Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Synex
- Browser Exploitation Framework: BeEF
- CyberPunk » Exploitation Tools
- Browser Exploitation Framework
- The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target. This project is developed solely for lawful research and penetration testing.
- Browser Exploitation Framework: BeEF Browser Exploitation Framework: BeEF
- BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors. The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.
- The framework contains numerous command modules that employ BeEF’s simple and powerful API. This API is at the heart of the framework’s effectiveness and efficiency. It abstracts complexity and facilitates quick development of custom modules.
- BeEF can be used to further exploit a cross site scripting (XSS) flaw in a web application. The XSS flaw allows an attacker to inject BeEF project Javascript code into the vulnerable web page. In BeEF terminology, the browser that has visited the vulnerable page is “hooked”. This injected code in the “hooked” browser then responds to commands from the BeEF server. The BeEF server is a Ruby on Rails application that communicates with the “hooked browser” through a web-based user interface. BeEF comes with the Kali Linux
- Browser Exploitation Framework: BeEF Wiki
- Requirements
- OSX 10.5.0 or higher, Modern Linux, Windows XP or higher
- Ruby 1.9.2 or higher
- SQLite 3.x
- The gems listed in the Gemfile: https://github.com/beefproject/beef/blob/master/Gemfile
- Browser Exploitation Framework: BeEF installation guide
- Commands
- The commands that come with BeEF include, but are not limited to:
- changing URLs of links on the target page.
- redirecting the victim’s browser to an arbitrary site
- causing dialog boxes to appear and attempt to collect information from the user,
- browser fingerprinting,
- uploading arbitrary files from the victim’s device, and
- detecting valid sessions with selected applications such as Twitter, Facebook and GMail.
- Notable features
- BeEF’s modular framework allows addition of custom browser exploitation commands.
- The extension API allows users to change BeEF’s core behavior.
- Keystroke logging
- Browser proxying
- Integration with Metasploit
- Plugin detection
- Intranet service exploitation
- Phonegap modules
- Hooking through QR codes
- Social Engineering modules spur user response such as entering sensitive data and responding to reminders to update software
- Restful API allows control of BeEF through http requests (JSON format).
- Source && Download
- Browser Exploitation Framework: BeEF download
- Positives
- Very clean interface. API. 'Point and Click' Attacks. It is a great attack tool as practically any browser that loads the hook script will get hooked
- Negatives
- BeEF is expecting that all web browsers have javascript enabled
- RATE HERE
- Ease Of Use
- 64%
- Features
- 63%
- Value
- 66%
- Overall Rating
- 67%
- Bottom Line
- It can be used as a serious Pen Test tool. In most cases, when you demonstrate an XSS to a client (assuming you're a pen tester) it does not have that much of an impact when you show them a silly pop up. On the other hand, if you demonstrate XSS using BeEF, now that will give them a scare.
- 65%
- 10 RATINGS
- OWND
- 33%
- COOL
- 33%
- NICE
- 22%
- WHAT ?
- 11%
- MEH
- 0%
- ZZZZZZZ
- 0%
- RAGE
- 0%
- You may also like:
- Exploitation ToolsPost Exploitation
- NSA Software Reverse Engineering Framework: Ghidra
- Graphical User Interface for Metasploit Meterpreter and Session Handler: Kage
- Kernel-Mode Rootkit Hunter: Tyton
- Tools for capturing and analyzing keyboard input paired with microphone capture
- Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
- Automatic SQL injection and database takeover tool: sqlmap
- Do you want to write for CyberPunk? If you have an interesting and intelligent topic you think we would like to publish, send it to admin@n0where.net. Tools should use "TOOL" subject. Articles [ Hackers Perspective, I hack3r, Hacker History, Hacker Today ], Overviews & Insights, PWN, phreakers and REST use subject HACK (We do require that any submission was NOT previously printed or available online). Letters to the editor ? Subject: "LETTER".
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement