BeEF (Browser Exploitation Framework)

May 8, 2011, by | Start Discussion

What is BeEF

BeEF is a Browser Exploitation Framework. It enables an attacker/pen tester to assess the security of the browser and lets him exploit it if found vulnerable.

  • It has various uses.
  • It can Port scan the zombie.(BeEF framework uses word zombies for targets/victims).
  • It helps to foot print the zombie for various plugins and settings.
  • It can exploit the browser vulnerabilities.
  • It can be used as key logger.
  • It can be used as a platform to check exploit behaviour under different browsers like IE, Firefox, Safari etc.

The good thing about BeEF, is that it is designed in a modular way (which makes addition of new exploits as easy as possible). Additionally, it is cross platform.

The functionality of the framework revolves around two components namely zombies and modules.

  1. Zombies are the prospective targets (browsers) which can be exploited/manipulated based up on their security posture.
  2. Modules are the functional parts of the framework. They let us use exploits, shells, port scanner etc.

BeEF has many cool features:

BeEF is actively being developed by its developers. They have plans to incorporate many features. BeEF has following features right now in the PHP version.

  1. Key logger
  2. Bind shells
  3. Port scanner
  4. Clipboard theft
  5. Tor detection
  6. Integration with Metasploit Framework
  7. Many browser exploitation modules
  8. Browser functionality detection
  9. Mozilla extension exploitation support.

Who can use it?

The scope of the BeEF is very broad, it can used by Penetration testers, security researchers, information security hobbyists etc.

How does it work?

BeEF is built on a client-server architecture and has two components namely :-

  • User interface
  • Communication server

User interface

BeEF has a very nice and easy to use User interface. This component acts an interface between BeEF framework, zombies (BeEFframework uses word zombies for targets/victims ) and the attacker. UI lets you select zombies, select modules, and configure various settings etc.

Communication Server

This component is the heart (base) of the framework. The communication Server communicates with the zombies ( Targets ) via the http protocol and takes care of everything the framework does.

A typical scenario:

A attacker hosts a site using BeEF. Victim access the web page hosted by attacker. The web page triggers  BeEF framework to send the instructions to the browser, to execute on the target machine. The user gets added into the zombie list of the framework. The whole process is invisible to the user.

Now attacker logs in to the BeEF server remotely and can run modules to get the desired outcome. He can redirect the victim to a malicious site, exploit vulnerable browser, log the browser activity etc. Usages are limit less and are only restricted by imagination/creativity of the attacker.

How to install BeEF:

These instructions are for php version of BeEF.


  1. Web server
  2. PHP

Install Instructions:

  1. Download beef source from the site (checkout the source with svn client)
  2. Extract the source into the webroot directory of the server (usually it is /var/www/)
  3. Check the permissions  and ownership of the BeEF directory
  4. Go to the location of BeEF directory through a browser
  5. Follow the instructions


Let us see the demo of MS09-002 exploit in BeEF. There is a nice collection of videos by Jabra atVimeo. Please see the References for video links.

Consider we have three machines.

  • Attacker Machine:
  • BeEF Server Machine:
  • Victim (Zombie) Machine : victim is running a windows box with Internet Explorer.

Attacker performs the following steps which results in exploitation of victim's machine.

Step 1:

Attacker hosts a site (here running a BeEF framework.

Step 2:

Victim visits the site, assuming the site is safe. Once he access the page, the browser executes a series of instructions fetched from the framework which instructs the browser to maintain connection and receive further commands. Furthermore victim's ip gets added to the zombie list of BeEF.

Step 3:

Attacker logs into the server through the URL, usually by providing username and password (default username and password are beef/beef ).

Step 4:

Attacker selects the desired zombie, in our case victim's machine from the zombies list in left panel.

Step 5:

Attacker verifies the availability of port 28876 (Port is configurable in BeEF). As you can see in the screen-shot below, it’s available for our use, ideally it means, the port 28876 is not being used by any other process right now.

Step 6:

Attacker selects the MS009-002 exploit from standard modules menu.
Standard Modules –>xplt: xp sp2 iebindshell

Step 7:

The following page is displayed

Step 8:
Once Attacker clicks the Exploit button, BeEF exploits the vulnerability and opens a port 28876 on victim's machine.

Step 9:

Attacker connects to the victim's box using Netcat on port 28876 using following command –
nc  28876.
For more info on using Netcat see the man page of nc or “nc/?”

Thats it. Attacker now has complete access of the victim's system. The applications of BeEF are only limited by the creativity of the attacker. He can turn this system into a web server for hosting malicious sites to trap few more zombies.


BeEF is a very powerful tool in any security professional's arsenal. It creates new client side attack vectors to test/assess the security of the browser. It helps a security professional to test their exploits on various browsers to assess exploit’s functionality and restrictions


Project home :
Jabra's BeEF Videos:

Imran aka Morpheus works at TCS, Hyderabad. He is a proud member of Team Matriux. His interests include VAPT, Malware Analysis and Reverse Engineering.

Leave a Reply