x32x01

ADMINISTRATOR
The Browser Exploitation Framework (BeEF) is a penetration testing tool focused on client-side attacks executed within a browser. And yes, it includes lots of exploits.


BeEF used to come pre-installed with Kali Linux, but it no longer does. It is still available in the Kali Linux repository, so we can install it on Kali Linux or a similar Linux distribution with the following command:
Code:
sudo apt-get install beef-xss

The following screenshot shows the output of the preceding command:

Screenshot_2020-06-26_13-28-59.png

This may take some time, depending on our internet speed and processing speed.

BeEF can be opened from the terminal using the beef-xss command:
Code:
sudo beef-xss

If we are opening it for the first time, we need to set a new password to log in to the BeEF control panel.

Screenshot_2020-06-26_13-53-02.png

After we set a new password for the default user beef, the tool starts, as we can see in the following screenshot:

Screenshot_2020-06-26_13-54-36.png

Now we can access the web-based user interface (Web UI) in our browser. We don't know why, but BeEF tries to open our browser automatically and fails (Hey BeEF, don't worry, we can open it manually). We need to open our browser and navigate to http://127.0.0.1:3000/ui/panel, and we are on BeEF's login page.

Screenshot_2020-06-27_13-11-25.png

Now we type beef as the default user, enter our chosen password and press login.

We are logged in to our BeEF control panel.

Screenshot_2020-06-27_13-42-13.jpg

Now we need to "hook" a browser.

Screenshot_2020-06-27_13-50-06.png

BeEF provides a basic demo page and an advanced page to hook a browser, as we can see in the above screenshot.

Let's check it by clicking on the advanced version.

Screenshot_2020-06-27_13-54-56.jpg

We can see in the above picture that this is the advanced page to hook a browser. Any browser that opens this page will be hooked (even our own), and we get control of that browser.

But this runs on localhost. To send it to another person on our local network, we need to use 192.168.XX.XXX (the local IP address) in place of 127.0.0.1. The local IP address can be found by typing the ip address command in the terminal.
Code:
ip address

Screenshot_2020-06-27_14-01-36.png

Now we need to send this to anyone in our local network with some juicy social engineering techniques. Whenever our target opens this link with a browser the browser will be hooked.

We have sent this hooking URL, http://192.168.225.51:3000/demos/butcher/index.html, to another PC of ours and opened the link there.

On our attacker machine we get one online hooked browser.

Screenshot_2020-06-27_14-10-13.png

We need to click on the hooked browser's IP address.

Screenshot_2020-06-27_14-11-27.png

Now we are in the current browser section. Here we can see all the details about our browser, and we can run exploits.

To run exploit commands we need to navigate to the commands tab.

Screenshot_2020-06-27_14-17-17.png

As an example in this tutorial, we run a basic exploit command on our hooked browser. We go to the social engineering menu, select Google phishing and click on execute.

Screenshot_2020-06-27_14-24-18.png

After we click on execute, the following page automatically appears on our target PC.

Screenshot_2020-06-27_09-01-24.jpg

Now if we enter credentials on the target PC, we get them on our attacker machine.

BeEF does not only create phishing pages; it has lots of advanced exploits. It can take snaps from the webcam, and it is dangerous when an attacker integrates BeEF with Metasploit.

The Browser Exploitation Framework hooks the browser with JavaScript inside a normal HTML page, and it exposes a RESTful API that allows BeEF to be scripted through HTTP/JSON requests.

To use BeEF over the internet we need to use our external IP address in place of our internal IP address. We also need to forward the default port, 3000.

Screenshot_2020-06-27_15-19-03.png
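
Because the hook is ordinary JavaScript fetched over HTTP from the BeEF server, it leaves traces in web proxy logs. The following is an added example (not part of the original post and not BeEF's own code) that triages proxy log lines for default BeEF indicators: port 3000 and the /demos/ and /ui/panel paths used in this tutorial, plus BeEF's default hook file name hook.js and session name BEEFHOOK. The log format, the client addresses and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# BeEF defaults; all can be changed in its config.yaml, so a clean result
# does not rule BeEF out.
PORT, HOOK_FILE, SESSION_PARAM = 3000, "/hook.js", "BEEFHOOK"

# Constructed proxy log, one request per line: "<time> <client> <method> <url>"
SAMPLE_LOG = """\
2020-06-27T14:09:58 192.168.225.60 GET http://192.168.225.51:3000/demos/butcher/index.html
2020-06-27T14:10:03 192.168.225.60 GET http://192.168.225.51:3000/hook.js?BEEFHOOK=CONSTRUCTEDSESSION
2020-06-27T14:10:08 192.168.225.60 GET http://192.168.225.51:3000/hook.js?BEEFHOOK=CONSTRUCTEDSESSION
2020-06-27T14:10:09 192.168.225.61 GET http://intranet.example:3000/status
2020-06-27T14:10:11 192.168.225.62 GET http://192.168.225.51:3000/ui/panel
"""

def indicators(url):
    """Return the default-BeEF indicators present in one requested URL."""
    parts, found = urlsplit(url), set()
    if parts.path == HOOK_FILE:
        found.add("hook-script")
    if SESSION_PARAM in parse_qs(parts.query):
        found.add("hook-session")
    for prefix, name in (("/demos/", "demo-page"), ("/ui/panel", "admin-panel")):
        if parts.port == PORT and parts.path.startswith(prefix):
            found.add(name)
    return found

def triage(log_text):
    """Group indicator hits by (client, server) and give each pair a verdict."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        found = indicators(fields[3])
        if found:
            hits[(fields[1], urlsplit(fields[3]).netloc)].append(found)
    report = {}
    for pair, seen in hits.items():
        kinds = set().union(*seen)
        polls = sum("hook-session" in s for s in seen)
        if "hook-script" in kinds and polls >= 2:
            report[pair] = "hooked-browser"    # hook script requested repeatedly
        elif "admin-panel" in kinds:
            report[pair] = "operator-console"  # someone opened the control panel
        else:
            report[pair] = "review"            # single indicator, needs a human
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A plain request to port 3000 with none of these indicators, such as the intranet line in the sample, is not reported.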
