Certain browser details are considered as invalid

[jme418-ual]

First Steps

BeEF Version: 0.5.4.0
Ruby Version: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
Browser Details (e.g. Chrome v81.0): Causing problems with all I've tried (FF - 115.8.0esr, O - 108.0.5067.29, C - 123.0.6312.86, 123.0.6312.58, 121.0.6167.178)
Operating System: Linux, Windows and Android

Configuration

1. Have you made any changes to your BeEF configuration? Yes.
2. Have you enabled or disabled any BeEF extensions? Yes, Metasploit one but I do not remember if anyone else, I've been using BeEF for a while.

Steps to Reproduce

I did the installation guided by this page: https://null-byte.wonderhowto.com/how-to/hack-web-browsers-with-beef-control-webcams-phish-for-credentials-more-0159961/

1. I always start with this commands secuence:

msfconsole
load msgrpc ServerHost=127.0.0.1 User=msf Pass=kali SSL=y
sudo netstat -tuln | grep LISTEN
sudo ./beef

and all it's looking great, with metasploit exploits correctly loaded.

2. Then I do the one for the ngrok tunnel and no problems here.
3. It is now, when accessing an infected domain, where the mentioned in the title issue appears. I get this type of messages:

[removed]

Something strange I can see is that the plugins one appears only when accessing via Android.

[stephenakq]

Thank you for bringing this to our attention.

The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?

[stephenakq]

You can also join our Discord for assistance with this issue. Here's the link: https://discord.gg/ugmKmHarKc

[jme418-ual]

Thank you for bringing this to our attention.

The image has been removed because it contained a routable IP address, but the discussion can continue with the image omitted. Could you clarify if the issue pertains to the console message "browser: UNKNOWN -121.0.0.0"?

Well, the messages I want to get rid off are the ones with the following structure:

[!] Browser Details Invalid browser name/versions/plugins from the hook browser's initial connection.

And also, as a consecuence of them, the one you mentioned:

browser: UNKNOWN -121.0.0.0

[stephenakq]

Thank you for pointing this out. We'll look into that bug.

[zinduolis]

Hi @jme418 , I'm investigating this and will try to reproduce it. Are you still experiencing the issue?

[zinduolis]

I have reproduced the issue on Ubuntu 24.04.1 LTS (64-bit) with Firefox 130.0 (64-bit) and Chrome 129.0.6668.58 (Official Build) (64-bit) as the victim browser.

I've got the below regardless of whether metasploit is integrated or not. The only condition needed for this, is for the victim browser not to be in the 'hooked register' as it happens at the initial hooking stage. If the browser is hooked, then goes offline, then is hooked again the issue does not happen.

When printing out @DaTa['results'] during the hooking phase, i can see "browser.name"=>"UNKNOWN"

[zinduolis]

Investigating is_valid_browsername conditions in core>main>handlers>browserdetails.rb and core>filters>browser.rb

Also, looking at how the data is collected in core>main>client>browser.js

[zinduolis]

Added fix for version and renamed the PR.