beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

BeEF not working for in WAN #1095

Closed ZehWusrtje closed 9 years ago

ZehWusrtje commented 9 years ago

Hello.

BeEF is not working correctly over WAN for me. I'm using it with a VPN. The VPN is working correctly, and canyouseeme tells me the port is open. Also! Double-clicking beef gives a crash; typing "ruby BeEF" makes it say "another process already running".


Config looks like this

    #
    # Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
    # Browser Exploitation Framework (BeEF) - http://beefproject.com
    # See the file 'doc/COPYING' for copying permission
    #
    # BeEF Configuration file

    beef:
        version: '0.4.4.9-alpha'
        # More verbose messages (server-side)
        debug: false
        # More verbose messages (client-side)
        client_debug: false
        restrictions:
            # subnet of browser ip addresses that can hook to the framework
            permitted_hooking_subnet: "0.0.0.0/0"
            # subnet of browser ip addresses that can connect to the UI
            # permitted_ui_subnet: "127.0.0.1/32"
            permitted_ui_subnet: "0.0.0.0/0"

        http:
            debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
            host: 10.4.xxx.xx < I guess this one is the internal adress."
            port: "3625 <same af the other one"
            # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
            # It's not advised to decrease it with tons of hooked browsers (more than 50),
            # because it might impact performance. Also, enable WebSockets is generally better.
            xhr_poll_timeout: 5000
            # if running behind a nat set the public ip address here
            #public: "178.248.xx.xxx I guess that's the public adress."
            #public_port: "3625<same " # port setting is experimental
            # DNS
            dns_host: "localhost"
            dns_port: 53
            web_ui_basepath: "/ui"
            hook_file: "/hook.js"
            hook_session_name: "BEEFHOOK"
            session_cookie_name: "BEEFSESSION"

            # Allow one or multiple domains to access the RESTful API using CORS
            # For multiple domains use: "http://browserhacker.com, http://domain2.com"
            restful_api:
                allow_cors: false
                cors_allowed_domains: "http://browserhacker.com"

            # Prefer WebSockets over XHR-polling when possible.
            websocket:
              enable: false
              secure: true # use 'WebSocketSecure' works only on HTTPS domains and with HTTPS support enabled in BeEF
              port: 61985 # WS: good success rate through proxies
              secure_port: 61986 # WSSecure
              ws_poll_timeout: 1000 # poll BeEF every second

            # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
            web_server_imitation:
                enable: true
                type: "apache" #supported: apache, iis

            # Experimental HTTPS support for the hook / admin / all other Thin managed web services
            https:

The result of running beef with the ruby command

    ruby beef
    [20:54:01][] Bind socket [imapeudora1] listening on [10.4.xxx.xx:2000].
    [20:54:01][] Browser Exploitation Framework (BeEF) 0.4.4.9-alpha
    [20:54:01] | Twit: @beefproject
    [20:54:01] | Site: http://beefproject.com
    [20:54:01] | Blog: http://blog.beefproject.com
    [20:54:01] | Wiki: https://github.com/beefproject/beef/wiki
    [20:54:01][] Project Creator: Wade Alcorn (@WadeAlcorn)
    [20:54:02][] BeEF is loading. Wait a few seconds...
    [20:54:08][] 10 extensions enabled.
    [20:54:08][] 196 modules enabled.
    [20:54:08][*] 1 network interfaces were detected.
    [20:54:08][+] running on network interface: 10.4.xxx.xx
    [20:54:08] | Hook URL: http://10.4.xxx.xx:3625/hook.js
    [20:54:08] | UI URL: http://10.4.xxx.xx:3625/ui/panel
    [20:54:08][] RESTful API key: 91b27b0ff33e0df0cfe43222
    [20:54:08][] HTTP Proxy: http://127.0.0.1:6789
    [20:54:08][*] BeEF server started (press control+c to stop)
    [20:54:08][!] Another process is already listening on port 3625.
    [20:54:08][!] Is BeEF already running? Exiting...

bcoles commented 9 years ago

Hi @ZehWusrtje

It looks like you're using an old version of BeEF. Try git pull if all else fails.

BeEF does not do any port forwarding by itself. Ensure that the WAN port is correctly forwarded to your BeEF server on 178.248.xx.xx.

In the config, you've got:

    # if running behind a nat set the public ip address here
    #public: "178.248.xx.xxx I guess that's the public adress."
    #public_port: "3625<same " # port setting is experimental

If you're using these values you'll need to un-comment them - ie, remove the # like so:

    # if running behind a nat set the public ip address here
    public: "178.248.xx.xx"
    public_port: "3625"

Regarding the error with double-clicking - what operating system are you using and what crash do you get?

Regarding the already running error, this means that something is already running on port 3625. You'll need to stop this process or configure BeEF to listen on a different port. You can check what's listening on port 3625:

ZehWusrtje commented 9 years ago

What a great read, thank you for your time. I'm running Kali Linux. I'll let you know how it went tonight!

ZehWusrtje commented 9 years ago

I removed the Host and Port, and opened the Public one. Now, it does not crash, starts up, but in the terminal it shows no Port, and therefore it's not working. (Oh and yes, I did change my IP compared to the last config/terminal I posted.)

Config file --------

    debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
    host: "192.96.xxx.xx"
    #port: "17148"
    # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
    # It's not advised to decrease it with tons of hooked browsers (more than 50),
    # because it might impact performance. Also, enable WebSockets is generally better.
    xhr_poll_timeout: 5000
    # if running behind a nat set the public ip address here
    public: "192.96.xxx.xx"
    public_port: "17148" # port setting is experimental
    # DNS
    dns_host: "localhost"
    dns_port: 53
    web_ui_basepath: "/ui"
    hook_file: "/hook.js"
    hook_session_name: "BEEFHOOK"
    session_cookie_name: "BEEFSESSION"

Terminal --------

    [10:01:35][] Bind socket [imapeudora1] listening on [:2000].
    [10:01:35][] Browser Exploitation Framework (BeEF) 0.4.4.9-alpha
    [10:01:35] | Twit: @beefproject
    [10:01:35] | Site: http://beefproject.com
    [10:01:35] | Blog: http://blog.beefproject.com
    [10:01:35] | Wiki: https://github.com/beefproject/beef/wiki
    [10:01:35][] Project Creator: Wade Alcorn (@WadeAlcorn)
    [10:01:35][] BeEF is loading. Wait a few seconds...
    [10:01:42][] 10 extensions enabled.
    [10:01:42][] 196 modules enabled.
    [10:01:42][*] 1 network interfaces were detected.
    [10:01:42][+] running on network interface: 192.96.xxx.xx
    [10:01:42] | Hook URL: http://192.96.xxx.xx:/hook.js
    [10:01:42] | UI URL: http://192.96.xxx.xx:/ui/panel
    [10:01:42][] RESTful API key: 1fe8062b8428165611e41cc0d069f6c5dde4fc1c
    [10:01:42][] HTTP Proxy: http://127.0.0.1:6789
    [10:01:42][*] BeEF server started (press control+c to stop)

Thank you again for taking your time to help me.

antisnatchor commented 9 years ago

Can you clarify what you mean by "using it with a VPN"?

The public/public_port settings do work perfectly for me in NAT situations, or more complex setups like Apache mod_proxy with multiple BeEF instances behind on Amazon EC2.

Also, if you use these settings, you should still leave host/port setup. For example my setups are usually: host = 127.0.0.1, port = 8080, public= www.example.com, public_port = 80. This works great if you then use Apache mod_proxy to redirect traffic to BeEF listening on loopback only.

Hope it helps.
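
The host/port versus public/public_port point from the comment above, as an added example that is not part of the original thread or of BeEF's own code: a Ruby check that reads a `config.yaml` and reports a missing listener setting, a port value that is not a number, and an admin UI subnet left open to every address. The function name `audit_beef_config` and the sample config (documentation-range address) are constructed for illustration; the keys are the ones shown in the configs posted here.

```ruby
require 'yaml'
require 'ipaddr'

# Constructed sample mirroring the second config posted in this thread:
# "port" is commented out and the admin UI accepts any source address.
SAMPLE = <<~YAML
  beef:
    restrictions:
      permitted_hooking_subnet: "0.0.0.0/0"
      permitted_ui_subnet: "0.0.0.0/0"
    http:
      host: "192.0.2.10"
      #port: "17148"
      public: "192.0.2.10"
      public_port: "17148"
YAML

# Hypothetical helper: returns a list of findings for a config given as text.
def audit_beef_config(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  http = cfg.dig('beef', 'http') || {}
  restrictions = cfg.dig('beef', 'restrictions') || {}
  findings = []

  # Per the thread, host/port stay set even when public/public_port are used.
  %w[host port].each do |key|
    findings << "http.#{key} is missing" if http[key].to_s.strip.empty?
  end

  # A port must be a bare number; notes pasted inside the value break it.
  %w[port public_port].each do |key|
    next if http[key].nil?
    n = Integer(http[key].to_s, 10, exception: false)
    ok = n && (1..65_535).cover?(n)
    findings << "http.#{key} is not a TCP port: #{http[key].inspect}" unless ok
  end

  # A /0 prefix lets every address reach the admin panel.
  ui = restrictions['permitted_ui_subnet'].to_s
  begin
    if !ui.empty? && IPAddr.new(ui).prefix.zero?
      findings << 'permitted_ui_subnet exposes the admin UI to every address'
    end
  rescue IPAddr::Error
    findings << "permitted_ui_subnet is not a valid subnet: #{ui.inspect}"
  end
  findings
end

puts audit_beef_config(SAMPLE) if $PROGRAM_NAME == __FILE__
```

On the sample it reports the missing `port` (the cause of the empty port in the Hook URL printed earlier in the thread) and the open UI subnet.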

ZehWusrtje commented 9 years ago

Hello antisnatchor, Thank you for your time!

By "using it with a VPN" I mean to say that I use my Kali Linux with OpenVPN using a paid VPN server. The VPN server looks like this:

    Protocol: TCP & UDP
    Local port: 17148
    DDNS:
    Connected to server: United States xxxx
    Mapped to public IP: 207.244.xx.xxx
    Forwarded to: 10.5.xx.xx
    Since: 12m 17s ago

I now updated the config as you said. But it does not work and makes /panel/ unreachable even when the server is running.

Config ----------

    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "127.0.0.1"
        port: "17148"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        public: "10.5.xx.xx"  << - both internal and public ip do the same thing. <<---
        public_port: "17148" # port setting is experimental
        # DNS
        dns_host: "localhost"

Terminal -----

    [15:12:06][] Bind socket [imapeudora1] listening on [127.0.0.1:2000].
    [15:12:06][] Browser Exploitation Framework (BeEF) 0.4.4.9-alpha
    [15:12:06] | Twit: @beefproject
    [15:12:06] | Site: http://beefproject.com
    [15:12:06] | Blog: http://blog.beefproject.com
    [15:12:06] | Wiki: https://github.com/beefproject/beef/wiki
    [15:12:06][] Project Creator: Wade Alcorn (@WadeAlcorn)
    [15:12:07][] BeEF is loading. Wait a few seconds...
    [15:12:13][] 10 extensions enabled.
    [15:12:13][] 196 modules enabled.
    [15:12:13][*] 1 network interfaces were detected.
    [15:12:13][+] running on network interface: 10.5.xx.xxx
    [15:12:13] | Hook URL: http://10.5.xx.xxx:17148/hook.js
    [15:12:13] | UI URL: http://10.5.xx.xxx:17148/ui/panel
    [15:12:13][] RESTful API key: 1e1c295ace1be2e36da122b2771f1257e10720be
    [15:12:13][] HTTP Proxy: http://127.0.0.1:6789
    [15:12:13][*] BeEF server started (press control+c to stop)

Result------

Page not even loading :(

ZehWusrtje commented 9 years ago

I was testing every single command/option/whatever/port/ip and found this!

Could this be breaking BeEF? I see terms like Connection. As far as I know, I've updated every Ruby etc. dependency.

    /usr/lib/ruby/vendor_ruby/dm-do-adapter/adapter.rb:114:in `execute_non_query': disk I/O error (DataObjects::ConnectionError)
        from /usr/lib/ruby/vendor_ruby/dm-do-adapter/adapter.rb:114:in `block (2 levels) in create'
        from /usr/lib/ruby/vendor_ruby/dm-do-adapter/adapter.rb:276:in `with_connection'
        from /usr/lib/ruby/vendor_ruby/dm-do-adapter/adapter.rb:113:in `block in create'
        from /usr/lib/ruby/vendor_ruby/dm-do-adapter/adapter.rb:85:in `each'
        from /usr/lib/ruby/vendor_ruby/dm-do-adapter/adapter.rb:85:in `create'
        from /usr/lib/ruby/vendor_ruby/dm-core/repository.rb:146:in `create'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource/persistence_state/transient.rb:74:in `create_resource'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource/persistence_state/transient.rb:25:in `commit'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:963:in `_persist'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:977:in `block in create_with_hooks'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:974:in `catch'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:974:in `create_with_hooks'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:1028:in `save_self'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:1013:in `block in _save'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:1229:in `run_once'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:1012:in `_save'
        from /usr/lib/ruby/vendor_ruby/dm-core/resource.rb:412:in `save'
        from /usr/share/beef-xss/core/main/migration.rb:33:in `block in update_commands!'
        from /usr/share/beef-xss/core/main/migration.rb:32:in `each'
        from /usr/share/beef-xss/core/main/migration.rb:32:in `update_commands!'
        from /usr/share/beef-xss/core/main/migration.rb:19:in `update_db!'

antisnatchor commented 9 years ago

That disk I/O error is something related to your VPS, I can't help with that. Also, why are you using a VPN?

I suggest doing the following:

    ssh -f -o "ServerAliveInterval 180" your_ssh_user@your_vps_ip -L 3000:your_vps_ip:3000 -N

Then configure Firefox on your local machine to use 127.0.0.1:3000 as a SOCKS5 proxy, and then connect to http://your_vps_ip:3000/ui/panel.

ZehWusrtje commented 9 years ago

Good Morning Antisnatchor,

Interesting, so the next step for me is to go back to the VPN provider and ask for cash back. Haha. The reason I use a VPN is because I want to test our services on XSS exploitation from outer networks. We want to make it as realistic as possible. I can't use my own IP, because that would literally trace it back to my own PC. So that's why I used a VPN. But what you are basically saying is that I need a virtual private server instead of a network. But is that even 100% anonymous?

antisnatchor commented 9 years ago

You need a VPS, for some degree of anonymity you should buy it via BitCoin for example, then connect to it via VPN+Tor (see Grugq presentations).

Btw, if you do anything illegal with BeEF, it's up to you ;-) Me and the rest of the BeEF team don't support (and don't help) such things ;-)

Aniruddh9 commented 9 years ago

Hi. When I try to connect to the BeEF UI panel, an "Unable to connect" error message is displayed. Please help.

horllste commented 7 years ago

Hello antisnatchor, I connect to my VPS through SSH as you said, configure my browser and use my VPS IP as the URL, but somehow it's not working. I am getting the error below on the terminal I run the ssh on:

    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 1: open failed: connect failed: Connection refused
    channel 2: open failed: connect failed: Connection refused
    channel 3: open failed: connect failed: Connection refused

Comancheroo commented 7 years ago

Dear antisnatchor,

I want to set up port 80. I'm using an Ubuntu VPS. My VPS has an SSL domain and Plesk panel. How can I use Apache mod_proxy to redirect traffic to BeEF? Would you please share the .conf file?

Thanks.