For those of you who don’t know, BeEF (the browser exploitation framework) is a tool that cleverly uses the browser’s built in functionality, javascript and other third party software against the user. What’s interesting is that it doesn’t rely on any exploit (although this is also possible) to get the job done, so even if you are fully patched, you can still be attacked using beef.
Initial compromise of the user’s browser usually relies on either XSS, luring the user to your own website containing malicious javascript or MITM injection of javascript. Once a user runs the beef hook javascript their browser silently connects back to the beef admin.


For detailed information about BeEF see my previous posts related to Browser exploitation framework.
Today we going to use Pretty Theft Module in BeEF to compromise the credentials of Facebook.


The pretty theft module is a phishing module that uses floating divs to create legitimate looking fake login boxes that are displayed in the browser.


Pretty theft module  was originally created by Nickosaurus Hax and You can look at code here.


Currently its supports Safari, Firefox, Chrome, Opera (User is notified) browsers.


It’s a simple little module that will use a lightbox-style effect to darken the user’s browser and pop up a new div stating that their session has timed out – and that they need to reauthenticate. It also has the option to provide an image to put in the header of the div, so if you like, you can use the compromised site’s logo / favicon to make it feel a touch more authentic. Once the user has provided their user and password again, the page returns to its previous state, and you have their creds.


A potential extension for this module could be to use the collected creds to authenticate to a given login page in order to test the user’s credentials before returning them to the site.
This will have some other implications if the application doesn’t support multiple concurrent sessions, but would provide further authenticity to the user who couldn’t just enter in fake creds and be on their merry may.
The beef framework brilliantly demonstrates how lethal even the smallest bit of javascript can be and how important it is to use NoScript. Through modules like Pretty Theft it’s really easy to demonstrate the kinds of the attacks organisations are facing today and how to best defend against them.


If we want to try to Social Engineer them and grab their Facebook credentials we can go to the Social Engineering tab and click “Pretty Theft”. And then ‘Execute’.


Here i exploited the victims browser with XSS and executed the pretty theft command…


Screenshot from 2014-07-25 13:07:08


Screenshot from 2014-07-25 13:08:39


Screenshot from 2014-07-25 13:09:37



Screenshot from 2014-07-25 13:14:39




On the victim’s browser a pop up will appear.



Screenshot from 2014-07-25 13:17:19




Oh no! My Facebook timed out!


Screenshot from 2014-07-25 13:18:09



If the user fills in their creds and hits Log in, this appears in the BeEF control panel


Screenshot from 2014-07-25 13:27:46