Network Discovery
With JavaScript hacks, it is possible to launch network attacks through a hooked browser.
- Get Internal IP Addresses
- Identify LAN Subnets
- Get HTTP Servers
- Ping Sweep
- Cross-Origin Scanner (CORS)
- Cross-Origin Scanner (Flash)
- DNS Enumeration
- Port Scanning
- Network Fingerprinting
- Remote CSRFs
- IRC NAT Pinning
- Admin UI
- RESTful API
Two modules exist to retrieve the IP addresses in use by the zombie browser's host system.
From these IP addresses it becomes possible to imagine the internal network addressing plan and more effectively utilise other BeEF modules.
- The Get Internal IP (WebRTC) module for Firefox and Chrome uses WebRTC to retrieve the IP address for each network interface.
- The Get Internal IP Address (Java) module uses a Java applet to retrieve the IP address. Since Java introduced click-to-play the user must allow the unsigned Java applet to run.
- Note that modern Java (as of Java 7u51) will outright refuse to execute unsigned Java applets, and will also reject self-signed Java applets unless they're added to the exception list.
The Identify LAN Subnets module uses time-based XHR to determine whether any commonly used LAN IP addresses are in use on the zombie's local area network(s).
From these IP addresses, it becomes possible to imagine the internal addressing plan and more effectively utilise other BeEF modules.
This module works only with Firefox and Chrome.
The Get HTTP Servers module loads favicon images from predictable paths (/favicon.ico, /favicon.png, /images/favicon.ico, /images/favicon.png) on specified IP address(es) to detect web servers on the zombie's local area network(s).
From these IP addresses, it becomes possible to imagine the internal addressing plan and more effectively utilise other BeEF modules.
This module should be invisible to the user in Internet Explorer and Safari, however with other browsers the user may notice if any of the scanned hosts pop a 401 Authentication Required prompt.
Then it is possible to launch ping request and identify alive hosts on the network. These modules exist in three versions:
-
The Ping Sweep module uses time-based JavaScript XHR requests to identify live hosts. This module works only in Firefox.
-
The Ping Sweep (FF) module uses the Java API directly to send requests and time the response. This module works only in Firefox with Java installed.
-
The Ping Sweep (Java) module loads an unsigned Java applet. Since Java introduced click-to-play the user must allow the unsigned Java applet to run.
- Note that modern Java (as of Java 7u51) will outright refuse to execute unsigned Java applets, and will also reject self-signed Java applets unless they're added to the exception list.
The Cross-Origin Scanner (CORS) module sends CORS requests to a specified IP range and returns the IP address, port, HTTP status code, page title and page contents for each web server identified with a permissive CORS policy.
This module should work on all modern browsers which support CORS.
The Cross-Origin Scanner (Flash) module sends requests to a specified IP range using Flash and returns the IP address, port, page title and page contents for each web server identified with a permissive flash cross-origin policy.
This module works only in Firefox and Chrome with Flash installed.
By playing with timers, it is possible to detect whether a given hostname exists or not with Firefox and Chrome:
- In the first case, the request will take longer as the DNS resolution will be done and then the TCP connection will start (and probably fail).
- In the second case, the DNS request will return an error quickly, thus the browser is able to detect that there is no such DNS entry.
See the corresponding BeEF module.
Now that we know the IP address of the hooked system and several hostnames, it would be interesting to launch port scanning. Several security researchers have found that it is possible to use the same timing hack to scan ports by loading images into the browser with Firefox and Chrome.
This attack was included in the Port Scanner module.
The Network Fingerprinting module uses the URL of default images to fingerprint the devices used on the network.
It embeds a list of default pictures for Web servers (Apache, IIS) and network devices (Linksys NAS, printers, etc) and checks to see if any of the pictures listed are available.
This module should work in all browsers.
Note that the user may notice if any of the scanned hosts pop a 401 Authentication Required prompt.
CSRF is still a vulnerability seldom taken into account by developers, especially considering how serious of an impact can be made via it's exploitation.
BeEF includes a lot of CSRF modules, especially targeting personal routes (Linksys, Dlink, etc). We just detected one of those routers when fingerprinting the network during the previous step.
Most CSRF attacks allow for modifying the admin password, however there are several that can be used to gain a reverse shell or open external ports on the box.
You can see the list of CSRF modules in the module page.
By simulating IRC communication from the browser, it is possible to deceive the user's firewall into opening TCP ports.
This hack is called NAT Pinning and it is included in the BeEF IRC NAT Pinning module.
You can find more information and example on the BeEF's blog.
The Network Map, available under the Network -> Map tab in Admin UI, presents a dynamic map of the zombie browser's local network(s). Identified network hosts are added to the map automatically.
The Network Map makes use of HTML5 canvas which allows you to save the map as an image.
- C: Chrome
- FF: Firefox
- S: Safari
- IE: Internet Explorer
Right-clicking anywhere in the Network -> Hosts grid provides a context menu which provides options for host discovery.
The first two menu items (for Chrome and Firefox) attempt to detect the local network IP address ranges:
- Get Internal IP (WebRTC) (C, FF)
- Identify LAN Subnets (C, FF)
The remaining options perform host discovery on a user-specified IP address range or a predefined list of commonly used LAN IP addresses:
- Discover Routers (S, FF)
- Discover Web Servers (ALL)
- Fingerprint HTTP (C, FF, IE, S)
- Cross-Origin CORS Scan (IE10+, C, FF, S)
- Cross-Origin Flash Scan (C, FF)
Identified network hosts are available in the Network -> Hosts panel.
Right-clicking a network host allows you to perform various actions on the host or all hosts in its local subnet, such as:
- Scan for HTTP servers (ALL)
- Fingerprint HTTP servers (C, FF, IE, S)
- Cross-Origin scan for CORS enabled HTTP servers (IE10+, C, FF, S)
- Cross-Origin scan for Flash cross-origin enabled HTTP servers (C, FF)
- Scan for open TCP ports (C, FF)
Identified network services are available in the Network -> Services panel.
Right-clicking a network service allows you to perform various actions, such as:
- Fingerprint HTTP servers
- Cross-Origin scan host for CORS enabled HTTP servers
- Cross-Origin scan host for Flash cross-origin enabled HTTP servers
- Scan for remote file inclusion (reverse shell)
- Scan for known vulnerable Shell Shock CGIs (reverse shell)
The Network Extension RESTful API allows retrieval of the identified network hosts and services.
# Returns the entire list of network hosts for all zombies
curl http://127.0.0.1:3000/api/network/hosts?token=[token]
# Returns the entire list of network services for all zombies
curl http://127.0.0.1:3000/api/network/services?token=[token]
# Returns all hosts given a specific hooked browser id
curl http://127.0.0.1:3000/api/network/hosts/[id]?token=[token]
# Returns all services given a specific hooked browser id
curl http://127.0.0.1:3000/api/network/services/[id]?token=[token]
# Returns a specific network host given its id
curl http://127.0.0.1:3000/api/network/host/[id]?token=[token]
# Returns a specific network service given its id
curl http://127.0.0.1:3000/api/network/service/[id]?token=[token]