It is increasingly important for enterprises to thoroughly educate employees on the dangers of using Web browsers. Employees should be aware of acceptable use policies and Internet access security processes. But how can an organization determine whether or not its users are making security-conscious decisions?
One answer is the Browser Exploitation Framework (BeEF), a budget-friendly penetration testing framework that helps companies deliver effective user awareness training surrounding these issues.
In this SearchSecurity screencast, Keith Barker, a Certified Information Systems Security Professional (CISSP) and trainer for CBT Nuggets LLC, demonstrates how to use BeEF to evaluate user behavior in a safe environment.
BeEF can be used to "safely" exploit Web and browser-based vulnerabilities like cross-site scripting (XSS) using client-side attack vectors. If a user clicks on a link that BeEF put there, it will hook the user's browser into the BeEF server. The tool -- which can be downloaded from the BeEF Project website or found in a distribution that already has it installed -- can also issue commands to the hooked browser, such as redirection, changing URLs, generating dialog boxes and more. It has the ability to run malware on the host behind the hooked browser's IP address and use that host as a launching point to infiltrate other computers on the same network, effectively spreading the malware.
BeEF is preinstalled on operating systems such as Kali Linux, as demonstrated in this tutorial. The BeEF server shows testers a myriad of options, including a report on all the plug-ins running on the hooked browser, plus up to 14 different browser components and whether they are enabled. Based on that information, BeEF can recommend the types of attacks that can be launched against the browser. The tool's reports are surprisingly detailed, providing in-depth data on the hooked browser, down to whether the device running the browser has a touchscreen.
From Clippy to a fake notification bar, BeEF shows hundreds of potential exploits to compromise a browser -- something that your employees should be aware of when surfing the Web on a company network.
About CBT Nuggets:
CBT Nuggets creates online IT training on topics including network security, server administration and more. Train 24/7 from any device. Try CBT Nuggets with a seven-day free trial and train on a variety of topics, including Cisco security, Wireshark, Linux and more. Watch. Learn. Conquer.
About Keith Barker:
Keith Barker, CISSP, is a trainer for CBT Nuggets and has more than 27 years of IT experience. He is a double CCIE and has been named a Cisco Designated VIP. Barker is also the author of numerous Cisco Press books and articles.