Black Hat BLACKHAT 2016 USA Las Vegas – BROWSER EXPLOITATION FRAMEWORK (BEEF)

BROWSER EXPLOITATION FRAMEWORK (BEEF)

PRESENTED BY

Christian Frichot

FREE DOWNLOAD:

https://github.com/beefproject/beef

What is BeEF?

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

The little browser hacking framework that could; BeEF (once again voted into the top 5 security tools on ToolsWatch.org) is back again for another hands-on, JavaScript-filled arsenal session of insanity. If you’ve seen people talk about BeEF and haven’t gotten around to getting your hands dirty, then now is the perfect time to look under the cover and see how hook.js works. While the framework itself is held together with duct tape, Ruby and JavaScript, the capabilities of BeEF have been slowly marching forward year by year, with new features being added almost as quickly as new HTML5 APIs are added to browsers. Two of the larger additions to the framework have been the Autorun Rules Engine (ARE) and the Network Extension, the brainchildren of @antisnatchor and @_bcoles. But BeEF isn’t just about client-side testing; it’s also a great tool if you need to quickly PoC JavaScript-based payloads.

This session will cover the following:

  • Hands on with the Autorun Rules Engine (clever scheduling and automation of multiple payloads)
  • Network Extension (just how much local network can a browser see?)
  • Having fun with CSRF
  • So you think HttpOnly & Secure flags really help?

Attendees will hopefully have a better appreciation of how BeEF works, and how custom modules and extensions can be developed to meet any custom requirements you may have.

BeEF can be used to “safely” exploit web and browser-based vulnerabilities like cross-site scripting (XSS) using client-side attack vectors. If a user clicks on a link that BeEF put there, it will hook the user’s browser into the BeEF server. The tool, which can be downloaded from the BeEF Project website or found in a distribution that already has it installed, can also issue commands to the browser, such as redirection, changing URLs, generating dialog boxes and more. It has the ability to run malware on the hooked browser’s IP address and use it as a launching point to infiltrate other computers on the same network, effectively spreading the malware.

BeEF is preinstalled on operating systems such as Kali Linux, as demonstrated in this tutorial. The BeEF server shows testers a myriad of options, including a report on all the plug-ins running on the hooked browser, plus up to 14 different browser components and whether they are enabled. Based on that information, BeEF can recommend the types of attacks that can be launched against the browser. The tool’s reports are surprisingly detailed, providing in-depth data on the hooked browser, including whether the device running the browser has a touchscreen.

From Clippy to a fake notification bar, BeEF shows hundreds of potential exploits to compromise a browser, something that your employees should be aware of when surfing the web on a company network.



This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the original post: here
