Certain browser details are considered as invalid
jme418 opened this issue · 20 comments
First Steps
BeEF Version: 0.5.4.0
Ruby Version: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
Browser Details (e.g. Chrome v81.0): Causing problems with all I've tried (FF - 115.8.0esr, O - 108.0.5067.29, C - 123.0.6312.86, 123.0.6312.58, 121.0.6167.178)
Operating System: Linux, Windows and Android
Configuration
- Have you made any changes to your BeEF configuration? Yes.
- Have you enabled or disabled any BeEF extensions? Yes, the Metasploit one, but I do not remember if any others; I've been using BeEF for a while.
Steps to Reproduce
I did the installation guided by this page: https://null-byte.wonderhowto.com/how-to/hack-web-browsers-with-beef-control-webcams-phish-for-credentials-more-0159961/
- I always start with this command sequence:
msfconsole
load msgrpc ServerHost=127.0.0.1 User=msf Pass=kali SSL=y
sudo netstat -tuln | grep LISTEN
sudo ./beef
and it's all looking great, with Metasploit exploits correctly loaded.
- Then I do the one for the ngrok tunnel and no problems here.
- It is now, when accessing an infected domain, that the issue mentioned in the title appears. I get this type of message:
[removed]
Something strange I can see is that the plugins one appears only when accessing via Android.
Thank you for bringing this to our attention.
The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?
You can also join our Discord for assistance with this issue. Here's the link: https://discord.gg/ugmKmHarKc
Well, the messages I want to get rid of are the ones with the following structure:
[!] Browser Details Invalid browser name/versions/plugins from the hook browser's initial connection.
And also, as a consequence of them, the one you mentioned:
browser: UNKNOWN -121.0.0.0
Thank you for pointing this out. We'll look into that bug.
Hi @jme418, I'm investigating this and will try to reproduce it. Are you still experiencing the issue?
I have reproduced the issue on Ubuntu 24.04.1 LTS (64-bit) with Firefox 130.0 (64-bit) and Chrome 129.0.6668.58 (Official Build) (64-bit) as the victim browser.
I've got the below regardless of whether Metasploit is integrated or not. The only condition needed for this is for the victim browser not to be in the 'hooked register', as it happens at the initial hooking stage. If the browser is hooked, then goes offline, then is hooked again, the issue does not happen.

When printing out @data['results'] during the hooking phase, I can see "browser.name"=>"UNKNOWN"
Investigating is_valid_browsername conditions in core>main>handlers>browserdetails.rb and core>filters>browser.rb
Also, looking at how the data is collected in core>main>client>browser.js
Added fix for version and renamed the PR.
Trying to reproduce the plugins issue.
Thanks for your help! I'm sorry I couldn't get back to you sooner to answer your questions, it's been a busy week for me. Let me know if you need anything.
All good, @jme418, as you can see I have the invalid name and version fix in the PR already. It's pending approval and merge.
I've also set up an Android VM for myself for the first time and managed to reproduce the invalid plugin issue on Chrome there.
[17:32:33][!] [Browser Details] Invalid browser plugins returned from the hook browser's initial connection.
I'm looking now how to fix it.
When printing out and comparing the plugin details with other browsers, it seems that the Android browser either doesn't have any or they get removed somewhere along the way. Investigating further.
[20:31:01][] BROWSER PLUGIN: []
[20:31:01][!] [Browser Details] Invalid browser plugins returned from the hook browser's initial connection.
[20:31:01][] New Hooked Browser [id:60, ip:xx, browser:C-75.0.3770.101, os:Android-], hooked domain [xx:3000]
[20:39:11][] BROWSER PLUGIN: PDF Viewer-v.undefined,Chrome PDF Viewer-v.undefined,Chromium PDF Viewer-v.undefined,Microsoft Edge PDF Viewer-v.undefined,WebKit built-in PDF-v.undefined
[20:39:11][] New Hooked Browser [id:61, ip:127.0.0.1, browser:FF-130.0, os:Linux-], hooked domain [localhost:3000]
[20:39:57][] BROWSER PLUGIN: PDF Viewer,Chrome PDF Viewer,Chromium PDF Viewer,Microsoft Edge PDF Viewer,WebKit built-in PDF
[20:39:57][] New Hooked Browser [id:62, ip:127.0.0.1, browser:O-114.0.0.0, os:Linux-], hooked domain [localhost:3000]
[20:40:11][] BROWSER PLUGIN: PDF Viewer,Chrome PDF Viewer,Chromium PDF Viewer,Microsoft Edge PDF Viewer,WebKit built-in PDF
[20:40:11][] New Hooked Browser [id:63, ip:127.0.0.1, browser:C-129.0.0.0, os:Linux-], hooked domain [localhost:3000]
It is probably empty. Browser details, such as name and plugins, are validated with filters (Core::Filter) which check for nil or empty values, hence the resulting error message.
According to my investigation, it appears that mobile browsers do not support plugins. I'll adjust the code in browserdetails.rb and browser.rb to account for this scenario.
I believe this is now resolved, waiting for merge.
@jme418 before I proceed to close the ticket, could you kindly confirm if the issue has been resolved and if the recent fix has been merged into the main branch?
Hi @stephenakq, the PR is currently addressing just the invalid version and plugins issues. Since we can't use userAgent to confirm browser name, I had to remove that part and couldn't find an alternative yet.
The PR is not merged yet, I'm waiting for that.
Added fix for FF browser name into the PR.
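The plugin validation discussed in this thread (filters that reject nil or empty values, and mobile browsers that report no plugins), sketched as an added example that is not BeEF's code or the PR's. All method names, the size limit and the assumption that an empty list arrives as `''` or `'[]'` are hypothetical; the sample strings follow the log lines quoted above.

```ruby
# Added example, not BeEF's implementation. All names are hypothetical.
MAX_PLUGIN_FIELD = 1000 # assumed upper bound for the whole field

# Shared content check: bounded length, printable ASCII only.
def printable_and_bounded?(str)
  str.length <= MAX_PLUGIN_FIELD && str.match?(/\A[\x20-\x7E]+\z/)
end

# Strict check: nil and empty are both rejected, so a browser that reports
# no plugins at all (the Android case in the thread) is flagged as invalid.
def strict_plugins_valid?(raw)
  raw.is_a?(String) && !raw.empty? && raw != '[]' && printable_and_bounded?(raw)
end

# Relaxed check: a missing field (nil) is still rejected, but an empty list
# is accepted as a legitimate answer. Non-empty content is still validated.
def relaxed_plugins_valid?(raw)
  return false unless raw.is_a?(String)
  return true if raw.empty? || raw == '[]'

  printable_and_bounded?(raw)
end

# Split "Name-v.VERSION,Name,..." into hashes. A version of "undefined"
# (as in the Firefox log line) is normalised to nil.
def parse_plugins(raw)
  return [] if raw.empty? || raw == '[]'

  raw.split(',').map do |entry|
    name, version = entry.strip.split('-v.', 2)
    { name: name, version: (version unless version.nil? || version == 'undefined') }
  end
end

# Constructed samples modelled on the log output quoted in the thread.
SAMPLES = {
  android_chrome: '[]',
  firefox: 'PDF Viewer-v.undefined,Chrome PDF Viewer-v.undefined',
  desktop_chrome: 'PDF Viewer,Chrome PDF Viewer,WebKit built-in PDF'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |browser, raw|
    puts "#{browser}: strict=#{strict_plugins_valid?(raw)} " \
         "relaxed=#{relaxed_plugins_valid?(raw)} plugins=#{parse_plugins(raw).length}"
  end
end
```

Keeping the nil case invalid while accepting an empty list preserves the filter's purpose: data from the hooked browser is untrusted, and a missing field is still distinguishable from a browser that has nothing to report.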