
Information Gathering

Jack Walker edited this page Dec 30, 2019 · 23 revisions

So now, you have BeEF up and running, and you have hooked your first browser. You might be wondering what the next step is.

Your first step will often be to perform reconnaissance on the remote host. Which browser and plugins do they have running? Which website have you hooked?

This page describes how to begin that process.

Browser Fingerprinting

When a browser is hooked, BeEF will automatically gather several pieces of information on the hooked browser:

  • Browser Name and Version
  • Browser User Agent
  • Plugins (including Java, ActiveX, VBS, Flash...)
  • Window Size

Default information on the hooked browser gathered by BeEF:

You can then use different plugins to gather more detailed information on the browsers:

Example Result from the Browser Fingerprinting Module:

Information Gathering on the System

By using several modules, you can also gather information on the system of the hooked browser:

  • Internet Explorer has permissions that allow detection of system software (see Detect Softwares) and even of registry keys (note that attempting to use the registry keys module will prompt the user with an authorization message).
  • If the browser authorizes Java, the Get Internal IP module allows BeEF to detect the IP address of the system (don't worry, more fun network tricks will be described later).
  • The Get System Info module can gather additional information on the system from a Java Applet including: Operating System details, Java JVM info, IP addresses, Processor/Memory specs, and more.
  • It is also possible to retrieve the location of the user by using the Geolocation API or by using a trick requesting Google Maps.
  • The default JavaScript API allows access to data stored in the clipboard.

Result of Get System Info Module:

User Behaviour Fingerprinting

A hooked browser allows BeEF to discover information on the behaviour of the user:

  • Utilising some JavaScript tricks, it is possible to detect if the browser has already visited a given URL or a given domain.
  • The Detect Social Networks module can identify if the user of the hooked browser has a current session on Facebook, Twitter, or Gmail.
  • The Detect TOR module can identify if the user of the hooked browser is currently using TOR.
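
For a site owner checking how much of the collection listed on this page an injected script could perform, the following added example (not part of BeEF or of this wiki) audits a response's Content-Security-Policy and Permissions-Policy headers for the Geolocation API, clipboard reads, plugin content and script origins. The function names are hypothetical, and the Permissions-Policy clipboard check only covers the asynchronous Clipboard API.

```javascript
// Added example; function names are hypothetical, sample headers in tests are constructed.
// Parse "feature=(allowlist), feature2=*" into a Map of feature -> allowlist.
function parsePermissionsPolicy(value) {
  const features = new Map();
  for (const part of (value || "").split(",")) {
    const idx = part.indexOf("=");
    if (idx > 0) features.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return features;
}

// Parse a CSP value into a Map of directive -> array of source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return the exposures that the given response headers leave unrestricted.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const pp = parsePermissionsPolicy(h["permissions-policy"]);
  const csp = parseCsp(h["content-security-policy"]);
  const findings = [];
  // Geolocation API and asynchronous clipboard reads are policy-controlled features.
  for (const feature of ["geolocation", "clipboard-read"]) {
    if (pp.get(feature) !== "()") findings.push(`${feature}: not disabled`);
  }
  // An injected <script src> only loads if script-src (or default-src) permits its origin.
  const scriptSrc = csp.get("script-src") || csp.get("default-src");
  const broad = ["*", "http:", "https:", "'unsafe-inline'"];
  if (!scriptSrc) findings.push("script-src: missing");
  else if (scriptSrc.some((s) => broad.includes(s))) findings.push("script-src: too broad");
  // object-src 'none' blocks plugin content such as Java applets.
  const objectSrc = csp.get("object-src") || csp.get("default-src");
  if (!objectSrc || objectSrc.join(" ") !== "'none'") findings.push("object-src: not 'none'");
  return findings;
}
```

An empty result means all four checks passed; each string in the returned array names one control that is missing or too permissive.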

