In this lab, we will explore the Browser Exploitation Framework (BeEF), a popular web browser attack tool. BeEF is designed to take advantage of web browser vulnerabilities, allowing attackers to gain control over the target's web browser. The goal of this lab is to understand the structure of BeEF, its attack types, and perform various attacks using BeEF, such as stealing web page source code, creating pop-up alerts, and conducting phishing attacks to steal login credentials.
In this step, we will introduce the structure and attack types of BeEF.
BeEF (The Browser Exploitation Framework) is a popular open-source web application framework focused on exploiting web browser vulnerabilities. It is written in Ruby and available on GitHub. BeEF works by serving a JavaScript file called hook.js to the target's web browser. Once the browser loads the hook.js file, it establishes a persistent communication channel with the BeEF server, allowing the attacker to gather information about the target's browser and potentially execute malicious code.
Here's how BeEF works:
Client (Target Browser) <---> BeEF Server
|
|
User InterfaceThe BeEF server provides a web interface for the attacker to interact with the hooked browsers. The hook.js file, served by the BeEF server, continuously sends information about the target browser back to the server using GET and POST requests. This allows the attacker to gather details about the target's environment and potentially exploit vulnerabilities or use the compromised browser as a zombie or pivot for further attacks.
The two main components of BeEF are:
BeEF is classified as a Cross-Site Scripting (XSS) attack tool. XSS attacks involve injecting malicious JavaScript code into a web page, which gets executed when the victim visits the page. This allows the attacker to steal sensitive information, such as cookies or login credentials, or perform other malicious actions.
Let's explore the BeEF directory structure to understand its components better:
cd /usr/share/beef-xss/The important directories in BeEF are:
arerules: Contains functionality that is pre-loaded and triggered when a target is hooked.beef: A script file used to start the BeEF framework.config.yaml: Configuration file for setting various BeEF parameters.core: The core directory responsible for loading extensions and attack modules.extensions: Contains extension modules that add additional functionality.modules: Contains various attack modules, each with a command.js file (the attack code), config.yaml (module configuration), and module.rb (module definition and processing).In this step, we will learn how to start the BeEF server and access the web interface.
Before starting BeEF, we need to modify the default password for security reasons. Open the config.yaml file using vim:
vim config.yamlFind the passwd field and change the default beef password to a custom password of your choice. Save and exit the file.
Next, we need to set the locale to avoid potential errors during startup:
locale-gen UTF-8 en_US && localedef -c -f UTF-8 -i en_US en_US.UTF-8
export LANG="en_US.UTF-8"
export LANGUAGE="en_US:en"Now, start the BeEF server by running the following command:
./beefWait for the server to start completely. Once you see the message indicating that BeEF has started, you can access the web interface using a web browser.
Open a web browser on your host machine and navigate to http://<Kali_IP_Address>:3000/ui/panel. Replace <Kali_IP_Address> with the IP address of your Kali container (you can find it by running ifconfig inside the Kali container).
You will be prompted to enter a username and password. Use the default beef for both the username and password (or the custom password you set earlier).
After logging in, you will see the BeEF web interface with various sections, such as the online browser list, commands, and modules.
In this step, we will learn how to hook a browser using BeEF and interact with it.
Open a new browser tab or window and navigate to the following URL:
http://<Kali_IP_Address>:3000/demos/butcher/index.htmlReplace <Kali_IP_Address> with the IP address of your Kali container.
After accessing this URL, switch back to the BeEF web interface. You should now see a new entry in the "Online Browsers" section, indicating that your browser has been hooked by BeEF.
You can inspect the hooked browser's details by clicking on its icon. This will display information about the browser, such as its platform, user agent, and other details.
In the "Commands" tab, you can explore different attack modules loaded by BeEF. These modules allow you to perform various actions on the hooked browser, such as stealing page source code, creating pop-up alerts, and conducting phishing attacks.
In this step, we will use BeEF to steal the source code of the page the hooked browser is currently visiting.
In the BeEF web interface, expand the "Browser" > "Hooked Domain" section and click on the "Get Page HTML" module.
Click the "Execute" button to execute the module against the hooked browser.
You will see a new entry in the "Module Results History" section. Click on this entry to view the source code of the page the hooked browser is currently visiting.
To understand how this module works, let's examine the source code:
less /usr/share/beef-xss/modules/browser/hooked_domain/get_page_html/command.jsThe get_page_html module sends two JavaScript functions, getPageBody and getPageHTML, to the hooked browser. These functions retrieve the page source code and send it back to the BeEF server.
In this step, we will use BeEF to create a pop-up alert on the hooked browser.
In the BeEF web interface, expand the "Browser" > "Hooked Domain" section and click on the "Alert Dialog" module.
Click the "Execute" button to execute the module against the hooked browser.
You should see a pop-up alert on the hooked browser's page.
To understand how this module works, let's examine the source code:
less /usr/share/beef-xss/modules/browser/hooked_domain/alert_dialog/command.jsThe alert_dialog module simply sends the alert function to the hooked browser, which triggers a pop-up alert with a predefined message.
In this step, we will use BeEF to conduct a phishing attack and steal login credentials from the hooked browser.
In the BeEF web interface, expand the "Social Engineering" > "Pretty Theft" section and click on the "Facebook" module.
Click the "Execute" button to execute the module against the hooked browser.
A fake Facebook login page will be displayed on the hooked browser. Enter a username and password in the login form and click the "Log in" button.
Switch back to the BeEF web interface, and you should see the entered username and password displayed in the "Module Results History" section.
To understand how this module works, let's examine the source code:
less /usr/share/beef-xss/modules/social_engineering/pretty_theft/command.jsThe pretty_theft module creates a fake login page using HTML and JavaScript. When the user enters their credentials and submits the form, the module captures the entered information and sends it back to the BeEF server.
In this lab, we explored the Browser Exploitation Framework (BeEF), a popular web browser attack tool. We learned about the structure of BeEF, its attack types, and performed various attacks using BeEF, such as stealing web page source code, creating pop-up alerts, and conducting phishing attacks to steal login credentials. By understanding BeEF's capabilities and how it works, we can better understand the risks associated with web browser vulnerabilities and the importance of secure web application development practices.