An exploit is a program that takes advantage of a vulnerability in software. Vulnerabilities can occur in firmware, drivers, operating systems or software. The exploit enables the attacker to …
An exploit is only as dangerous as the corresponding vulnerability. For example, an exploit can only allow user account rights, while a better exploit with the same vulnerability allows root access.
MITRE classifies the vulnerability on a CVSS scale of 1 to 10. 6/7 and above are serious vulnerabilities that require action. A level 10 vulnerability means that an attacker can remotely attack a victim computer without access data or other prerequisites hindering the hacker.
The known “ping-of-death” vulnerability was the following:
The attacker manipulates an IP packet so that the IP address of the receiver and the sender are the same. The packet sent reaches the victim system. The victim immediately sends the packet “to itself”. The computer is stuck in a receive-send loop – until the computer crashes.
Steffen Lippke
How are exploits created?
As soon as a security gap is known, criminals and security researchers try to exploit it. An exploit is a perfectly adapted weapon with which criminals can specifically attack 1 program or system.
Exploits are bash, terminal or PowerShell scripts or Java, Ruby or Python programs (and similar) that a developer has created for the vulnerable location. Once an exploit is ready, the user can only specify the necessary parameters (IP, port, etc.) to gain (root) access to the system.
Use of an exploit
Exploits should ideally not exist – but security researchers want to show companies that their gaps can be actively exploited.
Honest people should not publicise exploits for the time being, but should approach the company first.
Steffen Lippke
The developers should close the gap promptly and encourage their customers to patch it.
04 Windows vulnerabilities
If the majority of customers haveupdated their software, then the security researcher can go public with the exploit (and reap the rewards).
On the other hand, criminals create exploits to enrich themselves. Either they hack the affected companies themselves and blackmail the companies…
… or …
The criminals sell the exploit on the Darknet (eBay for zero-day exploits).
Legal use for exploits?
Yes.
If an administrator has forgotten his password or taken it to the grave, then an exploit is the only way to regain access.
Such a system should be taken offline if possible, because other hackers could attempt a hack at the same time.
The criminals search the Internet for server software and index it in a table with the corresponding IP address. If an exploit for server software XY becomes known, they can attack the servers in a matter of minutes.
If the exploitsare successful, the test can protect companies from a data breach.
In the past, one or two pranksters have published exploits out of stupidity without informing the manufacturer concerned beforehand. Disappointed security researchers publish their exploits out of “frustration” if the company does not close the gap. Hacktivists publish exploits out of protest in order to deliberately harm a manufacturer and exert pressure.
Legally, these actions are not illegal. In reality, this would mean that a gun dealer places loaded weapons on the street and the gun dealer assumes that nobody will turn the weapons against a person.
Where can I find exploits? – Sources
Exploits are available in …
Exploit DB: The company Offensive Security maintains this database (known as the developers of Kali Linux). They sort the vulnerabilities according to the Common Vulnerabilities and Exposure database (CVE), in which all vulnerabilities are listed.https://www.exploit-db.com/
Metasploit: The company Rapid7 develops the Metasploit software. The Community Edition offers many free exploits. Metasploit summarises exploits as a framework in order to minimise the training time per exploit.
Free repos: The Wild West of exploits are the public Git servers (e.g. GitHub). Security researchers or hacktivists post exploits online. For these exploits you need more familiarisation time, because in most cases they are hardly / not documented.
What if I have created an exploit myself?
The first step is to contact the affected company without using traditional email.
Use encrypted emails such as PGP or S/MIME to stop curious hackers. Present or describe to the company how your exploit works so that they can improve it. This process is called ethical hacking. You can receive a finder’s fee for your find.
How can I protect against exploits? – Protection
Patch, patch, patch!
Update: As a user or administrator, you should always install security updates quickly.
Harden: Make it difficult for hackers. Switch off functions of software that you don’t use, block unused ports and implement best practices for the security of your application.
Useless: Switch off unused servers and software. Patch not only your software, but also the operating system, firmware and drivers on your computer. Less software means more security.
Encrypt: Use a VPN for internal company applications so that servers are not unnecessarily accessible from the internet
Least Privilege: Set up strict rights management so that everyone can only do what he or she wants to do.
Internal network = Internet: Treat your internal servers as if they are connected to the Internet. If a hacker has penetrated the company network, lateral movement should remain difficult.
This concept is called Zero Trust. You only trust the teachings of cryptography and no one in your organisation because the administrator must assume that any account can be compromised at any time.
Steffen Lippke
What is the difference to a software bug?
03 Bug tracking
Exploits are software bugs – but not every software bug is an exploit.
Bugs are programming errors that cause undesired behaviour. Non-hazardous bugs are, for example, user interface bugs (1 button missing).
The bug is annoying, but this bug cannot be utilised in an exploit. Developers should close their bugs promptly to prevent an attacker from finding a way to develop an exploit directly from the bug.
Leave a Reply