BeEF – basic commands

Now that we have our browser or target hooked, we can go to the Commands tab and start executing commands on the target:

We can use the Search option to look for a certain command, or we can use the categories and look for commands suitable for what we want to perform on the target computer. Some of the commands are information-gathering commands, some of them are social engineering, some of them will even give us full control over the target computer. There are a lot of commands, so we won't be able to go over all of them, but we will be looking at some of the most important commands so we know how to experiment and run them.

If we click on the Browser (53) option, we will see commands related to attacks that we can do inside the browser:

We can see attacks that will allow us to get a screenshot, or to try to turn on the webcam on the target and see whether it works. If we click on Exploits (78), we will see a number of exploits that we can run:

All we have to do is click on the module that we want to run and click on the Execute button:

There are some modules that need some options to be set up, and we'll have examples of them as well.

In the Social Engineering (21) option, we can show fake updates, fake notification bars, and so on:

Let's look at an example of a very simple command. We're going to run a command that shows an alert box. We use Search to filter for it, and we can see that it will just create an alert dialog that says BeEF Alert Dialog:

We can modify the alert and type anything we want, for example, change Alert text to test. Then, when we hit the Execute button, we will see in the target browser that a message saying test has been injected, as shown in the following screenshot:

Another interesting thing that we can use is the raw JavaScript command. It will allow us to execute any JavaScript we want. So, again, we can search Google for useful JavaScript code, such as a keylogger, or we can write our own script if we know JavaScript, and whatever we write will be executed on the target. Again, we're going to pop up an alert that returns BeEF Raw JavaScript, and then hit the Execute button:

It will give us a dialog saying BeEF Raw JavaScript, just like we got in the previous example:

Now, let's see whether we can get a screenshot of the target computer. For this, we're going to use a plugin called Spyder Eye. Again, we click on the plugin, hit Execute, give it a second, and then click on command 4 in the Module Results History tab:

The preceding image shows us a screenshot of what the target person is looking at.

Another really good plugin is the Redirect Browser plugin. It will allow us to redirect the browser to any web page we want. This could be very useful because we can use it to redirect the target person and tell them that they need to download an update, and instead of giving them an update, we give them a backdoor. We can redirect them to a fake login page for Facebook; we can do anything we want with the Redirect Browser plugin. We can set the website that we want the target to be redirected to. We're going to redirect them to http://beefproject.com in this example, and once we hit Execute, the target is redirected to http://beefproject.com or to whichever link is entered in the Redirect URL textbox:

These are some of the basic modules that we can use. 
