Certain browser details are considered as invalid

[jme418]

First Steps

BeEF Version: 0.5.4.0
Ruby Version: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
Browser Details (e.g. Chrome v81.0): Causing problems with all I've tried (FF - 115.8.0esr, O - 108.0.5067.29, C - 123.0.6312.86, 123.0.6312.58, 121.0.6167.178)
Operating System: Linux, Windows and Android

Configuration

1. Have you made any changes to your BeEF configuration? Yes.
2. Have you enabled or disabled any BeEF extensions? Yes, Metasploit one but I do not remember if anyone else, I've been using BeEF for a while.

Steps to Reproduce

I did the installation guided by this page: https://null-byte.wonderhowto.com/how-to/hack-web-browsers-with-beef-control-webcams-phish-for-credentials-more-0159961/

1. I always start with this commands secuence:

msfconsole
load msgrpc ServerHost=127.0.0.1 User=msf Pass=kali SSL=y
sudo netstat -tuln | grep LISTEN
sudo ./beef

and all it's looking great, with metasploit exploits correctly loaded.

2. Then I do the one for the ngrok tunnel and no problems here.
3. It is now, when accessing an infected domain, where the mentioned in the title issue appears. I get this type of messages:

[removed]

Something strange I can see is that the plugins one appears only when accessing via Android.

[stephenakq]

Thank you for bringing this to our attention.

The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?

[stephenakq]

You can also join our Discord for assistance with this issue. Here's the link: https://discord.gg/ugmKmHarKc

[jme418]

Thank you for bringing this to our attention.

The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?

Well, the messages I want to get rid off are the ones with the following structure:

[!] Browser Details Invalid browser name/versions/plugins from the hook browser's initial connection.

And also, as a consecuence of them, the one you mentioned:

browser: UNKNOWN -121.0.0.0

[stephenakq]

Thank you for pointing this out. We'll look into that bug.

[zinduolis]

Hi @jme418 , I'm investigating this and will try to reproduce it. Are you still experiencing the issue?

[zinduolis]

I have reproduced the issue on Ubuntu 24.04.1 LTS (64-bit) with Firefox 130.0 (64-bit) and Chrome 129.0.6668.58 (Official Build) (64-bit) as the victim browser.

I've got the below regardless of whether metasploit is integrated or not. The only condition needed for this, is for the victim browser not to be in the 'hooked register' as it happens at the initial hooking stage. If the browser is hooked, then goes offline, then is hooked again the issue does not happen.

When printing out @DaTa['results'] during the hooking phase, i can see "browser.name"=>"UNKNOWN"

[zinduolis]

Investigating is_valid_browsername conditions in core>main>handlers>browserdetails.rb and core>filters>browser.rb

Also, looking at how the data is collected in core>main>client>browser.js

[zinduolis]

Added fix for version and renamed the PR.

[zinduolis]

Trying to reproduce the plugins issue.

[jme418]

@zinduolis

Thanks for your help! I'm sorry I couldn't get back to you sooner to answer your questions, it's been a busy week for me. Let me know if you need anything.

[zinduolis]

All good, @jme418, as you can see I have invalid name and version fix in the PR already. It's pending for the approval and merge.

I've also setup myself an android VM for the first time and managed to reproduce the invalid plugin issue on Chrome there.

[17:32:33][!] [Browser Details] Invalid browser plugins returned from the hook browser's initial connection.

I'm looking now how to fix it.

[zinduolis]

When printing out and comparing the plugin details with other browsers, seems that Android browser either doesn't have any or it gets somewhere removed on the way. Investigating further.

[20:31:01][] BROWSER PLUGIN: []
[20:31:01][!] [Browser Details] Invalid browser plugins returned from the hook browser's initial connection.
[20:31:01][] New Hooked Browser [id:60, ip:xx, browser:C-75.0.3770.101, os:Android-], hooked domain [xx:3000]
[20:39:11][] BROWSER PLUGIN: PDF Viewer-v.undefined,Chrome PDF Viewer-v.undefined,Chromium PDF Viewer-v.undefined,Microsoft Edge PDF Viewer-v.undefined,WebKit built-in PDF-v.undefined
[20:39:11][] New Hooked Browser [id:61, ip:127.0.0.1, browser:FF-130.0, os:Linux-], hooked domain [localhost:3000]
[20:39:57][] BROWSER PLUGIN: PDF Viewer,Chrome PDF Viewer,Chromium PDF Viewer,Microsoft Edge PDF Viewer,WebKit built-in PDF
[20:39:57][] New Hooked Browser [id:62, ip:127.0.0.1, browser:O-114.0.0.0, os:Linux-], hooked domain [localhost:3000]
[20:40:11][] BROWSER PLUGIN: PDF Viewer,Chrome PDF Viewer,Chromium PDF Viewer,Microsoft Edge PDF Viewer,WebKit built-in PDF
[20:40:11][] New Hooked Browser [id:63, ip:127.0.0.1, browser:C-129.0.0.0, os:Linux-], hooked domain [localhost:3000]

[bcoles]

When printing out and comparing the plugin details with other browsers, seems that Android browser either doesn't have any or it gets somewhere removed on the way. Investigating further.

It is probably empty. Browser details, such as name and plugins, are validated with filters (Core::Filter) which check for nil or empty values, hence the resulting error message.

[zinduolis]

According to my investigation, it appears that mobile browsers do not support plugins. I'll adjust the code in browserdetails.rb and browser.rb to account for this scenario.

[zinduolis]

I believe this is now resolved, waiting for merge.