NST - Digital Exploits (Lesson)
Digital Exploits
Introduction
In this lesson, you will learn about pentesting and the characteristics of digital exploits. You will also examine types of attacks that can be executed using tools like Metasploit.
A pentester, also known as a penetration tester, is a cybersecurity professional who helps organizations identify and fix security vulnerabilities in their digital assets and computer networks. Penetration testing measures the effectiveness of security controls by attempting, with the owner's permission, to find and exploit vulnerabilities in a web application, network or other software. It is often loosely called ethical hacking, and it overlaps with (but is not the same as) a security audit, which reviews controls against a standard rather than trying to break them. At completion, a pentester delivers a detailed report of the pentest results and recommendations for improving security.
Reasons why organizations will do a pentest:
- Check to see if there are holes in security configurations.
- Ensure compliance in industries like healthcare and finance.
- Validate the cost of security controls – “Do we really need this?”
When people think of a pentester, they may think of the show Mr. Robot and imagine a hooded hacker, cracking his knuckles and typing furiously to expose the guts of a company’s network. This video gives you a more detailed and realistic look at what ethical hackers do!
A Day in the Life of an Ethical Hacker (video; used by permission under a Creative Commons license)
Ethical Hacking (video; used by permission under a Creative Commons license)
The reality of pentesting is that it can be tedious work that requires you to take detailed notes throughout the engagement. You have to document how you found each vulnerability, what worked and what didn’t, and keep a log of your actions in case anything goes wrong (for example, a test that crashes a production system). At the end, the pentester has to present company officials with a post-test summary and convince them to make the needed security changes. Maybe the most frustrating part of being a pentester is that many companies don’t follow through on the recommended changes, primarily because of expense. They rationalize that the security holes are not that serious, or that compliance only requires a pentest but doesn’t mandate mitigation. These organizations prioritize spending on running the business and may not want to take money from other budgets to spend on security.
Colors of Cybersecurity
There is a long tradition in cybersecurity of using colors to represent different types of activities, actors, and organizational teams. Many security departments have a Red Team, which plays the attacker (finding vulnerabilities and emulating real adversaries), and a Blue Team, which defends assets (hardening, monitoring, detection and incident response). A Purple Team is not usually a separate group; it is the Red and Blue Teams working collaboratively so that each attack technique the red side uses is checked against what the blue side can detect.
Penetration Testing vs Vulnerability Assessment
Pentesting vs Attacking
The goal is the same -- find vulnerabilities in systems or software that can be exploited to bypass security controls. However, there is a clear line – ethically and legally – between pentesting and attacking.
The key is to have permission and to be specifically hired by an organization to find vulnerabilities in their systems! A pentest should always be set up with an agreed-upon scope of the test. For example, a scope might say that testing from outside the network is OK, but if you get in, then stop. Or they might say test this website that we have but not the customer portal. Or they may want a physical pentest where the locks, alarms, and security guards are evaluated.
Whatever the arrangement, the organization or client defines the parameters, usually in a written scope and rules-of-engagement document signed before any testing starts. If a pentest goes out of scope, there can be serious legal consequences, and there are plenty of stories of pentesters who believed they were in scope and ended up in legal jeopardy anyway.
More Colors of Cybersecurity
Hat colors were traditionally used to categorize hackers. Recently, the industry has shifted towards clearer terms. The difference between these three types of hackers comes down to permission and motivation!
- Authorized Hacker (formerly White Hat) has good intentions and explicit permission to look for vulnerabilities, so the actions are legal.
- Unauthorized Hacker (formerly Black Hat) intends malicious actions and has NO permission to access the system, so the actions are illegal.
- Semi-Authorized Hacker (formerly Grey Hat) often has good intentions but no permission. This type of hacker needs to use caution, because it is easy to step over the legal line into major issues!
  - Example: an independent researcher who finds a vulnerability, or a user who stumbles on one accidentally.
  - Responsible (coordinated) disclosure is KEY: contact the organization privately, provide documentation that lets them reproduce the issue, and do NOT share details publicly until they have had a reasonable chance to fix it.
  - In some cases, the discovery is eligible for a bug bounty, meaning the organization offers a monetary reward for reports of a bug, error, or vulnerability, under rules it publishes in advance.
Again, having permission is the only legal way to poke at someone else’s software! Unfortunately, it can be very tempting for those with cyber skills to poke at things to see what will happen – if I try this or change this code, can I get in?
Reflection Activity
Exploits
A vulnerability is a weakness in code, configuration or design that can be used to make software do something it wasn’t originally intended to do. However, every vulnerability is different, and it can be hard to figure out exactly how to take advantage of the hole in the system.
Pentesters or hackers look for a way into places they don’t belong. To do this, they need an exploit. An exploit is software, code, or a sequence of commands used to take advantage of a vulnerability in a computer system. Exploits are often shared: sometimes sold or traded on darknet forums, but also published openly, for example as modules in the Metasploit Framework, which is used by both pentesters and threat actors.
Exploits can be used to (strictly, the exploit gains the foothold and most of these actions are carried out by the payload it delivers):
- Gain remote access to the target PC and perform actions on it.
- Disable the system by crashing the OS or a service, causing a denial of service (DoS).
- Escalate the attacker’s privileges to root or administrator.
- Steal data such as passwords or valuable documents.
- Capture the screen.
- Log keystrokes.
- Upload and execute a file.
- Install a backdoor to easily regain access in the future.
An attack is the sequence of steps an adversary takes; a hack is making something perform an action it was not intended to perform. Hacks work because of vulnerabilities.
Categories of Valuable Data
Two main categories of valuable data for exfiltration:
- User credentials – usernames and passwords, especially for users with administrative rights.
- Proprietary data – trade secrets, like research for new products or the recipe for the “secret sauce,” the private key for a cryptocurrency wallet, or a database of bank accounts.
Metasploit Framework
The Metasploit Framework is an exploit toolkit: an application that bundles exploits for many different vulnerabilities. An exploit module is the way into a system and is used to deliver a payload. The payload is the code that runs on the target once the exploit succeeds (for example a reverse shell or Metasploit’s Meterpreter agent). Metasploit is modular, which means you can mix and match exploit and payload: in msfconsole you select a module with use, set its target options and choose a payload with set PAYLOAD, often run check to see whether the target looks vulnerable without exploiting it, and then run or exploit.
It is an open-source tool that works as a pentesting code repository. New exploit modules are added regularly through contributions from the security community. It is used by security professionals globally, taught in cybersecurity courses, and covered in certification exams.
Sample Attack Scenario
Recently the BreachesRUs (BRU) gang performed a data breach on Spack, a professional social networking site. BRU stole the profile data for millions of Spack users which included their names, usernames, passwords, and company names.
Today BRU is targeting the NicePeeps Corporation (NPC). An NPC employee, Goofy, had a Spack account, so BRU has his username, password, and employer. Because many people reuse the same password across sites, BRU is going to try Goofy’s Spack credentials against his NPC computer (a technique known as credential stuffing) and, once on it, steal an admin password. BRU will use that to exploit the NPC network.
Their goal is to infect the NPC server with ransomware which will encrypt all server data, making it impossible for the NPC to continue normal operations. NPC will be forced to pay millions for the decryption keys.
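The scenario above turns on password reuse: a credential leaked from Spack still works at NPC. The following Python script is an added example, not part of this lesson, showing the defender’s side of that same step. It replays a constructed breach dump against a constructed NPC directory of salted PBKDF2 hashes to find employees whose leaked password still verifies, and it implements the k-anonymity lookup that Have I Been Pwned’s Pwned Passwords API uses, where only the first five hex characters of a password’s SHA-1 leave the machine. All accounts, passwords, breach rows and lookup responses are constructed sample data; the low PBKDF2 round count is an assumption made so the demo runs quickly.

```python
"""Breach-replay and k-anonymity checks for the Spack/NPC scenario.
Added example; all data below is constructed, nothing is fetched from the network."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: deliberately low round count for the demo. A real directory uses a
# tuned, much higher count or a memory-hard hash such as bcrypt or Argon2.
PBKDF2_ROUNDS = 10_000


@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


# Constructed NPC directory: what the defender holds (salted hashes, never plaintext).
NPC_DIRECTORY = [
    make_account("goofy", "Summer2023!"),    # reused his Spack password at work
    make_account("donald", "Quack123"),      # same
    make_account("minnie", "7w!pXq#z9Lm2"),  # rotated to a unique password
]

# Constructed Spack breach dump as BRU would hold it: (username, plaintext, company).
SPACK_DUMP = [
    ("goofy", "Summer2023!", "NicePeeps"),
    ("donald", "Quack123", "NicePeeps"),
    ("daisy", "hunter2", "Acme"),            # different company, not an NPC account
    ("minnie", "oldpassword", "NicePeeps"),  # stale: no longer matches
]


def find_reused_credentials(directory, dump, company):
    """Return usernames whose leaked password still verifies against the stored hash.
    This is the attacker's credential-stuffing step run first by the defender,
    against hashes instead of a login form."""
    by_user = {acct.username: acct for acct in directory}
    hits = []
    for username, leaked_pw, leaked_company in dump:
        if leaked_company != company:
            continue
        acct = by_user.get(username)
        if acct is None:
            continue
        candidate = hash_password(leaked_pw, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):  # constant-time compare
            hits.append(username)
    return sorted(hits)


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The real service returns "SUFFIX:COUNT" lines for every hash sharing the prefix.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6;
# the other suffixes and all counts below are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "2F8F3B6D8E4A1C0B9D7E6F5A4B3C2D1E0F9:1\n"
    ),
}


def lookup_range(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return no lines."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def hibp_range_check(password: str, fetch_range=lookup_range) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Only the 5-character prefix is sent; suffix matching happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        cand_suffix, count = line.split(":", 1)
        if cand_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print("reused at NPC:", find_reused_credentials(NPC_DIRECTORY, SPACK_DUMP, "NicePeeps"))
    print("'password' seen:", hibp_range_check("password"), "times")
    print("'7w!pXq#z9Lm2' seen:", hibp_range_check("7w!pXq#z9Lm2"), "times")
```

Goofy and Donald are flagged because their Spack passwords still verify at NPC; Minnie is not, because she rotated hers, and Daisy is skipped because she is not an NPC account. To use the range check against the real service, replace lookup_range with a function that fetches the URL for the prefix; the password itself never needs to leave the host.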
BRU Gang Attack Steps
Sources of Exploits
Reflection and Wrap-up
In this lesson, we have learned about the crucial role of penetration testers in identifying and mitigating vulnerabilities within networked systems to enhance organizational security. We explored the distinctions between pentesting and vulnerability assessment, highlighting that both aim to fortify defenses but employ different methodologies. The lesson underscored the importance of ethical boundaries in cybersecurity through the differentiation between authorized, unauthorized, and semi-authorized hackers, emphasizing the legal and ethical imperative of obtaining permission before conducting tests. Furthermore, we delved into the mechanics of exploits and the Metasploit Framework, illustrating how these tools and techniques can be applied both ethically by security professionals and maliciously by threat actors.
Through the narrative of a simulated attack by the fictional BRU gang, the lesson demonstrated a practical application of these concepts, from reconnaissance to privilege escalation and data exfiltration. This comprehensive overview not only demystifies the work of cybersecurity professionals but also highlights the ongoing battle between safeguarding digital assets and the evolving tactics of cyber adversaries.
[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON.