BeEF Browser Exploitation
Browser Exploitation Framework (BeEF)
BeEF comes bundled with Kali Linux. Iβm going to assume you have access to a Kali Linux instance and if not I recommend setting it up by following my other article, βEthical Hacking (Part 2): Introducing Kali Linuxβ. You can also download it here on other Linux variants.
The location of BeEF in Kali Linux is, β/usr/share/beef-xssβ.
We will need to configure BeEF before we are able to use it. Please open, β/usr/share/beef-xss/config.yamlβ which is a symbolic link back to β/etc/beef-xss/config.yamlβ.
Please locate the βcredentialsβ section of the configuration.
These are the credentials we will use to access the framework GUI. BeEF wonβt start unless you change these. I recommend changing both the username and password to something non-standard and strong.
Please locate the βhttpβ section of the configuration.
You need to set the host IP of your Kali Linux server where the hacked browser will connect back to. In my case Iβm going to set the host to, β192.168.1.2β.
Now run BeEFβ¦
The two important bits of information are:
Hook URL: http://192.168.1.2:3000/hook.js
UI URL: http://192.168.1.2:3000/ui/panel
The, βHook URLβ is the Javascript you need to try and get your victim to run. You could look at something advanced like XSS but really the scary thing is any page you browse could just include this in the script tags to allow full access to your machine!
The, βUI URLβ is the GUI for BeEF and where weβll be able to monitor and carry out the attack once an unsuspecting browser connects.
In order to demonstrate this Iβm going to create a very basic HTML page called βbeef.htmlβ to load the Javascript. This could be placed on a web server, put on a file server, emailed to someone etc. If someone opens this file they will be open for the attack. No warnings will be given, the browser wonβt complain, and the virus scanner wonβt pick it up :(
I saved the βbeef.htmlβ on my desktop and double-clicked on it to open it.
As soon as I opened it I can see the BeEF console reported the new connection.
Letβs open the βUI URLβ and take a look.
Sign in with the credentials from, βconfig.yamlβ.
Firstly, just clicking on the host which connected shows a stack of information about the victim.
Please click on the, βCommandsβ tab.
There is a huge amount of options in each of those sections but Iβm just going to point out a few.
As you can see, many options!
Iβll demonstrate how a couple of them work.
Browser, Hooked Domain, Create Alert Dialog
I will βExecuteβ and send the βAlert textβ of βBeEF Alert Dialogβ to my victim browser.
Social Engineering, Pretty Theft
Iβm going to pop up a window that looks like Facebook login page in my victim browser.
Iβm going to add some fake credentials and see what happens.
As you can see β[email protected]β and βsecretpwβ was recorded!
There are literally loads of nasty options there from fake session timeouts on many popular services, fake Flash update modals to upload exploits, accessing webcams, taking screenshots, playing sounds, creating users, and much more.
Protecting against BeEF
There are a few browser extensions which help prevent against BeEF attacks. They arenβt really that pleasant to use as it involves βwhitelistingβ safe Javascript to run on sites.
Chrome
Firefox
Both of these arenβt all that great and will cause problems with normal browsing. If anyone knows any good ways to prevent against BeEF attacks please leave a comment :)
Last updated