How does BeEF work and how can it be persistent?
BeEF is best run from the MITMf tool -- both are available in most versions (especially recent) of Kali Linux. MITMf has an extension to BeEF not found in other places called BeEFAutorun. Both BeEFAutorun and BeEF Autorun Rule Engine (ARE) work similarly to XSSF and Trustwave SpiderLabs' beef_injection_framework, but the built-in ARE is superior and works out of the box. MITMf is a competitor to Ettercap (older) and bettercap (newer and includes a beefbox proxy module). Videos from TheBeefProject here.
That said, BeEF and XSSF -- no matter how delivered or automated -- both have their benefits and drawbacks. Neither has a built-in cache-persistent capability. This cache technique might only apply to browsers that support HTML5 offline storage, although most today do. The original technique was discovered by Lavakumar Kuppan and discussed on his website, andlabs (tool site down, but blog post is still up), as well as in the book HTML5 Security in the section on Application Cache. An HTML manifest tag can specify a cache.manifest file where storage occurs. A man-in-the-middle condition, control of a proxy server, browser hook (e.g., BeEF), etc., is required to initiate the attack. Code to perform the attack has been slightly modernized from the original code and is available on GitHub as squid-imposter.
How is it possible to execute JavaScript across tabs/sessions?
This functionality is already available in the BeEF Modules that provide persistence. In particular, a BeEF attacker should consider using both the man_in_the_browser and the iframe_above modules unless they want a temporary injection. If all you need is a temporary injection (such as via your own hosted, malicious site, via an XSS, or other quick mechanism), then I would use the invisible_iframe module to provide a link to a metasploit-framework browser_autopwn listener. This technique is provided in the book, Gray Hat Hacking The Ethical Hacker's Handbook, 4th Edition. I think that this book has the most thorough coverage on BeEF and MetaSploit integration, but Mastering Kali Linux for Advanced Penetration Testing, Intermediate Security Testing by Daniel Dieterle, and The Browser Hacker's Handbook also mention many of these techniques.
It's interesting to compare the code from BeEF to XSSF. For example, keeping persistence across tabs in XSSF is performed by the ghostify and iframeize modules. One thing I enjoy with XSSF is the direct integration to the msfconsole command-line interface. BeEF does provide a Console, as well, though. A book that is in progress called Holistic InfoSec for Web Developers has an excellent section on configuring BeEF that includes metasploit-framework integration and setup of the BeEF Console. The author also has a YouTube channel where BeEF is extensively covered in demos 1 and 3. The XSSF console is incredibly flexible when time-pressured, implementing commands such as xssf_add_auto_attack detect_properties, which can be very useful in live scenarios and cyber exercises. The setup and teardown of XSSF Tunnels is excellent. BeEF has more modules and is easier to troubleshoot if you need extra console (BeEF has both web-based and command-line consoles, as well as this third-party contributed command-line version named beefconsole.rb) and debugging (e.g., beef cli options) capabilities. Particularly awesome is the MS Office detection module -- and a PowerShell-friendly Meterpreter-delivered social-engineering attack against Internet Explorer with hta_powershell. Finally, BeEF supports channels over WebRTC, making it one of the coolest tools on the block.
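As an added, defender-side example (not from the answer above and not code from the BeEF or XSSF projects): a small Python scanner that flags, in an HTML response captured at a proxy or in a web log, the two persistence markers the answer discusses, an HTML5 AppCache `manifest` attribute on `<html>` and a hidden iframe of the kind a hook module injects. The sample pages and the `hook.example` URL are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample responses (not from the original page): one clean page and
# one carrying both persistence markers discussed above.
CLEAN_PAGE = '<html><head><title>ok</title></head><body><p>hi</p></body></html>'
SUSPECT_PAGE = (
    '<html manifest="cache.manifest"><head><title>x</title></head><body>'
    '<iframe src="http://hook.example/hook.js" style="display:none;width:0;height:0"></iframe>'
    '<p>content</p></body></html>'
)


class PersistenceMarkerScanner(HTMLParser):
    """Collects findings that hint at AppCache poisoning or hidden hook frames."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'html' and 'manifest' in attrs:
            # An AppCache manifest is what the cache-persistence technique relies on;
            # legitimate sites rarely use it today, so it is worth reviewing.
            self.findings.append(('appcache_manifest', attrs['manifest']))
        elif tag == 'iframe':
            # Heuristic: frames hidden via CSS or zero size are typical hook carriers.
            style = attrs.get('style', '').replace(' ', '').lower()
            hidden = ('display:none' in style or 'visibility:hidden' in style
                      or 'width:0' in style or 'height:0' in style
                      or attrs.get('width') == '0' or attrs.get('height') == '0')
            if hidden:
                self.findings.append(('hidden_iframe', attrs.get('src', '')))


def scan_html(body: str):
    """Return a list of (finding_type, value) tuples for one HTML body."""
    scanner = PersistenceMarkerScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


if __name__ == '__main__':
    for name, page in (('clean', CLEAN_PAGE), ('suspect', SUSPECT_PAGE)):
        print(name, scan_html(page))
```

Run it over response bodies logged by a proxy to surface pages that acquired a manifest attribute or a hidden frame they did not have before.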