Hack Like a Pro: How to Hack Web Browsers with BeEF

Welcome back, my greenhorn hackers.

I had promised a new series on hacking web applications, mobile devices, and even Facebook here on Null Byte, and I intend to deliver those sometime this year. In each of those topics, I will introduce you to new hacking tools and techniques, but one tool that we will be using in all of those areas is the Browser Exploitation Framework, or BeEF (don't ask me what the lowercase "e" stands for).

Similar to Metasploit, BeEF is a framework for launching attacks. Unlike Metasploit, it is specific to launching attacks against web browsers. In some cases, we will be able to use BeEF in conjunction with Metasploit to launch particular attacks, so I think it's time for us to become familiar with it.

BeEF was developed by a group of developers led by Wade Alcorn. Built on the familiar Ruby on Rails platform, BeEF was developed to explore the vulnerabilities in browsers and test them. In particular, BeEF is an excellent platform for testing a browser's vulnerability to cross-site scripting (XSS) and other injection attacks.

Step 1: Start Cooking BeEF

BeEF is built into Kali Linux, and it can be started as a service and accessed via a web browser on your localhost. So let's start by firing up Kali and cooking a bit of BeEF. Start the BeEF service by going to "Applications" -> "Kali Linux" -> "System Services" -> "BeEF" -> "beef start."

Step 2: Opening a Browser to BeEF

The BeEF server can be accessed via any browser on our localhost (127.0.0.1) web server at port 3000. To access its authentication page, go to:

http://localhost:3000/ui/authentication

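The default credentials are "beef" for both username and password. Anyone who can reach port 3000 can log in with them, so change them before the interface is reachable from any other host.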

Great! Now you have successfully logged into BeEF and are ready to begin using this powerful platform to hack web browsers.

Note in the screenshot below that my local browser, 127.0.0.1, appears in the left-hand "Hooked Browsers" explorer after I clicked on the link to the demo page. BeEF also displays its "Getting Started" window to the right.

Step 3: Viewing Browser Details

If I click on the local browser, it will provide more choices to the right, including a "Details" window where we can get all the particulars of that browser. Since I am using the Iceweasel browser built into Kali, which is built upon Firefox, it shows me that the browser is Firefox.

It also shows me the version number (24), the platform (Linux i686), any components (Flash, web sockets, etc.), and more information that we will be able to use in later web application hacks.

Step 4: Hooking a Browser

The key to success with BeEF is to "hook" a browser. This basically means that we need the victim to visit a vulnerable web app. The code injected there runs in the "hooked" browser and then responds to commands from the BeEF server. From there, we can do a number of malicious things on the victim's computer.

BeEF has a JavaScript file called "hook.js," and if we can get the victim to execute it in a vulnerable web app, we will hook their browser! In future tutorials, we will look at multiple ways to get the victim's browser hooked.

In the screenshot below, I have "hooked" an Internet Explorer 6 browser on an old Windows XP on my LAN at IP 192.168.89.191.
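
For defenders, the same mechanics give you something to look for in web proxy logs: a client that fetches a script named hook.js (by default from port 3000) and then keeps contacting that server. The detector below is an added example, not part of the original article or of BeEF; the log format, the hosts, the /poll path and the follow-up threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: "<epoch> <client> <method> <url> <referer>".
# Hosts, paths and the /poll endpoint are made up for this example.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://intranet.example/wiki?id=7 -
1700000001 10.0.0.5 GET http://203.0.113.9:3000/hook.js http://intranet.example/wiki?id=7
1700000003 10.0.0.5 GET http://203.0.113.9:3000/poll?s=a1 http://intranet.example/wiki?id=7
1700000005 10.0.0.5 GET http://203.0.113.9:3000/poll?s=a1 http://intranet.example/wiki?id=7
1700000007 10.0.0.5 GET http://203.0.113.9:3000/poll?s=a1 http://intranet.example/wiki?id=7
1700000008 10.0.0.8 GET http://cdn.example/js/app.js http://intranet.example/
1700000009 10.0.0.8 GET http://198.51.100.4:8080/static/hook.js http://blog.example/post/3
malformed line
"""

HOOK_NAME = "hook.js"   # file name given in the article
DEFAULT_PORT = 3000     # BeEF port given in the article
MIN_FOLLOWUPS = 3       # assumed threshold for "keeps talking to the server"


def find_hooked_clients(log_text, min_followups=MIN_FOLLOWUPS):
    """Return one finding per (client, server) pair that fetched hook.js."""
    hooks = {}                      # (client, netloc) -> finding
    followups = defaultdict(int)    # (client, netloc) -> requests after the hook load
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                # skip malformed lines instead of crashing
        ts, client, _method, url, referer = parts
        target = urlsplit(url)
        key = (client, target.netloc)
        if target.path.rsplit("/", 1)[-1].lower() == HOOK_NAME:
            hooks.setdefault(key, {
                "client": client,
                "server": target.netloc,
                "injected_page": None if referer == "-" else referer,
                "default_port": target.port == DEFAULT_PORT,
                "first_seen": int(ts),
            })
        elif key in hooks:
            followups[key] += 1     # later traffic from this client to the hook server
    for key, finding in hooks.items():
        finding["followups"] = followups[key]
        finding["likely_hooked"] = followups[key] >= min_followups
    return sorted(hooks.values(), key=lambda f: f["first_seen"])
```

The referer on the hook.js request identifies the page carrying the injected script, which is the page that needs fixing. The file name and port are only defaults, so a clean result from this check is inconclusive.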

Step 5: Running Commands in the Browser

Now that we have hooked the victim's browser, we can use numerous built-in commands that can be executed from the victim's browser. Below are just a few examples; there are many others.

  • Get Visited Domains
  • Get Visited URLs
  • Webcam
  • Get All Cookies
  • Grab Google Contacts
  • Screenshot

In the screenshot below, I selected the "Webcam" command that many of you may be interested in. As you can see, when I execute this command, an Adobe Flash dialog box will pop up on the screen of the user asking, "Allow Webcam?" If they click "Allow," it will begin to return pictures from the victim's machine to you.

Of course, the text can be customized, so be imaginative. For instance, you could customize the button to say "You have just won the lottery! Click here to collect your winnings!" or "Your software is out of date. Click here to update and keep your computer secure." Other such messages might entice the victim to click on the box.

Step 6: Getting Cookies

Once we have the browser hooked, there are almost unlimited possibilities for what we can do. If we want the cookies of the victim, we can go to "Chrome Extensions" and select "Get All Cookies" as shown in the screenshot below.

When we click on the "Execute" button to the bottom right, it will begin collecting all the cookies from the browser. Obviously, once you have the user's cookies, you are likely to have access to their websites as well.

BeEF is an extraordinary and powerful tool for exploiting web browsers. In addition to what I have shown you here, it can also be used to leverage operating system attacks. We will be using it and other tools in my new series on hacking web applications, mobile devices, and Facebook, so keep coming back, my greenhorn hackers.

40 Comments

Thumbs up! Another great post! Thanks OTW.

excellent post!! I was looking to read something about this tool.

Hi,
I try to use the phone gap tools/exploits but they didn't work?
Can u help me?
(Sorry for my bad English)

excellent, keep up the good work

so we can use this attack over LAN only?????

Secret:

Of course NOT! You can use this attack on any IP on any network!

but what when a user is not part of our LAN and working behind a NAT???
coz in metasploit we can hack using client side attack, what's here???

This is a client side attack. You will be getting the client to click on a vulnerable application to hook their browser.

It does matter whether they are part of our LAN or not or behind a NAT.

thnx for replying... quite eager for this series...

This is actually a really useful tutorial. Good Job.

can we hack android browsers using BeEF ????

Hi, how can we hook other browsers from other computers or phones?
I searched and I find qrcode extension, but I don't know how can I use it on android browsers?

Hi OTW!

So I found a website full of script kiddies. I decided (since you could put java, ruby on rails, and basically everything else) to use BeEF to mess with them some (all in legal ways mind you), so I changed the popup text to "Click to get your passwords back" which when clicked crashed their computer. Freaking hilarious.

could u plz tell how to hook a computer in internet not in lan plz

This technique works equally well if on the same LAN or not.

I tried to do this over WAN, but my victim's browser didn't hook. Do I need to port forward? If so... How can I port forward if I have no access to the router?

I'm really sorry for my noob English...

Arnold:

Yes, you do need to port forward.

Step 1) Get the ip address for your router by typing "ifconfig" into the terminal. Find the word BCAST. The ip address beside it is your router's ip.

Step 2) Open up your web browser and in the url bar type the ip address. Then log in. (try USER:admin PASSWORD: admin)
Step 3) Go to portforward.com and find your router and follow the steps!

Hope this helped!

Thanks for the quick reply JINX :) . But step 2 is my problem. I have no access to the router :( . Is there an alternative way to do this?

So you can't log in?

Unfortunately... I can't :( . I don't know the username and password.

If you find out what make and model the router is, you can google: default user and pass for <make> <model> router

JINX:

Thanks for answering all my questions. I already tried that before. Unfortunately, no luck found... Hehehe.

I'll try to use my phone, and try to forward port there. It's possible right?

I don't usually mess around with phones for hacking, so I have no clue. Sorry... :(

I have a problem: I send the address to my victim over the internet and then the victim becomes online on beef, but after a few seconds it quickly changes to offline... why?

Correct me if I'm wrong. Your victim closed the link after a few seconds.

Can you help me?
I have a problem, I see I need to forward a port so I can do the thing.

I have Kali Linux 2.0 Live with persistence, I can't enter my router as my ISP disabled it because the DHCP server messes up the whole network when I enter router settings, so can you write how I could do port forwarding, and what ports I should forward, sorry if I'm being a noob.

Hello once again Sir,

I'm experiencing an issue here which I believe is not my fault, so I ask if you know of any solutions. I start up beef (tried with both service start and using the icon) and when it opens the panel, I only see the logo but no Login/Pass fields. I also get a few errors (some differ) including this one in the pic below. I ran apt-get update, upgrade and, to make sure, apt-get install beef-xss, but it's totally up to date. I use a Kali 2 Live boot USB drive. I need some aid here. Thank you.

same problem here, need aid

It's really hard for me to speculate what may be wrong. It may be another bug in Kali2.

For my part, I NEVER adopt a new software package until the bugs are worked out. I'm still running Kali 1.1 and will until all these bugs are resolved. Why do I want to be someone's beta tester on such an important software package in my work as Kali? I don't and you shouldn't either. Use Kali 1.1. It works.

Running Beef in verbose mode fixes this.

I'm new to hacking. Can you give me some kind of suggestion to learn? :) Thanks

Welcome to Null Byte, Demon!

You might want to start with my article "Hacking for Newbies". That should get you started along this exciting path to becoming a hacker!

Hi OTW, thanks for great tut.

1) I want to try it over WAN. But how can we protect our anonymity while doing this? I mean that even if we use duckdns or noip services (not sure it works with them) they can find out our IP easily by pinging. So how can we stay anonymous while doing this and metasploit handlers etc.

2) How can I make it more convincing? If I send them some IP or domain that ends with noip etc., they may get suspicious. Do we need a VPS or something? Is there any way that we can set it up on our domain? How will we handle the results?

Am I the only person here who hasn't had a great experience with BeEf? When testing I always find the exploits take a while to run? Is that just the nature of a javascript payload? Or am I doing something wrong?

Hello, I would like to know if BeEF may get access to all browsers? Can BeEF hook a Google Chrome Browser? Because some people click the option of "protect my computer from malicious websites". So if the hook url is sent via email, ex. gmail, etc, does the email recognize it as a spam url?

How can I be sure that the url is "clean" through the victim's eyes? And what does the victim see once the url is clicked and opened by the victim? Sorry for the long question(s), thank you :)

I have done the 1st step and then I come to the 2nd step. The authentication page doesn't load! Please help me, thx for the thread btw

Hello! I'm fresh here... I've been following you guys for a while,
and thanks to the OTW tutorials I have beef up and running over WAN

I can hook browsers but... in the first column where the browsers are displayed I get a question mark instead of some decent browser info, and besides that no exploit whatsoever will work... is it a port forwarding problem? I forwarded 3000, 5432, 5552, 53 and 80. I'm running in a VM, host: Mac (hackintosh)
