Hijacking browsers with BeEF
Web Heist
Bits of JavaScript from a malicious website can put your browser in a trance. A tool called BeEF encapsulates that power in a most diabolical way, providing yet another reason to avoid unknown links and keep your browser up to date.
Web browsers have become so ubiquitous that they are installed on almost every Internet-connected device with a user interface. Because of this popularity, browsers are a very attractive target for attackers.
A 2023 article on the Dark Reading website [1] discusses a study by Spin.AI. The study analyzed around 300,000 browser extensions for several browsers that use Chromium under the bonnet, such as Google Chrome and Microsoft Edge. A staggering 51 percent of the extensions presented a high risk to users. The study apparently found that the "extensions all had the ability to capture sensitive data from enterprise apps, run malicious JavaScript, and surreptitiously send protected data including banking details and login credentials to external parties."
The complexity of modern browsers increases their attack surface greatly, and the threats that their developers must counter should not be underestimated. For a number of years, both Firefox and Google Chrome have made use of sophisticated sandboxing techniques to provide a number of isolation advantages [2].
Bearing in mind the challenges and the reality of serious threats, an offensive security tool used for pen testing leapt off the page at me recently. The tool takes advantage of how users interact with the web pages that they visit.
This article describes how an attacker can hijack an ordinary browser. After looking at some common attack techniques, the attack tool I'll look at is known as BeEF, which stands for the Browser Exploitation Framework. According to the BeEF GitHub repository [3], "Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system and examines exploitability within the context of the one open door: the web browser."
On your Marks
I'll install BeEF on an Ubuntu Linux 22.04 system inside a VM. The documentation states that you can use BeEF on any machine capable of supporting Ruby v3.0+ or NodeJS, but macOS and Linux are officially supported. There's also a Docker container route, which should make for an easier way with package dependencies.
To install BeEF, start by cloning the repository and running the installation script:
$ git clone https://github.com/beefproject/beef.git $ cd beef; ./install
You are then presented with some very welcome ASCII art. Two guesses what the logo depicts (Figure 1).
At the foot of the output, under the BeEF logo, a number of steps continue the installation. The sophistication of the installation script is impressive. In Ubuntu Linux, I am offered a choice to install packages that will take up a sizable 347MB (which is not entirely surprising for a minimum Ubuntu installation on the VM). Following the package update, the installer uses another circa 60MB of disk space for setting up a few additional Ruby packages.
Hitting the Go Button
When the installation completes, have a look at the contents of the config.yaml
file, which contains some useful configuration options, such as enabling debugging and restricting network addresses. The default credentials shown in config.yaml
are:
user: "beef" password: "beef"
You'll need to change the password before running BeEF. Enter the following command:
$ ./beef
and BeEF will output a number of settings, including a key for the RESTful API and an HTTP Proxy. The UI for BeEF (not the HTTP Proxy) is presented over TCP port 3000:
http://localhost:3000/ui/panel
Enter the username and password at the prompt. Once you are logged in, you are presented with the view in Figure 2.
The helpful Getting Started tab explains the concept of hooking a browser. Hooking is when the attacker injects some JavaScript into a webpage with the aim of gaining a degree of control. The first task is to click the demo link and check back to the terminal that I ran the BeEF server in. In Figure 3, you can see the Google Chrome browser that I am using is well and truly hooked.
The eagle-eyed among you will spot the "Invalid browser name?" error. If my memory serves, having watched the YouTube video, this is because Chrome has privacy settings that don't identify it in the same way as other browsers. The video denotes the browser name as "UN" which seems to stand for "unknown."
There's also a "Hook Me!" bookmarklet link, which you can use as a bookmark. The link contains some tricky-looking JavaScript, which apparently allows you to hook any page that you are currently visiting. Once hooked, BeEF acts as the command and control machine to provide attackers with the tools to do their damage.
Hook, Line, and Sinker
In Figure 4, you can see the UI version of the output from the terminal: a graphical representation with a couple of question marks (for the unknown browser name/type and hardware type), along with a welcoming Tux penguin icon showing that I'm using Linux and displaying the internal IP address that I'm using to connect to the VM.
If I click onto the browser entry, the UI springs to life and gives me a myriad of options, such as exploits and specific details about the version of the browser. I can see what extensions and capabilities are available and some of the routes that BeEF might take to attack my version of Google Chrome.
Once I have selected a module and added some configuration, I can then click an Execute button that appears on the right-hand side to run the module against the browser. The modules for a target browser are classified by their expected effectiveness, as shown in Figure 5.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.