Exploitations

Learning outcomes:

• List the aspects of systems that are vulnerable to exploitation
• List several ways people can be exploited including common Social Engineering techniques and preventions
• Explain what an exploit is, how it is labeled and classified
• Describe the importance of patch management in relationship to exploits
• Describe some examples of risky applications, and how code can be tested including the use of fuzzers

Would you like to download my PowerPoint to follow along?

• What is Exploitation
• Recon shows us where the vulnerabilities are
• Exploitation gives us access to systems/resources by taking advantage of those vulnerabilities
• Exploitation is a precision thing, think scalpel not shotgun or smash and grab
• We should have a high value target (or list of targets) we're aiming for
• Look at the success probability and impact on the organization
• Remember we're the good ones! If the attack takes down the system and the company loses money, we're not doing good
• Custom VS Public exploits
• Public and known exploits can be taken advantage of using common tools
• Tailored exploits and custom exploits can be created/found
• Tailoring requires more skill, in depth programming and systems knowledge
• Known exploit for XP SP2, can we get something similar to work on XP SP3?
• Zero-day is a last resort. Most malicious attackers aren't sophisticated enough for a zero-day
• These need to be tested on your own systems that match the target systems as well as you can
• Examples of Exploits
• People
• Layer 8
• Social engineering
• Phishing/vishing/smshing
• Spear phishing
• Physical location
• Operating Systems
• Applications and common tools
• Risky Applications
• Browsers
• PDF
• Flash
• Office apps (Macros)
• Legacy applications
• Memory/buffer overflows and corruption
• MitM and WiFi proximity attacks
• Exploit Vocab
• Zero day exploitation
• Pivoting
• Use a compromised system to exploit others
• If you compromise a printer on the network, use the printer to attack the computers to hide your trail and guard against restrictions such as firewalls
• Also called Island Hopping
• Proxy Pivoting is channeling all your traffic through your pivot point
• VPN pivot directs traffic using an encrypted layer to tunnel into your target
• Appears as if the attacker is in system
• Exploit Classification
• Known exploits and classifications
• MITRE CVE classifications
• Trademarked by MITRE to have a free and open standard
• Sponsored by DHS and CISA (Cybersecurity and Infrastructure Security Agency)
• National Vulnerability Database (NVD)
• Exploits are scored using the Common Vulnerability scoring system to determine the risk
• The databases are used as reference for vulnerability scanners
• Exploit Reporting
• CVE board notes and charter is public
• CVE numbering authorities (CNA) can distribute CVE IDs when a new one is found
• CVE IDs can be requested by finding your CNA
• How to report exploits
• How to make a quality report
• Google's Bug hunter program including resources on how to get started and write a good report
• Writing a good and detailed vulnerability report
• Legal issues
• An Attorney's View of Vulnerability Disclosure
• Coders' Rights Project Vulnerability Reporting FAQ from the EFF
• Researchers vs accidental
• Bug Bounties
• Bug Bounty Basics
• Find a bug --> Report-->$$$
• Some companies choose to work with Hackers rather than against them
• Public bug bounty programs are starting to get more popular
• Public Bug Bounty Program List from Bug Crowd
• Public bug bounties have 6x the amount of people working to find bugs then invite only, however almost 80% are private programs
• Some companies start invite only/private until they are comfortable with the scary hackers
• Vulnerability disclosure policies - clear guidelines for reporting
• Patch Management
• This is a process companies use to update software, OS and applications
• Patch management classifies and prioritizes vulnerabilities and bugs that are found
• Patches usually comes from the vendor, but can also be public
• Secure Programming
• DevOps vs DevSecOps
• DevOps is when you can developers who automate manually done processes
• DevSecOps is when you actually care about the security of your operations and have security measures in your development process
• DevSecOps is still new because security can slow down development
• Tools to test your programs
• Most languages have tools to test your code
• Fuzzers
• Black box testing technique
• Uses malformed or semi-malformed data and injects it into your software using automation
• For example, your program adds two numbers? Cool, what happens if I use very very large numbers? Small ones? Binary sequences? Chars or strings? Unsigned?

Suggested Activities and Discussion Topics:

• Go to this list of Public Bug and Security Vulnerability Disclosure Programs and pick one to research and then share your thoughts. Would you be comfortable participating? What are the rules? What are the limits? What safeguards do they have in place?
• Find an interesting exploit at one of the following links, be ready to share what you found.
• National Vulnerability Database
• Rapid7 - Vulnerability & Exploit Database
• VulnDB - Vulnerability Database
• Offensive Security - Exploit Database

Would you like to see some more classes? Click here