Hijacking browsers with BeEF

Web Heist

© Lead Image © kanokpol prasankhamphaibun, 123RF.com

© Lead Image © kanokpol prasankhamphaibun, 123RF.com

Article from Issue 288/2024
Author(s):

Bits of JavaScript from a malicious website can put your browser in a trance. A tool called BeEF encapsulates that power in a most diabolical way, providing yet another reason to avoid unknown links and keep your browser up to date.

Web browsers have become so ubiquitous that they are installed on almost every Internet-connected device with a user interface. Because of this popularity, browsers are a very attractive target for attackers.

A 2023 article on the Dark Reading website [1] discusses a study by Spin.AI. The study analyzed around 300,000 browser extensions for several browsers that use Chromium under the bonnet, such as Google Chrome and Microsoft Edge. A staggering 51 percent of the extensions presented a high risk to users. The study apparently found that the "extensions all had the ability to capture sensitive data from enterprise apps, run malicious JavaScript, and surreptitiously send protected data including banking details and login credentials to external parties."

The complexity of modern browsers increases their attack surface greatly, and the threats that their developers must counter should not be underestimated. For a number of years, both Firefox and Google Chrome have made use of sophisticated sandboxing techniques to provide a number of isolation advantages [2].

Bearing in mind the challenges and the reality of serious threats, an offensive security tool used for pen testing leapt off the page at me recently. The tool takes advantage of how users interact with the web pages that they visit.

This article describes how an attacker can hijack an ordinary browser. After looking at some common attack techniques, the attack tool I'll look at is known as BeEF, which stands for the Browser Exploitation Framework. According to the BeEF GitHub repository [3], "Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system and examines exploitability within the context of the one open door: the web browser."

On your Marks

I'll install BeEF on an Ubuntu Linux 22.04 system inside a VM. The documentation states that you can use BeEF on any machine capable of supporting Ruby v3.0+ or NodeJS, but macOS and Linux are officially supported. There's also a Docker container route, which should make for an easier way with package dependencies.

To install BeEF, start by cloning the repository and running the installation script:

$ git clone https://github.com/beefproject/beef.git
$ cd beef; ./install

You are then presented with some very welcome ASCII art. Two guesses what the logo depicts (Figure 1).

Figure 1: ASCII art for the BeEF installer echoes the beef theme.

At the foot of the output, under the BeEF logo, a number of steps continue the installation. The sophistication of the installation script is impressive. In Ubuntu Linux, I am offered a choice to install packages that will take up a sizable 347MB (which is not entirely surprising for a minimum Ubuntu installation on the VM). Following the package update, the installer uses another circa 60MB of disk space for setting up a few additional Ruby packages.

Hitting the Go Button

When the installation completes, have a look at the contents of the config.yaml file, which contains some useful configuration options, such as enabling debugging and restricting network addresses. The default credentials shown in config.yaml are:

user:   "beef"
     password: "beef"

You'll need to change the password before running BeEF. Enter the following command:

$ ./beef

and BeEF will output a number of settings, including a key for the RESTful API and an HTTP Proxy. The UI for BeEF (not the HTTP Proxy) is presented over TCP port 3000:

http://localhost:3000/ui/panel

Enter the username and password at the prompt. Once you are logged in, you are presented with the view in Figure 2.

Figure 2: Getting started with the BeEF UI.

The helpful Getting Started tab explains the concept of hooking a browser. Hooking is when the attacker injects some JavaScript into a webpage with the aim of gaining a degree of control. The first task is to click the demo link and check back to the terminal that I ran the BeEF server in. In Figure 3, you can see the Google Chrome browser that I am using is well and truly hooked.

Figure 3: Addictive, this BeEF stuff – I'm hooked.

The eagle-eyed among you will spot the "Invalid browser name?" error. If my memory serves, having watched the YouTube video, this is because Chrome has privacy settings that don't identify it in the same way as other browsers. The video denotes the browser name as "UN" which seems to stand for "unknown."

There's also a "Hook Me!" bookmarklet link, which you can use as a bookmark. The link contains some tricky-looking JavaScript, which apparently allows you to hook any page that you are currently visiting. Once hooked, BeEF acts as the command and control machine to provide attackers with the tools to do their damage.

Hook, Line, and Sinker

In Figure 4, you can see the UI version of the output from the terminal: a graphical representation with a couple of question marks (for the unknown browser name/type and hardware type), along with a welcoming Tux penguin icon showing that I'm using Linux and displaying the internal IP address that I'm using to connect to the VM.

Figure 4: UI version of the terminal output.

If I click onto the browser entry, the UI springs to life and gives me a myriad of options, such as exploits and specific details about the version of the browser. I can see what extensions and capabilities are available and some of the routes that BeEF might take to attack my version of Google Chrome.

Once I have selected a module and added some configuration, I can then click an Execute button that appears on the right-hand side to run the module against the browser. The modules for a target browser are classified by their expected effectiveness, as shown in Figure 5.

Figure 5: The modules are color coded to show what is possible.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News