BROWSER EXPLOITATION FRAMEWORK (BEEF)
What is BeEF?
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
This session will cover the following:
- Hands on with the Autorun Rules Engine (clever scheduling and automation of multiple payloads)
- Network Extension (just how much local network can a browser see?)
- Having fun with CSRF
- So you think HttpOnly & Secure flags really help?
Attendees will hopefully have a better appreciation of how BeEF works, and how custom modules and extensions can be developed to meet any custom requirements you may have.
BeEf can be used to “safely” exploit Web and browser-based vulnerabilities like cross-site scripting (XSS) using client-side attack vectors. If a user clicks on a link that BeEf put there, it will hook the user’s browser into the BeEF server. The tool — which can be downloaded from the BeEf Project website or found in a distribution that already has it installed — can also issue commands to the browser, such as redirection, changing URLs, generating dialogue boxes and more. It has the ability to run malware on the hooked browser IP address and use it as a launching point to infiltrate other computers on the same network, effectively spreading the malware.
BeEf is preinstalled on operating systems such as Kali Linux, as demonstrated in this tutorial. The BeEF server shows testers a myriad of options, including a report on all the plug-ins running on the hooked browser, plus up to 14 different browser components and whether they are enabled. Based on that information, BeEF can recommend the types of attacks that can be launched against the browser. The tool’s reports are surprisingly detailed, providing in-depth data on the hooked browser, even if the computer running the browser is a touchscreen.
From Clippy to a fake notification bar, BeEF shows hundreds of potential exploits to compromise a browser — something that your employees should be aware of when surfing the Web on a company network.
This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the originial post: here