Ethical Hacking: How to Hack (Part 11) using Browser Exploitation Framework (BeEF)
Of all the attacks I’ve covered in my articles so far, I think this is one of the worst, because it is so difficult to prevent. The other attacks I’ve shown you have a light at the end of the tunnel: once you know what the attack is, you can put measures in place to prevent it. The only way I know of to stop this one is to make the browsing experience extremely limited and restrictive for users, and that isn’t much fun.
Browser Exploitation Framework (BeEF)
BeEF comes bundled with Kali Linux. I’m going to assume you have access to a Kali Linux instance; if not, I recommend setting one up by following my other article, “Ethical Hacking (Part 2): Introducing Kali Linux”. BeEF can also be downloaded for other Linux variants from the project site, https://beefproject.com.
In Kali Linux, BeEF is installed in “/usr/share/beef-xss”.
root@kali:~# cd /usr/share/beef-xss
We need to configure BeEF before we can use it. Open “/usr/share/beef-xss/config.yaml”, which is a symbolic link to “/etc/beef-xss/config.yaml” (either path opens the same file).
root@kali:/usr/share/beef-xss# vi /etc/beef-xss/config.yaml
Please locate the “credentials” section of the configuration.
These are the credentials for the framework’s web UI. BeEF refuses to start while the default username and password are still in place, so change both to something non-default and strong.
Please locate the “http” section of the configuration. The two keys that matter look like this (the rest of the section can stay as it is):
debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
host: "0.0.0.0"
Set “host” to the IP address of your Kali Linux machine. This is the address the hooked browser will connect back to, and it is what BeEF puts into the Hook URL. In my case I’m going to set it to “192.168.1.2”.
Now run BeEF…
root@kali:/usr/share/beef-xss# ./beef
[22:07:06][*] Browser Exploitation Framework (BeEF) 0.5.0.0
[22:07:06] | Twit: @beefproject
[22:07:06] | Site: https://beefproject.com
[22:07:06] | Blog: http://blog.beefproject.com
[22:07:06] |_ Wiki: https://github.com/beefproject/beef/wiki
[22:07:06][*] Project Creator: Wade Alcorn (@WadeAlcorn)
-- migration_context() -> 0.0032s
[22:07:06][*] BeEF is loading. Wait a few seconds...
[22:07:09][*] 8 extensions enabled:
[22:07:09] | Proxy
[22:07:09] | Demos
[22:07:09] | XSSRays
[22:07:09] | Events
[22:07:09] | Admin UI
[22:07:09] | Social Engineering
[22:07:09] | Network
[22:07:09] |_ Requester
[22:07:09][*] 303 modules enabled.
[22:07:09][*] 1 network interfaces were detected.
[22:07:09][*] running on network interface: 192.168.1.2
[22:07:09] | Hook URL: http://192.168.1.2:3000/hook.js
[22:07:09] |_ UI URL: http://192.168.1.2:3000/ui/panel
[22:07:09][*] RESTful API key: 43f6880f37e0c0b41b1e98935862bb2cf6a63266
[22:07:09][!] [GeoIP] Could not find MaxMind GeoIP database: '/var/lib/GeoIP/GeoLite2-City.mmdb'
[22:07:09] |_ Run geoipupdate to install
[22:07:09][*] HTTP Proxy: http://127.0.0.1:6789
[22:07:09][*] BeEF server started (press control+c to stop)
The two important bits of information are:
- Hook URL: http://192.168.1.2:3000/hook.js
- UI URL: http://192.168.1.2:3000/ui/panel
The “Hook URL” is the JavaScript file that does the hooking: any page that loads it turns the browser viewing that page into a “hooked browser” that keeps checking back in with this server. The “UI URL” is the GUI for BeEF, where we can monitor and carry out the attack once an unsuspecting browser connects.
I saved a page that loads the hook script as “beef.html” on my desktop and double-clicked it to open it in my browser.
As soon as I opened it, the BeEF console reported the new connection:
[22:19:31][*] New Hooked Browser [id:3, ip:192.168.1.1, browser:C-86.0.4240.80, os:OSX-], hooked domain [Unknown:0]
Let’s open the “UI URL” and take a look.
Sign in with the credentials you set in “config.yaml”.
Clicking on the browser that connected shows a wealth of information about the victim, starting with the browser and operating system already reported on the console line above.
Please click on the, “Commands” tab.
The modules are grouped into categories (“Browser”, “Social Engineering” and so on), each with a long list of options. I’m only going to point out a few and demonstrate how a couple of them work.
Browser, Hooked Domain, Create Alert Dialog
I set the “Alert text” to “BeEF Alert Dialog” and click “Execute”; the alert box pops up in the victim’s browser.
Social Engineering, Pretty Theft
This module pops up a window in the victim’s browser that looks like the Facebook login page.
I’ll type some fake credentials into it and see what happens.
As you can see, “email@example.com” and “secretpw” were recorded in the command results; anything the victim had typed would have been captured the same way.
There are loads more nasty options: fake session-timeout prompts for many popular services, fake Flash-update dialogs used to deliver an exploit, webcam access, screenshots, playing sounds, creating users, and much more.
Protecting against BeEF
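The heading above is where the article turns to defence, and its opening paragraph argues that prevention is hard. One control that does bear on it is a site’s Content-Security-Policy: the hook is an ordinary external script, so it only runs inside a page whose policy lets that origin load scripts. The following JavaScript is an added example, not code from the article or from the BeEF project. It implements a simplified CSP script-src check (no nonces, hashes, ’strict-dynamic’ or path matching) and runs it against a few constructed sample policies, using the Hook URL from the console output above (http://192.168.1.2:3000/hook.js) and a hypothetical page origin, https://shop.example.com, that stands in for a site a victim might be browsing.

```javascript
// Added example, not the article's code and not part of BeEF.
// Decides whether a page's Content-Security-Policy header would let an
// external script (such as BeEF's hook.js) load. It handles the common
// script-src source forms: 'none', 'self', '*', scheme sources ("https:") and
// host sources ("*.example.com", "192.168.1.2:3000", "http://host:port").
// Nonces, hashes, 'strict-dynamic', path matching and report-only policies
// are out of scope, so read "allowed" as "not blocked by the parts modelled".

const HOOK_URL = "http://192.168.1.2:3000/hook.js"; // Hook URL from the BeEF console output

// Split a policy into directives; the first occurrence of a directive wins, as in browsers.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// "*.example.com" matches any subdomain but not the bare domain; otherwise exact match.
function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one source expression permit `script` (a URL) to load into `page` (a URL)?
function sourceMatches(source, script, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return script.origin === page.origin;
  if (s === "*") return script.protocol === "http:" || script.protocol === "https:";
  if (s.startsWith("'")) return false;                 // 'unsafe-inline', nonces, hashes: no effect on an external src
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return script.protocol === s; // scheme source, e.g. "https:"

  // Host source: [scheme://]host[:port][/path]
  let rest = s;
  let scheme = null;
  const sep = rest.indexOf("://");
  if (sep !== -1) {
    scheme = rest.slice(0, sep + 1);
    rest = rest.slice(sep + 3);
  }
  const [hostPart, portPart] = rest.split("/")[0].split(":");

  // Scheme: an explicit scheme must match (http may be upgraded to https);
  // without one, the page's own scheme applies, with the same upgrade rule.
  const base = scheme || page.protocol;
  const schemeOk = script.protocol === base || (base === "http:" && script.protocol === "https:");
  if (!schemeOk) return false;

  if (!hostMatches(hostPart, script.hostname)) return false;

  // Port: no port in the source means the script must use its scheme's default
  // port (Node's URL reports that as ""); "*" matches any port; otherwise exact.
  if (portPart === undefined) return script.port === "";
  if (portPart === "*") return true;
  return portPart === (script.port || (script.protocol === "https:" ? "443" : "80"));
}

// True if the policy would let scriptUrl run inside pageUrl.
function cspAllowsScript(header, pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  const directives = parseCsp(header);
  const sources = directives["script-src"] ?? directives["default-src"];
  if (sources === undefined) return true;              // no governing directive: the browser allows everything
  return sources.some((src) => sourceMatches(src, script, page));
}

// Constructed sample policies (not taken from any real site).
const SAMPLE_POLICIES = {
  none: "",
  permissive: "default-src *",
  selfOnly: "default-src 'self'",
  cdn: "script-src 'self' https://cdn.example.com; object-src 'none'",
  wildcard: "script-src 'self' *.example.com",
};

// Evaluate every sample policy for one page/script pair.
function report(pageUrl, scriptUrl) {
  const out = {};
  for (const [name, policy] of Object.entries(SAMPLE_POLICIES)) {
    out[name] = cspAllowsScript(policy, pageUrl, scriptUrl);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report("https://shop.example.com/", HOOK_URL));
}
```

Run it with node and it prints which of the sample policies would let the hook load into the hypothetical page: only the absent policy and “default-src *” do. One detail worth noticing is that a host source written without a scheme, such as “192.168.1.2:3000”, inherits the page’s scheme, so it lets the plain-http hook load into an http page but not into an https page. None of this helps on a page the attacker fully controls, such as the local “beef.html” opened in the walk-through above; CSP only constrains pages whose server sets it.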