beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

Certain browser details are considered as invalid #3051

Open jme418 opened 7 months ago

jme418 commented 7 months ago

First Steps

BeEF Version: 0.5.4.0

Ruby Version: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]

Browser Details (e.g. Chrome v81.0): Causing problems with all I've tried (FF - 115.8.0esr, O - 108.0.5067.29, C - 123.0.6312.86, 123.0.6312.58, 121.0.6167.178)

Operating System: Linux, Windows and Android

Configuration

  1. Have you made any changes to your BeEF configuration? Yes.
  2. Have you enabled or disabled any BeEF extensions? Yes, the Metasploit one, but I do not remember if any others; I've been using BeEF for a while.

Steps to Reproduce

I did the installation guided by this page: https://null-byte.wonderhowto.com/how-to/hack-web-browsers-with-beef-control-webcams-phish-for-credentials-more-0159961/

  1. I always start with this command sequence:

         msfconsole
         load msgrpc ServerHost=127.0.0.1 User=msf Pass=kali SSL=y
         sudo netstat -tuln | grep LISTEN
         sudo ./beef

     and it's all looking great, with Metasploit exploits correctly loaded.

  2. Then I do the one for the ngrok tunnel and no problems here.
  3. It is now, when accessing an infected domain, that the issue mentioned in the title appears. I get these types of messages:

[removed]

Something strange I can see is that the plugins one appears only when accessing via Android.

stephenakq commented 7 months ago

Thank you for bringing this to our attention.

The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?

stephenakq commented 7 months ago

You can also join our Discord for assistance with this issue. Here's the link: https://discord.gg/ugmKmHarKc

jme418 commented 7 months ago

> Thank you for bringing this to our attention.
>
> The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?

Well, the messages I want to get rid of are the ones with the following structure:

[!] Browser Details Invalid browser name/versions/plugins from the hook browser's initial connection.

And also, as a consequence of them, the one you mentioned:

browser: UNKNOWN -121.0.0.0

stephenakq commented 7 months ago

Thank you for pointing this out. We'll look into that bug.

zinduolis commented 2 months ago

Hi @jme418, I'm investigating this and will try to reproduce it. Are you still experiencing the issue?

zinduolis commented 2 months ago

I have reproduced the issue on Ubuntu 24.04.1 LTS (64-bit) with Firefox 130.0 (64-bit) and Chrome 129.0.6668.58 (Official Build) (64-bit) as the victim browser.

I've got the below regardless of whether Metasploit is integrated or not. The only condition needed for this is for the victim browser not to be in the 'hooked register', as it happens at the initial hooking stage. If the browser is hooked, then goes offline, then is hooked again, the issue does not happen.

Screenshot 2024-09-20 at 6 52 31 pm

When printing out @data['results'] during the hooking phase, I can see "browser.name"=>"UNKNOWN"

zinduolis commented 2 months ago

Investigating is_valid_browsername conditions in core>main>handlers>browserdetails.rb and core>filters>browser.rb

Also, looking at how the data is collected in core>main>client>browser.js

zinduolis commented 1 month ago

Added fix for version and renamed the PR.

zinduolis commented 1 month ago

Trying to reproduce the plugins issue.

jme418 commented 1 month ago

@zinduolis

Thanks for your help! I'm sorry I couldn't get back to you sooner to answer your questions, it's been a busy week for me. Let me know if you need anything.

zinduolis commented 1 month ago

All good, @jme418, as you can see I have the invalid name and version fix in the PR already. It's pending approval and merge.

I've also set myself up an Android VM for the first time and managed to reproduce the invalid plugin issue on Chrome there.

[17:32:33][!] [Browser Details] Invalid browser plugins returned from the hook browser's initial connection.

I'm now looking at how to fix it.

zinduolis commented 1 month ago

When printing out and comparing the plugin details with other browsers, it seems that the Android browser either doesn't have any or they get removed somewhere on the way. Investigating further.

    [20:31:01][] BROWSER PLUGIN: []
    [20:31:01][!] [Browser Details] Invalid browser plugins returned from the hook browser's initial connection.
    [20:31:01][] New Hooked Browser [id:60, ip:xx, browser:C-75.0.3770.101, os:Android-], hooked domain [xx:3000]
    [20:39:11][] BROWSER PLUGIN: PDF Viewer-v.undefined,Chrome PDF Viewer-v.undefined,Chromium PDF Viewer-v.undefined,Microsoft Edge PDF Viewer-v.undefined,WebKit built-in PDF-v.undefined
    [20:39:11][] New Hooked Browser [id:61, ip:127.0.0.1, browser:FF-130.0, os:Linux-], hooked domain [localhost:3000]
    [20:39:57][] BROWSER PLUGIN: PDF Viewer,Chrome PDF Viewer,Chromium PDF Viewer,Microsoft Edge PDF Viewer,WebKit built-in PDF
    [20:39:57][] New Hooked Browser [id:62, ip:127.0.0.1, browser:O-114.0.0.0, os:Linux-], hooked domain [localhost:3000]
    [20:40:11][] BROWSER PLUGIN: PDF Viewer,Chrome PDF Viewer,Chromium PDF Viewer,Microsoft Edge PDF Viewer,WebKit built-in PDF
    [20:40:11][] New Hooked Browser [id:63, ip:127.0.0.1, browser:C-129.0.0.0, os:Linux-], hooked domain [localhost:3000]

bcoles commented 1 month ago

> When printing out and comparing the plugin details with other browsers, it seems that the Android browser either doesn't have any or they get removed somewhere on the way. Investigating further.

It is probably empty. Browser details, such as name and plugins, are validated with filters (Core::Filter) which check for nil or empty values, hence the resulting error message.

zinduolis commented 1 month ago

According to my investigation, it appears that mobile browsers do not support plugins. I'll adjust the code in browserdetails.rb and browser.rb to account for this scenario.
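The validation behaviour discussed in the two comments above, as an added example that is not part of the thread and not BeEF's own code: a strict non-empty check for the browser name, and a plugins check that accepts an empty report (as from a mobile browser) while still rejecting values that could corrupt console output. The module, method names, length cap and sample reports are assumptions constructed for illustration.

```ruby
# Added illustration: hypothetical names, not BeEF's Core::Filter API.
module DetailCheck
  MAX_LEN   = 1000                    # assumed cap on any client-reported field
  PRINTABLE = /\A[[:print:]]+\z/      # no CR/LF or other control characters

  # Strict rule from the thread: nil or empty values are rejected.
  def self.non_empty_printable?(value)
    value.is_a?(String) && !value.empty? &&
      value.length <= MAX_LEN && value.match?(PRINTABLE)
  end

  # Plugins: "none reported" is a legitimate answer (mobile browsers), so only
  # a non-empty value has to pass the strict rule.
  def self.plugins_ok?(value)
    return true if value.nil? || value == '' || value == []
    value = value.join(',') if value.is_a?(Array)
    non_empty_printable?(value)
  end

  # Names of the fields in one report that fail validation.
  def self.invalid_fields(details)
    bad = []
    bad << 'browser.name' unless non_empty_printable?(details['browser.name'])
    bad << 'browser.plugins' unless plugins_ok?(details['browser.plugins'])
    bad
  end

  # Maps each sample name to the list of its invalid fields.
  def self.report(samples)
    samples.transform_values { |details| invalid_fields(details) }
  end
end

# Constructed sample reports, modelled on the log lines quoted in the thread.
SAMPLES = {
  android_chrome: { 'browser.name' => 'C', 'browser.plugins' => [] },
  linux_firefox:  { 'browser.name' => 'FF',
                    'browser.plugins' => 'PDF Viewer-v.undefined,Chrome PDF Viewer-v.undefined' },
  empty_name:     { 'browser.name' => '', 'browser.plugins' => nil },
  control_chars:  { 'browser.name' => 'C',
                    'browser.plugins' => "PDF Viewer\r\n[!] forged console line" }
}.freeze

DetailCheck.report(SAMPLES).each { |name, bad| puts "#{name}: #{bad.empty? ? 'ok' : bad.join(', ')}" }
```

The last sample shows why relaxing the empty check should not relax the character check: these fields come from the client and are echoed into the server console.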

zinduolis commented 1 month ago

I believe this is now resolved, waiting for merge.

stephenakq commented 1 month ago

@jme418 before I proceed to close the ticket, could you kindly confirm if the issue has been resolved and if the recent fix has been merged into the main branch?

zinduolis commented 1 month ago

Hi @stephenakq, the PR is currently addressing just the invalid version and plugins issues. Since we can't use userAgent to confirm browser name, I had to remove that part and couldn't find an alternative yet.

The PR is not merged yet, I'm waiting for that.

zinduolis commented 1 month ago

Added fix for FF browser name into the PR.

zinduolis commented 1 month ago

https://github.com/beefproject/beef/pull/3149 has all the fixes, waiting for it to be merged.

zinduolis commented 2 weeks ago

Hi @jme418, could you please confirm your issue is now resolved? Thanks