BeEF has a very capable, yet straightforward, API that underpins its effectiveness and lets it grow into an imitation of a full-fledged cyber attack.
This short tutorial will take a look at several ways that this flexible and versatile tool can be of use in pen-testing.
Installing the BeEF Framework
A Linux OS such as Kali Linux, Parrot OS, BlackArch, Backbox, or Cyborg OS is required to install BeEF on your local machine.
Although BeEF comes pre-installed in various pen-testing operating systems, it may not be installed in your case. To check whether BeEF is installed, look for BeEF in your Kali Linux directory. To do so, go to applications>Kali Linux>System Services>beef start.
Alternatively, you can fire up BeEF from a new terminal emulator by entering the following commands:
$ cd /usr/share/beef-xss
$ ./beef
To install BeEF on your Kali Linux machine, open the command interface and type in the following command:
$ sudo apt-get install beef-xss
BeEF should now be installed under /usr/share/beef-xss.
You can start using BeEF at the web address given in the next section.
Welcome to BeEF
Now, you can see the BeEF GUI in its full glory. Access the BeEF server by launching your web browser and looking up the localhost (127.0.0.1).
You can access the BeEF web GUI by typing the following URL in your web browser:
http://localhost:3000/ui/authentication
The default user credentials are “beef” for both the username and the password.
Now that you have logged into the BeEF web GUI, proceed to the “Hooked Browsers” section, which is divided into Online Browsers and Offline Browsers. This section shows the victim’s hooked status.
Using BeEF
This walkthrough will demonstrate how to use BeEF in your local network using the localhost.
For the connections to be made outside the network, we will need to open ports and forward them to the users waiting to connect. In this article, we will stick to our home network. We will discuss port forwarding in future articles.
Hooking a Browser
To get to the core of what BeEF is about, you will first need to understand what a BeEF hook is. It is a JavaScript file that latches on to a target’s browser to exploit it while acting as a command-and-control (C&C) channel between the browser and the attacker. This is what is meant by a “hook” in the context of using BeEF. Once a web browser is hooked by BeEF, you can proceed to inject further payloads and begin with post-exploitation.
To find your local IP address, you open a new terminal and enter the following:
Follow the steps below to perform the attack:
- To target a web browser, you will first need to identify a webpage that the victim-to-be likes to visit often, and then attach a BeEF hook to it.
- Deliver a JavaScript payload, preferably by including the JavaScript hook in the web page’s header. The target browser will become hooked once the victim visits this site.
If you have been able to follow these steps without any problems, you should be able to see the hooked IP address and OS platform in the BeEF GUI. You can find out more about the compromised system by clicking on the hooked browser listed in the window.
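From the defender's side, a hook delivered this way shows up as a script tag that loads code from a host the site owner never approved. The following added example (not part of the original tutorial or of the BeEF project) audits a page's script sources against an allowlist and also flags BeEF's stock file name hook.js and port 3000; the host names, IP address and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Stock BeEF values (assumption: the server kept its defaults; both can be changed).
DEFAULT_HOOK_FILE = "hook.js"
DEFAULT_BEEF_PORT = 3000

# Constructed sample page: one same-origin script, one CDN script, one injected hook.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="http://192.0.2.10:3000/hook.js"></script>
</head><body><p>Shop</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def audit_scripts(html, page_host, allowed_hosts=()):
    """Return (src, reasons) for every script that deserves a closer look."""
    collector = ScriptCollector()
    collector.feed(html)
    trusted = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in collector.sources:
        # Resolve relative and protocol-relative sources against the page origin.
        url = urlparse(urljoin(f"https://{page_host}/", src))
        reasons = []
        if (url.hostname or "").lower() not in trusted:
            reasons.append("host not on the script allowlist")
        if url.path.rsplit("/", 1)[-1].lower() == DEFAULT_HOOK_FILE:
            reasons.append("file name matches BeEF's default hook")
        if url.port == DEFAULT_BEEF_PORT:
            reasons.append("port matches BeEF's default (3000)")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in audit_scripts(SAMPLE_PAGE, "shop.example.com", ["cdn.example.net"]):
        print(src, "->", "; ".join(reasons))
```

The file name and port checks only catch an unmodified setup, so the allowlist check is the signal to rely on. A Content-Security-Policy script-src allowlist enforces the same rule inside the browser.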
BeEF also makes several generic webpage templates available for your use, such as:
http://localhost:3000/demos/butcher/index.html
You can glean all sorts of information from here, such as the plugins and extensions that the browser is using, and various information about the hardware and software specs of the target.
The BeEF framework goes so far as to create complete logs of mouse movements, double-clicks, and other actions performed by the victim.
Here is a list of available modules that can be used to breach a designated system. These modules include keyloggers and spyware, including the ones that use the webcams and microphones of the target browser.
Note that certain commands have a colored icon. These icons all have different connotations that you can find out by taking the ‘getting started’ introductory tour, which introduces various aspects of the BeEF interface. Also, notice how each module has a traffic light icon associated with it. These traffic symbols are used to indicate any of the following:
- The command module works against the target and should be invisible to the user
- The command module works against the target but may be visible to the user
- The command module has yet to be verified against this target
- The command module does not work against this target
You can also send shell commands to the target system, as shown below:
Coupled with Metasploit, BeEF can be used to perform quite varied and intricate system exploitation using modules, such as browser_auto_pwn.
Conclusion
BeEF is an incredibly powerful tool that you can use to fortify systems against cyberattacks. From providing spyware modules to tracking mouse movement on the targeted system, BeEF can do it all. It is a good idea, therefore, to test your system using this security forensics tool.
Hopefully, this tutorial has helped you get started with this tool and its diverse, useful functionality.