1

Web Browser Attack Using BeEF Framework

Harshil Sawant, Samuel Agaga

Abstract— Web Browser is a tool, which connects us to the III. SIMILARITY AMONG WEB BROWSERS
Internet. In this time of age, Internet has become a dependent
Today, a user can choose from many types of browsers.
factor for most of us. Therefore, it is very important for us to
understand what is web browser, the architecture, and threats Each has few elements that are distinct from one another.
that come when using it. This paper illustrates the theoretical side There is, however, one commonality among browser that is
of what is web browser, what are its components, how a browser their User Interface (UI) Elements. UI elements include
can be a risk, and how to protect the user. Furthermore, the address bar for inserting a URL, back/forward buttons,
paper illustrates a lab that demonstrates how to exploit a web bookmarking options, refresh and stop buttons for refreshing
browser attack using BeEF.
or stopping the web page, and home button that takes the user
to the home page. The HTML5 specification used today does
I. INTRODUCTION not define UI elements, but include common elements, such as
address bar, status bar, and tool bar. [2]
W EB browser can be define in many ways. One common
definition of web browser is that it is a software
application that allows users to view and interact with the
IV. WEB BROWSER COMPONENTS
content available in many forms on a web page, such as text,
image, music, video, games, etc. It is the most popular method There are seven main components of web browser. The
for users to access the Internet. There are many examples of components include user interface, browser engine, rendering
web browsers. The five most popular web browsers are engine, networking, UI backend, JavaScript interpreter, and
Mozilla Firefox, Google Chrome, Internet Explorer, Safari, data storage. [2]
and Opera. Furthermore, add-ons are available as applications 1. User Interface: includes every part of the browser
to extend the functionality of such browsers. Few examples of display, such as the address bar, back/forward button,
add-ons include Flash Player, Java, Adobe Reader, QuickTime bookmarking menu, etc., except the window where
Player, etc. Depending on how the developers designed the the user see the requested page.
web page, specific add-ons are need to view specific content. 2. Browser Engine: organizes actions between the UI and
[1] the rendering engine.
3. Rendering Engine: accountable for displaying
requested content. When a user request HTML
II. WEB BROWSER IN-DEPTH content, the rendering engine analyses HTML and
CSS files, and displays the analyzed content on the
The main function of a web browser is to present the web screen.
resources a user requests. The browser requests the resources 4. Networking: includes network calls such as HTTP
from the server and displays it within the browser window. requests.
The requested resource is usually an HTML document, but 5. UI Backend: it is used for drawing basic widgets like
could be an image, PDF, or any other form of content. The combo boxes and windows. The backend exposes a
user uses URL (Uniform Resource Identifier) to specify the generic interface that is not platform specific.
location of the resource. Additionally, HTML and CSS Underneath it all uses operating system user interface
specification defines the way a browser will interpret and approaches.
display the HTML files. Such specification are maintained by 6. JavaScript Interpreter: it is used to analyze and execute
the W3C (World Wide Web Consortium) organization. W3C JavaScript code.
is a standard organization for the web. In the past, many 7. Data Storage: It is a persistence layer. The browser
browsers followed a part of the specifications and developed needs this component to save data locally, such as
their own extensions specific to the browser. This caused cookies. Additionally, browser supports storage
compatibility issues for web authors. Now most of the existing mechanisms such as localStorage, IndexedDB,
browsers follow the common specifications. [2] WebSQL, and FileSystem.
The following image illustrates how each of the component
interact within the system.
 2

Block pop-up windows, some of which may be

malicious and hide attacks. This may block malicious
software from being downloaded to your computer.
Tighten the security settings on your browsers. Check
the settings in the security, privacy, and content
sections in your browser. The minimum level should
be medium.
Consider disabling JavaScript, Java, and ActiveX
controls.

It is important to note that number of these tips may limit

the users from access few of the browser’s content. For
example, JavaScript is used to control web pages on the client
side of the browser, server-side programs, and even mobile
applications. If you need to use JavaScript, set your browser to
Figure 1: Web Browser Components [2] prompt you before running scripts. Lower your security
settings temporarily to have proper access, and then reset
them. [1]
V. WEB BROWSER RISK
According to the past studies, about 45% of people roaming VII. WHAT IS BEEF?
the Internet are not utilizing the most secure version of their
BeEF is short for The Browser Exploitation Framework. It
web browser. Similar to many software, without the proper
security patches, web browsers are vulnerable to attack or is a penetration testing tool that focuses on exploit of web
exploit. Furthermore, even a fully patched web browser can be browser vulnerabilities. BeEF is a browser-based exploit
vulnerable to attack if the browser add-ons are not fully package that “hooks” one or more browsers as beachheads, so
patched. Remember, when the user patches the browser, the the attacker can launch directed command modules and further
add-ons are not automatically patched. [1] attacks against the system from within the browser context. A
Usually, browser-based attacks originated from malicious user can be hooked by opening a customized URL and
websites. However, poor security programming of web continue to see typical web traffic, while an attacker has access
applications or vulnerabilities in the software supporting to the user’s session. BeEF evades network security appliances
websites, let attackers to compromise trusted web sites to and host-based anti-virus applications by targeting the
deliver malicious payloads to unsuspecting visitors. Hackers vulnerabilities found in common browsers. [4] BeEF also
would add scripts that do not change a vulnerable website’s allows the professional penetration tester to assess the actual
appearance. These scripts can silently redirect the user to security posture of a target environment by using client-side
another website without him/her knowing about it. This attack vectors. Unlike other security frameworks, BeEF looks
redirect to another web site may cause malicious programs to past the hardened network perimeter and client system, and
be downloaded to your computer. Such programs are generally examines exploitability within the context of the one open
designed to allow remote control of the user’s computer by the door: the web browser. [3]
attacker and to capture personal information, such as credit
card information, banking information, etc. [1]
VIII. LAB
VI. PROTECT USER FROM BROWSER RISK The following experiment illustrates steps we followed to
show how to execute a successful web browser attack using
The following are few of many practices a user must enforce
to avoid unwanted browser risk. [1] BeEF and how important it is to have an updated antivirus
Keep your browser(s) updated and patched. running for your computer to detect web browser attack using
BeEF framework.
Keep your operating system updated and patched.
Use anti-virus and antispyware software, and keep
them updated.
Keep your applications, such as multi-media programs
used for viewing videos, updated and patched,
particularly if they work with your browser.
Make sure your computer’s firewall is on.
 3

ATTACK Above is the login page of Kali Linux. Note that we had
Set up victim VM and attacker VM. Make sure the network created the login details during installation of the operating
adapter for both VMs is set to Bridged Adapter. system.

Figure 2: VMs [9]

The highlighted VM are used for the experiment. The exploit

was carried out on the Kali Linux while the CentOS 7 was the
victimized OS.
Figure 5: Beef Directory

Use Terminal in Kali Linux to run the beef framework, the

attacker will have to login into the Kali Linux and then
navigate to the “beef-xss” directory and run the “beef” script
as shown above.

Figure 3: Victim’s Machine CentOS 7 [8]

Figure 6: Running Beef

As can be seen from the above screenshot, beef has been

successfully launched. Use the highlighted URL to open BeEF
login page in the attacker browser.

Figure 4: Attacker’s Machine Latest Kali Linux [7]

 4

Figure 9: Malicious Link Page

Figure 7: BeEF Login Page
At this point, from the attacker side, you can mask the
Once BeEF has been launched, the next thing will be to login malicious link using tools such as bitly.com, before baiting
into the UI as seen above. The username and password is your victim to click on your malicious link using social
“beef”. engineering.

Figure 8: BeEF Home Page

Figure 10: Bitly.com
The above image is the BeEF home page with two highlighted
links. Any one of the link can be used to hook the victim’s Suppose you are successful on bating your victim to click on
browser. Make sure to replace the IP address of the link from you link using email or other social engineering method. The
127.0.0.1 to your attacker’s IP address (in this case victim’s system will be “hooked” as illustrated by the
192.168.2.171). You can find you attacker’s IP address from following image. For this experiment, open the advanced
the terminal using “ifconfig” command. Just for curiosity, the version link in the victim’s VM to show that social engineering
following image is one of link called “advanced version” of is successful.
the html page when opened in the victim’s VM.
 5

machine running the beef service. Make sure to replace the

default IP address in the custom logo with the attacker’s VM
IP address (in this case 192.168.2.171) before executing.

Figure 11: Browser Hooked

As can be seen in the above screenshot, the browser running

on the victim’s machine with IP address 192.168.2.174 has
been hooked. The above image is shown in the attacker’s VM.
Figure 14: Launching the Attack

To run the attack, we simply just click on execute as show in

Fig. 14 above.

Figure 12: Social Engineering Attack

In this attack, we exploited the victim machine by means of

social engineering as can been seen above. Under commands
tab, go to social engineering to test the same attack we tested.

Figure 15: Fake Facebook Login

Once we have clicked execute, the Face Facebook

authentication screen will be displaced on the victim’s
machine as seen in Fig. 15 above.

Figure 13: Selecting Attack

We are running the “Pretty Theft exploit”. In Fig. 13 above, on

the right is where we enter the information of the attacker’s
 6

However, attack was successful after we disabled the antirust

program as shown above.

Figure 16: Login Details Captured

Looking at the heighted portion on the right of the screenshot

Figure 19: Successful Login after Disabling Antivirus
in Fig. 16 indicates our captured login details of the victim’s
username and password for Facebook. After the antivirus program was disabled, the victim’s machine
Note. It would feel more authentic for the victim if the attacker
got “hooked” see Fig. 18 above.
execute his attack at the right time, for example, when the
victim is on Facebook login page.
IX. FUTURE WORK
Defense In an article, it is proposed that after several successful
attempts to steal credit card information or banking
passwords, many companies are trying to step towards
cloud-based browsers, a Java-free browser. A cloud-based
browser store no data from each session and prevent any
malware from networking with the user’s computer. One
such product is Authentic8’s Silo. A separate browser that
executes only after entering a password. It then executes on
the cloud and calls up a list of links the user has previously
entered, and can store passwords for those sites. All code
executes on their remote servers, providing security against
malware and privacy against tracking. [5]
Figure 17: Defense by Symantec Antivirus
X. CONCLUSION
One of the ways to defend this attached is by having an up to In conclusion, we now know how threating it is for everyone
date antivirus program running on your computer. In the
to surf the web without using proper security practices. From
screenshot above, when we tried this exploit against a machine
the experiment, we have learned that web browser attack is a
running Symantec antivirus, we actually got a warning stating
broad topic. Malicious users can execute all sort of attacks
that there was BeEF framework attack as can be seen in the
screenshot in Fig. 17. So test the same process, but turn on from XSS to Buffer Overflow if the user is not updating his
your Symantec antivirus. system regularly. BeEF is a simple penetration-testing tool that
can be used by anyone to test some attacks or hack someone’s
system, so it is necessary for everyone to keep up with the
updates and patches.

Figure 18: Disabling Symantec Antivirus