Thursday, August 9, 2012


We've been so busy in the last months that we haven't even had the time to write a blog post with the changes :D

Anyway, here we are with a new tasty piece of BeEF,!

Here is the breakdown of the most important changes (without mentioning bugfixes, that are always there if you look at our GIT repo history):

  • Twitter and E-mail notifications (thanks @marcwickenden): we have a new extension where you can configure an SMTP server or Twitter account in order to receive automatic notifications as soon as a new browser is hooked in BeEF;
  • HTTPS support (thanks to one of our long-term developers, Christian @xntrik Frichot): you can now start BeEF with full HTTPS support. You should use this when you want to target HTTPS applications, especially if the user is using latest Chrome/Firefox browsers: they do security checks for mixed content and prevent the hook to work in case you use HTTP;
  • new Chrome extension module (thanks Mike Haworth): now you can have screenshots of the current tab the user is in;
  • Gmail phishing and Flash Webcam modules (thanks using the first module you can logout a user from Gmail, create a fake Gmail login page, then steal the the Google account credentials. With the second module, if the user clicks "Allow Webcam" from the popup created by Flash, you can get photos from his webcam at a defined time interval you can specify; 
  • Nat_pinning module (thanks Bart Leppens): you probably remember Samy's research on the topic. Well, we added this nice attack to BeEF, so you can have fun with it. 
  • The GlassFish exploit has been enhanced (again, thanks Bart), and we also added GlassFish fingerprinting to our internal network fingerprinting module.
  • Brendan @_bcoles Coles, as always, did a great job adding new modules and porting various attacks to BeEF: Spring exploit for CVE-2010-1622, lots of XSRF and some RCE modules for various embedded devices like routers and cameras (D-Link dir-615, Linksys wcv series, Cisco E2400, 3Com OfficeConnect ADSL Wireless 11g, Asmax AR-804gu). Other than that, he also added enhanced fingerprinting for various mobile devices, and the balloon dialogs for the admin web-gui. Let us know via @beefproject if you want more/different stuff in this dialog.
  • Michele @antisnatchor Orru, except from bugfixes, added the confirm_close_tab module, in order to achieve better hook persistence and annoy the user (basically the user is asked  for confirmation - in a loop - when he's closing the hooked tab). Another bunch of changes he worked on were about the AssetHandler (you can now bind/unbind raw sockets in BeEF, useful for example in the nat_pinning module to bind a socket on port 6667), the RESTful API (added a /api/modules/multi endpoint that you can now use to launch multiple modules at once to a single target) and the admin web-gui (added a JSON endpoint that enables you to call the RESTful API from ExtJS)
These 2 months were fun as always. If you want to get involved with out project, just let us know. We have tons of features to implement and we need man-power :D

Last thing to mention is the nice BlackHat 2012 presentation about BeEF in MiTM scenarios, from Steve Ocepek and Ryan Lynn (for those of you who don't remember him, Ryan developed the Metasploit integration we currently have in BeEF). Have a look at what awesome stuff they did here. For those of you who were not already using Ettercap + BeEF, you should definitely have a look at their work. Even if you used Ettercap before, they wrote a bunch of nice MiTM Ruby scripts using PacketFu that automate the whole process.


  1. I configured all the necessery credientials for beef notification in config.yaml (auth token, ...) but when i launched beef i couldn't go through the authentication process in the admin panel using default username/password (beef/beef), i disabled the notification once again and everything got back to normal.

    is there anaything else to configure to resolve that issue?

  2. Log Message:
    Fixed Twitter client to not cause errors on failed tweets allowing logins etc to continue

    Sorry about that.

  3. (we haven't looked at e-mail yet)

  4. Yes, that's a great information to all of people. I am very happy to know this content as well. I hope that business man's are need to follow this article. amazon coupons

  5. It is the one of the best information to me which was very essential to me as well and sure that it must be effective to me to know the huge unknown information. Security Camera Review

  6. This was reported to MSRC on July 2 and hasn't been fixed to date. conversion bug

  7. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.

    Selenium with python Training in Electronic City

  8. My Assignment Services, is well-known for its 24-hour online Assignment Help on the WhatsApp platform. Students can reach out to us with their queries at any point of the day or night and get the most effective solutions for them. University assessments have to follow specific referencing and citation styles like Harvard, APA, Chicago and MLA. Also, they should be referenced only from credible academic sources. Our best online academic help experts talk about how to select and evaluate the right academic sources, which will help you clear all your academic-related doubts. Assignment Service by My Assignment Services has been trusted by millions of students worldwide for over a decade. We have been providing complete academic assistance to students struggling with their college and university tasks. We have a team of dedicated subject matter experts who maintain a 100% record of submitting orders well before the deadline. This also gives the students some time to review them and ask for revisions, if needed. You can trust our academic ghostwriters completely to get best quality write-ups including case studies, research proposals, dissertations and Assignment Help Melbourne, and more.