How does BeEF work? (working understanding)

Alright, BeEF is a framework similar to Metasploit. BeEf uses a javascript, hook.js, which when executed by a browser, gives a hook to BeEF. With a hooked browser, similar to metasploit, you have an array of exploits in front of you. Some of them are viewing cookies, browser history to the more sophisticated attacks of getting a shell. I know for a fact that there is a shell exploit that uses a JBoss vulnerability. So, how the attack works is as follows, the client visits a malicious page, which contains BeEF's hook.js script running on it, or it can be executed via a XSS attack. When this is executed, you can see that a browser is hooked to you on your BeEF control panel and thereafter, launch exploits.

More Details: The BeEF launches a BeEF instance which is a combination of the UI server(the UI which is used to launch attacks and shows the various exploits) and the communications server which coordinates and communicates with the hooked browsers. These 2 servers in collaboration makes BeEF work.

BeEF has a very clean interface, by organizing attacks based on type and also indicating if particular attack is relevant to a browser (IE, FF, Chrome etc.). So you can just point and click on the attacks to launch.

What purpose does it have in real world? I am curious to know how it would enhance the security in an organization.

It can be used as a serious Pen Test tool. In most cases, when you demonstrate an XSS to a client (assuming you're a pen tester) it does not have that much of an impact when you show them a silly pop up. On the other hand, if you demonstrate XSS using BeEF, now that will give them a scare.

Further reading: http://code.google.com/p/beef/wiki/WindowsInstall