Skip to content

Persistence

Isaac Powell edited this page Mar 17, 2022 · 15 revisions

Introduction

_A recent discussion on persistence: _ (https://github.com/beefproject/beef/issues/2318)[https://github.com/beefproject/beef/issues/2318]

BeEF has several modules that have been developed to help maintain persistence on hooked browsers.

The modules can be found here:

Note (2022)

Most of the information on this page is wrong and outdated. Current status of persistence modules:

  • confirm_close_tab - still worked last i checked; but not as effective as it used to be.
  • hijack_opener - works, but requires specific conditions.
  • iframe_above - not sure; and requires user interaction.
  • invisible_htmlfile_activex - nice bug, but only ever worked in IE11. now patched.
  • jsonp_service_worker - not sure; and dependent on the web site exposing JSONP.
  • man_in_the_browser - patched many years ago. never worked in IE.
  • popunder_window - browsers now block popups by default; however, this module still works if the users clicks somewhere on the page.
  • popunder_window_ie - nice bug, but only ever worked in IE11. now patched.

Table of Contents

Old School Module

The Old School module will create a pop-up window underneath the victim's browser. This window will open an empty BeEF page. An old school technique but it still works!

Dirty Module

The Dirty module will ask the user to confirm that they want to close this tab again and again and again. Dirty!

Stealth Module

The Stealth module will rewrite all the links on the web-page causing them to load the target URL in a 100% foreground iFrame. This means that the victim sees the page they were expecting to be redirected to, but the URL still does not change!

Clean Module

The Clean module launches a "man-in-the-browser" hack. It listens for and handles any click on a link.

For links within same domain, Clean will make an AJAX request and load the new page instead of the old one and then add the page into the browser's history. There will be no visible difference to the victim. The page will load in the typical fashion but the browser is still hooked.

The Same Origin Policy prevents this behaviour on other domains, so in the event that the victim navigates to a domain that is not within the same domain, Clean will open the requested web-page in a new tab.


XSS Rays | BeEF RESTful API

Clone this wiki locally