BeEF comes preloaded with over three hundred modules that you can run, depending on the hooked browser. These are broken down into twelve categories, including Exploits, Network, and Social Engineering.


Google Phishing

The Google Phishing command is a module within BeEF that aims to trick the user of a hooked browser into revealing their Google credentials.

When we execute the command, the victim’s browser should display the fake login page.

Fake Notification Bar

The Fake Notification Bar command is another module within BeEF designed for social engineering attacks.

When this module is executed on a hooked browser, it displays a fake notification bar at the top of the target browser window. The content of this notification bar can be customized and designed to trick the user into clicking a link or downloading a file.

For our demo, we will be using a reverse shell payload. If the user is tricked into downloading and running the file, it will open a reverse shell to our machine. A reverse shell allows us to execute commands remotely on the victim’s system, giving us complete control over it.

For more information on reverse shells, see our reverse shell cheat sheet.

We will use the “Fake Notification Bar (Firefox)” module because the user’s browser is Firefox, but you should choose whichever module applies to your situation.

Please ensure that you set the “Plugin URL” to the location of the reverse shell. You can leave the “Notification text” as it is or change it to fit your needs.

We changed our text to read: Critical Security Alert: Your Firefox browser is critically outdated! Click here to install the urgent security update now.

Once we click “Execute,” the user will be presented with a notification bar.

Session Cookies

Session cookies, also known as temporary cookies, store information about a user’s activity during a single browsing session. They help websites remember user actions, such as login credentials or items added to a shopping cart, and are deleted when the browser is closed.

In BeEF, we can exploit session cookies using the “Get Cookie” module. To do this, select “Get Cookie” and press the “Execute” button. The retrieved session cookies will appear in the “Command results” window.

From an attacker’s perspective, session cookies are highly valuable. With these cookies, an attacker can impersonate a user on a website (such as an e-commerce site or a member section of a forum) by hijacking their session. This allows the attacker to gain unauthorized access to the user’s account and potentially perform actions on their behalf.
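The BeEF hook runs as JavaScript inside the page, so it can only read cookies that the browser exposes through `document.cookie`; a cookie set with the `HttpOnly` attribute is not exposed there. The following added example (not part of the original article or of BeEF) audits `Set-Cookie` headers from a defender's side and reports which cookies a script in the page could read. The header values and function names are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for cookies a script in the page could read.
// The header values below are constructed sample data, not taken from a real site.
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/",
  "auth=eyJhbGciOi; Path=/; Secure; HttpOnly; SameSite=Lax",
  "cart=3; Path=/; Max-Age=86400; Secure",
  "__Host-sid=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Strict",
];

// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Report the attribute gaps that matter for script-based cookie theft.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push("readable via document.cookie (no HttpOnly)");
  if (!attrs.secure) findings.push("can be sent over plain HTTP (no Secure)");
  if (!attrs.samesite) findings.push("no explicit SameSite");
  // A cookie without Expires or Max-Age lasts only for the browsing session.
  const sessionOnly = !("expires" in attrs) && !("max-age" in attrs);
  return { name, sessionOnly, scriptReadable: !attrs.httponly, findings };
}

// Names of the cookies that script running in the page could read.
function scriptReadableCookies(headers) {
  return headers.map(auditSetCookie).filter((c) => c.scriptReadable).map((c) => c.name);
}

for (const h of SAMPLE_HEADERS) {
  const r = auditSetCookie(h);
  console.log(`${r.name}: ${r.findings.length ? r.findings.join("; ") : "ok"}`);
}
```

Any session identifier that appears in the output of `scriptReadableCookies` should be reissued with `HttpOnly` (and `Secure` and `SameSite`) so that a script injected into the page cannot read it.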

Last updated 04 Sep 2024, 13:45 +0530.