Exploit Discovery

In this chapter, we’ll dive into how to identify the correct exploit for a vulnerability using resources like SearchSploit, MITRE ATT&CK, and NIST’s National Vulnerability Database (NVD). This process involves pinpointing vulnerabilities, understanding exploitability, and selecting appropriate tools and methods. We’ll walk through three in-depth case studies that illustrate different scenarios in network, web application, and system exploitation, showing how these frameworks can streamline the process of locating and selecting the right exploit.


Key Frameworks for Exploit Discovery

  1. SearchSploit: A command-line front end to a local copy of Exploit-DB (the exploitdb package on Kali), so exploit and shellcode titles can be searched offline, an entry read in place (searchsploit -x <EDB-ID>) and copied into the working directory (searchsploit -m <EDB-ID>). It finds pre-written proof-of-concept exploits for known vulnerabilities; it does not tell you whether a given one works against your target, so every hit still has to be read and tested.

  2. MITRE ATT&CK: A knowledge base of adversary tactics and techniques drawn from real-world intrusions. It catalogs behaviour, not vulnerabilities or exploits: its value here is placing an exploit in an attack chain (which tactic it serves, which techniques typically precede and follow it), not finding the exploit itself.

  3. NIST National Vulnerability Database (NVD): NIST's enrichment of the CVE list. Each entry carries a CVSS score and vector, a CWE weakness classification and CPE product identifiers, plus references to vendor advisories and patches. Mitigation and remediation detail lives in those referenced advisories rather than in the NVD record itself; the record is how you find and prioritise them.


Case Study 1: Web Application Exploitation – SQL Injection Vulnerability

Scenario

A cybersecurity assessment has identified a web application with an SQL injection vulnerability in the login form. The web app uses a poorly coded SQL query that is susceptible to injection attacks.

Steps to Identify and Use the Exploit

  1. SearchSploit:

    • Query: Running searchsploit "sql injection" <product> on the terminal lists Exploit-DB entries whose titles match every term. Searching for the class alone returns thousands of entries, so include the product or framework and version the target runs: an injection written for another application's query is useless against this one.

    • Exploit Selection: Narrow by the target's stack (PHP, ASP.NET, the specific CMS or plugin) and by the version in the entry title; searchsploit -x <EDB-ID> shows an entry without copying it.

    • Example Exploit: An entry of the form "<Product> <version> - SQL Injection (Login Bypass)" for a PHP application. Copy it with searchsploit -m <EDB-ID> and read it in full before running it: Exploit-DB entries are unreviewed proofs of concept and may carry hard-coded hosts, paths or payloads, and the injection point it targets must match the form you actually found.

  2. MITRE ATT&CK:

    • Mapping Technique: Using the MITRE ATT&CK framework, SQL Injection falls under the T1190 - Exploit Public-Facing Application technique, which is part of the “Initial Access” tactic.

    • Further Analysis: Mapping the technique helps identify related methods attackers may use in conjunction with SQL Injection (e.g., credential dumping after a successful login bypass).

  3. NVD:

    • Vulnerability Lookup: Search NVD for the product and version behind the login form rather than for the generic class; a keyword search for "SQL injection" returns thousands of entries (e.g., CVE-2020-12084). A matching entry gives the CVSS vector and score, the CWE classification (CWE-89 for SQL injection), and references to the vendor advisory and fixing commit, which is where mitigation detail lives.

    • Severity and Relevance: The CVSS base score and vector are a starting point for priority, not proof of exploitability. A 9.8 says "network-reachable, no authentication, full compromise" if the flaw is present in this deployment; confirm reachability and the absence of a patch before putting weight on the number.

Execution

Once the vulnerability is verified, a crafted username such as admin'-- bypasses the login when the application builds its query as ... WHERE username = '<input>' AND password = '<input>': the quote closes the string and the -- comments out the password check, so the first row for admin is returned. Comment syntax varies by database (MySQL needs a space after --, or use #; SQLite, PostgreSQL and SQL Server accept -- as is). From there sqlmap automates detection and extraction, e.g. sqlmap -u <login URL> --data "username=a&password=b" --dbs, falling back to boolean- or time-based inference when the application shows no query output.
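To make the mechanics of the bypass concrete, here is an added example (not code from the original chapter): the admin'-- payload against a login query built by string formatting, next to the same login written with a parameterised query. The users table, its columns and the two sample accounts are constructed for the example, and SQLite stands in for whatever database the application uses.

```python
"""Added example for the Execution step (not code from the original chapter):
the admin'-- login bypass against a query built by string formatting, next to
the same login written with a parameterised query. The users table, its
columns and the sample accounts are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Real applications store a password hash, not the password; plaintext here
    # keeps the injection mechanics visible.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    # The flaw: user input becomes part of the SQL text itself.
    return ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username: str, password: str) -> bool:
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Placeholders: the values travel separately from the SQL text, so a quote
    # or comment marker in the input is just characters inside a string.
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("admin'--", "anything"))
    # The -- turns the rest of the line into a comment, so the password check
    # is never evaluated and the first row for 'admin' is returned.
    print("vulnerable, admin'--   :", login_vulnerable(db, "admin'--", "anything"))
    print("vulnerable, ' OR '1'='1:", login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    print("safe, admin'--         :", login_safe(db, "admin'--", "anything"))
    print("safe, real password    :", login_safe(db, "admin", "S3cret!"))
```

The second payload, ' OR '1'='1 in both fields, shows why a tester does not need to know a username at all: AND binds tighter than OR, so the rewritten WHERE clause is true for every row. Against the parameterised version both payloads are simply looked up as literal usernames and match nothing.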


Case Study 2: Network Exploitation – SMB Vulnerability

Scenario

During a network audit, an SMB service on a Windows Server 2003 host was identified as vulnerable. The scan suggests MS08-067 (CVE-2008-4250), a stack buffer overflow in the Server service's path-canonicalisation code (NetpwPathCanonicalize in netapi32.dll), reachable without authentication over SMB through the SRVSVC named pipe. The bug is in the Server service, not in the SMB protocol itself; SMB is only the transport.

Steps to Identify and Use the Exploit

  1. SearchSploit:

    • Query: Execute searchsploit ms08-067 to list Exploit-DB entries for this bug (the search is case-insensitive). The results include standalone Python exploits and the Metasploit module. Use searchsploit -x <EDB-ID> to read an entry and searchsploit -m <EDB-ID> to copy it into the current directory.

    • Exploit Selection: Choose an entry such as Microsoft Windows Server Service - Remote Buffer Overflow (MS08-067); both Metasploit and standalone options exist, and the standalone scripts usually hard-code return addresses for specific OS versions, service packs and language packs, so check that the target matches.

    • Verification: Confirm the host is actually unpatched before firing anything. nmap -p445 --script smb-vuln-ms08-067 <target> performs a non-destructive check, and a standalone exploit should first be tested against a lab copy of the same OS and service pack, because a wrong return address crashes the Server service.

  2. MITRE ATT&CK:

    • Mapping Technique: MS08-067 maps to T1210 - Exploitation of Remote Services (Lateral Movement) when used from inside the network, or to T1190 - Exploit Public-Facing Application if port 445 is reachable from the Internet.

    • Tactical Relevance: The tactic helps reveal related techniques that may support post-exploitation (e.g., privilege escalation using stolen credentials after initial access).

  3. NVD:

    • Vulnerability Check: Search NVD for CVE-2008-4250, the CVE for MS08-067. Its CVSS v2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C scores 10.0: network-reachable, no authentication, complete loss of confidentiality, integrity and availability. That is why unpatched hosts are a priority target, and why the entry's references (the MS08-067 bulletin) should be read to confirm the affected versions.

Execution

Use Metasploit's exploit/windows/smb/ms08_067_netapi module: set RHOSTS to the target, choose a payload such as windows/meterpreter/reverse_tcp with LHOST pointing at your listener, and let the module's automatic targeting fingerprint the OS and language pack, or set TARGET yourself when the fingerprint is wrong. Because the Server service runs as LocalSystem, a successful exploit returns a session as NT AUTHORITY\SYSTEM directly; no further privilege escalation is needed on that host. A wrong target crashes svchost.exe and takes SMB down with it, so confirm the target first and expect at most one clean attempt.


Case Study 3: Credential Harvesting and Privilege Escalation on Linux

Scenario

In a penetration test against a Linux-based web server, weak or reused passwords are suspected. Reconnaissance finds SSH listening on a non-standard port. The port itself is not a weakness; a full port scan finds it regardless. What makes a credential attack viable is password authentication being enabled, which nmap -p <port> --script ssh-auth-methods <target> or the "Authentications that can continue" line in ssh -v output will reveal; a key-only server is not worth brute-forcing.

Steps to Identify and Use the Exploit

  1. SearchSploit:

    • Query: SearchSploit indexes exploits, not attack tools, so searchsploit ssh brute-force does not return Hydra. Search it for the server version instead (e.g., searchsploit openssh 7.) to find version-specific bugs such as username enumeration (CVE-2018-15473 affects OpenSSH through 7.7), which shrinks the user list before any guessing starts.

    • Tool Selection: Hydra, Medusa or ncrack perform the password guessing. Pair them with a short, targeted list (vendor defaults, the organisation's password pattern, passwords from prior breaches) rather than a huge wordlist: SSH is slow per attempt, and lockouts or fail2ban trip quickly.

    • Auxiliary Tools: John the Ripper or Hashcat if hashes (for example /etc/shadow) are recovered later in the engagement.

  2. MITRE ATT&CK:

    • Mapping Technique: This type of attack maps to T1110 - Brute Force, under “Credential Access.” The tool choice aligns with real-world tactics where attackers systematically attempt to gain SSH access through brute-force.

    • Linked Techniques: This approach may also involve T1078 - Valid Accounts, emphasizing post-compromise activities once access is gained.

  3. NVD:

    • Vulnerability Reference: NVD has no CVE for brute-forcing itself; it is a weakness of configuration (CWE-307, Improper Restriction of Excessive Authentication Attempts; CWE-521, Weak Password Requirements) rather than a product flaw. What NVD does carry are default- and hard-coded-credential CVEs (CWE-798, CWE-1392) for specific products, so search by the product and version running on the host to see whether a known default account applies and what the vendor's fix was.

Execution

Using Hydra: hydra -l root -P passwords.txt -t 4 ssh://<target_IP>:<port>. Keep -t at 4 or lower, since OpenSSH's MaxStartups throttles parallel unauthenticated connections and Hydra's SSH module warns above that, and use -L users.txt instead of -l root where PermitRootLogin is disabled. If a credential works, log in and start privilege-escalation enumeration: sudo -l for sudo rights, find / -perm -4000 -type f 2>/dev/null for SUID binaries, and the kernel and package versions for candidate local exploits.

LinPEAS and Linux Exploit Suggester automate these checks and map findings to candidate exploits, further mapping out exploitable paths on the server. Treat kernel-exploit suggestions with care: a failed kernel exploit can panic the host.
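The SUID check in the privilege-escalation step above is the one most worth understanding rather than just running. The following is an added example, not code from the original chapter or from LinPEAS: it walks the filesystem for SUID/SGID files the way the find command does, and classifies each hit as a known root-shell primitive, an expected system binary, or something to review by hand. The KNOWN_ABUSABLE and EXPECTED_SETUID sets are short hand-picked lists chosen for the example, not exhaustive references.

```python
"""Added example for the privilege-escalation step (not code from the original
chapter): enumerate SUID/SGID binaries the way LinPEAS's quick checks do and
flag those that are well-known privilege-escalation primitives.

KNOWN_ABUSABLE and EXPECTED_SETUID are short hand-picked sets chosen for this
example, not exhaustive lists; check GTFOBins for the full picture.
"""
import os
import stat
from typing import Optional

# Binaries that, if SUID root, give a root shell or root file access directly.
KNOWN_ABUSABLE = {"bash", "sh", "dash", "zsh", "find", "vim", "vi", "nano", "less",
                  "more", "env", "python", "python3", "perl", "ruby", "awk", "gawk",
                  "cp", "mv", "tar", "nmap", "tee"}
# Normally SUID/SGID on mainstream distros; still compare versions against known
# CVEs (pkexec and CVE-2021-4034 is the obvious example).
EXPECTED_SETUID = {"passwd", "sudo", "su", "mount", "umount", "ping", "chsh",
                   "chfn", "newgrp", "gpasswd", "pkexec", "fusermount", "ssh-agent"}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def classify(path: str, mode: int) -> Optional[dict]:
    """Return a finding for a regular file with SUID or SGID set, else None."""
    if not stat.S_ISREG(mode):
        return None
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if not (suid or sgid):
        return None
    name = os.path.basename(path)
    if name in KNOWN_ABUSABLE:
        risk = "high"          # direct root shell, see GTFOBins
    elif name in EXPECTED_SETUID:
        risk = "expected"      # normal, but version-check it
    else:
        risk = "review"        # custom or third-party: read it, run strings on it
    return {"path": path, "suid": suid, "sgid": sgid, "risk": risk}


def find_setid_binaries(root: str = "/") -> list:
    """Walk root (skipping pseudo filesystems) and collect classified findings,
    highest risk first. Equivalent to: find / -perm -4000 -o -perm -2000 -type f."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(PSEUDO_FS):
            dirnames[:] = []
            continue
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            except OSError:
                continue
            finding = classify(path, mode)
            if finding:
                findings.append(finding)
    order = {"high": 0, "review": 1, "expected": 2}
    findings.sort(key=lambda f: (order[f["risk"]], f["path"]))
    return findings


if __name__ == "__main__":
    for f in find_setid_binaries("/"):
        bits = ("SUID " if f["suid"] else "") + ("SGID" if f["sgid"] else "")
        print(f"{f['risk']:8} {bits:9} {f['path']}")
```

Run it as the low-privilege user you landed as; the "review" bucket (a vendor agent, a backup helper, an in-house tool with the SUID bit set) is where custom privilege-escalation paths usually hide, while the "expected" bucket only matters once you compare its versions against known CVEs.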


Additional Resources

  • Exploit-DB: Searchable database of exploits, includes SearchSploit for terminal-based access.

  • MITRE ATT&CK Navigator: Interactive tool for mapping out tactics and techniques by stages of an attack.

  • National Vulnerability Database (NVD): Tracks published CVEs with CVSS scores and vectors, CWE classifications, affected-product (CPE) data and advisory references.

Each case demonstrates the synergy between these frameworks, from identifying vulnerabilities to selecting the right exploits and post-exploitation activities. Following this structured approach helps ensure systematic exploitation while considering each vulnerability's context and overall attack chain possibilities.

The table below lists common vulnerability classes with the MITRE ATT&CK technique that best describes how an adversary uses each one. ATT&CK catalogs adversary behaviour, not software weaknesses, so many classes have no dedicated technique: for those the table names the technique covering the entry point (most often T1190 - Exploit Public-Facing Application) and gives the CWE identifier, since CWE is the catalog that does classify weaknesses. A few entries near the end (ransomware, fileless malware, reverse shells) are attacks or payloads rather than vulnerabilities and are marked as such.

Vulnerability | MITRE ATT&CK Technique | Description
SQL Injection | T1190 - Exploit Public-Facing Application | Attacker-controlled input is concatenated into a SQL query, letting the attacker read or modify data the application never intended to expose (CWE-89).
Command Injection | T1190 - Exploit Public-Facing Application; the resulting execution is T1059 - Command and Scripting Interpreter | Unsanitised input reaches a system shell, so the attacker runs arbitrary commands on the host (CWE-78).
Cross-Site Scripting (XSS) | No dedicated technique; T1059.007 - JavaScript covers the execution and T1189 - Drive-by Compromise the delivery | Attacker script runs in a victim's browser in the context of a trusted site, enabling session theft or actions as that user (CWE-79).
Cross-Site Request Forgery (CSRF) | No dedicated technique (CWE-352) | A logged-in user's browser is tricked into sending a state-changing request the user did not intend.
Path Traversal | T1190 for the entry point; the file read itself is T1005 - Data from Local System | Sequences such as ../ in a path parameter let the attacker read files outside the intended directory (CWE-22).
Local File Inclusion (LFI) | T1190 - Exploit Public-Facing Application | The application includes a file named by user input, exposing local files or, via log or upload poisoning, executing code (CWE-98).
Remote File Inclusion (RFI) | T1190 - Exploit Public-Facing Application | The application includes a file fetched from an attacker-controlled server, giving code execution on the host (CWE-98).
Buffer Overflow | Depends on where it is reachable: T1190 or T1210 - Exploitation of Remote Services (network service), T1203 - Exploitation for Client Execution (client application), T1068 - Exploitation for Privilege Escalation (local) | Writing past a buffer's bounds corrupts memory and can be turned into code execution (CWE-120).
XML External Entity Injection (XXE) | T1190 - Exploit Public-Facing Application | An XML parser with external entities enabled resolves attacker-supplied entities, reading local files or making server-side requests (CWE-611).
Insecure Deserialization | T1190 (server-side) or T1203 (client-side) | Untrusted serialized data is reconstructed into objects, frequently yielding remote code execution (CWE-502).
Server-Side Request Forgery (SSRF) | T1190; commonly used to reach T1552.005 - Cloud Instance Metadata API | The server is induced to make requests to internal services or cloud metadata endpoints on the attacker's behalf (CWE-918).
Unrestricted File Upload | T1190, typically followed by T1505.003 - Web Shell | Attackers upload executable content that the server then runs (CWE-434).
Improper Authentication | T1190 for the bypass; subsequent use of the account is T1078 - Valid Accounts | Authentication that can be bypassed or skipped grants access without valid credentials (CWE-287).
Hardcoded Credentials | T1552.001 - Credentials In Files; T1078.001 - Default Accounts once used | Credentials embedded in source or firmware are recoverable by anyone who obtains the code (CWE-798).
Insecure Direct Object References (IDOR) | No dedicated technique (CWE-639); T1190 where the application is public-facing | Object identifiers in requests are not authorised against the caller, so changing an ID exposes other users' records.
Improper Session Handling | T1539 - Steal Web Session Cookie; reuse is T1550.004 - Web Session Cookie | Predictable, long-lived or unprotected session tokens let an attacker hijack sessions (CWE-384).
Weak Password Policies | T1110 - Brute Force | Weak or unenforced password rules make accounts susceptible to guessing (CWE-521).
API Key Leakage | T1552 - Unsecured Credentials (T1552.001 - Credentials In Files, T1552.004 - Private Keys) | Exposed keys give unauthorised access to application functionality or data.
Improper Error Handling | No dedicated technique; the disclosed details feed T1592.002 - Gather Victim Host Information: Software | Verbose errors reveal stack traces, paths, versions or query text that guide further attacks (CWE-209).
Race Condition | T1068 - Exploitation for Privilege Escalation (the typical TOCTOU case) | A window between check and use lets the attacker swap a resource and gain access or privilege (CWE-362).
JSON Web Token (JWT) Flaws | T1550.001 - Application Access Token (forged or replayed token) | alg=none acceptance, weak HMAC secrets or missing expiry checks let an attacker mint or reuse tokens (CWE-347).
Command Injection in IoT Devices | T1190 for the entry point; T1059 for the execution | Unsanitised input in device web or management interfaces yields command execution on the device (CWE-78).
LDAP Injection | T1190 - Exploit Public-Facing Application | Unescaped input alters LDAP filters, revealing directory data or bypassing authentication (CWE-90).
Weak TLS/SSL Configuration | T1557 - Adversary-in-the-Middle; T1040 - Network Sniffing | Obsolete protocol versions or cipher suites let an attacker intercept, downgrade or decrypt traffic (CWE-327).
Improper Access Control | No dedicated technique (CWE-284); T1068 where it yields higher privilege | Missing or broken authorisation lets unauthorised users reach functions or data.
Plaintext Storage of Sensitive Data | T1552.001 - Credentials In Files (credentials); T1005 - Data from Local System (other data) | Data stored unencrypted is exposed to anyone with read access to the storage (CWE-312).
Log Forging and Injection | T1070 - Indicator Removal | Attacker-controlled input written to logs creates false entries or hides activity (CWE-117).
DNS Hijacking | T1584.002 - Compromise Infrastructure: DNS Server; T1557 on the local network | Altered DNS records or resolver settings redirect users to attacker-controlled hosts.
Shell Injection | T1190 for the entry point; T1059 for the execution | Same class as command injection: input reaches a shell unescaped and is executed (CWE-78).
Eavesdropping | T1040 - Network Sniffing | Capturing network traffic to recover credentials or data sent without encryption.
Cache Poisoning | T1557 - Adversary-in-the-Middle (DNS cache); web cache poisoning has no dedicated technique | Malicious entries inserted into a cache are served to later users, redirecting them or delivering attacker content.
Password Spraying | T1110.003 - Password Spraying | A few common passwords tried across many accounts, staying under per-account lockout thresholds.
Man-in-the-Middle (MitM) Attack | T1557 - Adversary-in-the-Middle (ATT&CK's current name for the technique) | Intercepting and possibly altering communication between two parties without their knowledge.
BlueKeep (RDP Vulnerability) | T1210 - Exploitation of Remote Services; T1190 where RDP is Internet-exposed | CVE-2019-0708: pre-authentication remote code execution in RDP on Windows 7 / Server 2008 R2 and earlier.
Weak HTTP Headers | No dedicated technique | Missing security headers (CSP, HSTS, X-Frame-Options and similar) remove browser-side protection against XSS, clickjacking and downgrade attacks.
Remote Code Execution (RCE) | An outcome rather than a vulnerability: T1190, T1210 or T1203 depending on the vector | The attacker runs arbitrary code on the target.
Default Credentials in IoT Devices | T1078.001 - Default Accounts | Unchanged factory credentials give anyone who knows them access (CWE-1392).
Typo-Squatting | T1583.001 - Acquire Infrastructure: Domains; delivery via T1566 - Phishing | Domains resembling legitimate ones lure users to attacker-controlled sites.
Sensitive Data Exposure | No dedicated technique; collection of the exposed data is T1005 or T1530 - Data from Cloud Storage | Poor data handling leaves sensitive information readable by unauthorised parties.
Log Injection | T1070 - Indicator Removal (T1070.002 for Linux logs) | Injection flaws in log generation let attackers obscure their tracks or confuse analysts (CWE-117).
Ransomware Exploits | Not a vulnerability; the impact is T1486 - Data Encrypted for Impact | Files encrypted and a ransom demanded for the key, causing severe operational disruption.
Fileless Malware | Not a vulnerability; T1620 - Reflective Code Loading and T1055 - Process Injection describe the behaviour | Code that runs only in memory, evading file-based detection.
Memory Corruption | T1068 locally; T1190, T1210 or T1203 when remotely reachable | Memory-safety flaws exploited to alter program behaviour or escalate privilege.
Reverse Shell | Not a vulnerability; the payload is T1059 and its channel T1095 - Non-Application Layer Protocol or T1071 - Application Layer Protocol | The compromised host connects back to the attacker, who then runs commands through the shell.
Credential Reuse | T1078 - Valid Accounts; T1110.004 - Credential Stuffing when guessed from breach dumps | Credentials stolen from one service are accepted by another.
Cross-Site WebSocket Hijacking | No dedicated technique; it relies on the browser attaching the session cookie, i.e. T1550.004 - Web Session Cookie | A WebSocket handshake without origin validation lets an attacker site open an authenticated socket as the victim.
Improper Validation of Integrity Checks | T1553 - Subvert Trust Controls; T1195 - Supply Chain Compromise where updates are tampered with | Unverified or weakly verified integrity data lets attackers substitute modified code or content (CWE-354).
Integer Overflow | Same as buffer overflow: T1068, T1190, T1210 or T1203 depending on reachability | Arithmetic wrap-around produces undersized allocations or wrong bounds checks, often a memory-corruption primitive (CWE-190).

The table covers common vulnerability classes with brief descriptions and ATT&CK references for context. Use it to place a finding within an attack chain, not as a substitute for reading the technique and the CWE entry themselves.
