Join Malcolm Shore for an in-depth discussion in this video Exploiting a target, part of Penetration Testing Essential Training.
- [Instructor] We earlier covered the cyber kill chain and discussed the seven stages of a cyberattack. Let's take a look, in more detail, at the delivery and exploitation phases. These are the phases in which a pen tester spends most of their time. At the delivery phase, the objective is to find a way to deliver a payload to a target. There are four common ways to do that. The first is to send someone the payload as an attachment to an email and have them execute it, or, more usually, a document with malicious code installed in it.
Regardless, the delivery mechanism is the same. Another way of delivering a malware payload to a target is to have the target come and get it by sending them an email containing a hyperlink to a malicious website. This may be a website which, when the user visits it, can automatically drop the malware into their system. It might be a site which contains trojanized software, containing malicious code hidden inside the legitimate code. Another way to deliver a payload is to connect to an exposed port and send the malware through the port, or gain access through the port and copy the malware directly in.
Quite often, this will be achieved by sending a packet which contains an initial exploitation warhead, followed by the payload, which can be carried through in the packet. Finally, the malware can be stored on removable media, such as a USB flash drive, in such a way that when it's inserted into the target computer, it automatically runs. Once the malware has been delivered, there may be an exploitation phase, in which a vulnerability on the target system is exploited to enable the malicious payload to gain access to the system.
In the case of a malicious attachment, the exploitation is a human one, getting someone to run the malware without knowing that it's malicious, or even that any code is running. It may be an executable attachment, or it may be a document which, when opened, exploits a vulnerability in the application software, or just simply runs an embedded malicious macro. We continue to see this technique used with Word documents, PDF files, Flash movies, and spreadsheets in particular.
The one thing these techniques have in common is that the user is unaware that code is executing. The next approach is when the delivery was that of a phishing email containing a hyperlink to a malicious site. The malicious site will be looking to take advantage of a vulnerability in the browser, which it can exploit to run what is known as a dropper. The purpose of this is to drop the payload onto the target computer. The unauthorized use of credentials is a technique used when a password file has been extracted and cracked, revealing a large number of account user ID password credentials.
It may also be the result of having intercepted traffic and found credentials in the clear, for instance, in a Telnet session. The fourth exploitation technique is used when there's a vulnerability in a service exposed to the attacker. In this case, the attacker can exploit the vulnerability with an initial malware module, which opens the door into the system. This is often a technically challenging approach, but potentially a lucrative one, because it may leave no evidence of attack, not even a login record. Let's have a look at some examples of attacks and analyze their delivery and exploitation techniques.
The first attack we'll look at is the high-profile ransomware, WannaCry, or WannaCrypt, as it's sometimes known. The WannaCry campaign delivery mechanism was emails containing an infected zip file, which, when opened, drops the malware into the computer and executes it. Here we see the current tracking of WannaCry. Half a million or so currently infected systems tracked. If we scroll down a bit, we can see there's not much new infection, but lots of existing systems that continue to run as infected hosts.
This indicates a small number of systems are unpatched and still being infected, but most of the campaign has dried up. WannaCry is a highly virulent piece of malware, not only having a vicious payload but also being able to automatically reach out and exploit other systems in the local network, or even across the internet. So as soon as a few WannaCry targets were hit, they became attack-launching parents for propagation to the next layers of targets. One of the reasons WannaCry was able to do this was through its use of a piece of malware developed by the US National Security Agency, called EternalBlue, which used an exploitation technique not known in the public domain, the zero day.
This was a flaw in the session management block, or SMB software, used on Windows systems to manage file sharing and printing. Analysis has concluded that the initial infection was through an exposed SMB port. By allowing its technique to become exposed, the NSA allowed the world's cybercriminals to develop a military-grade attack. This malware demonstrates a delivery through an exposed service, and exploitation through the EternalBlue SMB vulnerability.
The next example we'll look at is the Stuxnet attack on the Iranian uranium enrichment facility. This was notable in that the target was on an isolated network, not connected to the internet. Stuxnet was a very sophisticated attack, reportedly developed and launched by Israel and the United States, and it was executed in two phases. The first phase was a network scan, to determine exactly what software was running on the isolated network and to map out the topology of the network itself.
This then enabled a second attack to be launched, which targeted the centrifuges used to enrich the uranium. The original reporting indicated that the attack was able to get onto the isolated network by use of a USB drive, and that USB drive may have been taken in by an agent working in the facility. Later analysis indicated that the attack was the remote breach of a supply computer, and insertion of the malware onto the supply computer, from where it jumped onto a USB stick.
Stuxnet propagated itself around the network using a Microsoft print spooler flaw and three other zero day vulnerabilities to ensure the maximum opportunity to spread. Once it found the Siemens equipment, which controlled the centrifuges, it injected malicious code into its memory. This attack demonstrates multiple delivery and exploitation vectors, including a Microsoft print spooler zero day. Another high-profile case was that of Saudi Aramco, which was the largest attack seen this decade, with over 30,000 workstations being taken down.
The delivery mechanism was traced back to a single employee clicking on a malicious website. The website was able to exploit the browser and drop a backdoor payload onto his computer. This then allowed the attackers to gain a foothold on the Saudi Aramco network and begin their attack. The first sign of trouble was when files began to disappear and systems crashed. The Saudi Aramco network was disconnected from the internet. And then, when the virus continued to spread, the workstations were disconnected from the local networks.
Subsequent analysis found that the attack was due to the Shamoon virus. The delivery mechanism was a malicious website, and the exploit was a browser vulnerability. The final example we'll look at is the Sony PlayStation hack. This was an external penetration into the PlayStation network servers, which resulted in the global Sony PlayStation network being taken down. The result of this intrusion was the exposure of 77 million credit cards, one of the biggest recorded data breaches.
This was again due to the flaw in the SMB software, this one on RedHat Linux Apache servers, and it was able to be exploited. The delivery mechanism was an exposed vulnerable service, which exploited an SMB flaw.
Cybersecurity expert Malcolm Shore reviews popular pen testing tools, as well as the Bash and Python scripting skills required to be able to acquire, modify, and re-use exploit code. He also provides a refresher on Kali Linux and introduces techniques for testing web services. At the end of this course, you'll be prepared to take more advanced training, and to pursue the popular Offensive Security Certified Professional (OSCP) certification.
- Pen testing overview
- Pen testing tools
- Bash scripting
- Python scripting
- Kali and Metasploit
- Web testing
- Finding exploit code