How To: BeEF+Ettercap:Pwning Marriage

BeEF+Ettercap:Pwning Marriage

This is the best how-to's website that I've ever seen, and I wanted to join it. It taught me a lot, but, because I'm here to learn too, please correct me if I'm wrong.

You probably know that Ettercap is a very powerful tool for man in the middle attacks.
You probably know that Browser Exploitation Framework (BeEF) is a very powerful tool for browser exploitation.
But, do you know how powerful tare they... together?

This is my first how-to, so I wanted to start with something impressive, but easy to explain.
That's the same for this attack: easy and fast, and also easy to automate with few lines of bash script.

The point of this how-to is demonstrating how to use an Ettercap filter to inject a BeEF hook, so that every time our victim opens the browser , his/her computer is automatically hooked in BeEF, wherever browses.

To follow this tutorial you need Kali Linux.
Note: this won't work with HTTPS, you'll need SSLstrip for that.

Step 1: Setup Ettercap

We first need to do some changes to the Ettercap configuration file. To work properly Ettercap needs root access.
In the terminal, type: vi /etc/ettercap/etter.conf

This should be the output:

Type i to edit the file.
Change ec-uid = 65534 to ec-uid = 0 and ec-gid = 65534 to ec-gid = 0 (as shown in the picture).
Then scroll down and find this:

Edit to this (uncomment last two lines):

To exit the editor, type esc, then :wq to save.
Ettercap is ready.

Step 2: Setup BeEF

To setup BeEF, type in the terminal: cd /usr/share/beef-xss, then ./beef.
This should be the output:

(The error you see is related to a Metasploit link I did, that won't show)

You can now open Iceweasel and type in the URL bar: http: // and login with default username beef and default password beef.

You should see the following:

BeEF is ready.

Step 3: Create the Ettercap Filter.

Open LeafPad, or the text editor you prefer, and write:

Where MACHINEIP is your machine ip, you can find it with the command ifconfig, or by checking the ./beef results, there is the complete URL.

It tells ettercap that whenever it captures a TCP packet coming from port 80 it has to redirect the packet back within the ARP poisoning contest, but edited.

Save as beefhook.filter.
In the terminal, navigate to the beefhook.filter folder, for example if you have the .filter in /Desktop
cd /root/Desktop
then type:
etterfilter beefhook.filter
this should be the output:

As you noticed, a new file is created: filter.ef.
That's the Ettercap filter.

Step 4: Start Ettercap and Load the Filter

To inject the filter in the victim's browser sessions, I'm going to use the text interface of Ettercap,because it looks faster, however Ettercap GUI is better if your goal is to sniff packets.

In the terminal, type:
ettercap -T -q -F FILTERPATH -M ARP /VICTIMIP/ //

in our case:
ettercap -T -q -F /root/Desktop/filter.ef -M ARP / //

-T:Starts the text interface.
-q:Less verbose, doesn't show packet contents.
-F:Load filter at path.
-M:Attack type (ARP in this case)
/victim ip/ /victim 2/

Now everytime out victim goes to a HTTP site, the filter will be injected.
The only two problems:

  1. If a web page uses <HEAD></HEAD> instead of <head></head>, just copy last if statement of the filter and paste under, replacing head with HEAD.
  2. Sometimes, it could fail, for example looks like it doesn't work very well on virtual machine, that's why I recommend to install Kali Linux as a dual boot, or USB Live.

I hope this post will be useful, thank you for reading.
Post in the comments about errors or mistakes I made.
Sorry for eventual grammar errors, but I'm not mother tongue.

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.


Cool share and welcome! :) Keep up the good work.

Thank you so much, you made my day :)

Nice one, maybe explain what the configurations did in the config-files (especially the iptable ones)?

And this no longer works in modern browsers, since they actually look at the "content-length" of a packet and cut of the code at that length ...

ettercap -T -p -F filter.ef -M ARP / ///

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Incorrect number of token (///) in TARGET !!


Mate.... please look at the number of forward slashes... there should be (2) in the end but you have entered three....... Hope it helps...


ettercap -T -p -F filter.ef -M ARP / =>is correct

I have a problem with etterfilter
==>etterfilter beeffilter.filter or etterfilter beeffilter.filter -o beeffilter.ef
2 ways are unsuccess.

Share Your Thoughts

  • Hot
  • Latest