Friday, July 5, 2013

A funny issue on BeEF keylogger spotted by Mario

Mario Heiderich, a good friend of mine, spotted a cool issue with the BeEF keylogger. He went “Armin Meiwes” on our favourite open source bovine. He found XSS in BeEF using <svg/onload=blah>. Well-done!

The BeEF team encourages security researchers to help out wherever possible. As such, we are announcing a BeEF bug bounty program. Each bug will receive a kilogram of Minotaur rump (depending upon supply ;-). Contact us if you would like to help out. We want to hear from you!

We're publishing the writeup about the bug Mario found and we're addressing how we fixed it in today's blog post.

Wednesday, June 26, 2013

The Internet of Things

We've heard a lot of people buzzing about this Internet of Things. So, we thought we'd offer you this without further comment:

Tuesday, June 18, 2013

Cross-domain communication with a JSP shell from a browser hooked with BeEF

If you're a penetration tester, you have surely played with webshells before. There are plenty of webshell examples in multiple languages (e.g. Java (JSP), ASP, ASP.NET, PHP). Most of these webshells, including the Metasploit ones, give you either a bind or reverse shell running as the web or application server user (e.g. Tomcat, Apache, IIS).

This works fine when you want to use our BeEF Bind custom shellcode to exploit compiled software (kudos to our friend Ty Miller), but what can you do if you're able to upload a webshell to the target and you want bi-directional communication with that from the hooked browser?

If your target is a Java Application Server, for instance JBoss or GlassFish (see the exploits we ported to BeEF for both of them, inside the exploit directory), you can deploy the following JSP shell I wrote for that purpose.

Thursday, April 4, 2013

The Evolution of Chrome Extensions Detection

Today's blog post is by guest blogger Giovanni Cattani.

The Old Technique

Detecting which Chrome extensions are installed has always been a trivial matter of finding a specific extension ID and trying to load the manifest.json file, which is always located in the same spot:


However, in the latest Chrome versions, attempting to load the manifest usually fails and the JavaScript console returns the following error:

Denying load of chrome-extension://abcdefghijklmnopqrstuvwxyz012345/manifest.json. Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension.

Load Error

What happened to the good old detection code that used to work seamlessly? And what is the web_accessible_resources manifest key?

Wednesday, March 20, 2013

Exploiting m0n0wall 1.33 with BeEF

Today's post is a guest post from Bart Leppens.

What is m0n0wall? m0n0wall is a free software firewall distribution that often runs on embedded hardware like Alixor Soekris boards.  It is based on a bare-bones version of FreeBSD. There is no netcat, socat, perl, python, ruby or even telnet present on the system.  I actually don't know if this is due to security considerations or just to save some diskspace since m0n0wall was longtime fitting on a 8 MB CF-card, now it requires just a 16 MB card. And we figured out how to exploit it with BeEF.

Monday, March 11, 2013

Subverting a cloud-based infrastructure with XSS and BeEF

Well, the world is changing. You can probably do a lot more direct damage with a XSS in a high-value site than with a local privilege escalation in sudo [...] - [email protected]
If you are intrigued by sophisticated exploits and advanced techniques, Cross-Site Scripting is probably not the most appealing topic for you. Nevertheless, recent events demonstrated how this class of vulnerabilities has been used to compromise applications and even entire servers.

Today, we are going to present a possible attack scenario based on a real-life vulnerability that has been recently patched by the Meraki team. Although the vulnerability itself isn't particularly interesting, it is revealing how a trivial XSS flaw can be abused to subvert an entire network infrastructure.

Monday, February 25, 2013

About the latest Rack vulnerability and how it affected BeEF

A friend of mine, Louis @snyff Nyffenegger, recently found an XSS in Rack default 404 page. By default, Rack is reflecting the value of the not found URI in the page, without applying proper output escaping. This leads to reflected XSS.

A simple patch suggested by him is the following:

So how does this affect BeEF?

The bug is present when using Rack::File or similar directives to mount content in the Thin web server. We use that directive to mount the static content served via the /demos URI.


The affected code in the file.rb Rack library is:

Tuesday, January 15, 2013


With two hooks (customhook and qrcode), you can have quite a bit of fun in a pentest. Today's blog post uses these together for some fun(ny) and useful pentest ideas.

This post was contributed by Christian Frichot (@xntrik).

Monday, January 7, 2013

BeEF Live - The quick and easy way to get your BeEF

Today's post is brought to you by Ben Waugh (@bw_z)

By far the most common queries or issues our users encounter is how to get BeEF dependencies running with a minimum of hassle on their systems. While our installation guide includes instructions for most *Nix distributions, we also put together a LiveCD which includes a working install or BeEF, Metasploit and sqlmap.

Using the LiveCD
Download here:

To run, simply:
  • Download 
  • Create a new VM using your virtualisation software of choice
  • Boot from the ISO. 
  • The console will automatically login with user "beef" and present you with a few options at startup:
    • Install & Setup SSH: this will enable SSH for remote access to the VM and prompt you to create a password. 
    • Update BeEF (or metasploit/sqlmap) will update to the latest version available in GitHub.
    • Start beef.
Known Issues
Due to some issues running Ubuntu on VirtualBox, users of VirtualBox may have to toggle PAE Support

About the LiveCD
The liveCD is based on Ubuntu 12.04 LTS and is configured to use Ruby 1.9.3p194. Apart from the standard install instructions (above) there is very little custom configuration of the OS.
Ruby Version Manager was used ( to install and ruby versions, users can customise further and download, install and switch between Ruby versions with the rvm command on the LiveCD.

The LiveCD was generated using Remastersys and it's dist command, which generates the 850MB ISO file above. The custom splash screen and grub text are also customised by providing a custom splash.png and isolinug.cfg files.

A reference to the liveCD/ file in the BeEF repository is added to the default user profile to provide the user with a series of friendly prompts, including updating or running beef.

Any suggestions for other customisations or feature requests for the BeEF LiveCD? Let us know @beefproject or raise issues for us in GitHub.