# Exploit Discovery

In this chapter, we’ll dive into how to identify the correct exploit for a vulnerability using resources like SearchSploit, MITRE ATT\&CK, and NIST’s National Vulnerability Database (NVD). This process involves pinpointing vulnerabilities, understanding exploitability, and selecting appropriate tools and methods. We’ll walk through three in-depth case studies that illustrate different scenarios in network, web application, and system exploitation, showing how these frameworks can streamline the process of locating and selecting the right exploit.

***

#### Key Frameworks for Exploit Discovery

1. **SearchSploit**: A command-line tool shipped with the Exploit-DB repository that searches a local copy of the exploit archive from your terminal, so it works offline. Useful for finding pre-written exploits for known vulnerabilities.
2. **MITRE ATT\&CK**: A comprehensive knowledge base that categorizes tactics and techniques used by cyber adversaries, linked to real-world observations. Helps in mapping out stages of an attack and finding corresponding methods and tools.
3. **NIST National Vulnerability Database (NVD)**: Contains standardized data on software vulnerabilities (CVEs). Each entry includes information about the severity, impact, and possible mitigations, making it a valuable resource for identifying risks and finding mitigations.

***

#### Case Study 1: Web Application Exploitation – SQL Injection Vulnerability

**Scenario**

A cybersecurity assessment has identified a web application with an SQL injection vulnerability in the login form. The web app uses a poorly coded SQL query that is susceptible to injection attacks.

**Steps to Identify and Use the Exploit**

1. **SearchSploit**:
   * **Query**: Using `searchsploit "SQL injection" web application` on the terminal yields several potential scripts, payloads, and methods for exploiting SQL injection.
   * **Exploit Selection**: Narrow down based on the web app’s technology stack (e.g., PHP or ASP).
   * **Example Exploit**: `SQL Injection Exploit - PHP (Login Bypass)`. Download the exploit and review its contents to ensure it aligns with the application environment.
2. **MITRE ATT\&CK**:
   * **Mapping Technique**: Using the MITRE ATT\&CK framework, SQL Injection falls under the `T1190 - Exploit Public-Facing Application` technique, which is part of the “Initial Access” tactic.
   * **Further Analysis**: Mapping the technique helps identify related methods attackers may use in conjunction with SQL Injection (e.g., credential dumping after a successful login bypass).
3. **NVD**:
   * **Vulnerability Lookup**: Check the NVD database for similar SQL injection vulnerabilities (e.g., CVE-2020-12084). This entry might include severity, associated risk, and potential mitigation or remediation suggestions.
   * **Severity and Relevance**: The CVSS score on NVD helps determine whether this is a critical vulnerability and how to prioritize it, which helps justify the exploit’s importance.

**Execution**

Once the vulnerability is verified, a crafted SQL payload (like `admin'--`) can bypass login. Further, tools like SQLmap automate the attack and extract sensitive information from the database once initial access is gained.
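Why the `admin'--` payload works, and what closes the hole, shown as an added example that is not part of the original chapter. It assumes a hypothetical `users` table in an in-memory SQLite database holding one constructed account:

```python
import sqlite3


def make_db():
    """In-memory database with one constructed account (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-hash-value')")
    return db


def login_vulnerable(db, username, password_hash):
    """The 'poorly coded' pattern: user input is concatenated into the SQL text."""
    # A quote in `username` closes the string literal early, and `--` turns
    # the rest of the statement (the password check) into a comment.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password_hash):
    """Parameterized form: values travel separately from the SQL text."""
    # The payload is compared as a literal username and matches no row.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin'--"  # the payload quoted in the text above
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))
    print("hardened:  ", login_hardened(db, payload, "wrong"))
```

The hardened function is the remediation to verify after the finding is reported: the same input must be rejected while a correct username and hash are still accepted.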

***

#### Case Study 2: Network Exploitation – SMB Vulnerability

**Scenario**

During a network audit, an SMB service on a Windows server (version 2003) was identified as vulnerable. A quick scan suggests this service may be susceptible to an exploit for the MS08-067 vulnerability, a critical buffer overflow in Microsoft’s SMB protocol.

**Steps to Identify and Use the Exploit**

1. **SearchSploit**:
   * **Query**: Execute `searchsploit MS08-067` to locate relevant exploits for this known vulnerability. This command reveals multiple options, including Python scripts and Metasploit modules.
   * **Exploit Selection**: Choose an exploit such as `Microsoft Windows Server Service - Remote Buffer Overflow (MS08-067)`, which can be used with or without Metasploit.
   * **Verification**: Run a test payload in a controlled environment to confirm exploit functionality.
2. **MITRE ATT\&CK**:
   * **Mapping Technique**: The MS08-067 exploit maps to the `T1210 - Exploitation of Remote Services` technique, useful in lateral movement within a network.
   * **Tactical Relevance**: The tactic helps reveal related techniques that may support post-exploitation (e.g., privilege escalation using stolen credentials after initial access).
3. **NVD**:
   * **Vulnerability Check**: Search for `CVE-2008-4250` in the NVD for details on MS08-067. This vulnerability has a high CVSS score due to its critical impact on unpatched systems, which underlines why this exploit matters.

**Execution**

Use Metasploit with the `ms08_067_netapi` module to initiate the exploit on the target IP. If successful, it opens a reverse shell, granting remote command execution. Further privilege escalation techniques can be employed to gain system-level access.

***

#### Case Study 3: Credential Harvesting and Privilege Escalation on Linux

**Scenario**

In a penetration test against a Linux-based web server, weak or reused passwords are suspected. Network reconnaissance shows SSH open on a non-standard port, indicating it might be accessible with credential-based attacks.

**Steps to Identify and Use the Exploit**

1. **SearchSploit**:
   * **Query**: Run `searchsploit SSH brute-force` to find scripts and tools that perform brute-force or dictionary-based SSH attacks.
   * **Exploit Selection**: Choose a brute-forcing tool, such as Hydra or Medusa, along with common password lists.
   * **Auxiliary Tools**: Consider using tools like John the Ripper or Hashcat if credential hashes are captured during the test.
2. **MITRE ATT\&CK**:
   * **Mapping Technique**: This type of attack maps to `T1110 - Brute Force`, under “Credential Access.” The tool choice aligns with real-world tactics where attackers systematically attempt to gain SSH access through brute-force.
   * **Linked Techniques**: This approach may also involve `T1078 - Valid Accounts`, emphasizing post-compromise activities once access is gained.
3. **NVD**:
   * **Vulnerability Reference**: NVD may not have a direct CVE entry for brute-forcing, as this is a general approach rather than a specific flaw. However, searching for default credential vulnerabilities or known weak password lists in services (e.g., `CVE-2020-7460` for SSH with default credentials) can inform the risk level.

**Execution**

Using Hydra: `hydra -l root -P passwords.txt ssh://<target_IP>:<port>`. If credentials are cracked, a shell can be accessed, followed by privilege escalation attempts (e.g., checking for `sudo` rights or SUID binaries).

Tools like `LinPEAS` and `Linux Exploit Suggester` can be run for potential privilege escalation techniques, further mapping out exploitable paths on the server.
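From the defender's side, a brute-force run like the one above leaves a recognizable pattern in the SSH server's authentication log. The following added example (not part of the original chapter) flags it over constructed log lines; the host name `web01`, the threshold and the time window are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (documentation IP ranges, hypothetical host web01).
SAMPLE_LOG = """\
Mar 10 09:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 10 09:14:02 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 10 09:14:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar 10 09:14:04 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 40128 ssh2
Mar 10 09:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 10 09:14:09 web01 sshd[2216]: Accepted password for root from 203.0.113.7 port 40132 ssh2
Mar 10 09:20:00 web01 sshd[2300]: Failed password for invalid user test from 198.51.100.4 port 51000 ssh2
Mar 10 09:31:12 web01 sshd[2340]: Accepted password for deploy from 192.0.2.10 port 52044 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Flag source IPs with >= threshold failed logins inside `window` (T1110)
    and record accounts that then log in successfully from a flagged IP (T1078)."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = {}                   # ip -> {"failures": n, "succeeded_as": [users]}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "succeeded_as": []})
                alert["failures"] = max(alert["failures"], len(recent))
        elif ip in alerts and m["user"] not in alerts[ip]["succeeded_as"]:
            # A success right after a burst of failures deserves triage first.
            alerts[ip]["succeeded_as"].append(m["user"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```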

***

#### Additional Resources

* **Exploit-DB**: Searchable database of exploits, includes SearchSploit for terminal-based access.
* **MITRE ATT\&CK Navigator**: Interactive tool for mapping out tactics and techniques by stages of an attack.
* **National Vulnerability Database (NVD)**: Tracks all known CVEs, their severity scores, and contextual information.

Each case demonstrates the synergy between these frameworks, from identifying vulnerabilities to selecting the right exploits and post-exploitation activities. Following this structured approach helps ensure systematic exploitation while considering each vulnerability's context and overall attack chain possibilities.

Here’s an extensive list of common vulnerabilities, their corresponding MITRE ATT\&CK techniques, and descriptions. Each vulnerability type is associated with its relevant MITRE ATT\&CK technique ID (when applicable).

<table data-view="cards"><thead><tr><th>Vulnerability</th><th>MITRE ATT&#x26;CK Technique</th><th>Description</th></tr></thead><tbody><tr><td>SQL Injection</td><td>T1190 - Exploit Public-Facing Application</td><td>An attacker injects malicious SQL queries into input fields to manipulate database queries and access unauthorized data.</td></tr><tr><td>Command Injection</td><td>T1059 - Command and Scripting Interpreter</td><td>Exploits allow attackers to execute arbitrary commands on a host, often used to gain control or retrieve sensitive data.</td></tr><tr><td>Cross-Site Scripting (XSS)</td><td>T1059.007 - Cross-Site Scripting</td><td>Malicious scripts are injected into trusted websites, leading to session hijacking or data theft.</td></tr><tr><td>Cross-Site Request Forgery (CSRF)</td><td>T1056 - Input Capture</td><td>Exploits user sessions by tricking them into making unwanted actions on a trusted application.</td></tr><tr><td>Path Traversal</td><td>T1104 - Directory Traversal</td><td>Attackers manipulate URL paths to access files and directories outside the web root.</td></tr><tr><td>Local File Inclusion (LFI)</td><td>T1211 - Exploitation for Privilege Escalation</td><td>Allows attackers to include files from the local server, potentially exposing sensitive info.</td></tr><tr><td>Remote File Inclusion (RFI)</td><td>T1190 - Exploit Public-Facing Application</td><td>Attackers remotely include files, often malicious, from a server they control to compromise a host.</td></tr><tr><td>Buffer Overflow</td><td>T1203 - Exploitation for Client Execution</td><td>Overflowing a buffer with excessive data to manipulate the memory, often allowing code execution.</td></tr><tr><td>XML External Entity Injection (XXE)</td><td>T1190 - Exploit Public-Facing Application</td><td>Attackers exploit XML parsers to access system files or initiate network requests.</td></tr><tr><td>Insecure Deserialization</td><td>T1574.002 - Dylib Hijacking</td><td>Exploits unsafe handling of serialized 
data, leading to remote code execution or data manipulation.</td></tr><tr><td>Server-Side Request Forgery (SSRF)</td><td>T1071.001 - Application Layer Protocol</td><td>An attacker tricks a server into making requests to unauthorized locations on its behalf.</td></tr><tr><td>Unrestricted File Upload</td><td>T1190 - Exploit Public-Facing Application</td><td>Attackers upload malicious files, which can then be executed on the server.</td></tr><tr><td>Improper Authentication</td><td>T1078 - Valid Accounts</td><td>Weak authentication practices allow unauthorized access to system resources.</td></tr><tr><td>Hardcoded Credentials</td><td>T1110.001 - Credential Dumping</td><td>Developers leave credentials within code, making them vulnerable to discovery and misuse.</td></tr><tr><td>Insecure Direct Object References (IDOR)</td><td>T1530 - Data from Local System</td><td>Exposes data by failing to properly authorize access to internal objects.</td></tr><tr><td>Improper Session Handling</td><td>T1525 - Implant Container Image</td><td>Weak session management allows attackers to hijack or manipulate sessions.</td></tr><tr><td>Weak Password Policies</td><td>T1110 - Brute Force</td><td>Weak or unenforced password rules make accounts more susceptible to brute-force attacks.</td></tr><tr><td>API Key Leakage</td><td>T1552 - Unsecured Credentials</td><td>Exposed API keys allow unauthorized access to application functionality or data.</td></tr><tr><td>Improper Error Handling</td><td>T1047 - Exfiltration Over Unencrypted/Obfuscated Channel</td><td>Error messages reveal sensitive data or give attackers clues to exploit vulnerabilities.</td></tr><tr><td>Race Condition</td><td>T1069.001 - Permissions, User, Group</td><td>Exploits delays between processes to manipulate resource access or obtain privileged information.</td></tr><tr><td>JSON Web Token (JWT) Flaws</td><td>T1556.003 - Network Service Scanning</td><td>Weak JWT validation or improper handling of token expiration allows privilege 
escalation.</td></tr><tr><td>Command Injection in IoT Devices</td><td>T1071 - Application Layer Protocol</td><td>Command injection exploits can compromise IoT devices, leading to unauthorized access or control.</td></tr><tr><td>LDAP Injection</td><td>T1220 - Compromise Application Access Token</td><td>Malformed LDAP queries can reveal sensitive directory information or allow unauthorized access.</td></tr><tr><td>Weak TLS/SSL Configuration</td><td>T1573 - Encrypted Channel</td><td>Misconfigured SSL/TLS allows attackers to intercept, alter, or decrypt sensitive data in transit.</td></tr><tr><td>Improper Access Control</td><td>T1078 - Valid Accounts</td><td>Weak or missing access controls allow unauthorized users to gain elevated permissions.</td></tr><tr><td>Plaintext Storage of Sensitive Data</td><td>T1003 - Credential Dumping</td><td>Storing sensitive data in plaintext exposes it to unauthorized access and misuse.</td></tr><tr><td>Log Forging and Injection</td><td>T1059 - Command and Scripting Interpreter</td><td>Manipulating logs to hide malicious activity or create false records, often to evade detection.</td></tr><tr><td>DNS Hijacking</td><td>T1596.002 - Active Scanning</td><td>Attackers alter DNS settings to redirect users to malicious sites or intercept sensitive data.</td></tr><tr><td>Shell Injection</td><td>T1059 - Command and Scripting Interpreter</td><td>Enables remote command execution through shell interfaces, compromising system integrity.</td></tr><tr><td>Eavesdropping</td><td>T1071.001 - Application Layer Protocol</td><td>Intercepting network communications to capture sensitive information.</td></tr><tr><td>Cache Poisoning</td><td>T1557 - Man in the Middle</td><td>Manipulates cache entries to serve malicious responses, often redirecting users or delivering malware.</td></tr><tr><td>Password Spraying</td><td>T1110.001 - Password Guessing</td><td>Attempting commonly used passwords across many accounts to gain access.</td></tr><tr><td>Man-in-the-Middle 
(MitM) Attack</td><td>T1557 - Man in the Middle</td><td>Intercepting and potentially altering communication between two parties without their knowledge.</td></tr><tr><td>BlueKeep (RDP Vulnerability)</td><td>T1210 - Exploitation of Remote Services</td><td>A vulnerability in RDP allowing remote code execution, critical for Windows systems.</td></tr><tr><td>Weak HTTP Headers</td><td>T1190 - Exploit Public-Facing Application</td><td>Insecure HTTP headers weaken browser protection against common attacks.</td></tr><tr><td>Remote Code Execution (RCE)</td><td>T1203 - Exploitation for Client Execution</td><td>Allows an attacker to execute arbitrary code remotely, compromising the system.</td></tr><tr><td>Default Credentials in IoT Devices</td><td>T1078 - Valid Accounts</td><td>Use of default credentials makes IoT devices susceptible to unauthorized access.</td></tr><tr><td>Typo-Squatting</td><td>T1539 - Steal Application Access Token</td><td>Registering domains with similar names to trick users into accessing malicious sites.</td></tr><tr><td>Sensitive Data Exposure</td><td>T1114.002 - Data Encoding</td><td>Poor data handling exposes sensitive information to unauthorized parties.</td></tr><tr><td>Log Injection</td><td>T1070.004 - Event Triggered Execution</td><td>Exploits injection flaws in log generation, enabling attackers to obfuscate their tracks.</td></tr><tr><td>Ransomware Exploits</td><td>T1486 - Data Encrypted for Impact</td><td>Encrypts files to demand a ransom for data decryption, causing severe operational disruptions.</td></tr><tr><td>Fileless Malware</td><td>T1055.013 - Process Injection</td><td>Malware that operates in-memory only, evading traditional detection methods.</td></tr><tr><td>Memory Corruption</td><td>T1068 - Exploitation for Privilege Escalation</td><td>Exploits memory flaws to manipulate application behavior or escalate privileges.</td></tr><tr><td>Reverse Shell</td><td>T1219 - Remote Access Software</td><td>Allows attackers to execute commands on 
a remote machine through a shell interface.</td></tr><tr><td>Credential Reuse</td><td>T1078 - Valid Accounts</td><td>Using stolen credentials from one service to access another, often leading to data breaches.</td></tr><tr><td>Cross-Site WebSocket Hijacking</td><td>T1071.001 - Application Layer Protocol</td><td>Exploits improper validation in WebSocket connections to gain unauthorized access.</td></tr><tr><td>Improper Validation of Integrity Checks</td><td>T1589 - Gather Victim Identity Information</td><td>Failing to verify data integrity allows attackers to manipulate system behavior.</td></tr><tr><td>Integer Overflow</td><td>T1203 - Exploitation for Client Execution</td><td>Exploits integer value overflow to manipulate program execution, often for privilege escalation.</td></tr></tbody></table>

This table covers a wide array of common vulnerabilities with brief descriptions and MITRE ATT\&CK references for context.
