2. Overview
What is BeEF
Installation and requirements
How it works
Case studies & examples
Advantages
Software Security, FCS Iasi, 2013-2014
3. What is BeEF?
http://beefproject.com/
Open-source penetration testing tool used
to test and exploit web application and
browser-based vulnerabilities.
Main developer: Wade Alcorn, security
expert
Last stable release: 0.4.4.7 / August 2013
4. Installation and requirements
OSX 10.5.0 or higher, Modern Linux,
Windows XP or higher
Ruby 1.9.2 RVM or higher
SQLite 3.x
A list of ruby gems [...]
5. How it works
BeEF uses a JavaScript file, hook.js, that will
hook one or more browsers and will use
them for launching directed command
modules and further attacks against the
system through an open door: the web
browser context
Uses a web interface to manage and send
commands (attacks) to the browser
zombies
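Because the hook is an ordinary script load, a page's Content-Security-Policy decides whether a browser would fetch hook.js from another origin at all. The following is an added example, not part of the original slides or of the BeEF project: a simplified source-list matcher a tester or defender can run against a site's policy. The URLs, the function names and the CSP framing are assumptions made for the illustration.

```javascript
// Added example: simplified CSP source-list matching (host paths, nonces,
// hashes and 'strict-dynamic' are ignored). All URLs are constructed samples.

// Source list governing script loads: script-src, falling back to default-src.
function scriptSources(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// True when one source expression permits the given script URL.
function sourceMatches(source, script, page) {
  const s = source.toLowerCase();
  if (s === '*') return ['http:', 'https:'].includes(script.protocol);
  if (s === "'self'") return script.origin === page.origin;
  if (s.startsWith("'")) return false; // 'none' and other keywords match no URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return script.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && script.protocol !== scheme + ':') return false;
  const hostOk = host.startsWith('*.')
    ? script.hostname.endsWith(host.slice(1))
    : script.hostname === host;
  const defaultPort = script.protocol === 'https:' ? '443' : '80';
  const portOk = port === '*' || (script.port || defaultPort) === (port ?? defaultPort);
  return hostOk && portOk;
}

// Would the browser be allowed to load scriptUrl as a <script> on pageUrl?
function scriptAllowed(cspHeader, pageUrl, scriptUrl) {
  const sources = scriptSources(cspHeader);
  if (sources === null) return true; // no directive restricts scripts
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, pageUrl);
  return sources.some((src) => sourceMatches(src, script, page));
}

const PAGE = 'https://shop.example/cart';          // constructed sample
const HOOK = 'http://tester.example:8080/hook.js'; // constructed sample
for (const policy of ['', "default-src 'self'", "script-src 'self' *.example:*"]) {
  console.log(JSON.stringify(policy), '->', scriptAllowed(policy, PAGE, HOOK));
}
```

A missing policy or a broad wildcard source leaves the cross-origin load permitted; a list restricted to 'self' and named hosts does not.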
7. BeEF Features
The official page lists 128 modules (exploits)
Modular framework, can be easily extended
with custom browser exploitation commands
Provides a RESTful API that allows controlling
BeEF through HTTP requests (in JSON format)
Can be configured to be integrated with
Metasploit
8. BeEF Commands
Modify the target page's HTML content (all the
content, or alter only the hrefs)
redirect the victim's browser to an arbitrary
site
generate dialog boxes/ fake notifications /
request missing plugin installation as a context
for placing and executing malicious code
browser fingerprinting, detect plugins (ActiveX,
Java, Flash, etc.)
detect valid sessions of applications such as
Twitter, Facebook and GMail.
9. Ex 1 - Malicious code injection
Fake Notification Bar (e.g. Firefox)
Displays a fake notification bar at the top of the
screen. If the user clicks the notification they will
be prompted to download a malicious Firefox
extension (by default).
Raw Javascript
Sends the code to the selected hooked browsers
where it will be executed. Code is run inside an
anonymous function and the return value is
passed to the framework. Multiline scripts are
allowed, no special encoding is required.
10. Ex 2 - Web page defacement
Replace content (Deface webpage)
Overwrite the page, title and shortcut icon on the
hooked page.
Replace HREFs
Rewrite all the href attributes of all matched links.
TabNabbing
This module redirects to the specified URL after
the tab has been inactive for a specified amount
of time.
11. Ex 3 - Keystroke Logging
iFrame Event Logger
Creates a 100% by 100% iFrame overlay with
event logging.
Fake LastPass
Displays a fake LastPass user dialog which will log
all the user's key strokes.
12. Ex 4 – Exploring the network
Detect Social Networks
This module will detect if the Hooked Browser is
currently authenticated to GMail, Facebook and
Twitter. (specify detection timeout)
Network / Port Scanner
Scan ports in a given hostname, using
WebSockets, CORS and img tags. It uses the
three methods to avoid blocked ports or Same
Origin Policy.
13. Ex 5 – Browser fingerprinting
Spider Eye
Creates a snapshot of the victim's window
Detect Firebug
Detect Silverlight
Detect Windows Media Player
Detect ActiveX
Detect toolbars
Etc.
14. Metasploit / w3af / BeEF
                    Metasploit          w3af              BeEF
Language            Perl → Ruby         Python            Ruby
Supported OS        cross-platform      cross-platform    cross-platform
Pen-testing target  network             Web applications  browser
$                   Open source + paid  Open source       Open source
Firewall