How I Hacked Into My Mom’s Browser
Disclaimer: This is for educational purposes only. Any malicious use of these tools are considered criminal.
Here’s a story to tell. My mom found out how much Narcos and Gossip Girl I was watching during my exams, so she decided to strip me away from something I cannot live without. OTT. No Netflix, Amazon Prime or Hotstar. Yeah, you heard that right.
I decided to take things into my own hands, and the only logical solution would be to hack into her browser and get the passwords back. Study? Pfft.
I started researching and came across a mind-blowing tool which will be discussed later. I sent her a link that she thought was a reel about the newest Paneer Butter Masala recipe, but in the background, I got access to her browser and her passwords too. And the best part is, she has yet to find out! This tool works with so much secrecy that my mom didn’t even know her browser was being hacked.
It’s time to wear a black hoodie, and some rounded glasses and buy multiple displays like Mr. Robot because I hacked into my mom’s browser and I’m going to tell you how.
How To Hack Into Someone’s Browser:
Introducing BeEf, not the Kendrick-Drake beef, but the Browser Exploitation Framework Project. This is a powerful tool that can be used to gain access to someone’s browser. My mom was always very against beef, I just added fuel to the fire.
BeEF is used to find vulnerabilities of web browsers, and penetration testers use it to understand the behaviour of browsers, find weaknesses, and discover counter-measures to stop black hat hackers.
That’s enough yapping, let’s get into it!
Step 1: Install a Virtual Machine software like VirtualBox or VMWare and download Kali Linux as an OS. BeEF does not work on Windows but can operate on any OS running Ruby 3.0+. I already had this installed, so my mom didn’t suspect a thing.
Step 2: Install & Run BeEf. BeEf usually comes pre-installed onto Kali Linux, but here’s how you can download and run it. Make sure to create a password when it asks you to! (A password your mother will never guess.)
sudo apt install beef-xss
sudo beef-xssQuick Tip : You can edit the config.yaml file in the BeEF directory to make advanced changes to the program such as using additional extensions like Metasploit.
Step 3 : Open up the BeEF server at http://localhost:3000/ui/panel and enter your username and password. This is the step where I got excited thinking about all the Narcos I’d be watching soon. It should look something like this:
Step 4: Copy the link for the advanced demo page from the site, and have someone open that link (with consent). You’re Done, that’s it!
Whenever someone opens your link, you’ll see their browser in the ‘Hooked Browsers’ menu:
You now have access to their OS, computer, and browser information! And most importantly, your family Netflix password.
What attacks can you run now?
In short, the possibilities are endless. But here are some of the most effective (and coolest) ones.
- Google Phishing Attack: a fake Gmail log in pops up, when the victim enter their information, they don’t know an attack even happened because BeEF redirects them back to Google. However, their Google password is now yours and I don’t need to explain the kind of threat this poses.
- Browser History: Yes, you heard that right. Delete it now before it’s too late. BeEf can access your browser’s search history with ease.
- Webcam: BeEF can access your webcam and take 20 pictures a minute in base64 encoded in .jpg format. You may want to trim your nose hair for this one.
- Redirect Rickroll: Quite possibly the most dangerous, but BeEF has a module that redirects you to Rick Astley’s 1987 hit, Never Gonna Give You Up. Stay safe, my friends.
On a serious note, BeEF can redirect the victim to any site of the penetrator’s choice. This can lead to further attacks.
- GeoLocation: This module reports the physical location of the browser using a Location API. You can be tracked from anywhere in the world.
- Autocomplete Theft: This only works on Firefox, but every password you’ve asked Firefox to autocomplete for you on different websites can now be accessed by BeEf too.
- Port Scanner: While performing any kind of hack, it’s important to know which ports are open and unmonitored. BeEf helps you scan every port to find vulnerabilities.
- Keylogger: This is a powerful tool where BeEf will make a note of every key used by the victim. By putting the letters together, you can find the websites they’re going to, their passwords, or even bank account details.
These were only a few of the extensive commands made available by BeEF. You need to experiment around to find your favourites.
How does BeEF do it?
You now know how powerful BeEF is, but how does it do it?
The main execution of BeEF is in its hook script. The hook script is JavaScript code that is injected into the target web browser by phishing a user into a certain link. I used an Instagram reel to phish my mom into clicking the link. She never suspected a thing.
Once the victim visits the link, the hook script sets up a communication channel between the browser and your BeEf server allowing you to run your hacks.
The process of getting a user to visit the link is called Social Engineering. This part requires real life social skills, unfortunately. BeEF can also target XSS vulnerabilities to inject the hook script which is why webpage security is crucial.
Man In The Middle (MITM) attacks are easily prevented now but still occur to an extent. BeEF can intercept genuine packets and inject the script before it even enters the port. This acts as a Trojan Horse because it disguises itself as regular traffic.
Lastly, BeEF can attack through plugins (Flash, Java) that already have full access to your web browser and are the entities in control. Scary, huh?
The Lesson:
Now that you know how easy it can be to hack into someone, I hope you’ve understood how careful you need to be online and that you can’t trust unknown sources.
I’m sure you know the generic safety steps like using different passwords, and not trusting random websites but here are some advanced steps you can take to make sure this never happens to you:
- Web Security: Input validation, Output encoding and other web security features must be employed throughout websites with popular traffic to prevent XSS vulnerabilities.
- Prevention: Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) can be used by users to make sure they never turn into victims.
- Browser Update & Extensions: Make sure your browser is always up-to-date and never give too much access to untrustworthy extensions
- Content Security Policy: This is a protocol that web developers can use to specifically prevent hook attacks.
- Just Be Careful: The best way to not become a victim is to be mindful of the links you click. It’s that simple.
If my mom followed these same steps, I wouldn’t be watching The Boys during my unit tests.
Conclusion:
BeEF is dangerous. BeEF is powerful. BeEF is just one of the various tools that can be used by black hat hackers to exploit innocent victims.
Everything from your identity, bank info, passwords, pictures, cryptocurrency to your secret mistress is available online and needs to be protected. Follow all the safety protocols already put in place to stay safe.
Oh, and have fun watching your mom’s reaction once you’re done with this.
