There are multitude of ways to exploit a target’s system. Newbie hackers often focus on the operating system or applications, but few think to exploit the browser. If you can exploit the browser, then you can have access to everything the target accesses on the Internet. Furthermore, the browser is a repository for credentials and other key information of the target’s browsing such as cookies, saved passwords, history etc.
We have a tool specifically designed to exploit the browser known as the Browser Exploitation Framework, or BeEF (don’t ask me what the lowercase “e” stands for).
Similar to Metasploit, BeEF is a framework for launching attacks. Unlike Metasploit, it is specific to launching attacks against web browsers. In some cases, we will be able to use BeEF in conjunction with Metasploit to launch particular attacks, so I think its time for us to become familiar with it.
BeEF was developed by a group of developers led by Wade Alcorn. Built on the familiar Ruby on Rails platform, BeEF was developed to explore the vulnerabilities in browsers and test them. In particular, BeEF is an excellent platform for testing a browser’s vulnerability to cross-site scripting (XSS) and other injection attacks.
Step 1: Start Cooking BeEF
BeEF is built into Kali Linux, and it can be started as a service and accessed via a web browser on your localhost. So let’s start by firing up Kali and cooking a bit of BeEF.
Start the BeEF service by going to “Applications” -> Exploitation Tools -> “beef xss framework.” BeEf will be located at different places on the GUI based upon the version of Kali Linux.
This will start a terminal like below.
Step 2: Opening a Browser to BeEF
The BeEF server can be accessed via any browser on our localhost (127.0.0.1) web server at port 3000. BeEF will usually start a web server and open an authentication page automatically in your default browser. If not, you can access its authentication page by navigating to:
http://localhost:3000/ui/authentication
You will be greeting by an authentication page similar to the above.
The default credentials for BeEF are “beef” for both username and password.
Great! Now you have successfully logged into BeEF and are ready to begin using this powerful platform to hack web browsers.
Click on the Getting Started tab. BeEF uses a Javascript-based xss scripting exploit or “hook” to take control of the target browser. We can test it on our own browser by clicking on the basic demo page or the “advanced version”. I clicked on the advanced version.
This opens the following web page for “Butcher” aptly named for BeEF). This is meant only as a demonstration of how to use the Javascript “hook”. Notice the two buttons on the lower left hand side of the page. They contain the Javascript hooks that when clicked will own the browser. I clicked on the “Order Your Beef” button.
Now, my browser is hooked and I can return to the BeEF control panel to exploit it.
Step 3: Viewing Browser Details
If I click on the local browser, it will provide with more choices to the right including a “Details” window where we can get all the particulars of that browser. Since I am using the Mozilla Firefox browser built into Kali, it details for me the browser, the operating system (Linux x86_64) and the browser plugins among other things.
It also shows me in the lower panel any Browser Components such Flash, VBScript, etc, if there are any.
Step 4: Running Commands in the Browser
Now, that we have hooked the victim’s browser, we can use numerous built-in commands that can executed from the victim’s browser. Below are just a few examples; there are many others.
Get Visited Domains
Get Visited URLs
Webcam
Get All Cookies
Grab Google Contacts
Screenshot
In the screenshot below, I selected the “Webcam” command that some of you may be interested in. As you can see, when I execute this command, an Adobe Flash dialog box will pop up on the screen of the user asking, “Allow Webcam?” If they click “Allow,” it will begin to return pictures from the victim’s machine to you.
Of course, the text can be customized, so be imaginative. For instance, you could customize the button to say “You have just won the lottery! Click here to collect your winnings!” or “Your software is out of date. Click here to update and keep your computer secure.” Other such messages might entice the victim to click on the box.
If we have hooked a phone, go to PhoneGap under the Module Tree. There we can execute a number of attacks including get Geolocation information on the target.
Step 6: Getting Cookies
Once we have the browser hooked, there is almost unlimited possibilities of what we can do. If we wanted the cookies of the victim, we can go to “Chrome Extensions” (assuming the browser is Chrome,of course) and select “Get All Cookies” as shown in the screenshot below.
When we click on the “Execute” button to the bottom right, it will begin collecting all the cookies from the browser. Obviously, once you have the user’s cookies, you are likely to have access to their websites as well.
BeEF is an extraordinary and powerful tool for exploiting web browsers. In addition to what I have shown you here, it can also be used to leverage operating system attacks. We will be using it and other tools in my new series on hacking web applications, mobile devices, and Facebook, so keep coming back, my greenhorn hackers.