On the 12th Day of Christmas, Div0 gave to me ... Browser Exploitation Framework (BeEF), theHarvester, nmap Scripting Engine (NSE), msfvenom, searchsploit, urlcrazy, recon-ng, Zone Transfer Tool, Using Online Digest Databases, Hash Identification, Password Mutation Using JTR, and Custom Word List Generator (CeWL).
BeEF is a pentesting framework that focuses on the Web browser. BeEF is very powerful as it looks past the hardened network and host system, and examine exploitability directly via your system’s open window – i.e. the Web browser.
Installation
As of all the other tools we’ve discussed thus far, BeEF is readily available on Kali Linux. Nonetheless, you can acquire BeEF from its Github repository. You can find installation instructions on either its INSTALL.txt file or Wiki page.
BeEF Architecture
BeEF has 2 major components:
User interface that allows user to see all online and offline browsers it has hooked, and run exploits and information gathering against them; and
Communication server that communicates with the hooked browsers via HTTP.
Configuring & Running BeEF
All the main configurations of BeEF can be performed by modifying the config.yaml file. Some main configurations you should look at are:
Network limitations
Web server configuration
Extensions
If you are all set, start up your BeEF!
I’m running my ‘Web service’ from 192.168.98.128, and only allowing access to the user interface from 127.0.0.1 (localhost).
If you examine the extensions section closely, you will realise you can configure BeEF to use Metasploit as well.
Browser Hooking using BeEF
BeEF simply hook onto browsers that visited the Web pages it serves. In my test setup, I got 4 hosts hooked onto my BeEF.
192.168.98.129 is a Damn Vulnerable Linux machine.
192.168.98.130 is a Windows XP machine with no service pack.
192.168.98.131 is a Windows XP SP3 machine.
192.168.98.1 is a hardened Windows 7 machine (fully patched, and Kaspersky Antivirus installed).
The user interface is pretty self-explanatory. You can check out the browser and host information of the machine BeEF has hooked.
192.168.98.131's Browser Information
192.168.98.131's Host Information
It is also very intuitive what you can/can't do with the hooked machines.
List of things you can do to 192.168.98.131's Browser (Green=Will Work, Amber=User May Detect, Red=Won't Work):
List of things you can do to 192.168.98.131's Host Machine:
List of things you can do to 192.168.98.129:
Now, testing BeEF on my hardened Windows 7 machine (FYI, my antivirus did not even make the sound):
I tried using the Webcam feature, although it asked for permission to access my Webcam, I’m sure there are definitely users out there who will click ‘allow’ without thinking too much about it. It, of course, switched on my Webcam. See that tiny light?
Defending Against BeEF
Common sense, do not visit unsolicited Web sites.
It is not possible to cover every single aspect of BeEF in one short post. However, it is definitely an amazing tool to look into for our very last episode of 12 Days of Christmas.
Shared by Emil Tan, Skipper & Co-Founder of Div0.