beefproject / beef

The Browser Exploitation Framework Project

Home Page: https://beefproject.com

The victim's browser won't stay on BeEF

vivianfrench2 opened this issue

If I hook the victim's browser to BeEF, the victim will close the browser and their computer will be offline, even though it's not. How do I ensure the hook will stick?

This is the nature of web browsers. The web browser process is terminated when the web browser is closed. When a process is terminated, it is no longer executing code.

There are numerous persistence modules, such as the Popunder Window and Create Pop Under (IE) module (which will bypass the popup blocker in unpatched versions of Internet Explorer), which allow a sustained connection with the zombie browser until such time as the tab executing the hook code is closed.

These techniques will not survive closing the browser, as doing so will close all open tabs. It's possible that, when the browser is opened again, the browser may re-open previously opened tabs, causing the zombie to reconnect to the BeEF server.

It would be great if there were some way to cause the browser to leave a dangling thread, executing our code, even after the browser appears to have been closed. Unfortunately, at this time, no such technique exists. This would also be considered a bug and would eventually be patched by browser developers. If you're interested in researching this area, I would suggest starting with web workers as a potentially interesting starting point.

The best way to maintain permanent persistence would be to compromise and backdoor the underlying operating system. There are a few social engineering modules to gain code execution. At this stage, you're no longer exploiting the browser - instead compromising the underlying host. In the event that you've compromised a host system, and want to maintain a BeEF hook as opposed to a traditional command and control channel, this could be achieved through installing a malicious browser extension, backdooring one of the browser components, or injecting into the browser process.

Hi @vivianfrench2, has this been resolved for you? I will be closing this ticket in a week if there is no response. Thank you.

Closing as question has been answered