
Bug: Core - 1785 Fixed public hook url configuration settings #2163

Merged
merged 70 commits into from
Sep 12, 2021

Conversation

wheatley

@wheatley wheatley commented Sep 8, 2021

Category

Bug: Core

Feature/Issue Description

As mentioned in #1785 there is currently a bug that prevents BeEF from hooking browsers when the BeEF hook (public) URL is different from the BeEF host (local) URL (i.e., behind a reverse proxy, when used via services such as ngrok, or when using port forwarding from a border gateway).

To resolve this issue the PR completely decouples the local host settings from the public settings.
This means that if a user sets anything in the public section within the configuration:

        # If BeEF is running behind a reverse proxy or NAT
        #  set the public hostname and port here & protocol
        public:
            host: "example.com"
            port: "3000"
            https: true # or false

It will automatically use these values when referencing the hook (public) URL.
These values can be seen in the Configuration object used through the application.

Beef Host

    #
    # Returns the beef host which is used by external resources
    # e.g. hooked browsers
    def beef_host
      public_host || local_host
    end

Beef Port

    #
    # Returns the beef port which is used by external resource
    # e.g. hooked browsers
    def beef_port
      public_port || local_port
    end

Beef protocol (http/https)

    #
    # Returns the beef protocol that is used by external resources
    # e.g. hooked browsers
    def beef_proto
      if public_enabled? && public_https_enabled? then
        return 'https'
      elsif public_enabled? && !public_https_enabled?
        return 'http'
      elsif !public_enabled?
        return local_proto
      end
    end

A contributor can now use some new configuration values that will reference the full hooking URL:

      # Returns the url to the hook file
       #
       # @return [String] the url string
       def hook_url
         "#{beef_url_str}#{hook_file_path}"
       end

These new configuration getters can be used throughout the code base, reducing the code repetition found throughout the code base.

     @configuration = BeEF::Core::Configuration.instance
     beef_proto = @configuration.get("beef.http.https.enable") == true ? "https" : "http";
     beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
     beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
     beef_hook = @configuration.get("beef.http.hook_file")
     hook_url = "#{beef_proto}://#{beef_host}:#{beef_port}/#{beef_hook}"

Can now simply be the following

    @config.hook_url

The most common issue that would be raised due to this bug was when a user was trying to implement ngrok.
Ngrok would use the https protocol, and if the user did not set up the beef local host using https it would cause mixed content errors, preventing browser hooking.

With the new configuration items, the user can now have an https proxy that redirects to an http local host. Please see the new setup instructions for ngrok here

Test Cases

Tests have been developed in the specs area: spec/beef/core/main/configuration_spec.rb
These will need to be improved as they set and retrieve within the scope.
They should in theory only read config files that have been pre-populated with the testing scenarios.

Wiki Page

https://github.com/beefproject/beef/wiki/Configuration#web-server-configuration has been updated below
https://github.com/beefproject/beef/wiki/FAQ#how-do-i-configure-beef-with-ngrok
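
The ngrok failure mode described in this PR, as an added example that is not BeEF's own code: a stand-alone Ruby model of the decoupled getters, comparing the scheme taken from the local listener (the old snippet) with the scheme taken from the `public` section. `HookUrlModel`, `NGROK_CONF`, the meaning given to `public_enabled?` and the way the URL string is assembled are assumptions for illustration.

```ruby
require 'yaml'
# Constructed sample: ngrok terminates TLS, BeEF listens on plain HTTP locally.
NGROK_CONF = <<~CONF
  http:
    host: "localhost"
    port: "3000"
    https: { enable: false }
    public: { host: "your-id.ngrok.io", port: "443", https: true }
    hook_file: "/hook.js"
CONF

# Hypothetical stand-in for the getters described above; not BeEF's own class.
class HookUrlModel
  def initialize(yaml_text)
    @http = YAML.safe_load(yaml_text).fetch('http')
    @pub  = @http['public'] || {}
  end

  # Assumption: "public enabled" means a non-empty public host is configured.
  def public_enabled?
    !@pub['host'].to_s.empty?
  end

  def beef_host
    public_enabled? ? @pub['host'] : @http.fetch('host', '0.0.0.0')
  end
  def beef_port
    (@pub['port'] || @http.fetch('port', '3000')).to_s
  end

  # Pre-PR behaviour: the scheme follows the local listener's https setting.
  def local_proto
    @http.dig('https', 'enable') == true ? 'https' : 'http'
  end

  # Post-PR behaviour: once a public host is set, its https flag decides.
  def beef_proto
    return local_proto unless public_enabled?
    @pub['https'] == true ? 'https' : 'http'
  end
  def hook_url(proto = beef_proto)
    "#{proto}://#{beef_host}:#{beef_port}#{@http['hook_file']}"
  end

  # An https page will not load a script from an http hook URL (mixed content).
  def mixed_content?(page_scheme, proto = beef_proto)
    page_scheme == 'https' && proto == 'http'
  end
end
```

Passing `local_proto` as the second argument reproduces the pre-PR scheme choice, so the same sample config can be checked both ways.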

wheatley added 30 commits July 17, 2021 00:21
@DeezyE DeezyE self-requested a review September 9, 2021 04:27
@DeezyE DeezyE self-assigned this Sep 9, 2021
@wheatley wheatley assigned wheatley and unassigned DeezyE Sep 9, 2021
wheatley commented Sep 9, 2021

Will need to update wiki

Web Server Configuration

The web server can be fully configured; this is done in the HTTP subsection of the config.yaml file:

    http:
        debug: false # Will print verbose message in BeEF console
        host: "0.0.0.0" # IP address of the web server
        port: "3000" #Port of the web server

        # If BeEF is running behind a reverse proxy or NAT
        #  set the public hostname and port here & protocol
        public:
            host: "example.com"
            port: "3000"
            https: true # or false

        dns: "localhost" # Address of DNS server
        hook_file: "/hook.js" # Path for hooking script
        hook_session_name: "BEEFHOOK" #Name of session
        session_cookie_name: "BEEFSESSION" # Name of BeEF cookie

@wheatley wheatley linked an issue Sep 9, 2021 that may be closed by this pull request
wheatley commented Sep 9, 2021

#2067

wheatley commented Sep 9, 2021

How do I configure BeEF with ngrok?

Download ngrok, then tunnel your BeEF port (default: 3000):

This can be achieved with the following command, which tells ngrok to open a tunnel from port 80 on the public server to port 3000 on your local host.

$ ngrok http 3000

Specify the public domain name beef.http.public and public port beef.http.public_port in config.yaml:

        debug: false # Will print verbose message in BeEF console
        host: "localhost" # IP address of the web server
        port: "3000" #Port of the web server

        public: 
            host: "<your-id>.ngrok.io"      # public hostname/IP address
            port: "443"
            https: true

        # Reverse Proxy / NAT
        # If you want BeEF to be accessible behind a reverse proxy or NAT,
        #   set both the publicly accessible hostname/IP address and port below:
        # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
        #   by altering the X-FORWARDED-FOR ip address in the request header.
        allow_reverse_proxy: true

You should then be able to access BeEF using the following URL:

http://<your-id>.ngrok.io/ui/panel

@DeezyE DeezyE left a comment

Made a few comments

# Returns the configuration value for the local https enabled
# If nothing is set it should default to false
def local_https_enabled
get('beef.http.https.enabled') || false

it's singular 'enable' in the config.yaml


updated and resolved

@wheatley wheatley changed the base branch from master to release-0.5.2.0 September 11, 2021 23:07
@wheatley wheatley changed the title Feature/1785 public host port Bug: Core - 1785 Fixed public hook url configuration settings Sep 12, 2021
@wheatley wheatley merged commit 20d7345 into release-0.5.2.0 Sep 12, 2021
wheatley added a commit that referenced this pull request Sep 12, 2021
* fixed offline zombie not deleting

* Bump jsdoc-to-markdown from 6.0.1 to 7.0.1 (#2161)

Bumps [jsdoc-to-markdown](https://github.com/jsdoc2md/jsdoc-to-markdown) from 6.0.1 to 7.0.1.
- [Release notes](https://github.com/jsdoc2md/jsdoc-to-markdown/releases)
- [Commits](jsdoc2md/jsdoc-to-markdown@v6.0.1...v7.0.1)

---
updated-dependencies:
- dependency-name: jsdoc-to-markdown
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bug: Core - 1785 Fixed public hook url configuration settings (#2163)

* added spec file for testing changes

* added local host getter to configuration class

* added default value 0.0.0.0 for local host if it's not set

* added port config getter with default

* added port config getter with default

* fixed spelling errors for port

* added public configuration values and validation

* removed logic from public port as it was not required

* added beef host to configuration class

* added beef port to configuration class and removed default http.port logic from public_port

* fixed rubocop errors and refactored spec tests

* added beef host configuration values used for external resources

* added beef url to configuration

* added spec file for testing changes

* added local host getter to configuration class

* added default value 0.0.0.0 for local host if it's not set

* added port config getter with default

* added port config getter with default

* fixed spelling errors for port

* added public configuration values and validation

* removed logic from public port as it was not required

* added beef host to configuration class

* added beef port to configuration class and removed default http.port logic from public_port

* fixed rubocop errors and refactored spec tests

* added beef host configuration values used for external resources

* added beef url to configuration

* created command spec file

* add before statement to load all enabled modules to test command class

* add spec to check if configuration instance exists by setting and accessing a config variable

* updated http proto for beef host

* reverting changes on this file, dev values set

* removed some unnecessary checks

* fixed grammar test now we're only testing one configuration attribute

* added hook url for contextual usage

* refactoring admin_ui with new code usage

* fixed issue with the location of the beef.http.https.public_enabled

* refactored powershell module and extension

* adding the new config setting for public https being enabled

* refactor qrcode extension

* replace video fake plugin refactor

* social engineering refactoring

* phonegap module refactoring

* exploit refactoring

* network module refactoring

* ipec module refactoring

* host module refactoring

* debug refactoring

* browser refactoring

* social engineering extension refactoring

* core main server refactoring

* core main console banner refactoring

* removing dev test

* fixed area with location of http.https.enabled

* changed the hook url definition to return the hook file path

* updated banners to use new configuration getters

* updated extensions and modules with the hook url change

* added new public.host configuration settings and validations for deprecated usage of public

* updated to use public.port configuration

* added validation for old configuration public_port

* updated to use public https configuration setting

* updated config with new settings format

* fixed get to point to new locations

* fixed pointer to hook_file_path

* Update extensions/social_engineering/web_cloner/web_cloner.rb

Co-authored-by: bcoles <bcoles@gmail.com>

* updated enabled to enable

* making sure default configuration file does not have preset values

Co-authored-by: bcoles <bcoles@gmail.com>

* bumped versions to 0.5.2.0

* Usability: #2145. Added user input request for beef update within 'beef' install script (#2162)

* added user input request for beef update

* swapped git pull from system to backticks

* flags added for auto update and timeout to input

* updated install.txt to reference the update-beef script (#2160)

Co-authored-by: Andrew Wheatley <a@andrews-mini.home>
Co-authored-by: Isaac Powell <36595182+DeezyE@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: bcoles <bcoles@gmail.com>
@wheatley wheatley deleted the feature/1785_public_host_port branch September 12, 2021 11:51
Successfully merging this pull request may close these issues.

login issue with ngrok core/main/client/net.js should use public_host / public_port
3 participants