Files

zinduolis 44b0c0aadc log progress on testing modules

2026-01-12 09:29:55 +10:00

37 KiB

Raw Blame History

BeEF Manual Testing Plan (Local VM Edition)

This document provides a simplified approach for manually testing BeEF modules entirely within the same Linux Ubuntu VM where BeEF is running.

1. Environment Setup (Local VM)

1.1 BeEF Server

Dependencies: Already installed via ./install.
Configuration: Credentials have been updated in config.yaml.
Launch: Run ./beef from the repository root.
Access: Open the local browser (e.g., Firefox) and navigate to the BeEF UI: http://127.0.0.1:3000/ui/panel.

1.2 Hooked Browsers (Local)

For local testing on the same machine:

Open a new tab or window in your browser (Firefox, Chromium, etc.).
Navigate to the hook demo page: http://127.0.0.1:3000/demos/butcher/index.html.
The browser will appear in the BeEF "Online Browsers" list as 127.0.0.1.

2. Testing Strategy: Grouped Execution

Phase 1: Common Infrastructure (Firefox): Start here. These modules work on the standard Linux/Firefox setup provided by the VM and don't require external devices or specific insecure software.
Phase 2: Specific Requirements (Firefox): Test these if you have the specific requirements (e.g., Android device, Flash plugin, specific vulnerable server running).
Phase 3: Other Browsers: Use Chrome/Edge/Safari for modules that explicitly don't work in Firefox.

3. Module Inventory and Instructions

3.1 Phase 1: Common Infrastructure (Standard Firefox)

Test these modules using Firefox on your local Linux VM. They leverage standard browser features or the BeEF infrastructure itself.

Status	Module Name	Instructions / Description	Cleanup Needed	Comments
[x]	Alert Dialog	1. Set `Title`, `Message`, and `Button name`. 2. Execute module. 3. Verify alert dialog appears on hooked page with configured text.	None.
[x]	BlockUI Modal Dialog	1. Set `Message` and `Timeout (s)`. 2. Execute module. 3. Verify blocking overlay appears with message. 4. Wait for timeout or use UnBlockUI to remove.	None.
[x]	Clickjacking	1. Set `iFrame Src` to target page for clickjacking. 2. Execute module. 3. Verify page shows overlay for click-based attack. 4. Click as user would to test interaction capture.	None.
[x]	Confirm Close Tab	1. Configure: `Confirm text`, `Create a pop-under window on user\` 2. Click Execute. Shows a confirm dialog to the user when they try to close a tab.	Close tab/window. Check for residual pop-unders.	a window pops up, but the text not as per command
[x]	Create Foreground iFrame	1. Execute module. 2. Click "Our Meaty Friends" button to reveal links. 3. Click any link (e.g., "The Browser Exploitation Framework Project homepage"). 4. Verify page loads in fullscreen iFrame overlay (check DevTools for `<iframe>` with `z-index:1` and 100% width/height). 5. Confirm hook remains active in BeEF UI.	Close tab/window.
[x]	Create Invisible Iframe	1. Set `URL` to any valid URL (e.g., `http://example.com`). 2. Execute module. 3. Open DevTools → Elements → search for `<iframe>` with `visibility:hidden` or `display:none`. 4. Verify iframe exists with correct src.	None.
[x]	Create Pop Under	1. Set `Clickjack` to `on` (waits for click) or `off` (immediate). 2. Execute module. 3. If Clickjack=on, click anywhere on page. 4. Check for small hidden window in taskbar (or DevTools: new window to `/demos/plain.html`). 5. Verify BeEF shows 2nd hooked browser.	Close pop-under window.
[-]	Cross-Origin Scanner (CORS)	1. Set `Scan IP range` (e.g., `127.0.0.1-127.0.0.1`) and `Ports` (e.g., `80,443,8080`). 2. Execute module. 3. Check command results for list of discovered web servers allowing CORS.	None.	See CORS-001
[x]	DNS Enumeration	1. Configure: `DNS (comma separated)`, `Timeout (ms)` 2. Click Execute. Discover DNS hostnames within the victim's network using dictionary and timing attacks.	None.
[x]	DOSer	1. Set `URL` to `http://127.0.0.1:3000/demos/plain.html`. 2. Set `Delay between requests (ms)` to `100`. 3. Set `HTTP Method` to `GET`. 4. Execute module. 5. Wait for status report in results (appears every 10s: "Requests sent: X"). 6. Verify ongoing requests in browser DevTools → Network tab.	Refresh hooked page to stop worker.
[-]	Detect Extensions	1. Execute module. 2. Check command results for list of detected Chrome/Firefox extensions.	None.	See EXT-001
[x]	Detect MIME Types	1. Click Execute. This module retrieves the browser's supported MIME types.	None.
[x]	Detect Popup Blocker	1. Execute module. 2. Check command result: "Popup blocker enabled" or "Popup blocker not detected".	None.
[x]	Fetch Port Scanner	1. Set `Scan IP or Hostname` (e.g., `127.0.0.1`) and `Specific port(s)` (e.g., `22,80,443,3000`). 2. Execute module. 3. Check command results for open/closed port status.	None.
[-]	Fingerprint Browser (PoC)	1. Execute module. 2. Check command results for browser name, version, and platform.	None.	See FP-001
[x]	Fingerprint Browser	1. Execute module. 2. Check command results for detailed fingerprint (canvas, WebGL, fonts, plugins, etc.).	None.
[-]	Fingerprint Local Network	1. Run `hostname -I` to find your IP (e.g., `192.168.1.5`). 2. Set `Scan IP range` to `common` (or specific IP). 3. Open Browser DevTools -> Network tab. 4. Execute module. 5. Verify: You will see many requests in DevTools (red/failed is normal). 6. Duration: `common` scan takes ~10-30s. Full /24 scan takes minutes. 7. Check BeEF results for any detected devices.	Refresh page to stop early.	See NET-001
[-]	Fingerprint Routers	1. Click Execute. This module attempts to discover network routers on the local network.	None.	See NET-002
[x]	Get Geolocation (API)	1. Execute module. 2. Allow/deny location permission in browser popup. 3. If allowed, check results for latitude/longitude coordinates.	None.
[ ]	Get HTTP Servers (Favicon)	1. Configure: `Remote IP(s)`, `Ports`, `Workers`... 2. Click Execute. Attempts to discover HTTP servers on the specified IP range by checking for a favicon.	None.
[ ]	Get Internal IP WebRTC	1. Execute module. 2. Check command results for local/private IP address (e.g., `192.168.x.x`).	None.
[ ]	Get Protocol Handlers	1. Configure: `Link Protocol(s)`, `Link Address` 2. Click Execute. This module attempts to identify protocol handlers present on the hooked browser.	None.
[ ]	Get Visited Domains	1. Configure: `Specify custom page to check` 2. Click Execute. This module will retrieve rapid history extraction through non-destructive cache timing.	None.
[ ]	Hijack Opener Window	1. First open demo page via a link from another page (so `window.opener` exists). 2. Execute module on the opened tab. 3. Check if opener window's location changed to BeEF `/iframe#` URL. 4. Verify result in command output.	Close affected windows.
[ ]	Identify LAN Subnets	1. Configure: `Timeout for each request (ms)` 2. Click Execute. Discover active hosts in the internal network(s) of the hooked browser.	None.
[ ]	Lcamtuf Download	1. Configure: `Real File Path`, `Malicious File Path`, `Run Once` 2. Click Execute. This module will attempt to execute a lcamtuf download.	Delete downloaded files.
[ ]	Link Rewrite	1. Execute module. 2. Click "Our Meaty Friends" button to reveal links. 3. Hover over any link and check DevTools or status bar. 4. Verify all `href` attributes have been modified.	Refresh page to restore links.
[ ]	Man-In-The-Browser	1. Execute module. 2. Click any link on page to navigate. 3. Verify page loads via AJAX (URL bar may not change, or content loads dynamically). 4. Confirm BeEF hook remains active. 5. Check command result shows "Browser hooked".	Close tab.
[ ]	No Sleep	1. Click Execute. This module uses NoSleep.js to prevent display sleep and enable wake lock in any Android or iOS web browser.	None.
[ ]	Ping Sweep (FF)	1. Configure: `Scan IP range (C class or IP)`, `Timeout (ms)`, `Delay between requests (ms)` 2. Click Execute. Discover active hosts in the internal network of the hooked browser.	None.
[ ]	Ping Sweep (JS XHR)	1. Configure: `Scan IP range (C class)`, `Workers` 2. Click Execute. Discover active hosts in the internal network of the hooked browser using JavaScript XHR.	None.
[ ]	Play Sound	1. Set `Sound File Path` to a valid audio URL (e.g., `/demos/alert.mp3` or external URL). 2. Execute module. 3. Listen for audio playback on hooked browser.	None.
[ ]	Port Scanner (Multiple Methods)	1. Set `Scan IP or Hostname` (e.g., `127.0.0.1`) and `Specific port(s)` (e.g., `22,80,443,3000`). 2. Execute module. 3. Check results for open ports (tries WebSockets, CORS, img tags).	None.
[ ]	Pretty Theft	1. Set `Dialog Type` (e.g., `Facebook`, `LinkedIn`, `Windows`, `Generic`). 2. Set `Backing` (e.g., `Grey`, `Clear`). 3. Execute module. 4. Verify fake login dialog appears on hooked page. 5. Enter test credentials and submit. 6. Check BeEF command results for captured credentials.	None.
[ ]	Raw JavaScript	1. Set `Javascript Code` (e.g., `alert('test')` or `console.log(document.cookie)`). 2. Execute module. 3. Verify JS executed (alert shown, or check DevTools console).	None.
[ ]	Redirect Browser (Rickroll)	1. Execute module. 2. Verify page is replaced with fullscreen Rickroll video. 3. Confirm hook remains active in BeEF UI.	Refresh page to restore.
[ ]	Redirect Browser (Standard)	1. Set `Redirect URL` (e.g., `https://example.com`). 2. Execute module. 3. Verify browser navigates to specified URL (hook will be lost).	Re-hook if needed.
[ ]	Redirect Browser (iFrame)	1. Set `Redirect URL`, optional `Title` and `Favicon`. 2. Execute module. 3. Verify page shows iFrame overlay with target URL. 4. Confirm hook remains active.	Close tab.
[ ]	Replace Videos (Fake Plugin)	1. Configure: `Payload URL`, `jQuery Selector` 2. Click Execute. Replaces an object selected with jQuery with an image advising the user to install a missing plugin.	None.
[ ]	Resource Exhaustion DoS	1. Execute module. 2. Observe browser becoming slow/unresponsive. 3. May need to force-close browser tab/window.	Force-close tab if needed.
[ ]	Return Ascii Chars	1. Execute module. 2. Check command results for ASCII character set.	None.
[ ]	Return Image	1. Execute module. 2. Check command results for base64-encoded PNG image data.	None.
[ ]	Simple Hijacker	1. Configure: `Targetted domains`, `Template to use` 2. Click Execute. Hijack clicks on links to display what you want.	None.
[ ]	Spoof Address Bar (data URL)	1. Configure: `Spoofed URL`, `Real URL` 2. Click Execute. This module redirects the browser to a legitimate looking URL with a data scheme.	None.
[ ]	Spyder Eye	1. Set `Repeat` (number of screenshots) and `Delay` (ms between shots). 2. Execute module. 3. Check command results for base64-encoded screenshot(s) of the victim's viewport.	None.
[ ]	TabNabbing	1. Set `URL` (e.g. fake login page) and `Wait` time (e.g., 1 minute). 2. Execute module. 3. Switch to a different tab and wait the configured time. 4. Switch back and verify the hooked tab has navigated to specified URL.	Close tab.
[ ]	Test CORS Request	1. Configure: `Method`, `URL`, `Data` 2. Click Execute. Test the beef.net.cors.request function.	None.
[ ]	Test HTTP Redirect	1. Click Execute. Test the HTTP 'redirect' handler.	None.
[ ]	Test JS variable passing	1. Configure: `Payload Name` 2. Click Execute. Test for JS variable passing.	None.
[ ]	Test Network Request	1. Configure: `Scheme`, `Method`, `Domain`... 2. Click Execute. Test the beef.net.request function by retrieving a URL.	None.
[ ]	Test Returning Results	1. Configure: `Times to repeat`, `String to repeat` 2. Click Execute. This module will return a string of the specified length.	None.
[ ]	Test beef.debug()	1. Configure: `Debug Message` 2. Click Execute. Test the 'beef.debug()' function.	None.
[ ]	Text to Voice	1. Set `Text` (e.g., "Hello world") and `Language` (e.g., `en`). 2. Execute module. 3. Listen for audio playback of the text.	None.
[ ]	UnBlockUI	1. First execute "BlockUI Modal Dialog" module to create a blocking overlay. 2. Then execute this "UnBlockUI" module. 3. Verify the BlockUI overlay is removed.	None.
[ ]	Unhook	1. Execute module. 2. Verify hook JavaScript is removed from page (check DevTools console). 3. Confirm browser goes "Offline" in BeEF UI. 4. Confirm no further commands can be executed.	Re-hook page if needed.
[ ]	iFrame Event Key Logger	1. Set `iFrame Src` (target URL to load in overlay). 2. Set `Send Back Interval` (e.g., 5000ms). 3. Execute module. 4. Type in the iFrame overlay. 5. Check BeEF command results for captured keystrokes.	Close tab.

3.2 Phase 2: Specific Requirements (Firefox)

These modules require specific devices, plugins, vulnerable software, or valid credentials to work.

3.2.1 Mobile & PhoneGap

Requires an Android/iOS device or PhoneGap environment.

Status	Module Name	Instructions / Description	Cleanup Needed
[ ]	Alert User	1. Click Execute. Show user an alert. This module requires the PhoneGap API.	None.
[ ]	Beep	1. Click Execute. Make the phone beep. This module requires the PhoneGap API.	None.
[ ]	Check Connection	1. Click Execute. Find out the network connection type e.g. Wifi, 3G. This module requires the PhoneGap API.	None.
[ ]	Detect PhoneGap	1. Click Execute. Detects if the PhoneGap API is present.	None.
[ ]	Geolocation	1. Click Execute. Geo locate your victim. This module requires the PhoneGap API.	None.
[ ]	Get Network Connection Type	1. Click Execute. Retrieve the network connection type (wifi, 3G, etc). Note: Android only.	None.
[ ]	Globalization Status	1. Click Execute. Examine device local settings. This module requires the PhoneGap API.	None.
[ ]	Keychain	1. Configure: `Service name`, `Key`, `Value`... 2. Click Execute. Read/CreateUpdate/Delete Keychain Elements. This module requires the PhoneGap API.	None.
[ ]	List Contacts	1. Click Execute. Examine device contacts. This module requires the PhoneGap API.	None.
[ ]	List Files	1. Configure: `Directory` 2. Click Execute. Examine device file system. This module requires the PhoneGap API.	None.
[ ]	List Plugins	1. Click Execute. Attempts to guess installed plugins. This module requires the PhoneGap API.	None.
[ ]	Persist resume	1. Click Execute. Persist over applications sleep/wake events. This module requires the PhoneGap API.	None.
[ ]	Persistence (PhoneGap)	1. Configure: `Hook URL` 2. Click Execute. Insert the BeEF hook into PhoneGap's index.html (iPhone only). This module requires the PhoneGap API.	None.
[ ]	Prompt User	1. Configure: `Title`, `Question`, `Yes`... 2. Click Execute. Ask device user a question. This module requires the PhoneGap API.	None.
[ ]	Start Recording Audio	1. Configure: `File Name` 2. Click Execute. Start recording audio. This module requires the PhoneGap API.	None.
[ ]	Stop Recording Audio	1. Click Execute. Stop recording audio. This module requires the PhoneGap API.	None.
[ ]	Track Physical Movement	1. Click Execute. This module will track the physical movement of the user's device.	None.
[ ]	Upload File	1. Configure: `Destination`, `File Path` 2. Click Execute. Upload files from device to a server of your choice. This module requires the PhoneGap API.	None.

3.2.2 Legacy Plugins (Flash, Java, Silverlight, etc.)

Requires the specific plugin to be installed and enabled in the browser.

Status	Module Name	Instructions / Description	Cleanup Needed
[ ]	Cross-Origin Scanner (Flash)	1. Configure: `Scan IP range (C class)`, `Ports`, `Workers`... 2. Click Execute. Scans an IP range... This module uses ContentHijacking.swf.	None.
[ ]	Detect Foxit Reader	1. Click Execute. This module will check if the browser has Foxit Reader Plugin.	None.
[ ]	Detect QuickTime	1. Click Execute. This module will check if the browser has Quicktime support.	None.
[ ]	Detect RealPlayer	1. Click Execute. This module will check if the browser has RealPlayer support.	None.
[ ]	Detect Silverlight	1. Click Execute. This module will check if the browser has Silverlight support.	None.
[ ]	Detect Unity Web Player	1. Click Execute. Detects Unity Web Player.	None.
[ ]	Detect VLC	1. Click Execute. This module will check if the browser has VLC plugin.	None.
[ ]	Detect Windows Media Player	1. Click Execute. This module will check if the browser has the Windows Media Player plugin installed.	None.
[ ]	Get Internal IP (Java)	1. Configure: `Number` 2. Click Execute. Retrieve the local network interface IP address of the victim machine using an unsigned Java applet.	None.
[ ]	Get System Info (Java)	1. Click Execute. This module will retrieve basic information about the host system using an unsigned Java Applet.	None.
[ ]	Webcam (Flash)	1. Configure: `Social Engineering Title`... 2. Click Execute. Shows the Adobe Flash 'Allow Webcam' dialog.	None.
[ ]	Webcam Permission Check	1. Click Execute. Checks if user has allowed BeEF domain to access Camera/Mic with Flash.	None.

3.2.3 Specific Target Software / Services

Requires a specific vulnerable software or service to be running and accessible (e.g., Apache, JBoss, Printers).

Status	Module Name	Instructions / Description	Cleanup Needed
[ ]	Apache Cookie Disclosure	1. Click Execute. Exploits CVE-2012-0053. Requires Apache HTTP Server 2.2.0 through 2.2.21.	Clear browser cookies.
[ ]	Apache Felix Remote Shell	1. Configure: `Target Host`, `Target Port`... 2. Click Execute. Attempts to get a reverse shell on an Apache Felix Remote Shell server.	None.
[ ]	Bindshell (POSIX)	1. Configure: `Target Address`, `Target Port`, `Timeout (s)`... 2. Click Execute. Sends commands to a listening POSIX shell.	None.
[ ]	Bindshell (Windows)	1. Configure: `Target Address`, `Target Port`, `Timeout (s)`... 2. Click Execute. Sends commands to a listening Windows shell.	None.
[ ]	ColdFusion Directory Traversal	1. Configure: `Retrieve file`, `CF server OS`... 2. Click Execute. Exploits directory traversal in ColdFusion 8/9.	None.
[ ]	Cross-Site Faxing (XSF)	1. Configure: `Target Address`, `Target Port`... 2. Click Execute. Sends commands to ActiveFax RAW server socket.	None.
[ ]	Cross-Site Printing (XSP)	1. Configure: `Target Address`, `Target Port`... 2. Click Execute. Sends a message to a listening print port (9100).	None.
[ ]	Detect Airdroid	1. Configure: `IP or Hostname`, `Port` 2. Click Execute. Attempts to detect Airdroid application for Android running on localhost.	None.
[ ]	Detect Burp	1. Run Burp Suite with browser proxied through it. 2. Execute module. 3. Check if Burp is detected (result shows "Burp detected" or similar).	None.
[ ]	Detect CUPS	1. Configure: `IP or Hostname`, `Port` 2. Click Execute. Attempts to detect Common UNIX Printing System (CUPS) on localhost.	None.
[ ]	Detect Coupon Printer	1. Click Execute. Attempts to detect Coupon Printer on localhost.	None.
[ ]	Detect Ethereum ENS	1. Configure: `Image resource`... 2. Click Execute. Detects if using Ethereum ENS resolvers.	None.
[ ]	Detect Google Desktop	1. Click Execute. Attempts to detect Google Desktop running on the default port 4664.	None.
[ ]	Detect OpenNIC DNS	1. Configure: `Image resource`... 2. Click Execute. Detects if using OpenNIC DNS resolvers.	None.
[ ]	EXTRAnet Collaboration Tool	1. Configure: `Remote Host`, `Remote Port`... 2. Click Execute. Exploits command execution in 'admserver' component.	None.
[ ]	Farsite X25 gateway	1. Configure: `HTTP(s)`, `Remote Host`... 2. Click Execute. Exploits CVE-2014-7175/7173 to execute code.	None.
[ ]	Firephp 0.7.1 RCE	1. Click Execute. Exploit FirePHP <= 0.7.1.	None.
[ ]	Get Wireless Keys	1. Click Execute. Retrieve wireless profiles (Windows Vista and Windows 7 only).	None.
[ ]	Get ntop Network Hosts	1. Configure: `Remote Host`, `Remote Port` 2. Click Execute. Retrieves information from ntop (unauthenticated).	None.
[ ]	GlassFish WAR Upload	1. Configure: `Host`, `Filename`... 2. Click Execute. Attempts to deploy a malicious war file on GlassFish Server 3.1.1.	None.
[ ]	GroovyShell Server	1. Configure: `Remote Host`, `Remote Port`... 2. Click Execute. Uses GroovyShell Server interface to execute commands.	None.
[ ]	Hook Default Browser	1. Configure: `URL` 2. Click Execute. This module will use a PDF to attempt to hook the default browser.	None.
[ ]	HP uCMDB 9.0x add user	1. Configure: `Protocol`, `Host`, `Port`... 2. Click Execute. Attempts to add users to HP uCMDB.	None.
[ ]	IBM iNotes (Extract List)	1. Click Execute. Extracts iNotes contact list.	None.
[ ]	IBM iNotes (Flooder)	1. Configure: `To`, `Subject`, `Body`, `Count`... 2. Click Execute. Floods an email address from the victim's account.	None.
[ ]	IBM iNotes (Read)	1. Click Execute. Read a note from the victim's IBM iNotes.	None.
[ ]	IBM iNotes (Send)	1. Configure: `To`, `Subject`, `Body` 2. Click Execute. Sends an email from the victim's account.	None.
[ ]	IBM iNotes (Send w/ Attachment)	1. Configure: `To`, `Subject`, `Body`, `File`... 2. Click Execute. Sends an email with attachment from the victim's account.	None.
[ ]	IMAP	1. Configure: `IMAP Server`, `Port`, `Commands` 2. Click Execute. Sends commands to an IMAP4 server.	None.
[ ]	IRC	1. Configure: `IRC Server`, `Port`, `Username`... 2. Click Execute. Connects to an IRC server and sends messages.	None.
[ ]	IRC NAT Pinning	1. Configure: `Connect to`, `Private IP`, `Private Port` 2. Click Execute. Attempts to open closed ports on statefull firewalls compatible with IRC tracking.	None.
[ ]	Jboss 6.0.0M1 JMX Deploy	1. Configure: `Remote Target Host`... 2. Click Execute. Deploy a JSP reverse or bind shell using JMX.	None.
[ ]	Jenkins Code Exec CSRF	1. Configure: `Remote Host`, `Target URI`... 2. Click Execute. Attempts to get a reverse shell from Jenkins Groovy Script console.	None.
[ ]	Kemp LoadBalancer RCE	1. Configure: `URL`, `Remote Port`... 2. Click Execute. Exploits RCE in Kemp LoadBalancer 7.1-16.	None.
[ ]	QEMU Monitor 'migrate'	1. Configure: `Remote Host`, `Remote Port`... 2. Click Execute. Attempts to get a reverse shell from QEMU monitor service.	None.
[ ]	QNX QCONN Command Exec	1. Configure: `Remote Host`, `Remote Port`... 2. Click Execute. Exploits vulnerability in qconn component of QNX Neutrino.	None.
[ ]	RFI Scanner	1. Configure: `Target Protocol`, `Target Host`... 2. Click Execute. Scans web server for RFI vulnerabilities.	None.
[ ]	Redis	1. Configure: `Target Address`, `Target Port`... 2. Click Execute. Sends commands to a listening Redis daemon.	None.
[ ]	Shell Shock (CVE-2014-6271)	1. Configure: `Target`, `HTTP Method`... 2. Click Execute. Attemp to use vulnerability CVE-2014-627 to execute arbitrary code.	None.
[ ]	Shell Shock Scanner	1. Configure: `HTTP Method`, `Target Protocol`... 2. Click Execute. Attempts to get a reverse shell by requesting ~400 potentially vulnerable CGI scripts.	None.
[ ]	VTiger CRM Upload Exploit	1. Configure: `Target Web Server`... 2. Click Execute. Uploads and executes a reverse shell on VTiger CRM 5.0.4.	None.
[ ]	WAN Emulator Command Exec	1. Configure: `Target Host`, `Target Port`... 2. Click Execute. Attempts to get a reverse root shell on a WAN Emulator server.	None.
[ ]	WordPress Add User	1. Configure: `Username`, `Pwd`, `Email`... 2. Click Execute. Adds a WordPress User.	None.
[ ]	WordPress Add Administrator	1. Configure: `Username:`, `Pwd:`... 2. Click Execute. Stealthily adds a Wordpress administrator account.	Close tab/window. Check for residual pop-unders.
[ ]	WordPress Current User	1. Click Execute. Get the current logged in user information.	None.
[ ]	WordPress Upload RCE (Plugin)	1. Configure: `Auth Key` 2. Click Execute. Attempts to upload and activate a malicious wordpress plugin.	None.
[ ]	Wordpress Post-Auth RCE	1. Configure: `Target Web Server` 2. Click Execute. Attempts to upload and activate a malicious wordpress plugin.	None.
[ ]	Zenoss 3.x Add User	1. Configure: `Zenoss web root`... 2. Click Execute. Attempts to add a user to a Zenoss Core 3.x server.	None.
[ ]	Zenoss 3.x Command Exec	1. Configure: `Target Host`, `Target Port`... 2. Click Execute. Attempts to get a reverse shell on a Zenoss 3.x server.	None.
[ ]	ruby-nntpd Command Exec	1. Configure: `Remote Host`, `Remote Port`... 2. Click Execute. Uses 'eval' verb in ruby-nntpd 0.01dev to execute commands.	None.

Requires the user to be logged into valid accounts (Gmail, Facebook, etc.) or susceptible to specific social engineering tricks.

Status	Module Name	Instructions / Description	Cleanup Needed
[ ]	Clippy	1. Configure: `Clippy image directory`... 2. Click Execute. Brings up a clippy image and asks the user to do stuff.	None.
[ ]	Detect Social Networks	1. Configure: `Detection Timeout` 2. Click Execute. Detects if authenticated to GMail, Facebook and Twitter.	None.
[ ]	Fake Flash Update	1. Configure: `Image`, `Payload URI` 2. Click Execute. Prompts the user to install an update to Adobe Flash Player.	None.
[ ]	Fake Notification Bar	1. Configure: `Notification text` 2. Click Execute. Displays a fake notification bar.	None.
[ ]	Fake Notification Bar (Chrome)	1. Configure: `URL`, `Notification text` 2. Click Execute. Displays a fake Chrome notification bar.	None.
[ ]	Fake Notification Bar (Firefox)	1. Configure: `Plugin URL`, `Notification text` 2. Click Execute. Displays a fake Firefox notification bar.	None.
[ ]	Fake Notification Bar (IE)	1. Configure: `URL`, `Notification text` 2. Click Execute. Displays a fake IE notification bar.	None.
[x]	Google Phishing	1. Configure: `XSS hook URI`, `Gmail logout interval`... 2. Click Execute. XSRF logout of Gmail, show phishing page.	None.
[ ]	Read Gmail	1. Click Execute. Grabs unread message ids from gmail atom feed.	None.
[ ]	Send Gvoice SMS	1. Configure: `To`, `Message` 2. Click Execute. Send a text message (SMS) through Google Voice.	None.
[ ]	Skype iPhone XSS	1. Click Execute. Steals iPhone contacts using a Skype XSS vuln.	None.

3.2.5 Advanced Network & Infrastructure

Requires specific network configurations (e.g., DNS, Tor, Proxy, WPAD).

Status	Module Name	Instructions / Description	Cleanup Needed
[ ]	DNS Tunnel	1. Configure: `Domain`, `Data to send` 2. Click Execute. This module sends data one way over DNS, client to server only.	None.
[ ]	DNS Tunnel	1. Configure: `Domain`, `Message`, `Wait between requests (ms)` 2. Click Execute. This module sends data one way over DNS. Message split into chunks.	None.
[ ]	DNS Tunnel: Server-to-Client	1. Configure: `Payload Name`, `Zone`, `Message` 2. Click Execute. This module retrieves data sent by the server over DNS covert channel.	None.
[ ]	Detect Tor	1. Configure: `What Tor resource to request`, `Detection timeout` 2. Click Execute. This module will detect if the zombie is currently using Tor.	None.
[ ]	Get Proxy Servers (WPAD)	1. Click Execute. This module retrieves proxy server addresses for the zombie browser's local network using WPAD.	None.

3.2.6 Antivirus (Requires Specific AV/Extension)

The "Detect Antivirus" module looks for artifacts (injected scripts, user-agent changes, or specific DOM elements) created by commercial antivirus products or their browser extensions.

Setup Steps (Local VM):

Install Browser Extension: BeEF detects specfic artifacts in the DOM or User-Agent string. A free option to test is the Avast Online Security extension.
- Open Firefox in the VM.
- Navigate to the Avast Online Security & Privacy addon page.
- Click Add to Firefox.
Execute: Run the module.
- Note: valid detection depends on the extension injecting specific signatures (e.g. ASW/ in User-Agent) which may vary by version.

Status	Module Name	Instructions / Description	Cleanup Needed	Comments
[ ]	Detect Antivirus	1. Install Avast extension (see above). 2. Execute module. 3. Check results for "Avast" or other detected AV.	Uninstall extension.

3.2.7 Browser Extensions (Requires Installation)

These modules detect specific browser extensions which must be installed in the hooked browser to be detectable.

Setup Steps:

LastPass: Install the LastPass Password Manager extension in Firefox.
FireBug: Note that FireBug is legacy/obsolete. This module may only work on older browser versions or specific legacy environments.

Status	Module Name	Instructions / Description	Cleanup Needed
[x]	Detect FireBug	1. Execute module. 2. Verify detection if legacy FireBug is present.	None.
[ ]	Detect LastPass	1. Install LastPass extension. 2. Execute module. 3. Verify results show "Detected LastPass...".	Uninstall extension.
[ ]	Detect Toolbars	1. Install a supported toolbar (e.g. legacy Google Toolbar, Alexa Toolbar). 2. Execute module. 3. Verify results show the detected toolbar name.	Uninstall toolbar.

3.2.8 BeEF Extensions (Requires Configuration)

Some modules require specific BeEF extensions to be enabled in the server configuration.