How to do it...

In order to automate BeEF, we will be using the BeEF Autorun Rule Engine (ARE). With ARE, we can automatically run commands on a browser when it is hooked, provided it meets the requirements we specify. As an example, we would only want to run Google Chrome commands if the browser that is hooked is Google Chrome:

  1. BeEF comes prepackaged with a number of ARE rules. On Kali, we can view them by navigating to the /usr/share/beef-xss/arerules/ directory and viewing its contents, as shown in the following screenshot:
  2. Although BeEF comes prepackaged with ARE rules, these rules are continually being updated and added to. To view the latest comprehensive list of ARE rules, we can visit the BeEF project's arerules page at https://github.com/beefproject/beef/tree/master/arerules.
  3. To get the latest rules, we will download the BeEF master archive. We switch to the /tmp/ directory and download the latest BeEF archive from https://github.com/beefproject/beef/archive/master.zip. We can now unzip the contents using the unzip command:
  4. Notice that we have downloaded the entire BeEF project, although all we need is to update the rules. So let's switch to the arerules directory of the extracted archive, and we will run a command to look for autorule files and move them to the /usr/share/beef-xss/arerules/ directory.
  5. We can then switch back over to the /usr/share/beef-xss/arerules/ directory and confirm that the files were moved. We should also go back to the /tmp/ directory and remove the files there, as they are no longer needed. We can do this by executing the rm -r /tmp/beef-master and rm master.zip commands:
  6. Now that we have the latest ARE rules, let's look specifically at the man_in_the_browser.json file. Man-in-the-browser attacks work by intercepting the request when a user clicks on a link. If the link is on the same domain, it simply makes an AJAX call to load the new page. To the user, it doesn't look any different from what they would normally experience; however, they remain hooked. In the event that the link is to another domain, a new tab is launched to load the requested page. This may or may not tip off the user; however, it is not that uncommon for sites to open pages in new tabs. This is required because the same-origin policy won't allow us to make the request in the same way as if the link were to another page on our given domain.
  7. In order for us to automatically run our ARE rules, we must move them from the /usr/share/beef-xss/arerules/ directory to the /usr/share/beef-xss/arerules/enabled/ directory.
  8. After moving them, we need to restart BeEF in order for it to pick up the new configuration:
  9. When we originally created our web page to hook our victims, we did not add any links to the page. Let's begin by editing our beef.html file with the vi editor:
  10. Now, we can edit the page and add a link. In this example, we will add the following HTML to our page:

        <p>You should check out
        <a href="http://www.packtpub.com">PacktPub</a>
        </p>

  11. Now we navigate to 172.16.69.133/beef.html from our Windows XP machine. From our BeEF panel, we can see that the browser is hooked as expected:
  12. When we navigate away from our page and to www.packtpub.com, our man_in_the_browser.json file goes to work, keeping our browser hooked. If we look in the logs, we can see that it was executed. Additionally, even though the user navigated away, we can see that our browser remains online: