Thursday, September 13, 2012

BeEF web cloning, BeEF mass mailing, Social Engineering with better BeEF!

After a week of hard work, I'm pleased to release a new Social Engineering extension that will come in very handy during social engineering attacks that involve phishing, both email and web based.

Now BeEF has its own web cloner, and its own mass mailer! But, there are tools out there that do this already, you say. Why should I use BeEF to do this, you ask?

Because it's BeEF! While there are other tools out there to do these things, I've made some improvements to how these are done when adding them into BeEF. We're talking about things like cloning web pages with an exact path, automatic BeEF hooking, and finally a mass mailer that supports HTML emails... well, you should really read this whole post.

You are probably aware that you can already do web cloning, credential harvesting and mass mailing with other tools. At the time of this writing, though, these tool modules have various limitations. For example:
  • When you clone a web page, you cannot arbitrarily specify the exact path where you want to serve the cloned page from. For instance, if you clone hxxp:// and your phishing domain is, you cannot mount the cloned page on Instead, you have to use unless you patch the tool yourself.

  • Also, after a POST request is intercepted, control of the victim is lost (unless you use other attacks that pwn the victim machine first).
  • Finally, you cannot have one instance of the tool that is serving multiple phishing pages (in case you want to do that).

  • When you use the mass mailer, you cannot send HTML emails. By default the degree of customization of your email is very limited, meaning that when you create a template you can specify only a subject, a body and an attachment. The email is always sent in plain text. In many attack scenarios, when you have already profiled your victim (so you already know her email/name, and you probably also have an HTML email with the company footer/branding), you want to send targeted emails that look exactly like the legitimate ones she usually receives.
I was frustrated with these limitations. I always needed to customize these tools in order to include BeEF hooks, so, I got bored and decided to write my own code.

The BeEF web cloner has the following features:
  • Clone the page you want, and mount it where you want (including exact path). You can clone multiple pages and mount them in multiple different locations. You can also specify if you want to mount the exact clone, or mount a different file of your own (for instance, after you applied your custom modifications that are easier to accomplish manually rather than with a parser);
  • The page that has been cloned is automatically modified in multiple ways: the BeEF hook is added, so that the victim is automatically hooked in BeEF as soon as she's on the page, and the 'form' fields are modified in order to intercept POST requests (credentials sent to a login page, for instance);
  • Finally, if the original page you cloned can be framed (currently the extension checks only for X-Frame-Options, not for custom framebusting code), after the victim clicks on the login page - and the POST request is intercepted - the original page will be loaded in an overlay iFrame while keeping the browser hooked in BeEF. 
The BeEF mass mailer has the following features:
  • Connects to an SMTP server on the port you want (with/without TLS), and sends highly customizable emails, based on a template you choose, to the N victims you specify. When specifying your victim emails, you also associate every email with a name, so the final email will look more legitimate (like, Hi Michele, then next Hi Wade, etc... depending on the recipient). The mass_mailer configuration options and the default email template file structure are shown below:

  • Template creation is actually where the fun starts. You are completely free to create both a plain text and an HTML email with the content you want. What I usually do, once I already have the victim's original legitimate HTML email, is the following:
    • copy and paste the original HTML content on your new template file mail.html;
    • if the email contains images (in the form of <img src="" />), download those images into the template directory;
    • then configure the config.yaml file by adding your new template, specifying which images you have, and assigning a Content Id to each of them;
    • using the Content Ids, edit the mail.html file modifying each image source with something like <img src="cid:__cidX__" /> , where X is the id of the CID of the image you want in that position;
    • finally, place __name__ and __link__ / __linktext__ placeholders where you want, as those values will be automatically replaced with content you want.
The default template email looks like the following:

And it looks like this when it's received from a mail client:

Note that the fromname (BeEF) can always be spoofed when creating an email, and you're free to specify the value you want. Also, by default, many mail clients display only the fromname field instead of the full email address.
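Two traits of these emails can be checked on the receiving side: a familiar display name on an unfamiliar sender domain, and link text that names one host while the href points to another. The following added example (not part of the original post or of BeEF) flags both in a raw message; the trusted domain, protected names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: your own mail domains, and display names worth protecting.
TRUSTED_DOMAINS = {"corp.example"}
PROTECTED_NAMES = {"it helpdesk", "payroll"}
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

class LinkAudit(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def findings(raw):
    """Return phishing indicators found in one raw RFC 5322 message."""
    msg, out = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name.lower() in PROTECTED_NAMES and domain not in TRUSTED_DOMAINS:
        out.append("display-name spoof: %r from %s" % (name, domain))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        audit = LinkAudit()
        audit.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in audit.links:
            shown, real = HOST_RE.match(text.lower()), urlparse(href).hostname
            if shown and real and shown.group(1) != real:
                out.append("link text shows %s but points to %s" % (shown.group(1), real))
    return out

# Constructed sample message, not taken from the page.
SAMPLE = ('From: "IT Helpdesk" <helpdesk@mailer.example.net>\n'
          'Content-Type: text/html; charset="utf-8"\n\n<p>Hi Michele, sign in at '
          '<a href="http://login.example.net/login.aspx">portal.corp.example</a></p>\n')
print(findings(SAMPLE))
```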
Both the web cloner and the mass mailer functionality are currently exposed only via the RESTful API. To clone and mount it on /login.aspx on BeEF, use the following curl request (update [BeEF] and [token] accordingly):
curl -H "Content-Type: application/json; charset=UTF-8" \
 -d '{"url":"", "mount":"/login.aspx"}' \
 -X POST "http://[BeEF]/api/seng/clone_page?token=[token]"

To send an email using the default template, with custom fromname/subject/link/linktext values, to 2 recipients, use the following curl request (update [BeEF] and [token] accordingly):
curl -H "Content-Type: application/json; charset=UTF-8" -d \
  '{"template": "default","subject": "your subject","fromname": "BeEF","link": 
  "http://[BeEF]/login.aspx","linktext": "","recipients":
  ' -X POST "http://[BeEF]/api/seng/send_mails?token=[token]"

A few notes. The extension is (currently) not compatible with Windows, because it uses wget to clone the web page, and file to determine the correct mime type for inline/attachment email contents. Other than that, it leaves you to set up a public server with a proper domain name and MX records for the SMTP server (in case you cannot use the victim SMTP server for spoofing purposes).

Finally, don't forget to change in the main config.yaml file to your public  server IP address.

Having these two nice tools, you can plan your social engineering campaigns using both web and email phishing, while using BeEF to do the dirty work. What I usually do is script everything with the RESTful API: clone a page, include that phishing link on a new mass mailer template, send the emails to my targets, hook them all in BeEF, launch targeted command modules, and (thanks to BeEF's awesome browser/plugin detection) wait for reverse shells :D

Have fun!  


  1. Was setting up a Tor hidden service with BT5 r3 - and guess what your stuff was installed into apache2. So my hidden service is working and I plan on getting BeEF working in Tor as a service.
    There might be a need for this tool in Tor if I understand your madness.. - Tor Site - otwxbdvje5ttplpv.onion
    - clearWeb
    - @gAtOmAlO2 - let me know if I can be of service...


  3. This comment has been removed by the author.

    1. This comment has been removed by the author.

    2. currently running beef-xss 4.4.9
