Fixes issue/remove-ARE (#3475) #3482

Open
kaitozaw wants to merge 9 commits into beefproject:master from kaitozaw:issue/3475-remove-ARE
kaitozaw (Collaborator) commented Dec 29, 2025

Pull Request

Category

Auto-Run Engine

Feature/Issue Description

Q: Please give a brief summary of your feature/fix
A: Removes the Auto-Run Engine (ARE) - a legacy feature that auto-executed module chains when browsers hooked based on browser/OS rules.

Client-side changes:

  • Refactored misleading beef.are.status_*() namespace to beef.status.*() across 61 modules
  • Removed obsolete ARE comments and deleted Admin UI components

Server-side changes:

  • Deleted ARE engine, parser, rule loader, models, and REST handlers
  • Removed ARE triggers from browser hook and WebSocket handlers
  • Created migration 026 to drop executions and rules database tables

Configuration and assets:

  • Deleted arerules/ directory
  • Removed ARE config section from config.yaml
  • Unregistered /api/autorun REST endpoint

Q: Give a technical rundown of what you have changed (if applicable)
A:
Phase 1: Module Status Code Migration
Phase 2: Remove Client-Side ARE Code
Phase 3: Remove Admin UI Components
Phase 4: Remove Server-Side Core
Phase 5: Remove Configuration and Assets

Test Cases

Q: Describe your test cases, what you have covered and if there are any use cases that still need addressing.
A:
Automated tests (bundle exec rake short):

  • No new failure: 131 examples, 0 failures, 3 pending

Manual tests:

  • BeEF startup: No ARE-related errors, HTTP server responds
  • Database migration: Migration 026 ran, executions/rules tables dropped successfully
  • Hook script: beef.status namespace present, beef.are removed (verified in 709KB hook.js)
  • Access admin UI: verify no ARE tab
  • Execute modules: check if they can be implemented without error
  • REST API: /api/autorun returns 404, other endpoints functional
  • Code cleanup: No ARE remnants found via grep

Detailed File Changes

Phase 1: Module Status Code Migration

Objective: Replace misleading beef.are.status_*() namespace with accurate beef.status.*().

Created Files (1)

core/main/client/status.js                                    [NEW, 42 lines]
  └─ Defines beef.status.success(), .error(), .unknown()

Modified Files (64)

Handler files:

core/main/handlers/modules/beefjs.rb                          [MODIFIED]
  └─ Line 26: are.js → status.js

core/main/handlers/modules/legacybeefjs.rb                     [MODIFIED]
  └─ Line 26: are.js → status.js

core/main/handlers/modules/multistagebeefjs.rb                 [MODIFIED]
  └─ Line 26: are.js → status.js

Module command.js files:

modules/browser/*/command.js                                   [MODIFIED, 12 files]
  └─ beef.are.status_success() → beef.status.success()
  └─ beef.are.status_error() → beef.status.error()
  └─ beef.are.status_unknown() → beef.status.unknown()

modules/debug/*/command.js                                     [MODIFIED, 2 files]
  └─ Removed ARE chaining code (_mod_output variables)

modules/exploits/*/command.js                                  [MODIFIED, 9 files]
modules/host/*/command.js                                      [MODIFIED, 11 files]
modules/misc/*/command.js                                      [MODIFIED, 2 files]
modules/network/*/command.js                                   [MODIFIED, 14 files]
modules/persistence/*/command.js                               [MODIFIED, 4 files]
modules/phonegap/*/command.js                                  [MODIFIED, 1 file]
modules/social_engineering/*/command.js                        [MODIFIED, 6 files]

Deleted Files (1)

core/main/client/are.js                                        [DELETED, 42 lines]
  └─ Old ARE status namespace, replaced by status.js

Phase 2: Remove Client-Side ARE Code

Objective: Remove outdated ARE reference from client initialization.

Modified Files (1)

core/main/client/init.js                                       [MODIFIED]
  └─ Line 69: Removed comment "- the Autorun Engine is initialized"
     (Comment was inaccurate - ARE was never initialized in init.js)

Phase 3: Remove Admin UI Components

Objective: Remove Auto Run tab and related UI components from admin panel.

Modified Files (2)

extensions/admin_ui/media/javascript/ui/panel/MainPanel.js    [MODIFIED]
  ├─ Line 41: Removed AutoRunTab instantiation
  └─ Lines 82-90: Removed Auto Run tab definition from tabs array

extensions/admin_ui/api/handler.rb                             [MODIFIED]
  └─ Lines 93-95: Removed AutoRun UI files from asset loader

Deleted Files (3)

extensions/admin_ui/media/javascript/ui/panel/AutoRunTab.js   [DELETED, 185 lines]
  └─ Main rules management interface

extensions/admin_ui/media/javascript/ui/panel/AutoRunRuleForm.js [DELETED, 181 lines]
  └─ Single rule editor form

extensions/admin_ui/media/javascript/ui/panel/AutoRunModuleForm.js [DELETED, 172 lines]
  └─ Module configuration form for rules

Phase 4: Remove Server-Side Core

Objective: Remove ARE engine, models, REST handlers, triggers, and tests.

Modified Files (5)

beef                                                           [MODIFIED]
  └─ Lines 265-268: Removed ARE rule loader initialization

core/bootstrap.rb                                              [MODIFIED]
  ├─ Lines 32-35: Removed ARE engine requires
  └─ Line 52: Removed ARE REST handler require

core/core.rb                                                   [MODIFIED]
  ├─ Line 20: Removed require 'core/main/models/rule'
  └─ Line 21: Removed require 'core/main/models/execution'

core/main/handlers/browserdetails.rb                           [MODIFIED]
  └─ Lines 561-563: Removed ARE trigger when browser hooks via XHR
     (Only triggered if WebSocket disabled)

core/main/network_stack/websocket/websocket.rb                 [MODIFIED]
  ├─ Line 111: Removed ARE error message
  ├─ Line 115: Removed ARE trigger on WebSocket connection
  └─ Lines 143-150: Removed ARE execution delivery code

Deleted Files (7)

ARE Engine Core:

core/main/autorun_engine/engine.rb                             [DELETED, 590 lines]
  └─ Main ARE orchestration engine (singleton)

core/main/autorun_engine/parser.rb                             [DELETED, 82 lines]
  └─ JSON rule file parser

core/main/autorun_engine/rule_loader.rb                        [DELETED, 220 lines]
  └─ Rule discovery and loading from arerules/

ARE Models:

core/main/models/execution.rb                                  [DELETED, 14 lines]
  └─ ActiveRecord model for executions table

core/main/models/rule.rb                                       [DELETED, 16 lines]
  └─ ActiveRecord model for rules table

ARE REST API:

core/main/rest/handlers/autorun_engine.rb                      [DELETED, 158 lines]
  └─ REST API handlers for /api/autorun/* endpoints

ARE Tests:

spec/beef/core/main/autorun_engine/autorun_engine_spec.rb     [DELETED, entire directory]
  └─ RSpec tests for ARE functionality

Created Files (1)

core/main/ar-migrations/026_remove_autorun_tables.rb          [NEW, 16 lines]
  └─ Database migration to drop executions and rules tables

Phase 5: Remove Configuration and Assets

Objective: Remove ARE configuration, rule files, and REST API registration.

Modified Files (2)

config.yaml                                                    [MODIFIED]
  └─ Lines 105-116: Removed autorun configuration section
     - result_poll_interval
     - result_poll_timeout
     - continue_after_timeout

core/main/rest/api.rb                                          [MODIFIED]
  ├─ Lines 51-55: Removed RegisterAutorunHandler module
  └─ Line 64: Removed Autorun handler API registration

Deleted Files (26)

ARE Rule Files:

arerules/                                                      [DELETED, entire directory]
  ├─ alert.json
  ├─ c_osx_test-return-mods.json
  ├─ confirm_close_tab.json
  ├─ enabled/README
  ├─ ff_osx_extension-dropper.json
  ├─ get_cookie.json
  ├─ ie_win_fakenotification-clippy.json
  ├─ ie_win_htapowershell.json
  ├─ ie_win_missingflash-prettytheft.json
  ├─ ie_win_test-return-mods.json
  ├─ lan_cors_scan.json
  ├─ lan_cors_scan_common.json
  ├─ lan_fingerprint.json
  ├─ lan_fingerprint_common.json
  ├─ lan_flash_scan.json
  ├─ lan_flash_scan_common.json
  ├─ lan_http_scan.json
  ├─ lan_http_scan_common.json
  ├─ lan_ping_sweep.json
  ├─ lan_ping_sweep_common.json
  ├─ lan_port_scan.json
  ├─ lan_sw_port_scan.json
  ├─ man_in_the_browser.json
  ├─ raw_javascript.json
  ├─ record_snapshots.json
  └─ win_fake_malware.json

kaitozaw (Collaborator, Author) commented Dec 29, 2025

Once the PR is accepted, I will do the following before merging

kaitozaw force-pushed the issue/3475-remove-ARE branch from 20d79c6 to a22ee24 on December 30, 2025 02:15
kaitozaw force-pushed the issue/3475-remove-ARE branch from a22ee24 to e9ce6a9 on December 31, 2025 05:16
kaitozaw linked an issue on Jan 2, 2026 that may be closed by this pull request (9 tasks)
kaitozaw force-pushed the issue/3475-remove-ARE branch from e9ce6a9 to 1d7160f on January 2, 2026 23:35
kaitozaw force-pushed the issue/3475-remove-ARE branch from 1d7160f to 4e6de7a on January 12, 2026 06:56

require 'core/main/models/optioncache'
require 'core/main/models/browserdetails'
require 'core/main/models/rule'
require 'core/main/models/execution'
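
Review bot: on the last two lines of this hunk, the requires for core/main/models/rule and core/main/models/execution, a leftover reference to either model elsewhere in the tree would not fail at load time but only when that code path runs (NameError on the constant). Before dropping them, grep the whole tree, including extensions/ and tools/, for Models::Rule and Models::Execution, and record the result in the test notes.
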
zinduolis (Contributor) commented Jan 30, 2026

Just to confirm - is the execution just a part of ARE, or is it doing some other activity too?

kaitozaw (Collaborator, Author) replied:

Yes, they are only used for ARE.

Summary

  • core/main/models/rule.rb (BeEF::Core::Models::Rule)
    • Comment states: "Table stores the rules for the Distributed Engine" (ARE's other name)
    • Has relationship: has_many :executions
    • Only referenced in ARE-specific files:
      • autorun_engine.rb
      • engine.rb
      • rule_loader.rb
  • core/main/models/execution.rb (BeEF::Core::Models::Execution)
    • Comment explicitly states: "Stored info about the execution of the ARE on hooked browsers"
    • Only used by the ARE engine

@@ -0,0 +1,42 @@
//
// Copyright (c) 2006-2025 Wade Alcorn - wade@bindshell.net
Contributor comment:

Old copyright information, probably because this PR was created before this was updated; should be up to 2026.

zinduolis (Contributor) commented:

Summary

Removes the Auto-Run Engine (ARE) - a legacy feature that auto-executed module chains on browser hook. 116 files changed, +202/-2,565 lines.

| Phase | Changes |
|-------|---------|
| 1 | Created beef.status.*() namespace, migrated 64 modules |
| 2 | Removed ARE client-side code from init.js |
| 3 | Removed Admin UI AutoRun tab + 3 JS files |
| 4 | Deleted ARE engine, models, REST handlers; added migration 026 |
| 5 | Deleted arerules/ directory, removed config section |

✅ What's Good

  • Well-structured phased approach - refactor first, then systematic cleanup
  • Proper DB migration - uses table_exists? guards, marked irreversible
  • Clean namespace - beef.status.success/error/unknown() is more intuitive
  • Comprehensive testing - 131 examples pass, manual verification documented

⚠️ Required Changes

1. Minified JS Not Regenerated

web_ui_all.js still contains ~5 "autorun" references.

Fix:

# 1. Remove from handler.rb panel array (lines 93-95):
#    ui/panel/AutoRunTab.js, AutoRunRuleForm.js, AutoRunModuleForm.js

# 2. Delete source files (still exist!):
rm extensions/admin_ui/media/javascript/ui/panel/AutoRun*.js

# 3. Restart BeEF (auto-regenerates minified JS):
ruby ./beef

# 4. Verify:
grep -c "autorun" extensions/admin_ui/media/javascript-min/web_ui_all.js  # Should be 0

2. REST API Examples Not Updated

tools/rest_api_examples/lib/beef_rest_api.rb still has 5 autorun_* methods that will 404.

Fix: Delete methods on lines 468-531.


Acceptance Criteria

| Criteria | Status |
|----------|--------|
| No ARE code in JS | ⚠️ Minified JS has refs |
| No ARE code in Ruby | ⚠️ REST examples not updated |
| Modules work normally | ✅ Tests pass |
| DB migration works | ✅ Verified |

Verdict: 👍 APPROVE with Required Changes

Well-executed removal. Address the two issues above before merge.

Post-merge: Delete wiki page, add CHANGELOG entry.
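
Added example (not from the PR or the BeEF project): a remnant scan in the spirit of the verify step in the review above, matching case-insensitively and counting occurrences rather than lines so that a single-line minified bundle is not under-reported. The pattern uses only identifiers named in this thread; the sample tree's file contents, including `autorun_placeholder`, are constructed for the demo.

```sh
#!/bin/sh
# Added example, not BeEF project code. Needs a grep with -r and -o (GNU or BSD).
# The identifiers searched for are the ones named in this PR thread.
ARE_PATTERN='autorun|arerules|beef\.are\.'

# are_remnants ROOT: print "occurrences<TAB>path" for each text file under ROOT
# that still mentions the ARE; return 1 if any file matched, 0 if the tree is clean.
# -i catches AutoRunTab as well as autorun_*; -o counts occurrences rather than
# lines, which matters for a minified bundle that is one long line.
are_remnants() {
  files=$(grep -rlIiE --exclude-dir=.git "$ARE_PATTERN" "$1" | sort)
  [ -n "$files" ] || return 0
  printf '%s\n' "$files" | while IFS= read -r f; do
    n=$(grep -oiE "$ARE_PATTERN" "$f" | wc -l | tr -d ' ')
    printf '%s\t%s\n' "$n" "$f"
  done
  return 1
}

# make_demo_tree: build a constructed sample tree (file contents are invented
# for the demo; only the paths come from the review comment) and print its root.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/extensions/admin_ui/media/javascript-min" \
           "$root/tools/rest_api_examples/lib" "$root/modules/demo"
  # One line, three mixed-case hits: grep -c "autorun" would report 1 here.
  printf 'var a=new AutoRunTab();b("autorun");c(AutoRunRuleForm);\n' \
    > "$root/extensions/admin_ui/media/javascript-min/web_ui_all.js"
  printf 'def autorun_placeholder\n  get("/api/autorun/placeholder")\nend\n' \
    > "$root/tools/rest_api_examples/lib/beef_rest_api.rb"
  printf 'beef.status.success();\n' > "$root/modules/demo/command.js"
  printf '%s\n' "$root"
}

demo_root=$(make_demo_tree)
are_remnants "$demo_root" || echo "ARE remnants remain (see list above)"
rm -rf "$demo_root"
```

Run against a real checkout as `are_remnants .`; the non-zero return makes it usable as a CI gate.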


Successfully merging this pull request may close these issues.

Remove / Deprecate ARE (Attack Runtime Engine)
