Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WebSocket] Error: Must be GET request #2768

Open
Auzgame opened this issue Mar 28, 2023 · 20 comments
Open

[WebSocket] Error: Must be GET request #2768

Auzgame opened this issue Mar 28, 2023 · 20 comments

Comments

@Auzgame
Copy link

Auzgame commented Mar 28, 2023

First Steps

  1. Confirm that your issue has not been posted previously by searching here: https://github.com/beefproject/beef/issues
  2. Confirm that the wiki does not contain the answers you seek: https://github.com/beefproject/beef/wiki
  3. Check the FAQ: https://github.com/beefproject/beef/wiki/FAQ
  4. BeEF Version: v0.5.4.0
  5. Ruby Version: 2.7
  6. Browser Details (e.g. Chrome v81.0): Chrome latest
  7. Operating System (e.g. OSX Catalina): Linux Debian

Configuration

  1. Have you made any changes to your BeEF configuration? Yes - Modified how beEF handles cookies
  2. Have you enabled or disabled any BeEF extensions? No

Steps to Reproduce

  1. Install/Setup everything
  2. Use public host settings under beef.http.public
  3. start the server
  4. Connect client
  5. Hook browser
  6. Try and run a command

Debugging Message

Nonce Incorrect
Nonce Incorrect

I keep getting this debug message when I try and use a command. I was wondering if you could help and also tell me how the commands in ruby work. (e.g how they flow in code)
Also should mention I was debugging and found out that events under extensions/events/handler.rb return the following error

#<Thread:0x0000000003daac20 /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:45 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    11: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:46:in `block (2 levels) in <class:DynamicReconstruction>'
    10: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `check_packets'
     9: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `each'
     8: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:74:in `block in check_packets'
     7: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `execute'
     6: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `new'
     5: from /home/runner/beef/extensions/events/handler.rb:17:in `initialize'
     4: from /home/runner/beef/extensions/events/handler.rb:42:in `setup'
     3: from /home/runner/beef/extensions/events/handler.rb:42:in `each'
     2: from /home/runner/beef/extensions/events/handler.rb:43:in `block in setup'
     1: from /home/runner/beef/extensions/events/handler.rb:49:in `parse'
/home/runner/beef/extensions/events/handler.rb:49:in `[]': no implicit conversion of String into Integer (TypeError)
#<Thread:0x0000000003ba24a0 /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:45 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    11: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:46:in `block (2 levels) in <class:DynamicReconstruction>'
    10: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `check_packets'
     9: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `each'
     8: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:74:in `block in check_packets'
     7: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `execute'
     6: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `new'
     5: from /home/runner/beef/extensions/events/handler.rb:17:in `initialize'
     4: from /home/runner/beef/extensions/events/handler.rb:42:in `setup'
     3: from /home/runner/beef/extensions/events/handler.rb:42:in `each'
     2: from /home/runner/beef/extensions/events/handler.rb:43:in `block in setup'
     1: from /home/runner/beef/extensions/events/handler.rb:49:in `parse'
/home/runner/beef/extensions/events/handler.rb:49:in `[]': no implicit conversion of String into Integer (TypeError)
#<Thread:0x0000000003b29aa0 /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:45 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    11: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:46:in `block (2 levels) in <class:DynamicReconstruction>'
    10: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `check_packets'
     9: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `each'
     8: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:74:in `block in check_packets'
     7: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `execute'
     6: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `new'
     5: from /home/runner/beef/extensions/events/handler.rb:17:in `initialize'
     4: from /home/runner/beef/extensions/events/handler.rb:42:in `setup'
     3: from /home/runner/beef/extensions/events/handler.rb:42:in `each'
     2: from /home/runner/beef/extensions/events/handler.rb:43:in `block in setup'
     1: from /home/runner/beef/extensions/events/handler.rb:49:in `parse'
/home/runner/beef/extensions/events/handler.rb:49:in `[]': no implicit conversion of String into Integer (TypeError)
@bcoles
Copy link
Collaborator

bcoles commented Mar 28, 2023

Have you made any changes to your BeEF configuration? Yes - Modified how beEF handles cookies

The issue is most likely due to your changes to the code base.

@Auzgame
Copy link
Author

Auzgame commented Mar 28, 2023

Have you made any changes to your BeEF configuration? Yes - Modified how beEF handles cookies

The issue is most likely due to your changes to the code base.

The changes I made to the cookies just made it so you don't need to login with a username/password.

@bcoles
Copy link
Collaborator

bcoles commented Mar 28, 2023

Have you made any changes to your BeEF configuration? Yes - Modified how beEF handles cookies

The issue is most likely due to your changes to the code base.

The changes I made to the cookies just made it so you don't need to login with a username/password.

Presumably your changes do not set the user logged in, thus never creating a session with an associated @nonce.

# grep -rni "nonce incorrect" .
./extensions/admin_ui/controllers/modules/modules.rb:281:              print_error 'nonce incorrect'
./extensions/admin_ui/controllers/modules/modules.rb:338:              print_error 'nonce incorrect'
./extensions/admin_ui/controllers/modules/modules.rb:389:              print_error 'nonce incorrect'
./extensions/admin_ui/controllers/modules/modules.rb:423:              print_error 'nonce incorrect'

#
# set the session logged in
#
def set_logged_in(ip)
@id = BeEF::Core::Crypto.secure_token
@nonce = BeEF::Core::Crypto.secure_token
@ip = ip
end

@Auzgame
Copy link
Author

Auzgame commented Mar 28, 2023

Have you made any changes to your BeEF configuration? Yes - Modified how beEF handles cookies

The issue is most likely due to your changes to the code base.

The changes I made to the cookies just made it so you don't need to login with a username/password.

Presumably your changes do not set the user logged in, thus never creating a session with an associated @nonce.

# grep -rni "nonce incorrect" .
./extensions/admin_ui/controllers/modules/modules.rb:281:              print_error 'nonce incorrect'
./extensions/admin_ui/controllers/modules/modules.rb:338:              print_error 'nonce incorrect'
./extensions/admin_ui/controllers/modules/modules.rb:389:              print_error 'nonce incorrect'
./extensions/admin_ui/controllers/modules/modules.rb:423:              print_error 'nonce incorrect'

#
# set the session logged in
#
def set_logged_in(ip)
@id = BeEF::Core::Crypto.secure_token
@nonce = BeEF::Core::Crypto.secure_token
@ip = ip
end

Ok quick update. I reverted the changes back to default and did more debugging and it looks like in the session.rb @ip and @id are returning nil.

@Auzgame
Copy link
Author

Auzgame commented Mar 28, 2023

Think I found the issue. In the session.rb, the @ip and request.ip don't match, which is causing the log out.

return false unless @ip.to_s.eql? request.ip

Could you explain what these to variables are and how I can fix the issue

@bcoles
Copy link
Collaborator

bcoles commented Mar 28, 2023

What are you trying to do?

Also, exposing BeEF to the Internet without requiring a username and password is not a smart move.

@Auzgame
Copy link
Author

Auzgame commented Mar 28, 2023

What are you trying to do?

Also, exposing BeEF to the Internet without requiring a username and password is not a smart move.

Nevermind just found out that I needed to enable allow_reverse_proxy to fix the @ip != request.ip

@Auzgame
Copy link
Author

Auzgame commented Mar 28, 2023

More errors appeared upon fixing that inside the extensions/events/handler.rb regarding def parse(event)

#<Thread:0x0000000003e54478 /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:45 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    11: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:46:in `block (2 levels) in <class:DynamicReconstruction>'
    10: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `check_packets'
     9: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:53:in `each'
     8: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:74:in `block in check_packets'
     7: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `execute'
     6: from /home/runner/beef/core/main/network_stack/handlers/dynamicreconstruction.rb:100:in `new'
     5: from /home/runner/beef/extensions/events/handler.rb:17:in `initialize'
     4: from /home/runner/beef/extensions/events/handler.rb:42:in `setup'
     3: from /home/runner/beef/extensions/events/handler.rb:42:in `each'
     2: from /home/runner/beef/extensions/events/handler.rb:43:in `block in setup'
     1: from /home/runner/beef/extensions/events/handler.rb:49:in `parse'
/home/runner/beef/extensions/events/handler.rb:49:in `[]': no implicit conversion of String into Integer (TypeError)

@bcoles
Copy link
Collaborator

bcoles commented Mar 28, 2023

git pull

@Auzgame
Copy link
Author

Auzgame commented Mar 28, 2023

Thanks for the patch. Fixed most of my issues. I'll come back if i need more help!

@Auzgame Auzgame closed this as completed Mar 28, 2023
@Auzgame
Copy link
Author

Auzgame commented Mar 29, 2023

Hey man I was doing more testing and got pretty far. I'm at the issue where I'm getting the following error on repeat:

[ 0:55:41][!] [WebSocket] Error: Must be GET request
[ 0:55:41][!] [WebSocket] Error: Not an upgrade request

This occurs after I send a command to a client. The command will get executed by the client but the client can't send back any info. So things like overwriting the html body work, like the rick roll, but everything else is broken.

@Auzgame Auzgame reopened this Mar 29, 2023
@Auzgame Auzgame changed the title Nonce Incorrect WebSocket] Error: Must be GET request Mar 29, 2023
@Auzgame Auzgame changed the title WebSocket] Error: Must be GET request [WebSocket] Error: Must be GET request Mar 29, 2023
@bcoles
Copy link
Collaborator

bcoles commented Mar 29, 2023

Please stop changing the issue and issue name. It makes this thread useless to everyone else.

I suggest disabling web sockets.

enable: false

@Auzgame
Copy link
Author

Auzgame commented Mar 29, 2023

Please stop changing the issue and issue name. It makes this thread useless to everyone else.

I suggest disabling web sockets.

enable: false

I already had WebSockets disabled. To avoid confusion i'll just post my config below

#
# Copyright (c) 2006-2023 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.5.4.0'
    # More verbose messages (server-side)
    debug: true
    # More verbose messages (client-side)
    client_debug: true
    # Used for generating secure tokens
    crypto_default_value_length: 80

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin interface
    credentials:
        user:   "auzzie"
        passwd: "auzzie"

    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that cannot be hooked by the framework
        excluded_hooking_subnet: []
        # slow API calls to 1 every  api_attempt_delay  seconds
        api_attempt_delay: "0.05"

    # HTTP server 
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "80"

        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        #  when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        #  when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000

        # Host Name / Domain Name
        # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
        # These settings will be used to create a public facing URL
        # This public facing URL will be used for all hook related calls
        # set the public setting below:
        public:
             host: "<my site>" 
             # public hostname/IP address
             port: "443" # public port will default to 80 if no https 443 if https 
                      # and local if not set but there is a public host
             https: true # true/false

        # Reverse Proxy / NAT
        # If you want BeEF to be accessible behind a reverse proxy or NAT,
        #   set both the publicly accessible hostname/IP address and port below:
        # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
        #   by altering the X-FORWARDED-FOR ip address in the request header.
        allow_reverse_proxy: true

        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"

        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: true
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: false
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command execute on it
            ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # Enabled this config setting if you're external facing uri is using https
            public_enabled: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.public (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        file: "beef.db"

    # Autorun Rule Engine
    autorun:
        # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
        # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
        # continue execution regardless of results.
        # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
        result_poll_interval: 300
        result_poll_timeout: 5000

        # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
        # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
        continue_after_timeout: true

    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false

    # IP Geolocation
    geoip:
        enable: true
        # GeoLite2 City database created by MaxMind, available from https://www.maxmind.com
        database: '/usr/share/GeoIP/GeoLite2-City.mmdb'

    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false

    # You may override default extension configuration parameters here
    # Note: additional experimental extensions are available in the 'extensions' directory
    #       and can be enabled via their respective 'config.yaml' file
    extension:
        admin_ui:
            enable: true
            base_path: "/ui"
        demos:
            enable: true
        events:
            enable: true
        evasion:
            enable: false
        requester:
            enable: true
        proxy:
            enable: true
        network:
            enable: true
        metasploit:
            enable: false
        social_engineering:
            enable: true
        xssrays:
            enable: true

@bcoles
Copy link
Collaborator

bcoles commented Mar 29, 2023

Are you still modifying the BeEF source or have you reverted your changes?

Those errors should only ever be raised when websockets are enabled:

https://github.com/beefproject/beef/blob/master/core/main/network_stack/websocket/websocket.rb

@Auzgame
Copy link
Author

Auzgame commented Mar 29, 2023

Idk why but I copied and pasted the WebSocket.rb and everything works now. I don't recall ever making changes but I guess I did. Anyway thanks for your help again this seemed to fix the issue.

@Auzgame Auzgame closed this as completed Mar 29, 2023
@bcoles
Copy link
Collaborator

bcoles commented Mar 29, 2023

If you make changes to the configuration file (ie, if websockets were enabled then you disable them) the changes won't be applied to browsers which are already hooked. The hooked page will need to be refreshed.

@Auzgame
Copy link
Author

Auzgame commented Mar 29, 2023

Turns out I lied and the error still keeps occurring, however, it seems I can execute like 2 commands before it occurs. Any idea what the problem could be?

Edit: I should also mention that on the client side, the error happens when it's trying to make a request to:

https://<my-site>/dh?bh=R0dzbqMT7qx3uqyoEmJZPBlvtVEoRZpqceegseoNSU7ekGnYZffWFWw3FhHBrY7WSUM686Jl4Gxlyicb&sid=8&pid=1&pc=1&d=W3siY2lkIjoxOCwicmVzdWx0cyI6IiAhXCIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0%2BP0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5%2FIiwic3RhdHVzIjoxLCJoYW5kbGVyIjoiL2NvbW1hbmQvdGVzdF9yZXR1cm5fYXNjaWlfY2hhcnMuanMifV0%3D&_=168005449807

@Auzgame Auzgame reopened this Mar 29, 2023
@bcoles
Copy link
Collaborator

bcoles commented Mar 29, 2023

There is nowhere near enough information here to diagnose your issue. You have changed you story multiple times. Please complete the issue template. Please provide debug output.

Do you see any debug output printed to terminal when BeEF starts stating that websockets are enabled?

Are you absolutely certain that you have not enabled websockets and that all hooked pages have been reloaded after disabling web sockets?

The websocket errors should only ever occur when the websocket handler is executed.

@bcoles
Copy link
Collaborator

bcoles commented Mar 31, 2023

Edit: I should also mention

You should also mention that you were trying to get BeEF running on a cloud based platform running in Docker. That is important context.

@bcoles
Copy link
Collaborator

bcoles commented Mar 31, 2023

Definitely a bug. BeEF decides to initialize the WebSocket server every time it receives a connect back for some idiotic reason.

Here's a temporary workaround:

diff --git a/core/main/network_stack/websocket/websocket.rb b/core/main/network_stack/websocket/websocket.rb
index 65fa3680..997faa8c 100644
--- a/core/main/network_stack/websocket/websocket.rb
+++ b/core/main/network_stack/websocket/websocket.rb
@@ -24,6 +24,8 @@ module BeEF
         MOUNTS = BeEF::Core::Server.instance.mounts
 
         def initialize
+          return unless @@config.get('beef.websocket.enable')
+
           secure = @@config.get('beef.http.websocket.secure')
 
           # @note Start a WSS server socket

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants