如何在nginx反向代理后面正确运行BeEF

Question

我目前在debian10VPS上运行BeEF -版本：'0.5.0.0-alpha-pre‘，使用标准安装脚本安装在GitHub上。archive.It在配置了SSL的VirtualHost上的nginx反向代理后面运行(由certbot提供)。BeEF正在监听一个内部接口(不能直接从互联网路由)，并且nginx将请求代理到该接口的IP。一切都很正常--管理浏览器UI，甚至使用http时的钩子。但是，当我尝试将钩子嵌入到https页面上时，钩子不起作用。在浏览器控制台(Linux上最新的firefox )中，当浏览器尝试通过http URL连接到钩子/处理程序时，我反复收到消息'Blocked Active Content‘。be的config.yaml文件中存在SSL选项，但这似乎是在BeEF没有在反向代理后面运行时使用的。有没有人可以解释一下如何正确配置BeEF，以便在nginx反向代理后面运行。

我的config.yaml文件在下面，我将为相关的特定服务器块粘贴我的nginx配置文件。

BeEF配置文件

beef:
    version: '0.5.0.0-alpha-pre'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

# Credentials to authenticate in BeEF.
# Used by both the RESTful API and the Admin interface
credentials:
    user:   "beef"
    passwd: "*********************"

# Interface / IP restrictions
restrictions:
    # subnet of IP addresses that can hook to the framework
    permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
    # subnet of IP addresses that can connect to the admin UI
    #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
    permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
    # slow API calls to 1 every  api_attempt_delay  seconds
    api_attempt_delay: "0.05"

# HTTP server
http:
    debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
    host: "172.17.0.1"
    port: "3000"

    # Decrease this setting to 1,000 (ms) if you want more responsiveness
    #  when sending modules and retrieving results.
    # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
    #  when hooking lots of browsers (50+).
    # Enabling WebSockets is generally better (beef.websocket.enable)
    xhr_poll_timeout: 1000

    # Host Name / Domain Name
    # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
    #   set the public hostname below:
    #public: "my.domain.org"      # public hostname/IP address

    # Reverse Proxy / NAT
    # If you want BeEF to be accessible behind a reverse proxy or NAT,
    #   set both the publicly accessible hostname/IP address and port below:
    # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
    #   by altering the X-FORWARDED-FOR ip address in the request header.
    allow_reverse_proxy: true
    public: "my.domain.org"      # public hostname/IP address
    public_port: "443" # public port (experimental)

    # Hook
    hook_file: "/hook.js"
    hook_session_name: "BEEFHOOK"

    # Allow one or multiple origins to access the RESTful API using CORS
    # For multiple origins use: "http://browserhacker.com, http://domain2.com"
    restful_api:
        allow_cors: false
        cors_allowed_domains: "https://my.domain.org"

    # Prefer WebSockets over XHR-polling when possible.
    websocket:
        enable: false
        port: 61985 # WS: good success rate through proxies
        # Use encrypted 'WebSocketSecure'
        # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
        secure: true
        secure_port: 61986 # WSSecure
        ws_poll_timeout: 1000 # poll BeEF every second
        ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel

    # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
    web_server_imitation:
        enable: true
        type: "apache" # Supported: apache, iis, nginx
        hook_404: false # inject BeEF hook in HTTP 404 responses
        hook_root: false # inject BeEF hook in the server home page
    # Experimental HTTPS support for the hook / admin / all other Thin managed web services
    https:
        enable: false
        # In production environments, be sure to use a valid certificate signed for the value
        # used in beef.http.public (the domain name of the server where you run BeEF)
        key: "beef_key.pem"
        cert: "beef_cert.pem"

database:
    file: "beef.db"

# Autorun Rule Engine
autorun:
    # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterval
    # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or eventually
    # continue execution regardless of results.
    # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase the timeout.
    result_poll_interval: 300
    result_poll_timeout: 5000

    # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
    # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
    continue_after_timeout: true

# Enables DNS lookups on zombie IP addresses
dns_hostname_lookup: false

# IP Geolocation
# NOTE: requires MaxMind database. Run ./updated-geoipdb to install.
geoip:
    enable: true
    database: '/opt/GeoIP/GeoLite2-City.mmdb'

# Integration with PhishingFrenzy
# If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
# to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
integration:
    phishing_frenzy:
        enable: false

# You may override default extension configuration parameters here
# Note: additional experimental extensions are available in the 'extensions' directory
#       and can be enabled via their respective 'config.yaml' file
extension:
    admin_ui:
        enable: true
        base_path: "/ui"
    demos:
        enable: true
    events:
        enable: true
    evasion:
        enable: false
    requester:
        enable: true
    proxy:
        enable: true
    network:
        enable: true
    metasploit:
        enable: false
    social_engineering:
        enable: true
    xssrays:
        enable: true

下面是我对该虚拟主机的NGINX配置

server {
            server_name my.domain.org;
            set $upstream 172.17.0.1:3000;
        location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection “”;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        }
        listen 80;
        listen [::]:80;

        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/my.domain.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my.domain.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    }

我确信SSL是正确设置的，因为我已经以多种方式调试和测试了一切。任何帮助都将不胜感激。谢谢

Answer 1

遇到了完全相同的问题，你的代理配置实际上帮助我解决了我自己的一个问题。

为了使其正常工作，您需要修改./core/main/client/net.js，并将发送到javascript处理程序的协议硬编码为https。这将允许整个系统在没有SSL的情况下运行，但仍然会生成SSL链接供反向代理处理。

显然是一种黑客行为，但它会让它在短时间内发挥作用。

./core/main/client/net.js：

port: "<%= @beef_port %>",
hook: "<%= @beef_hook %>",
httpproto: "https",//"<%= @beef_proto %>", //<- Hardcoded to HTTPS
handler: '/dh',
chop: 500,