KEMBAR78
Browser exploit framework | PPTX
Prashanth Sivarajan, profile picture
Uploaded byPrashanth Sivarajan
PPTX, PDF979 views

Browser exploit framework

BeEF (Browser Exploitation Framework) is a penetration testing tool that focuses on exploiting vulnerabilities within the web browser. It works by hooking one or more browsers and using them as entry points to launch attacks against the system from within the browser context. This allows penetration testers to assess the security of a target environment by exploiting client-side vectors rather than just focusing on the network perimeter or hardened systems. BeEF gathers information about hooked browsers and systems, performs network discovery, and has command modules for social engineering, exploits, and maintaining persistence within the browser.

Downloaded 21 times
-Prashanth Sivarajan Prash.siv@gmail.com
What is BeEF? BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
How it works
UI Overview
Information Gathering Network Discovery Social Engineering Exploit Persistence Command Modules
Information Gathering Network Discovery Social Engineering Exploit Persistence Browser Fingerprinting Detect Plugins (Quicktime/VLC/Silverlight) Host Fingerprinting Detect logged in sessions Command Modules
Information Gathering Network Discovery Social Engineering Exploit Persistence Internal IP Address Ping Sweep DNS Enumeration Port Scanning Network Fingerprinting NAT Pinning Command Modules
Information Gathering Network Discovery Social Engineering Exploit Persistence Prompt Fake Login Page Redirect Embed iFrames Fake flash/browser Updates Flash camera & Mic permission Click jacking assist Command Modules
Information Gathering Network Discovery Social Engineering Exploit Persistence Several Device specific CSRF modules Command Modules
Information Gathering Network Discovery Social Engineering Exploit Persistence Foreground iframe Popup Under Man in the browser Command Modules
Metasploit Integration • Start msgrpc on metasploit • Enable metasploit in config.yaml • Configure BeEF with msgrpc username and pwd in extensions/metasploit/config.yaml • Start beef
Tunnelling Proxy • Doesn’t work like it used to thanks to same origin policy of browsers • Make request in the context of the hooked browser.
BeEF API Example • Authenticate • List hooked browsers • Make persistent (popup under) • Determine the type of browser • if browser.match(/^IE/) { add iframe with URL for Metasploit module ms10_046_shortcut_icon_dllloader} Else {execute a different module}

More Related Content

PDF
Owasp AppSecEU 2015 - BeEF Session
byBart Leppens
 
PPTX
Kali net hunter
byPrashanth Sivarajan
 
PDF
Browser Exploit Framework
byn|u - The Open Security Community
 
PPTX
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
byBlueHat Security Conference
 
PPTX
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
byZoltan Balazs
 
PDF
Kali tools list with short description
byJose Moruno Cadima
 
PDF
Introduction to iOS Penetration Testing
byOWASP
 
PPT
Root via XSS
byPositive Hack Days
 
Owasp AppSecEU 2015 - BeEF Session
byBart Leppens
 
Kali net hunter
byPrashanth Sivarajan
 
Browser Exploit Framework
byn|u - The Open Security Community
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
byBlueHat Security Conference
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
byZoltan Balazs
 
Kali tools list with short description
byJose Moruno Cadima
 
Introduction to iOS Penetration Testing
byOWASP
 
Root via XSS
byPositive Hack Days
 

What's hot

PPTX
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
ODP
Browser Exploitation Framework Tutorial
byimlaurel2
 
PDF
Security Issues in Android Custom ROM
byAnant Shrivastava
 
PPTX
Nginx warhead
bySergey Belov
 
PPT
Denis Baranov: Root via XSS
byqqlan
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
byZoltan Balazs
 
PPTX
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
byBlueHat Security Conference
 
PDF
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
byAditya K Sood
 
PDF
Designing & Building Secure Web APIs
byCodeOps Technologies LLP
 
PDF
Slides null puliya linux basics
byAnant Shrivastava
 
PPTX
Telehack: May the Command Line Live Forever
byGregory Hanis
 
PDF
Window Shopping Browser - Bug Hunting in 2012
byRoberto Suggi Liverani
 
PDF
BlueHat v18 || The matrix has you - protecting linux using deception
byBlueHat Security Conference
 
PDF
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
PDF
Android Tamer BH USA 2016 : Arsenal Presentation
byAnant Shrivastava
 
PPTX
Cross Context Scripting attacks & exploitation
byRoberto Suggi Liverani
 
PDF
20+ Ways to Bypass Your macOS Privacy Mechanisms
bySecuRing
 
PDF
[OWASP Poland Day] A study of Electron security
byOWASP
 
PPTX
[Wroclaw #2] Web Application Security Headers
byOWASP
 
PDF
Buffer Overflow Attacks
bysecurityxploded
 
[OWASP Poland Day] Application security - daily questions & answers
byOWASP
 
Browser Exploitation Framework Tutorial
byimlaurel2
 
Security Issues in Android Custom ROM
byAnant Shrivastava
 
Nginx warhead
bySergey Belov
 
Denis Baranov: Root via XSS
byqqlan
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
byZoltan Balazs
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
byBlueHat Security Conference
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
byAditya K Sood
 
Designing & Building Secure Web APIs
byCodeOps Technologies LLP
 
Slides null puliya linux basics
byAnant Shrivastava
 
Telehack: May the Command Line Live Forever
byGregory Hanis
 
Window Shopping Browser - Bug Hunting in 2012
byRoberto Suggi Liverani
 
BlueHat v18 || The matrix has you - protecting linux using deception
byBlueHat Security Conference
 
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
Android Tamer BH USA 2016 : Arsenal Presentation
byAnant Shrivastava
 
Cross Context Scripting attacks & exploitation
byRoberto Suggi Liverani
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
bySecuRing
 
[OWASP Poland Day] A study of Electron security
byOWASP
 
[Wroclaw #2] Web Application Security Headers
byOWASP
 
Buffer Overflow Attacks
bysecurityxploded
 

Viewers also liked

PPTX
Dark Arts Of Social Engineering
byNutan Kumar Panda
 
PDF
Introduction to Tor
byJaskaran Narula
 
PDF
Social engineering-Sandy Suhling
bysuhlingse
 
PPT
Social engineering
byNicholas Davis
 
PDF
Social Engineering
byWilliam Gregorian
 
PDF
Social Engineering Techniques - The Dark Arts
byn|u - The Open Security Community
 
PPTX
Social engineering
byMaulik Kotak
 
PPTX
Hacker tooltalk: Social Engineering Toolkit (SET)
byChris Hammond-Thrasher
 
PPTX
Social engineering
byAlexander Zhuravlev
 
PPTX
Social engineering
byVîñàý Pãtêl
 
PDF
Social Engineering - Strategy, Tactics, & Case Studies
byPraetorian
 
PPTX
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
PDF
Computing Fundamentals
byعطاءالمنعم اثیل شیخ
 
PDF
ใบงานที่1
byBenyaporn Wirasaratham
 
PDF
PDF Sertifikat
byYova Haura Nofit
 
PPTX
5. Language of Instruction
bymohdfidaiy
 
PPT
Renter_Intro_20140618
byAlbert Lee
 
Dark Arts Of Social Engineering
byNutan Kumar Panda
 
Introduction to Tor
byJaskaran Narula
 
Social engineering-Sandy Suhling
bysuhlingse
 
Social engineering
byNicholas Davis
 
Social Engineering
byWilliam Gregorian
 
Social Engineering Techniques - The Dark Arts
byn|u - The Open Security Community
 
Social engineering
byMaulik Kotak
 
Hacker tooltalk: Social Engineering Toolkit (SET)
byChris Hammond-Thrasher
 
Social engineering
byAlexander Zhuravlev
 
Social engineering
byVîñàý Pãtêl
 
Social Engineering - Strategy, Tactics, & Case Studies
byPraetorian
 
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
Computing Fundamentals
byعطاءالمنعم اثیل شیخ
 
ใบงานที่1
byBenyaporn Wirasaratham
 
PDF Sertifikat
byYova Haura Nofit
 
5. Language of Instruction
bymohdfidaiy
 
Renter_Intro_20140618
byAlbert Lee
 

Similar to Browser exploit framework

PDF
Be ef presentation-securitybyte2011-michele_orru
byMichele Orru
 
PPTX
beef-exploitation tool that exploits beef
byJinjaxJacobi
 
PPTX
Beef saurabh
bySaurav Chaudhary
 
PPTX
Advanced Client Side Exploitation Using BeEF
by1N3
 
PDF
Hacktivity2011 be ef-preso_micheleorru
byMichele Orru
 
PDF
BeEF_EUSecWest-2012_Michele-Orru
byMichele Orru
 
PDF
BeEF
byAlexandraLacatus
 
PDF
DeepSec2011_GroundBeEF
byMichele Orru
 
PDF
Antisnatchor all you ever wanted to know about beef
byDefconRussia
 
PDF
ZeroNights2012_BeEF_Workshop_antisnatchor
byMichele Orru
 
PDF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
PDF
Advances in BeEF - AthCon2012
byMichele Orru
 
PDF
I'm the butcher would you like some BeEF
byMichele Orru
 
PDF
When you don't have 0days: client-side exploitation for the masses
byMichele Orru
 
PDF
ZN27112015
byDenis Kolegov
 
Be ef presentation-securitybyte2011-michele_orru
byMichele Orru
 
beef-exploitation tool that exploits beef
byJinjaxJacobi
 
Beef saurabh
bySaurav Chaudhary
 
Advanced Client Side Exploitation Using BeEF
by1N3
 
Hacktivity2011 be ef-preso_micheleorru
byMichele Orru
 
BeEF_EUSecWest-2012_Michele-Orru
byMichele Orru
 
BeEF
byAlexandraLacatus
 
DeepSec2011_GroundBeEF
byMichele Orru
 
Antisnatchor all you ever wanted to know about beef
byDefconRussia
 
ZeroNights2012_BeEF_Workshop_antisnatchor
byMichele Orru
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
Advances in BeEF - AthCon2012
byMichele Orru
 
I'm the butcher would you like some BeEF
byMichele Orru
 
When you don't have 0days: client-side exploitation for the masses
byMichele Orru
 
ZN27112015
byDenis Kolegov
 

Recently uploaded

PDF
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 

Browser exploit framework

  • 1.
  • 2.
    What is BeEF? BeEFis short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
  • 3.
  • 4.
  • 5.
    Information Gathering Network Discovery SocialEngineering Exploit Persistence Command Modules
  • 6.
    Information Gathering Network Discovery SocialEngineering Exploit Persistence Browser Fingerprinting Detect Plugins (Quicktime/VLC/Silverlight) Host Fingerprinting Detect logged in sessions Command Modules
  • 7.
    Information Gathering Network Discovery SocialEngineering Exploit Persistence Internal IP Address Ping Sweep DNS Enumeration Port Scanning Network Fingerprinting NAT Pinning Command Modules
  • 8.
    Information Gathering Network Discovery SocialEngineering Exploit Persistence Prompt Fake Login Page Redirect Embed iFrames Fake flash/browser Updates Flash camera & Mic permission Click jacking assist Command Modules
  • 9.
    Information Gathering Network Discovery SocialEngineering Exploit Persistence Several Device specific CSRF modules Command Modules
  • 10.
    Information Gathering Network Discovery SocialEngineering Exploit Persistence Foreground iframe Popup Under Man in the browser Command Modules
  • 11.
    Metasploit Integration • Startmsgrpc on metasploit • Enable metasploit in config.yaml • Configure BeEF with msgrpc username and pwd in extensions/metasploit/config.yaml • Start beef
  • 12.
    Tunnelling Proxy • Doesn’twork like it used to thanks to same origin policy of browsers • Make request in the context of the hooked browser.
  • 13.
    BeEF API Example •Authenticate • List hooked browsers • Make persistent (popup under) • Determine the type of browser • if browser.match(/^IE/) { add iframe with URL for Metasploit module ms10_046_shortcut_icon_dllloader} Else {execute a different module}