# # Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net # Browser Exploitation Framework (BeEF) - http://beefproject.com # See the file 'doc/COPYING' for copying permission # require 'test/unit' require 'rest_client' require 'json' require '../common/test_constants' # @todo RESTful API for the social engineering extension lacks some serious test coverage. class TC_SocialEngineeringRest < Test::Unit::TestCase class << self # Login to API before performing any tests def startup json = {:username => BEEF_USER, :password => BEEF_PASSWD}.to_json @@headers = {:content_type => :json, :accept => :json} response = RestClient.post("#{RESTAPI_ADMIN}/login", json, @@headers) result = JSON.parse(response.body) @@token = result['token'] $root_dir = '../../' $:.unshift($root_dir) require 'core/loader' BeEF::Core::Configuration.new(File.join($root_dir, 'config.yaml')) BeEF::Core::Configuration.instance.load_extensions_config @@config = BeEF::Core::Configuration.instance end def shutdown $root_dir = nil end end # Tests DNS spoofing of cloned webpages def test_1_dns_spoof url = 'http://beefproject.com' mount = '/beefproject' dns_spoof = true json = {:url => url, :mount => mount, :dns_spoof => dns_spoof}.to_json response = RestClient.post("#{RESTAPI_SENG}/clone_page?token=#{@@token}", json, @@headers) check_response(response) ip = Socket.ip_address_list.detect { |i| !(i.ipv4_loopback? || i.ipv6_loopback?) } domain = url.gsub(%r{^http://}, '') regex = %r{ ^#{domain}\.\t+ \d+\t+ IN\t+ A\t+ #{ip.ip_address}$ }x # Send DNS request to server to verify that a new rule was added dns_address = @@config.get('beef.extension.dns.address') dns_port = @@config.get('beef.extension.dns.port') dig_output = `dig @#{dns_address} -p #{dns_port} -t A #{domain}` assert_match(regex, dig_output) end private # Assertions for verifying a response from the RESTful API def check_response(response) assert_not_nil(response.body) assert_equal(200, response.code) result = JSON.parse(response.body) assert(result['success']) assert(result['mount']) end end