Learn about exploits and their place in the kill chain.
- [Instructor] The concept of the cyber kill chain emerged when the Lockheed Martin Cyber Emergency Response Team produced a seminal paper on cyber attack, called "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains". This can be downloaded from their website, shown here, and provides a way of looking at cyber attack which helps explain the sequences of events leading up to a theft, a breach, a denial of service, or any of the adverse outcomes from an attack.
Exploits happen at the fourth stage of the cyber kill chain. The cyber kill chain views an attack in seven stages: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, and Action. An attack doesn't always progress one step at a time in that sequence, but more usually the stages will overlap. However, each stage represents a milestone in prosecuting the attack and a point at which the target can be defended.
The exploitation stage is where an adversary takes advantage of a weakness in the software, the hardware, or the configuration of a system or even of a person, in the case of phishing, to open up a vector in which to deliver a payload into a target. This might be a vulnerability in an application on an internet-facing host, for instance a web server, or a browser vulnerability on an individual's workstation. The code which takes advantage of any such vulnerability is called an exploit.
An attack can be just an executable payload which is attached to an email with an enticement for someone within the target to activate it. It may be malware lurking on a website, waiting for someone to connect, either opportunistically or because a phishing email has persuaded them to click on the hyperlink. It can also be a packet sent remotely which is able to penetrate the attack surface of the target. An attack might be complete in itself with everything needed to get into the target and to activate the payload. It may, however, just be a first stage attack to gain a foothold on the target which is then used as a channel for a second and subsequent attack to be mounted.
The latter form is called a RAT, a remote access Trojan, and is commonly used to add a victim to a botnet so that it can be remotely controlled, at will, by the attacker. A remote access exploit will be crafted to penetrate the surface of the target. Often this will be a malformed packet which causes a buffer overflow, or in some other way is able to gain access to the execution flow of its target through one of its exposed services. This is followed by an address, which is the address in the target's memory that it uses to make execution jump into its payload.
The payload then follows this address. A good exploit will run its payload, and then tidy up and return control back to the target, so there's no sign that anything untoward has happened. Doing the research to identify a new vulnerability, and craft software to exploit it, takes time. A simple zero day would take two to three months to develop, while a sophisticated multi-zero day exploit such as Stuxnet is thought to have taken years to create. Unfortunately for the good guys, creating a new variant of an existing exploit in seconds is now possible with exploit kits.
These are automatic malware generators which use an existing base exploit and use encryption to change its signature so that it can evade antivirus systems. One of the early exploit kits was Zeus, although this has become overshadowed somewhat by its more troublesome successor, SpyEye. There are many exploit kits available now in the dark net, many of them coming out of eastern Europe. Here's a look at what an exploit kit looks like: this is a SpyEye page which configures how the malware is generated.
These kits may also operate as botnet controllers, offering a landing page, retaining a database of infected victims, and even doing target assessment to determine the kind of exploit that's suitable.
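The weakness the instructor describes, a malformed packet overrunning a buffer in an exposed service, comes down to code like the following. This is an added example, not material from the course: a packet handler that copies a field into a fixed-size stack buffer with no bound, beside a hardened version that checks the length first. The packet contents and the `NAME_LEN` field size are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* assumed size of the service's "name" field buffer */

/* Constructed sample packets: one that fits, one that is far too long. */
static const char PACKET_OK[]        = "hello";
static const char PACKET_OVERSIZED[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

/* Vulnerable handler: copies the packet into a 16-byte stack buffer with no
 * length check. Any packet of 16 bytes or more overruns the buffer and
 * overwrites whatever sits next to it on the stack, which is how a crafted
 * packet gets to influence the execution flow of the service. */
int handle_packet_unsafe(const char *pkt) {
    char name[NAME_LEN];
    strcpy(name, pkt);                /* the defect: unbounded copy */
    return (int)strlen(name);
}

/* Hardened handler: validates the length before touching the buffer and
 * always leaves room for the terminating NUL. Returns the accepted length,
 * or -1 when the packet is rejected as oversized. */
int handle_packet_safe(const char *pkt, size_t pkt_len) {
    char name[NAME_LEN];
    if (pkt_len >= NAME_LEN) {
        return -1;                    /* refuse the packet instead of overrunning */
    }
    memcpy(name, pkt, pkt_len);
    name[pkt_len] = '\0';
    return (int)pkt_len;
}

int main(void) {
    printf("safe, ok packet:        %d\n", handle_packet_safe(PACKET_OK, strlen(PACKET_OK)));
    printf("safe, oversized packet: %d\n", handle_packet_safe(PACKET_OVERSIZED, strlen(PACKET_OVERSIZED)));
    /* The unsafe handler is only ever given the short packet here; feeding it
     * PACKET_OVERSIZED would corrupt this process's own stack. */
    printf("unsafe, ok packet:      %d\n", handle_packet_unsafe(PACKET_OK));
    return 0;
}
```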
Note: Learning about ethical hacking for exploits is part of the Malware competency from the Certified Ethical Hacker (CEH) body of knowledge.
- Writing assembler programs
- Using debugging programs
- Controlling flow
- Executing code from the data section
- Ethical attacking to identify vulnerabilities
- State-sponsored attacks
- Using Metasploit
- Adding new exploits to Metasploit
- Using Armitage