Thursday, April 19, 2012

Why BeEF PHP is discontinued, and what's new in BeEF Ruby?

I'm sure a lot of you out there are still using the PHP version of BeEF. Actually, when I was speaking in various conferences about BeEF I realized that many people didn't know about the new Ruby BeEF.

The PHP version has been discontinued for various reasons:
  • It wasn't easy to extend from a core perspective.
  • When adding new modules, code was duplicated: you had to copy and paste a lot of code from previous modules, then add maybe 3 lines of Javascript as the new code, resulting in anti-patterns.
  • There was no decent API.
  • IMHO PHP sucks for many reasons: it's got a ton of security issues, like Sendmail; it's not a true OO language, and programming with objects makes life easier. Ruby instead is OO, and the new BeEF heavily relies on that.

The new BeEF Ruby development started around mid-2010, with Wade's first post announcing it in October 2010. Rewriting BeEF from scratch had been on Wade's to-do list for quite some time. It required a bunch of developers and a good language.

Ruby was the choice, for many reasons:
  • It's fully Object Oriented, flexible and easy to code.
  • It does not require an external web server to run, so you have maximum flexibility with Ruby-written application servers. Features like the Tunneling Proxy would have been difficult to implement with Apache + PHP.

Let's be honest. Until 6 months ago, BeEF Ruby was experimental and unstable. It was using WEBrick, the default application server that comes with Ruby (without additional gems). WEBrick is not thread-safe. That's why mutexes were used in class constructors. LOL, don't blame me :-). Add to it SQLite, another piece of software that isn't thread-safe, and bam... we had to run XHR-polling (that's basically the communication channel we currently use) every 8-10 seconds.

So yeah, BeEF was damn slow and we had complaints over Twitter, email, and so on. To add to the grief, BackTrack and other pentesting distros were still including the old PHP BeEF. This is no longer true: read this if you are upgrading to BackTrack5-r2, or just use BT5-r2 to enjoy BeEF.

In November 2011, we had a programming sprint. We rewrote parts of the BeEF core to replace WEBrick and custom "servlets" (for those of you coming from a JEE background, like me, this will sound familiar) with Thin, Rack, and recently Sinatra.

The performance advantages were massive, and all the concurrency and lock errors we had with SQLite magically went away :-) Thin uses Mongrel's parser and EventMachine, so it handles tons of requests faster while consuming fewer resources, because it's a state machine.

Rack and Sinatra really help you write your web application more easily, faster and more securely. Take a look at the code of the RESTful API for an example.

Having this new powerful core, we could change the XHR-polling to execute every second, so 10 times faster than before :D Also, BeEF can now be easily used with tens (or more) of hooked browsers without the need to worry too much about performance.

Other big differences with the old PHP BeEF are the modularity and extensibility of the framework. We have command modules and extensions, so code duplication is minimized.

You write an extension when you need to add fairly tightly coupled functionality to the core, with the ability to switch it on or off when starting the framework. Tunneling Proxy, XssRays, and even the Admin User Interface are currently extensions.

You write a module when you need to add a new attack/exploit to be launched through BeEF. Basically anything you can do in Javascript, HTML, Java (or any other language a browser accepts) can be done through a command module.

There are also currently three APIs:
  • one API is internal to the core, used by extensions and modules;
  • the RESTful API we already discussed in previous blog posts, used to expose framework functionality externally;
  • and the Javascript API, with many useful helper methods to create invisible or overlay iframes, send requests, attach applets, manipulate the DOM in various ways, etc.

The old PHP BeEF lacked API support completely.

Last, but not least, we use an agile development process with unit and functional testing, including continuous integration. Writing tests is boring and sometimes more difficult than the code they are supposed to test, but they are effective at spotting errors and changes that break the core or modules. We are constantly adding new tests. Expect a cool blog post next week about this topic.

All the modules that were present in the PHP version, including the Metasploit integration, have been ported (where possible; some of them were old and not working in recent browsers).

So next time I hear someone say "mate, I'm still using the PHP version" I will scream :D No, seriously, give the Ruby BeEF a try by cloning or forking it from GitHub. You will not be disappointed.

1 comment:

  1. Hi, Where can I download the latest version of PHP?

    Thanks!
