We can categorize the BeEF social engineering framework as shown in the picture below:
We can read more about the mentioned frameworks, namely: SET (Social Engineering Framework), BeEF, Honeyd and Cree.py, on the Infosec Institutewebsite,
where they are briefly described. .
We can use BeEF to host a malicious web site, which is then visited by the victim. The BeEF is used to send commands that will be executed on the web browser of the victim computer. The victim users will be added as zombies to the BeEF framework. When the attacker
logs into to the BeEF server, he can then execute the modules against the specified victim user. An attacker can execute any module or write his own module, which enables him to execute an arbitrary command against the victim zombie.
Among all the actions that we can execute against the hooked target web browser are also the following actions: key logger, port scanner, browser exploitation tool, web proxy, etc.
BeEF uses browser vulnerabilities to gain control of the target computer system. BeEF provides an API that we can use to write our own module to attack the target web browser. Therefore the BeEF provides the API that abstracts the complexity and makes possible
the quick and effective creation of modules.
First, we must download and install the browser exploitation framework. We can do that by visiting the BeEF
github webpage and execute the below commands.
To install the prerequisites, execute the below commands as root:
Execute the below commands as a normal user to satisfy the rest of the dependencies:
Download the BeEF framework:
To install the BeEF framework, we must first run the bundle command, which should install all the missing dependencies.
A successful installation of all dependencies should look as below:
Update the BeEF framework to the latest version:
After all that the BeEF framework should start normally, like below:
We can see that BeEF is up and running correctly: it’s running on all found network interfaces, so it is accessible from everywhere (not only localhost). From the BeEF output, we can see that the user interface panel is accessible on the URI:http://10.1.1.2:3000/ui/panel.
If we visit this web page, we’re automatically redirected to the web page: http://127.0.0.1:3000/ui/authentication,
which looks like the picture below:
Great. We’ve successfully set-up the BeEF exploitation framework. The default username and password are beef:beef.
When we’ve successfully authenticated, the below web page is presented to us:
We can see that the web page first greets us and presents the basic information and getting started guide about BeEF. We should read the getting started guide carefully since it provides enough details to get started with using the BeEF framework.
2.2. Getting Started
There are two demo pages currently available in the BeEF framework and are presented below:
a. Basic Demo Page
When the web page on the above picture loads, our web browser is already hooked into the BeEF framework and we can execute modules against it. The additional links and form are present for demonstration purposes of the various features of the BeEF framework,
which we won’t discuss here. All that is important is that upon visiting the above web page, the browser is automatically hooked into the BeEF framework.
b. Butcher Demo Page
This examples also automatically hooks the web browser into the BeEF framework, so no additional steps are required. The additional elements on the web page are for demonstrating purposes only.
On the left side of the BeEF user interface panel, we can see “Online Browsers” and “Offline Browsers”, which represent the hooked browsers, some of which are online and the others are offline; this depends on the polling activity of the victim web browser.
The getting started web page also states that we can communicate with the hooked browser by clicking on one of the browsers, upon which a new tab will appear and will look like the picture below:
We can see that each new tab representing a browser has five new tabs – summarized after :
Displays information about the hooked browser, which we can see in the picture above.
Displays log entries of current hooked browser. We can see this tab represented in the picture below:
Green : works against the target; invisible to the user.
Orange : works against the target; visible to the user.
Grey : must yet be verified against the target.
Red : does not work against the target.
We can see this tab represented in the picture below. We have selected the “Browser – Hooked Domain – Play Sound” module.
This tab allows us to submit arbitrary HTTP requests on behalf of the hooked browser.
This tab can be used to check if the page where the browser is hooked is vulnerable to XSS attack. If we right-click on the hooked browser, a menu opens giving us two options to choose from:
This option allows us to use the hooked browser as a proxy.
Launch XssRays on Hooked Domain
This launches the XSS vulnerability discovery on the web page. The XssRays tab mentioned above does the same thing, but we can use it to change options as well.
In this part we’ve installed the prerequisites for BeEF framework and BeEF itself. Afterwards we connected to the BeEF framework in web browser and looked at the user interface and the options it allows us to use. We also discussed how the BeEF framework should
be used and what it can do.
In the next part of the tutorial we’ll look at the “Commands” tab of the user interface where all the modules are stored.
 BeEF Getting Started Introduction Web Site, accessible on http://127.0.0.1:3000/ui/panel.