Author - Daniels Kenneth In category - Software development Publish time - 21 October 2022

The key to success with BeEF is to “hook” a browser. This basically means that we need the victim to visit a vulnerable web app. This injected code in the “hooked” browser then responds to commands from the BeEF server. From there, we can do a number of malicious things on the victim’s computer. In order for a web browser to be “hooked,” you need that client to visit a web application that is vulnerable. Once the script is downloaded and run within their browser, you can do a lot of nasty things to further attack the system. BeEF comes with a file called hook.js. If you can get another system on your local network to execute this JavaScript file, you’ll be able to see the new browser appear in the left-hand pane.

Now, an attacker can execute any module or write his own module, which enables him to execute an arbitrary command against the victim zombie. Hello everyone, in this article I’ll demonstrate the installation of the BeEF Framework, injecting the BeEF hook into a vulnerable website, and various attacks which you can perform after hijacking the browser. Once we have the browser hooked, there are almost unlimited possibilities of what we can do. You could even leverage BeEF for operating system attacks. For more examples of what BeEF can help you accomplish, such as gaining access to the webcam and monitoring keystrokes, check out our Cyber Weapons Lab video above. To do this, you need to first trick the user into clicking a link. To generate the link, you can use a tool called BeEF, which used to be preinstalled on Kali Linux.

Brief Introduction to BeEF

As an example, I’m going to use the “Google Phishing” module in the “Social Engineering” folder. As you can see, we have our victim’s web browser hooked. I am a freelancing software project developer, a software engineering graduate and a content writer. Hopefully, you found this tutorial useful to get you started with this tool with such diverse, useful functionality. The BeEF framework goes so far as to create complete logs of mouse movements, double-clicks, and other actions performed by the victim.

The course gave us the necessary tools in order to achieve this work successfully. Type the URL of the malicious file and any notification text you want. The JavaScript code is successfully run. And we got an alert dialogue box, which means this page is vulnerable to Reflected XSS. Now that we have some basic control over it, we can do many things that will aid us in compromising this victim. The key to success with BeEF is to “hook” a browser. This basically means that we need the target to visit a vulnerable web app with the “hook.js” JavaScript file.

Step 4: Executing commands on the victim’s browser

We will be acquiring the user’s Gmail login details. Once we execute the command, the victim will be redirected to a webpage similar to the Google login page requiring him/her to enter a username and password, as shown below. To get to the core of what BeEF is about, first, you will need to understand what a BeEF hook is. It is a JavaScript file, used to latch on to a target’s browser to exploit it while acting as a C&C between it and the attacker. This is what is meant by a “hook” in the context of using BeEF.

  • BeEF is a penetration testing tool that focuses on the web browser.
  • The injected code in the hooked browser responds to commands from the BeEF server that we control.
  • Additionally this will also give the BeEF team an outsider’s view of their Software Architecture.
  • The framework will have a proxy running on the loopback.

These modules include keyloggers and spyware, including the ones that use the webcams and microphones of the target browser. Now that you have logged into the BeEF web GUI, proceed to the “Hooked Browsers” section. Each one worked on a specific part of the project, and we collaborated to put the elements together and create this chapter. We tried to contact the developers of BeEF in order to have their point of view on our project, and we asked for more specific details about some points.

Security Auditing Tool

However, the code contains comments, which can make the process of learning the code much faster. The documentation contains information on how to create new modules of our own; BeEF is built in a modular way, so it is supposed to be easy to create new modules and add them to BeEF.

  • It utilizes client-side attack vectors to assess the security level of the target environment.
  • Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.
  • I’m still amazed by all the things some people just don’t know.
  • With sophisticated tools like BeEF, it’s a pretty simple matter to hack into other machines.

A Linux OS such as Kali Linux, Parrot OS, BlackArch, Backbox, or Cyborg OS is required to install BeEF on your local machine. This short tutorial will take a look at several ways that this flexible and versatile tool can be of use in pen-testing.

How to Find Any Router’s Web Interface Using Shodan

People use browsers for all types of things, and in general, we trust a lot of personal information to them. That’s why browsers are a perfect attack surface for a hacker, because the target may not even know they are infected and feed you all of the information you could want. And after logging in we have a view that looks as shown below. From here you can see the hacked browsers, both online and offline. Gems are Ruby files used to extend an application’s functionality.

Is 10 a private IP?

Private addresses include IP addresses from the following subnets: Range from 10.0.0.0 to 10.255.255.255 — a 10.0.

The Browser Exploitation Framework allows us to run a number of commands and attacks on a hooked target. A hooked target is basically a target that executes a URL or JavaScript code given to us by BeEF. Once the target is hooked, we’ll be able to run all the commands that BeEF allows us to. I hope this sheds some light on how big of a threat XSS attacks are.

Remote Code Execution

Also, through the publication of the “Browser Hacker’s Handbook”, Wade has shared his specialist knowledge of security with students and professionals alike. In the hook script, add the hacker’s IP address.

beef hacking

Once we have logged into the BeEF hacking framework UI, we now have to create a hook from which we will be able to attack the victim. And once the user enters his/her username and password, we will be able to view it right from our BeEF hacking framework.

The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context. The BeEF hacking framework is a powerful tool that can be leveraged by systems security professionals to try and design systems, especially web apps, that are safe for use by the end user. A hacker with the necessary knowledge can also add his own modifications to the BeEF hacking framework to make it more powerful. For example, a hacker can design the login page of any website he needs information from and even customize the URLs of the phishing page to make them look more believable in the eyes of the victim. As users of the internet, we should avoid visiting malicious and insecure websites to avoid being victims of BeEF hacking.
