beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

beef behind mod_proxy #1157

Closed mcjon3z closed 9 years ago

mcjon3z commented 9 years ago

I have a beef server which is behind a separate apache server running mod_proxy which is internet facing. At one point this configuration was working, however I can no longer get a session across the proxy. You can browse the landing page (and hook test pages) through the proxy, however there is no hook traffic when a victim clicks on the hook page.

If I run a tcpdump on the proxy server, I see connection traffic flowing on both the ui pages and the hook, however it looks like the ui pages are using the proxy port but the hook is using the default 3000 port:

UI page entry: IP 172.xxx.xxx.xxx.58114 > 172.xxx.xxx.xxx.http

Hook entry: IP 172.xxx.xxx.xxx.58114 > 172.xxx.xxx.xxx.3000

Applicable portions of the configurations:

```yaml
#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.4.6.1-alpha'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"

    # HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"

        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        #  when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        #  when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000

        # Reverse Proxy / NAT
        # If BeEF is running behind a reverse proxy or NAT
        #  set the public hostname and port here
        public: "beef.mydomain.com"      # public hostname/IP address
        public_port: "80" # experimental

        # DNS
        dns_host: "localhost"
        dns_port: 53

        # Web Admin user interface URI
        web_ui_basepath: "/ui"

        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"

        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 1000 # poll BeEF every second

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page

        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        # For information on using other databases please read the
        # README.databases file

        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"

        # db_file is only used for sqlite
        db_file: "db/beef.db"

        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "mysupersecretpasswordblahblahblah"

    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to TRUE if you want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true

    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false

    # IP Geolocation
    # NOTE: requires MaxMind database:
    #   curl -O http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    #   gunzip GeoLiteCity.dat.gz && mkdir /opt/GeoIP && mv GeoLiteCity.dat /opt/GeoIP
    geoip:
        enable: false
        database: '/opt/GeoIP/GeoLiteCity.dat'

    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false

    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
            key: "beef_key.pem"
            cert: "beef_cert.pem"
        metasploit:
            enable: false
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
             shell:
                enable: false
        ipec:
            enable: true
        # this is still experimental, we're working on it..
        dns:
            enable: true
```

```apache
ServerName beef.mydomain.com
ProxyPass / http://172.xxx.xxx.xxx:3000/
ProxyPassReverse / http://172.xxx.xxx.xxx:3000/
ProxyPreserveHost On
<Location />
  Order allow,deny
  Allow from all
</Location>
```

mcjon3z commented 9 years ago

I managed to figure it out, at least partially. The box I am running it on is Kali, and I was launching beef using the beef-xss script in /usr/bin instead of directly launching beef. That script launches beef using the init.d script.

In Kali, if I start beef using /usr/bin/beef-xss or "service beef-xss start", then beef does not work properly behind the proxy. If started directly from /usr/share/beef, then it works just fine.

antisnatchor commented 9 years ago

Thanks, I have used BeEF behind mod_proxy for years and have never experienced any issues.

tieumap commented 1 year ago

Where do I configure the Apache location, sir?