Tag Archives: exploit kit

BeEF: The Browser Exploitation Framework Project

The last post on exploit kits caused me to look into BeEF. At first glance, BeEF appears to be an open source browser exploit kit. With a little more work, perhaps it could be just that, but it is not quite there. It sure is a neat tool, though, and I’d like to try integrating it into some of my own engagements in the future. Let’s look at it.

Setup BeEF

The tool is already built into Backtrack under /pentest/web/beef. First, enable the Metasploit module by editing the /pentest/web/beef/config.yaml file and changing the metasploit enable line from false to true:

beef config


Then launch metasploit (msfconsole) and start up the API for BeEF to connect to:

load msgrpc ServerHost= Pass=abc123

Finally go ahead and start the BeEF server:

# cd /pentest/web/beef
# ./beef
[14:08:02][*] Browser Exploitation Framework (BeEF)
[14:08:02] | Version
[14:08:02] | Website http://beefproject.com
[14:08:02] | Run 'beef -h' for basic help.
[14:08:02] |_ Run 'git pull' to update to the latest revision.
[14:08:02][*] Successful connection with Metasploit.
[14:08:05][*] Loaded 226 Metasploit exploits.
[14:08:05][*] BeEF is loading. Wait a few seconds...
[14:08:06][*] 9 extensions loaded:
[14:08:06] | Demos
[14:08:06] | Autoloader
[14:08:06] | Events
[14:08:06] | XSSRays
[14:08:06] | Requester
[14:08:06] | Metasploit
[14:08:06] | Console
[14:08:06] | Admin UI
[14:08:06] |_ Proxy
[14:08:06][*] 339 modules enabled.
[14:08:06][*] 2 network interfaces were detected.
[14:08:06][+] running on network interface:
[14:08:06] | Hook URL:
[14:08:06] |_ UI URL:
[14:08:06][+] running on network interface:
[14:08:06] | Hook URL:
[14:08:06] |_ UI URL:
[14:08:06][*] RESTful API key: 00f4d61986f5adeed4fec94a4eb15da9a8b4c449
[14:08:06][*] HTTP Proxy:
[14:08:06][*] BeEF server started (press control+c to stop)

Using BeEF

The tool has documentation on the wiki here.  The documentation is pretty minimal, but for the most part you can figure it out.

Then you can browse to the admin panel at  The default username and password are beef/beef (as specified in the config.yaml file).

Now you need to “hook” a browser.  Simply browse with any web browser to or  You’ll see the browser pop up right away on the admin panel, with different exploits based on modules that you can run on the “Commands” tab:

beef interface


There are all sorts of little information-gathering tidbits you can grab. One neat module, under Browser, grabs some webcam pictures. Once you execute it, your basic.html page automagically changes (give it a minute), asking for permission to run the webcam. Eventually, you’ll be able to click on the “Module Results History” tab, and you’ll see a base64-encoded version of your image pop up (picture=/9j/4AA….)

beef webcam


Copy the base64 text into a file called picture.txt (it’ll start with /9j/ and end in ==). Then you can decode it on the command line with the following:

$ base64 -d -i picture.txt > picture.jpg

Open up picture.jpg, and you should see your smiling face!
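The same decode step with the checks the one-liner skips, as an added example that is not part of the original post: it tolerates a leading picture= prefix, line wraps and lost padding, and confirms the result really is a complete JPEG. The function names are hypothetical and the sample bytes are constructed.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start marker; base64-encodes to "/9j/"
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def decode_picture_result(result_text: str) -> bytes:
    """Return JPEG bytes from text copied out of the results tab."""
    # Drop an optional "picture=" prefix, then any whitespace or line
    # wraps introduced by copy and paste.
    payload = result_text.split("picture=", 1)[-1]
    payload = re.sub(r"\s+", "", payload)
    # Re-pad in case the trailing "=" characters were lost in the copy.
    payload = payload.rstrip("=")
    payload += "=" * (-len(payload) % 4)
    try:
        data = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if not data.startswith(JPEG_SOI):
        raise ValueError("decoded data is not a JPEG (missing FF D8 FF)")
    if not data.endswith(JPEG_EOI):
        raise ValueError("JPEG is truncated (missing FF D9); copy was incomplete")
    return data

def make_sample() -> bytes:
    """Constructed stand-in for a captured image: JPEG markers plus filler."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(21) + JPEG_EOI

if __name__ == "__main__":
    encoded = base64.b64encode(make_sample()).decode()
    # Simulate a paste: prefix kept, text wrapped every 16 characters.
    pasted = "picture=" + "\n".join(
        encoded[i:i + 16] for i in range(0, len(encoded), 16))
    print(len(decode_picture_result(pasted)), "bytes decoded")
```

The FF D8 FF check is also why every result starts with /9j/: those three bytes always encode to the same four base64 characters.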

Another interesting test you might try is the Metasploit browser_autopwn feature. The wiki does a good job of describing how to run it here.


If you look at the source, all the page does is add in the hook.js file. The setup of BeEF is really slick. There just doesn’t seem to be anything terribly useful yet. It definitely shows the power of Ajax-style programming (in a good way), or how scary XSS can be (in a bad way). Hopefully it can grow into a more mature, usable project.

Crimeware Exploit Packs/Exploit Kits

I just wanted to put up a blog posting on some research I’ve been doing on exploit kits. I have not seen or used these kits before, so this is all second-hand information, but I find the entire concept interesting, especially that there appears to be such a big market for them.

I will use the example of Blackhole, which appears to be the most prolific exploit kit.  Others include Nuclear Pack, Phoenix, and Cool.

Basic Steps of Getting Infected by an Exploit Kit

  1. A hacker compromises a legitimate website and injects bad code. This bad code redirects users to a Blackhole page. Another way could be through e-mail; you get spam, click on a link, and you end up on a Blackhole page.
  2. The Blackhole page uses PluginDetect to determine your OS and any out-of-date plugins.
  3. Depending on what you appear to be vulnerable to, you’ll be served a bad PDF, Java applet, or Flash file to exploit the vulnerability.
  4. Depending on the Blackhole customer’s preference, you’ll receive a payload of Zeus, Fake AV, or another malicious program.
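One way a defender could look for the four-step sequence above in web proxy logs, as an added example that is not from the original post or any referenced analysis. The log format, field order, host names, content-type sets and the 60-second window are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed fields:
# time, client, host, path, response content type, referer
SAMPLE_LOG = """\
2013-01-20T10:00:01 10.0.0.5 news.example /index.html text/html -
2013-01-20T10:00:02 10.0.0.5 kit.invalid /landing text/html http://news.example/index.html
2013-01-20T10:00:03 10.0.0.7 docs.example /manual.pdf application/pdf http://docs.example/help.html
2013-01-20T10:00:04 10.0.0.5 kit.invalid /files/a.jar application/java-archive http://kit.invalid/landing
2013-01-20T10:00:09 10.0.0.5 kit.invalid /get application/x-msdownload -
2013-01-20T10:05:00 10.0.0.7 cdn.example /setup.exe application/x-msdownload http://docs.example/download.html
"""

PLUGIN_TYPES = {"application/pdf", "application/java-archive",
                "application/x-shockwave-flash"}  # step 3 file types
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # assumed maximum gap between stages

def parse(line):
    ts, client, host, _path, ctype, referer = line.split()
    ref_host = urlparse(referer).hostname if referer != "-" else None
    return datetime.fromisoformat(ts), client, host, ctype, ref_host

def find_chains(log_text):
    """Return (client, referring_site, serving_host) for each full chain."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    state = defaultdict(dict)  # client -> host -> stage timestamps
    alerts = []
    for ts, client, host, ctype, ref_host in events:
        s = state[client].setdefault(host, {})
        if ctype == "text/html" and ref_host and ref_host != host:
            # Steps 1-2: arrived on this host's page from a different site.
            s.update(landing=ts, source=ref_host)
        elif (ctype in PLUGIN_TYPES and "landing" in s
              and ts - s["landing"] <= WINDOW):
            s["exploit"] = ts  # Step 3: plugin content right after landing.
        elif (ctype in EXECUTABLE_TYPES and "exploit" in s
              and ts - s["exploit"] <= WINDOW):
            alerts.append((client, s["source"], host))  # Step 4: payload.
    return alerts

if __name__ == "__main__":
    for client, source, host in find_chains(SAMPLE_LOG):
        print(f"{client}: {source} -> {host} (landing, plugin file, executable)")
```

The check keys on the order of events per client rather than on page content or domain names, so the second client's ordinary PDF and installer downloads are not flagged.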

Interesting Tidbits on Exploit Kits

  • These are sophisticated programs for generating revenue for the author.  It is not just a ragtag bit of programming.
  • You pay a fee to use the exploit kit.  They are rented, not purchased.  Blackhole costs $1500 per year, or the more sophisticated Cool (by the same guy as Blackhole) costs $10,000 per month.
  • Everything is obfuscated. The Blackhole PHP source code (by ION), the JavaScript served up, and I believe even the payloads change with regularity. The domains seem to rotate quite often as well. This makes it very hard to detect.
  • There is lots of “phone home” action that goes on.  Updates come down regularly.  You can even get a referral code to be paid as the spammer/hacker that got someone to the Blackhole page in the first place.
  • These kits seem to be mostly foreign.  Blackhole is Russian, and I believe much of the documentation is in Russian.

Some great references for exploit kits:

Very detailed analysis of Blackhole: http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-2/
Blackhole and Cool: http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
Example of new exploits found in exploit kits: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/