How to use BeEF, the Browser Exploitation Framework

The open source BeEF pen testing tool can be used by red and blue teams alike to hook web browsers and use them as beachheads to launch further attacks.

Having the right tools in your penetration testing toolbox is critical to effectively assess vulnerabilities and mitigate threats. One tool that can fit easily into both offensive campaigns and defensive countermeasures is the Browser Exploitation Framework Project, or BeEF.

Let's dive into what this web browser pen testing tool is, what it's used for and how to get started using it.

Editor's note: Tools such as BeEF can be used in ways that are lawful and helpful to you as a security practitioner, but they can also be used illegally, unlawfully and unethically. Make sure any planned use is ethical, lawful and legal. If you're not sure about the legality, do not proceed until you are. This may require some research on your part, such as an honest discussion with internal counsel about what you have planned.

What is BeEF?

BeEF is an open source tool designed to enable an attacker to use a target's browser as an attack point, or beachhead. The project's website says the tool is designed to "hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context."

Confused? Let's work through an example to see how this would be valuable.

Say that a user clicks on a website controlled by an attacker. Security professionals know this is a potentially problematic situation. The attacker can now communicate directly with the user and do the following:

  • show the user any content they want;
  • request permissions via that page to access the microphone or webcam;
  • attempt to launch mobile code, for example, Java;
  • link to other sites; and
  • attempt to trick the user into running malware.

They can use the site in furtherance of -- and as a starting point for -- other browser-borne attacks, such as clickjacking or cross-site request forgery.

These actions can all be simulated with BeEF. The tool enables you to hook a web browser, which navigates to a page you control, effectively providing you with limited control over a tab on the user's browser. Note that it is limited control. The specific actions you can take once in control vary depending on the type of browser, the users' browser security configuration, the OS platform and other factors.

One common technique, sometimes called tabnabbing, is to hook a browser tab, wait for some time to elapse -- potentially indicative of a user with numerous tabs open -- and redirect that tab to a nefarious site that mimics the appearance of a legitimate service -- something such as Microsoft 365, for example -- to ask for and capture the user's login credentials. Sites that log you out for security reasons -- for example, after a short period of inactivity -- are excellent targets for this because users expect that if they leave a tab open on such a page that they will need to reauthenticate when they return.

Hijacking a tab isn't in and of itself a compromise, per se -- you can't do anything you want with it. Most modern browsers are architected so that tabs are logically segmented from each other. This means you can't -- without taking other action -- influence or directly attack other tabs in that same browser. Likewise, you can't make requests to whatever websites you want as that user or from the user's browser -- cross-domain protections exist to prevent exactly this type of attack. You can, however, redirect the user's browser to sites you control, you can send them links and you can cause them to download malware.

What are the uses of BeEF?

On the surface, it might seem that there's little opportunity for blue-team use of a tool like this. By applying creativity, however, there are opportunities to bolster defensive efforts, as well as red-team activities.

Auditors, for example, might consider using BeEF to help validate zero-trust efforts. A key tenet of zero trust is that access to resources shouldn't be gated on the basis of point of origin alone. A tool that can help you test internal access to a resource -- using a hooked browser as a conduit -- versus external access to that same resource is important data.

Alternatively, you might consider using it as part of a phishing simulation exercise after a user clicks a simulated malicious link. Or you might use it to validate your organization's browser configuration and hardening standards.

How to use BeEF

So, where's the BeEf? The tool is available for install -- or installed by default, depending on the installation options you use -- in many pen testing Linux distributions, such as Kali and BlackArch. You can get up and running quickly if you are using one of these platforms or by downloading a VM image. You can also obtain and run the installer like you would any other piece of software.

Once installed, use boils down to the following three main steps:

  1. planning your campaign
  2. hooking the browser(s)
  3. taking action on the objectives

Let's talk through each phase and go over some examples of how to use BeEF to accomplish each phase.

1. Planning your campaign

The first step is to map out what you're going to do. It's particularly important with this tool that you have a clear idea of what you want to achieve. There are a couple reasons for this. First, you need to get your target to load a page you control. In many cases, you want this to be done surreptitiously so the user doesn't realize something unexpected has occurred. Depending on what you're trying to do, you might consider DNS poisoning, Address Resolution Protocol spoofing, watering hole attack, persistent cross-site scripting (XSS) or any number of other strategies. But you want to think through how you accomplish this.

Second, as mentioned earlier, different browser, OS and configuration parameter settings can affect what you can and can't use BeEF for. This means you need to apply creativity to accomplish your goal. Having a clear idea of intended outcomes means you can take advantage of targets and opportunities that arise or use advantageous situations that may be brief or ephemeral.

Screenshot of installing BeEF in Kali
Figure 1. Install the BeEF software in the Kali Linux platform.

Before starting, make sure you have the software installed. If you're using a platform such as Kali, the tool may or may not be installed by default, depending on the installation options you select. If it's not there by default, this is easily accomplished. On Kali, for example, use sudo apt update && sudo apt install beef-xss to install it, as illustrated in Figure 1.

When you run the software for the first time, it prompts you to create credentials. Remember the credentials you create since you need them later.

Screenshot of BeEF login screen
Figure 2. Log in to the software.

2. Hooking the browser(s)

After planning your campaign, the next step is to put it into practice. You typically start by hooking one or more browsers within the tool. The mechanics of this are straightforward: Put the appropriate scripts/code on a webpage, and get users to navigate to that webpage. As noted, you may need to use subterfuge to accomplish this without setting off an alarm. A near-infinite array of strategies help accomplish this, including phishing emails or persistent/stored XSS, which are useful in the context of a pen test.

After loading the software, you are asked to log in to access the control panel, shown in Figure 2. Log in with the credentials you created for the software.

Screenshot of hooked browsers in BeEF
Figure 3. Example of hooked browsers

Once authenticated, you see a console that shows the Getting Started information -- this is always worth a careful read -- as well as what browsers have been hooked. When you first load the software, there won't be any browsers hooked, so you need to start by hooking one.

To experiment, you can start with the tool's demo pages. The code to hook a browser is extremely straightforward and direct to add to any page -- again, for lawful use purposes only. Figure 3 illustrates the console after hooking several browser tabs -- one in a VM and one not in a VM to illustrate the difference.

3. Taking action on the objectives

After hooking one or more browsers, it's time to employ the hooked browser to perform your testing or to take the actions to realize the objectives you have planned.

Under the Commands tab, you find specific actions you can take. These are filtered by the following color coding:

  • green -- the command works on the target and won't be visible to the user;
  • red -- the command does not work on the target;
  • gray -- the command may work but hasn't been verified; and
  • orange -- the command works but has affects a user might notice.

Spend some time experimenting with different things you can do and how the specific commands work. If you want to try the tabnabbing strategy outlined above, for example, choose the Redirect Browser option -- it works on most browsers -- and direct the browser to load any page you choose. Simply provide the URL, hit Execute and soon the browser redirects as instructed.

You can also try to snoop on data users submit, see pages they load, send them pop-ups and fingerprint the browser. Hundreds of things can be done -- spend a few hours kicking the tires on these options as you plan your campaigns.

Another useful feature is the Proxy tab. Create specific requests for the browser to retrieve, or use the hooked browser tab as an HTTP forward proxy -- you can do this by right-clicking the hooked browser and specifying Use as Proxy from the drop-down. Remember that browser cross-origin and domain rules apply, so it's most useful when you can hook a page on the domain you want to test. The Forge Raw HTTP Request subtab lets you create an individual request in isolation.

Other more niche features to consider are XssRays for identifying XSS opportunities on hooked pages and the Network tab, which provides a graphical topology map of the hooked browsers in relation to BeEF.

The BeEF tool offers many options for how to use the target's actions to gain a beachhead or access point onto the remote endpoint. From there, it's a matter of applying creativity in usage to achieve the outcomes you are hoping for.

Next Steps

5 common browser attacks and how to prevent them

Dig Deeper on Threat detection and response