time_record_set_fn <lambda> callback, setting time on failure
#
# @return <boolean>
def self.timeout?(config_delay_id, last_time_attempt, time_record_set_fn)
success = true
time = Time.now()
config = BeEF::Core::Configuration.instance
fail_delay = config.get(config_delay_id)
if (time - last_time_attempt < fail_delay.to_f)
time_record_set_fn.call(time)
success = false
end
success
end
end
end
end
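Review bot: The name and the @return tag of timeout? do not say which value means what: the method returns true when the request is allowed and false when it arrives inside the delay, the opposite of what "timeout?" suggests. Please document the return value or rename the method (for example to a name that says the attempt is allowed). Two behaviours also deserve a comment or a guard: if config.get(config_delay_id) returns nil, fail_delay.to_f is 0.0 and the limit is silently disabled, and time_record_set_fn is called on every rejected request, so a client that keeps sending requests keeps extending the window.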


@@ -10,10 +10,20 @@ module BeEF
class Admin < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
time_since_last_failed_auth = 0
before do
# error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
# halt if requests are inside beef.restrictions.api_attempt_delay
if time_since_last_failed_auth != 0
halt 401 if not BeEF::Core::Rest.timeout?('beef.restrictions.api_attempt_delay',
time_since_last_failed_auth,
lambda { |time| time_since_last_failed_auth = time})
end
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
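Review bot: time_since_last_failed_auth is a single local variable in the class body, captured by the before block, so the throttle is global rather than per client: one failed login from any address causes a 401 for every request to this router from every client during the delay, and each rejected request refreshes the timestamp through the lambda. Keying the timestamp by request.ip and applying the check only to the login route would keep the mitigation without letting one client lock out the others. The variable holds a timestamp, not a duration, so a name like last_failed_auth_time would read better, and the throttled halt 401 is not logged, unlike the failed-credentials path.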
@@ -46,6 +56,9 @@ module BeEF
# check username and password
if not (data['username'].eql? config.get('beef.credentials.user') and data['password'].eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{request.ip} has failed to authenticate in the application.")
# failed attempts
time_since_last_failed_auth = Time.now()
halt 401
else
{ "success" => true,
@@ -62,4 +75,4 @@ module BeEF
end
end
end
end
end


@@ -12,33 +12,33 @@ module Controllers
# The authentication web page for BeEF.
#
class Authentication < BeEF::Extension::AdminUI::HttpController
#
# Constructor
#
def initialize
super({
'paths' => {
'/' => method(:index),
'/' => method(:index),
'/login' => method(:login),
'/logout' => method(:logout)
}
})
@session = BeEF::Extension::AdminUI::Session.instance
end
# Function managing the index web page
def index
def index
@headers['Content-Type']='text/html; charset=UTF-8'
@headers['X-Frame-Options']='sameorigin'
end
#
# Function managing the login
#
def login
username = @params['username-cfrm'] || ''
password = @params['password-cfrm'] || ''
config = BeEF::Core::Configuration.instance
@@ -46,54 +46,52 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
@headers['X-Frame-Options']='sameorigin'
ua_ip = @request.ip # get client ip address
@body = '{ success : false }' # attempt to fail closed
# check if source IP address is permited to authenticate
if not permited_source?(ua_ip)
BeEF::Core::Logger.instance.register('Authentication', "IP source address (#{@request.ip}) attempted to authenticate but is not within permitted subnet.")
return
end
# check if under brute force attack
time = Time.new
if not timeout?(time)
@session.set_auth_timestamp(time)
return
end
# check if under brute force attack
return if not BeEF::Core::Rest.timeout?('beef.extension.admin_ui.login_fail_delay',
@session.get_auth_timestamp(),
lambda { |time| @session.set_auth_timestamp(time)})
# check username and password
if not (username.eql? config.get('beef.credentials.user') and password.eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{@request.ip} has failed to authenticate in the application.")
return
end
# establish an authenticated session
# set up session and set it logged in
@session.set_logged_in(ua_ip)
# create session cookie
@session.set_logged_in(ua_ip)
# create session cookie
session_cookie_name = config.get('beef.http.session_cookie_name') # get session cookie name
Rack::Utils.set_cookie_header!(@headers, session_cookie_name, {:value => @session.get_id, :path => "/", :httponly => true})
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{@request.ip} has successfully authenticated in the application.")
@body = "{ success : true }"
end
#
# Function managing the logout
#
def logout
# test if session is unauth'd
(print_error "invalid nonce";return @body = "{ success : true }") if not @session.valid_nonce?(@request)
(print_error "invalid session";return @body = "{ success : true }") if not @session.valid_session?(@request)
@headers['Content-Type']='application/json; charset=UTF-8'
@headers['X-Frame-Options']='sameorigin'
# set the session to be log out
@session.set_logged_out
# clean up UA and expire the session cookie
config = BeEF::Core::Configuration.instance
session_cookie_name = config.get('beef.http.session_cookie_name') # get session cookie name
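Review bot: In login, the failed-credentials branch still logs and returns without calling @session.set_auth_timestamp, so in the lines shown the timestamp only moves when a request has already been throttled; the REST handler in this same commit records the time on a failed login, and the UI path should do the same for login_fail_delay to have an effect. Moving to the shared BeEF::Core::Rest.timeout? also changes the comparison from "> login_fail_delay.to_i" to "< fail_delay.to_f", which alters behaviour for fractional and boundary values; please mention that in the commit message. The throttled return is not logged either.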
@@ -101,14 +99,14 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{@request.ip} has successfully logged out.")
@body = "{ success : true }"
end
#
# Check the UI browser source IP is within the permitted subnet
#
def permited_source?(ip)
# get permitted subnet
# get permitted subnet
config = BeEF::Core::Configuration.instance
permitted_ui_subnet = config.get('beef.restrictions.permitted_ui_subnet')
target_network = IPAddr.new(permitted_ui_subnet)
@@ -117,18 +115,7 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
# test if ip within subnet
return target_network.include?(ip)
end
#
# Brute Force Mitigation
# Only one login request per login_fail_delay seconds
#
def timeout?(time)
config = BeEF::Core::Configuration.instance
login_fail_delay = config.get('beef.extension.admin_ui.login_fail_delay') # get fail delay
# test if the last login attempt was less then login_fail_delay seconds
time - @session.get_auth_timestamp > login_fail_delay.to_i
end
end

install

@@ -1,26 +1,133 @@
#!/usr/bin/env ruby
#!/bin/bash
#
# Copyright (c) 2006-2018 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
puts "\nWelcome to the BeEF installer!"
set -euo pipefail
IFS=$'\n\t'
if RUBY_VERSION < '2.2'
puts "\n"
puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version 2.2 or later."
puts "\n"
exit 1
end
clear
puts "\nPlease make sure you have installed SQLite before proceeding. For instructions on how to do this please see the README file"
if [ -f core/main/console/beef.ascii ] ; then
cat core/main/console/beef.ascii
echo
fi
puts "\nInstall Bundler: gem install bundler"
echo "#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#"
echo " -- [ BeEF Installer ] -- "
echo "#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#"
echo
puts "\nRun bundler in your BeEF folder: bundle install"
command_exists () {
command -v "$1" /dev/null 2&>1
}
puts "\nRun BeEF: ./beef"
info() { echo "[INFO] $*"; }
warn() { echo "[WARN] $*"; }
error() { echo "[ERROR] $*"; }
fatal() { echo "[FATAL] $*"; exit 1 ; }
warn 'This script will install BeEF and its required dependencies (including operating system packages).'
read -p "Are you sure you wish to continue (Y/n)? "
if [ "`echo ${REPLY} | tr [:upper:] [:lower:]`" = "n" ] ; then
fatal 'Installation aborted'
fi
install_linux () {
info "Detecting Linux OS distribution..."
Distro=''
if [ -f /etc/redhat-release ] ; then
Distro='RedHat'
elif [ -f /etc/debian_version ] ; then
Distro='Debian'
elif [ -f /etc/os-release ] ; then
DISTRO_ID=`grep ^ID= /etc/os-release | cut -d= -f2-`
if [ "$DISTRO_ID" = 'kali' ] ; then
Distro='Kali'
fi
fi
if [ -z $Distro ] ; then
fatal "Unable to locate installer for your $OS distribution"
fi
readonly Distro
info "OS Distribution: $Distro"
info "Installing $Distro prerequisite packages..."
if [ "$Distro" = "Debian" -o "$Distro" = "Kali" ]; then
sudo apt-get update
sudo apt-get install curl git build-essential openssl libreadline6-dev zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev autoconf libc6-dev libncurses5-dev automake libtool bison subversion nodejs
elif [ "$Distro" = "RedHat" ]; then
sudo yum install -y git make gcc openssl-devel gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel bzip2 autoconf automake libtool bison iconv-devel sqlite-devel nodejs
fi
}
install_mac () {
echo
}
info "Detecting OS..."
OS=`uname`
readonly OS
info "Operating System: $OS"
if [ "${OS}" = "Linux" ] ; then
info "Launching Linux install..."
install_linux
elif [ "$OS" = "Darwin" ]; then
info "Launching Mac OSX install..."
install_mac
else
fatal "Unable to locate installer for your Operating system: $OS"
fi
info 'Detecting Ruby environment...'
MIN_RUBY_VER='2.3'
if command_exists ruby
then
RUBY_VERSION=`ruby -e "puts RUBY_VERSION"`
info "Ruby version ${RUBY_VERSION} is installed"
if [ `ruby -e "puts RUBY_VERSION.to_f >= ${MIN_RUBY_VER}"` = 'false' ]
then
fatal "Ruby version ${RUBY_VERSION} is not supported. Please install Ruby ${MIN_RUBY_VER} (or newer) and restart the installer."
fi
else
fatal "Ruby is not installed. Please install Ruby ${MIN_RUBY_VER} (or newer) and restart the installer."
fi
#if command_exists rbenv
#then
# info 'rbenv is installed'
#elif command_exists rvm
#then
# info 'rvm is installed'
#else
# fatal 'Could not find Ruby environment manager!
#Please install either RVM or rbenv and restart the installer
#For more information:
# * rbenv: https://github.com/rbenv/rbenv
# * rvm: https://rvm.io/rvm/install'
#fi
info 'Detecting bundler gem...'
if command_exists bundler
then
info 'bundler gem is installed'
else
info 'Installing bundler gem'
gem install bundler
fi
echo "Installing required Ruby gems..."
bundle install --without test development
echo
echo "=========================================="
echo
info "Install completed successfully!"
info "Run './beef' to launch BeEF"
echo
echo "=========================================="
echo
#Testing fork regroup
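Review bot: The redirection in command_exists is malformed: command -v "$1" /dev/null 2&>1 passes /dev/null and 2 as extra arguments and sends output to a file named 1 in the current directory; it should be command -v "$1" >/dev/null 2>&1. Other points in this script: [ -z $Distro ] needs quotes around the variable, the Ruby check uses RUBY_VERSION.to_f, which turns a version such as 2.10 into 2.1, the Kali branch is unreachable on systems that also have /etc/debian_version (harmless, since both take the same path), apt-get install runs without -y while yum uses it, install_mac is an empty stub although the script reports a successful install on Darwin, and the trailing "#Testing fork regroup" comment looks like a leftover.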


@@ -1,170 +0,0 @@
#!/bin/bash
#
# Copyright (c) 2006-2018 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
set -e
clear
echo "======================================"
echo " BeEF Installer "
echo "======================================"
echo ""
echo "CAUTION: This installation script will install a number of BeEF dependencies including the Ruby-RVM environment and its dependencies."
echo ""
echo "In rare cases, this may lead to unexpected behaviour or package conflicts on some systems."
echo ""
read -p "Are you sure you wish to continue (Y/n)? "
if [ "`echo ${REPLY} | tr [:upper:] [:lower:]`" == "n" ] ; then
exit;
fi
echo ""
echo "Detecting OS..";
OS=`uname`
if [ "${OS}" = "Linux" ] ; then
if [ -f /etc/redhat-release ] ; then
Distro='RedHat'
elif [ -f /etc/debian_version ] ; then
Distro='Debian'
fi
readonly OS
readonly Distro
fi
if [ "$OS" == "Darwin" ]; then
echo "Mac OSX Detected"
echo "Installing Ruby Version Manager (RVM) & Ruby 2.3.0.."
bash -s stable < <(curl -Ls https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
source ~/.bash_login
rvm install 2.3.0 --with-gcc=clang
rvm use 2.3.0
echo ""
echo "Downloading BeEF.."
git clone git://github.com/beefproject/beef.git
cd beef
echo ""
echo "Installing Ruby Gems.."
bundle install
OK="yes"
./beef
echo ""
echo "=========================================="
echo " Install Complete"
echo "Please restart Terminal and Run BeEF with:"
echo " $ ./beef "
echo "=========================================="
echo ""
fi
if [ "$Distro" == "Debian" ]; then
echo "Debian/Ubuntu Detected"
echo "Installing Prerequisite Packages.."
sudo apt-get update
sudo apt-get install curl git
sudo apt-get install build-essential openssl libreadline6 libreadline6-dev zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev autoconf libc6-dev libncurses5-dev automake libtool bison subversion nodejs
curl -Lsk https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash
echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"' >> ~/.bashrc
source ~/.bashrc
if [ -e $HOME/.rvm/scripts/rvm ]; then
source $HOME/.rvm/scripts/rvm
elif [ -e /usr/local/rvm/scripts/rvm ]; then
source /usr/local/rvm/scripts/rvm
else
source /etc/profile.d/rvm.sh
fi
rvm install 2.3.0
rvm use 2.3.0 --default
echo "Downloading BeEF.."
git clone git://github.com/beefproject/beef.git
cd beef
echo "Installing Ruby Gems"
gem install bundler
bundle install
./beef
OK="yes"
echo ""
echo "=========================================="
echo " Install Complete"
echo "=========================================="
echo ""
fi
if [ "$Distro" == "RedHat" ]; then
echo "Redhat/Fedora Detected"
echo "Installing Prerequisite Packages.."
sudo yum install -y git make gcc openssl-devel gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel bzip2 autoconf automake libtool bison iconv-devel sqlite-devel nodejs
echo ""
echo "Installing Ruby Version Manager (RVM) & Ruby 2.3.0"
wget https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer
bash ./rvm-installer
source ~/.rvm/scripts/rvm
rvm pkg install openssl
rvm install 2.3.0 --with-openssl-dir=$rvm_path/usr
source ~/.rvm/scripts/rvm
rvm use 2.3.0 --default
echo "Downloading BeEF.."
git clone git://github.com/beefproject/beef.git
cd beef
gem install bundler
bundle
source ~/.bash_profile
./beef
OK="yes"
echo ""
echo "=========================================="
echo " Install Complete"
echo "=========================================="
echo ""
fi
if [ "$OK" == "yes" ]; then
echo ""
else
echo ""
echo "======================================="
echo " Install Failed"
echo "Unable to locate installer for your OS:"
echo $OS
echo $Distro
echo "======================================="
echo ""
fi


@@ -0,0 +1,73 @@
#
# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
require 'test/unit'
require 'pry-byebug'
require 'rest-client'
require 'json'
require 'optparse'
require 'pp'
require '../common/test_constants'
require_relative './lib/beef_rest_client'
class TC_1333_auth_rate < Test::Unit::TestCase
def test_auth_rate
# tests rate of auth calls
# this takes some time - with no output
# beef must be running
passwds = (1..9).map { |i| "broken_pass"}
passwds.push BEEF_PASSWD
apis = passwds.map { |pswd| BeefRestClient.new('http', ATTACK_DOMAIN, '3000', BEEF_USER, pswd) }
l = apis.length
# t0 = Time.now()
(0..2).each do |again| # multiple sets of auth attempts
# first pass -- apis in order, valid passwd on 9th attempt
# subsequent passes apis shuffled
# puts "speed requesets" # all should return 401
(0..50).each do |i|
# t = Time.now()
# puts "#{i} : #{t - t0} : #{apis[i%l].auth()[:payload]}"
test_api = apis[i%l]
assert_match("401", test_api.auth()[:payload]) # all (unless the valid is first 1 in 10 chance)
# t0 = t
end
# again with more time between calls -- there should be success (1st iteration)
# puts "delayed requests"
(0..(l*2)).each do |i|
# t = Time.now()
# puts "#{i} : #{t - t0} : #{apis[i%l].auth()[:payload]}"
test_api = apis[i%l]
if (test_api.is_pass?(BEEF_PASSWD))
assert(test_api.auth()[:payload]["success"]) # valid pass should succeed
else
assert_match("401", test_api.auth()[:payload])
end
sleep(0.5)
# t0 = t
end
apis.shuffle! # new order for next iteration
apis.reverse if (apis[0].is_pass?(BEEF_PASSWD)) # prevent the first from having valid passwd
end # multiple sets of auth attempts
end # test_auth_rate
end
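Review bot: Near the end of the outer loop, "apis.reverse if (apis[0].is_pass?(BEEF_PASSWD))" discards its result, because Array#reverse returns a new array; the comment says the intent is to keep the valid password out of first position, which needs apis.reverse!. Without it the first fast-loop assertion of the next pass can hit the valid client and make the test flaky, as the inline "1 in 10 chance" comment already hints. Also, the comment "valid passwd on 9th attempt" does not match the code, where the valid password is the tenth element, and require 'pry-byebug' should not be needed for the test to run.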


@@ -0,0 +1,49 @@
#
# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# less noisy verson of BeeRestAPI found in tools.
class BeefRestClient
def initialize proto, host, port, user, pass
@user = user
@pass = pass
@url = "#{proto}://#{host}:#{port}/api/"
@token = nil
end
def is_pass?(passwd)
@pass == passwd
end
def auth
begin
response = RestClient.post "#{@url}admin/login",
{ 'username' => "#{@user}",
'password' => "#{@pass}" }.to_json,
:content_type => :json,
:accept => :json
result = JSON.parse(response.body)
@token = result['token']
{:success => result['success'], :payload => result}
rescue => e
{:success => false, :payload => e.message }
end
end
def version
return {:success => false, :payload => 'no token'} if @token.nil?
begin
response = RestClient.get "#{@url}server/version", {:params => {:token => @token}}
result = JSON.parse(response.body)
{:success => result['success'], :payload => result}
rescue => e
print_error "Could not retrieve BeEF version: #{e.message}"
{:success => false, :payload => e.message}
end
end
end
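Review bot: The rescue branch of version calls print_error, which this file neither defines nor requires, so when the request fails outside the BeEF runtime the handler itself raises NameError instead of returning the failure hash. Use warn or drop the call, in line with the "less noisy" intent in the header comment. That header comment also has typos: "verson" and "BeeRestAPI".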


@@ -12,8 +12,8 @@ ATTACK_URL = "http://" + ATTACK_DOMAIN + ":3000/ui/panel"
VICTIM_URL = "http://" + VICTIM_DOMAIN + ":3000/demos/basic.html"
# Credentials
BEEF_USER = "beef"
BEEF_PASSWD = "test"
BEEF_USER = ENV["TEST_BEEF_USER"] || 'beef'
BEEF_PASSWD = ENV["TEST_BEEF_PASS"] || "beef"
# RESTful API root endpoints
RESTAPI_HOOKS = "http://" + ATTACK_DOMAIN + ":3000/api/hooks"
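Review bot: The fallback credentials here ('beef' / "beef") differ from the fallbacks in the Rakefile's beef_start task ('bad_fred' / 'bad_fred_no_access'), so the tests only line up with the server when they are launched through rake, which exports TEST_BEEF_USER and TEST_BEEF_PASS. A comment stating that dependency, or a single shared default, would save confusion when a test file is run directly. The change of the default password from "test" to "beef" is not explained, and the two lines mix quote styles.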


@@ -5,9 +5,9 @@
#
# @note Version check to ensure BeEF is running Ruby 2.0+
if RUBY_VERSION < '2.2'
if RUBY_VERSION < '2.3'
puts "\n"
puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version 2.2 or later."
puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version 2.3 or later."
puts "\n"
exit 1
end
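Review bot: The @note comment above the check still says "Ruby 2.0+" while the code and message now require 2.3; please update it with the rest of the hunk. As in the beef launcher, RUBY_VERSION < '2.3' is a string comparison, and Gem::Version would make it numeric.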


@@ -17,6 +17,7 @@ require './tc_debug_modules' # RESTful API tests (as well as debug modules)
require './tc_login' # Basic log in and log out tests
require './tc_proxy' # Basic tests for Proxy extension
require './tc_network_rest' # Basic tests for Network extension RESTful API interface
require '../api/1333_auth_rate' # API rate testing issue #1333'
# Experimental extensions
#require './tc_jools' # Basic tests for jools
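Review bot: The added require line's comment ends with a stray quote ("issue #1333'"). The new test file itself requires '../common/test_constants' with a path relative to the working directory, as this suite does with '../api/1333_auth_rate', so both only resolve when run from a sibling directory of common/; require_relative would make the suite independent of where it is started.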
@@ -34,6 +35,9 @@ class TS_BeefIntegrationTests
suite << TC_Proxy.suite
suite << TC_NetworkRest.suite
# issue raised
suite << TC_1333_auth_rate.suite
# Tests for experimental extensions
#suite << TC_SocialEngineeringRest.suite
#suite << TC_Jools.suite
@@ -45,4 +49,3 @@ class TS_BeefIntegrationTests
end
Test::Unit::UI::Console::TestRunner.run(TS_BeefIntegrationTests)