Dr. Strangelove: How I Learned to Stop Worrying and Love the BeEF

Michele Orru just presented “Dr. Strangelove or: How I Learned to Stop Worrying and Love the BeEF” at the 2011 CONfidence in Krakow.

What will you do during a pentest if you should get access to some target internal resources while having no exploitable external ones for the escalation? Well, there could be many responses on this provocative sentence, starting from Social Engineering techniques to the exploitation of victims browser inside the target.

We will see how BeEF can help resolving almost impossible pentest situations while directly exploiting the victims inside the target, using their machines as pivot to gather access to internal as well external resources, and how it’s much easier now to extend BeEF functionality writing your own modules to suit your needs.

Great stuff, and not just because every conference should have at least one presentation modelled after Dr. Strangelove. This could actually spark a contest that spans security conferences — each one gives an award for best Dr. Strangelove security talk.

Although I’m obviously biased I would like to think my comparison to Stuxnet hysteria I presented earlier this year was more historically aimed and made more sense as a threat analysis.

Is anyone, and I mean anyone, really so worried about the Browser Exploitation Framework (BeEF) that they are proposing changes to national security? I don’t see it. Seems to me more of the opposite reaction to the BeEF — browser exploits are out there, and BeEF is doing what BeEF does…mooing and grazing and dumping excrement (filling logs).

If it were my choice I might have tried “BeEF, the other pentest meat”, “BeEF, it’s what’s for pentests”, “What’s on your (zombie) grill?” or even “Ground BeEF: Cutting the legs off a browser”.

But on the other hand I admit I’m still in favour of as many presentations using Dr. Strangelove as possible to drive the message. The more Strangelove the better.

In related news, the presentation talked about the effort to port BeEF from PHP to Ruby. I vote they rename the new Ruby version “DeCalf” (e.g. not written in Java).

One thought on “Dr. Strangelove: How I Learned to Stop Worrying and Love the BeEF”

  1. Before I even read this post, the title made me think of your Dr. Stuxlove presentation.
    Dare I say, trendsetter?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.