Information Gathering
Jess Williams edited this page Jan 1, 2020 · 23 revisions
So now, you have BeEF up and running, and you have hooked your first browser. You might be wondering what the next step is.
Your first step will often be to perform reconnaissance on the remote host. Which browser and plugins do they have running? Which website have you hooked?
This page describes how you can begin that process.
When a browser is hooked, BeEF will automatically gather several pieces of information, including:
- Browser Name and Version
- Browser User Agent
- Plugins (including Java, ActiveX, VBS, Flash, etc.)
- If Adobe Flash Player is installed
You can then use different plugins to gather more specific information about the browser, for example:
- The Browser Fingerprinting module uses a number of custom URLs to identify the hooked browser. This can be useful if you are concerned that the user has changed their user agent.
- You can extend the list of plugins with the Detect Firebug, Detect Popup Blocker, Detect Google Desktop and Detect Unsafe ActiveX modules.
[Screenshot: output from the Browser Fingerprinting module]
BeEF enables you to gather information on the system of the hooked browser:
- Internet Explorer has permissions that allow detection of installed system software (see Detect Softwares) and even of registry keys (please note that attempting to use the registry keys module will prompt the browser's user for authorization).
- If the browser authorizes Java, the Get Internal IP module allows BeEF to detect the IP address of the system (don't worry, more fun network tricks will be described later).
- The Get System Info module can gather additional information on the system from a Java applet, including operating system details, Java JVM info, IP addresses, processor/memory specs, and more.
- It is also possible to retrieve the location of the user by using the Geolocation API or by using a trick that requests Google Maps.
- The default JavaScript API allows access to data stored in the clipboard.
[Screenshot: output from the Get System Info module]
A hooked browser allows BeEF to discover information on the behaviour of the user:
- Using some JavaScript tricks, it is possible to detect whether the browser has already visited a given URL or a given domain.
- The Detect Social Networks module can identify whether the user of the hooked browser has a current session on Facebook, Twitter, or Gmail.
- The Detect TOR module can identify whether the user of the hooked browser is currently using Tor.
[Screenshot: output from the Detect Social Networks module]
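For site owners, an added example that is not part of BeEF or of the original wiki page: a check of a page's response headers against the channels listed above (injected script, plugins and applets, geolocation, clipboard). The function names are hypothetical, the header samples are constructed, and it assumes a browser that enforces both Content-Security-Policy and Permissions-Policy.

```javascript
// Added example (not BeEF code). Function names are hypothetical.
// Parse "geolocation=(), clipboard-read=(self)" into { feature: allowlist }.
function parsePermissionsPolicy(value = "") {
  const policy = {};
  for (const part of value.split(",")) {
    const eq = part.indexOf("=");
    if (eq > 0) policy[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return policy;
}

// Parse "script-src 'self'; object-src 'none'" into { directive: [sources] }.
// As in CSP itself, only the first occurrence of a directive counts.
function parseCsp(value = "") {
  const csp = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in csp)) csp[key] = sources;
  }
  return csp;
}

// Return the channels an injected script could still use on this page.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const pp = parsePermissionsPolicy(h["permissions-policy"]);
  const csp = parseCsp(h["content-security-policy"]);
  const scriptSrc = csp["script-src"] || csp["default-src"];
  const objectSrc = csp["object-src"] || csp["default-src"];
  const permissive = ["'unsafe-inline'", "*", "http:", "https:"];
  const open = [];
  // Simplification: 'unsafe-inline' is flagged even if a nonce or hash would override it.
  if (!scriptSrc || scriptSrc.some((s) => permissive.includes(s))) open.push("script injection");
  if (!objectSrc || objectSrc.join(" ") !== "'none'") open.push("plugins and applets");
  // "(self)" still exposes the feature to script running in the page's own origin.
  if (pp["geolocation"] !== "()") open.push("geolocation");
  if (pp["clipboard-read"] !== "()") open.push("clipboard");
  return open;
}

// Constructed sample headers, not captured from a real site.
const weak = { "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'" };
const hardened = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  "Permissions-Policy": "geolocation=(), clipboard-read=()",
};
console.log(auditHeaders(weak));
console.log(auditHeaders(hardened));
```

An empty result means every channel the check knows about is closed by policy; each name returned is a header directive still to tighten.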