Browser Exploitation Framework (BeEF)
BeEF is short for The Browser Exploitation Framework. it’s a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar to common drive-by malware, testers can assess the security of a target’s internal environment, bypassing the hardened perimeter.
Growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.
Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
In this post, I’ll show you the quickest way to get up and running with BeEF using Kali Linux. Then we’ll explore the basic structure of the program. By the end of the post you should be able to begin using BeEF in your own testing.
Installation on Kali is very simple. Since they’ve created a nice package we can simply use apt-get to install it. Just to make sure we’ve got the most recent version, we’ll update our package list first.
#apt-get install beef-xss
Once the install is finished, we can change to its directory and launch BeEF:
You should see the following:
This screen tells us that BeEF is running on two different interfaces, locally and internally, both on port 3000. It also provides the link for the “hook” and the user interface control panel. All of these settings and more are customizable via the “config.yaml” file found in the program’s root directory.
Now that BeEF is up and running, let’s check out the control panel. Using a web browser we’ll browse to the link listed above. In my case it’s http://192.168.31.20:3000/ui/panel. You should be able to access this link from any machine on the same local network, but if you have a host-based firewall turned on you may need to open the appropriate ports to access it. The user name and password are beef:beef.
Once logged in we’re greeted with a helpful Getting Started page that explains some of the additional options. But the most important point is in the first paragraph. Here we learn how to “hook” a browser. BeEF provides two example pages in order to test with.
In a real-world test, you could insert this link in a page via a compromised web server, inject it into traffic after a successful man-in-the-middle attack, or use social engineering techniques such as phone calls, emails, or social network links to get the target to visit the page.
For demonstration, we going to use demo page IP:3000/demos/butcher/index.html in BeEF. The page shows some delicious looking beef, and nothing really seems awry. But what the user can’t tell, is that this particular webpage contained a hook. A malicious program that allows an attacker to hook the browser and, well, pretty much take over complete control of the browser.
As soon as the visitor simply visits the page, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack.
Go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see the IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.
Now click on the Commands tab. You’ll find a wide range of commands and exploits that can be launched against your target. Try them out, but be patient; sometimes it takes awhile for commands to finish and report their results. The more you experiment with each command, the more you’ll know how reliable it is and how best to use it.
Notice that some of the commands have different colored icons. If you click back to the Getting Started tab, there’s an explanation of what each of the colors represent.
Now that you’re up and running there’s a lot more that you can do with BeEF. Experiment with the different options in your lab so that you’ll be ready to go when the opportunity presents itself during an engagement.
In addition to the exploits listed, BeEF can also be integrated with Metasploit in order to launch a wider range of exploits against the host system. That’ll be another blog post.