top of page

Hack Browsers with BeEF (Hack and Hook)

As we promised you in our last Jour-Fix meeting there is new series on hacking mobile devices,web applications and even Facebook and Google here in Pheniix, and we intend to deliver you those in 2020.In this article we try to hack browsers with BeEF.

In each of those topics, we will introduce you to new hacking tools and techniques, though, one tool that we will be using in all of those areas is called the Browser Exploitation Framework, or BeEF.

Introduction to BeEF:

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Similar to Metasploit, BeEF is a framework for launching attacks. Unlike Metasploit, it is specific to launching attacks against web browsers. In some cases, we will be able to use BeEF in conjunction with Metasploit to launch specific attacks, so let's jump in!

BeEF was developed by a group of developers led by Wade Alcorn. Built on the familiar Ruby on Rails platform, BeEF was developed to explore the vulnerabilities in browsers and test them. In particular, BeEF is an excellent platform for testing a browser's vulnerability to cross-site scripting (XSS) and other OWASP vulnerabilities.

How to start BeEF ?

BeEF is built into Kali Linux, and it can be started as a service and accessed via a web browser on your localhost. So let's start jump into BeEF. Start the BeEF service by going to "Applications" -> "Kali Linux" -> "System Services" -> "BeEF" -> "beef start."

Access BeEF via a browser:

The BeEF server can be accessed via any browser on our localhost ( web server at port 3000. To access its authentication page, go to: http://localhost:3000/ui/authentication

The default credentials are "beef" for both username and password.

Awesome! Now you have successfully logged into BeEF and are ready to begin using this powerful platform to hack web browsers.

Note that in the screenshot below that my local browser,, appears in the left hand "Hooked Browsers" explorer after I clicked on the link to the demo page. BeEF also displays its "Getting Started" window to the right.

Viewing Browser Details

If we click on the local browser, it will provide more choices to the right including a "Details" window where we can get all the particulars of that browser. Since I am using the Iceweasel browser built into Kali, which is built upon Firefox, it shows me that the browser is Firefox.

It also shows me the version number (24), the platform (Linux i686), any components (Flash, web sockets, etc.), and more information that we will be able to use in later web application hacks.

Hooking a Browser

The key to success with BeEF is to "hook" a browser. This basically means that we need the victim to visit a vulnerable web app. This injected code in the "hooked" browser then responds to commands from the BeEF server. From there, we can do a number of malicious things on the victim's computer.

BeEF has a JavaScript file called "hook.js," and if we are successful to get the victim to execute it in a vulnerable web app, we will hook their browser!

In the screenshot below, I have "hooked" an Internet Explorer 6 browser on an old Windows XP on my LAN at IP

Executing Commands in the Browser

Now, that we have hooked the victim's browser, we can use numerous built-in commands that can executed from the victim's browser. Below are just a few examples; there are many others.

  • Get Visited Domains

  • Webcam

  • Get All Cookies

  • Grab Google Contacts

  • Screenshot

  • Get Visited URLs

In the screenshot below, I chose the "Webcam" command that many of you may be interested in. As you can see, when I execute this command, an Adobe Flash dialog box will pop up on the screen of the user asking, "Allow Webcam?" If they click on "Allow," it will start to return pictures from the victim to you.

Of course, user will NOT click on allow because even the most idiot PC user nowadays know some basic security skills. Therefore you can customize the text. For instance, you could customize the button to say "A security update is available for you! Click here to secure your PC!" or "Your software is out of date. Click here to update and keep your computer secure." Other such messages might entice the victim to click on the box.

Getting Cookies

Once we have the browser hooked, there is almost unlimited possibilities of what we can do. If we wanted the cookies of the victim, we can go to "Chrome Extensions" and select "Get All Cookies" as shown in the screenshot below.

When we "Execute" it, it will begin collecting all the cookies from the browser. Obviously, once you have the user's cookies, you are likely to have access to their websites as well.

BeEF is an extraordinary and powerful tool for exploiting web browsers. In addition to what I have shown you here, it can also be used to leverage operating system attacks.

Common bug:

If you have problems in running BeEF then try this:


All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.

#SecurityCenter #IPSEC #InfoSec #ASASecurityDeviceManagerASDM #CCNASecurity #NationalCyberSecurityAwarenessMonth #Cybersecurity #CloudSecurity #Security #security #NationalSecurityAgencyNSA #IBMSecurity #CiscoSecurity #cybersecurity #securityflaw #CyberSecurity #OWASP #KaliLinux #hacking #hack #Virus

bottom of page