Customized Exploitation Avenue

00:00

Hello and welcome to another penetration testing execution standards discussion. Today we're looking at the customized Exploitation Avenue within the exploitation component of the Pee test standard. So a quick disclaimer

00:16

pee test videos do cover techniques and tools that could be used for system hacking. So

00:20

anything that we demonstrate or discussed should be researched and thoroughly understood by the user.

00:27

Police research your laws and regulations regarding the use of such tools or techniques, and you're given area to ensure that you don't get into any trouble with the law. So what are the objectives of two days discussion?

00:40

Well, we want to describe what a customized exploit is we're going to do. Just grab a few examples.

00:48

We're going thio, Look at how do we go about tailoring? Exploits were publicly available and just a little touch on exploit modification again, just describing everything in a high level and making you aware of how these things should look.

01:03

So what is a customized exploit? Well, every attack is typically not the same and how the Exploitation Avenue occurs. So in order for us to be successful, we have to provide tailored and customize exploits based on a scenario. And so if we're doing wireless testing

01:21

and we've got a specific technology in use,

01:23

then there needs to be an identified attack type based on the technologies that are in place. And so having an understanding of the same areas were looking at and the applicability of an exploit

01:38

is one of the most important expect aspects of this particular phase within the penetration test and so on. Exploit is specific to Sisko Wireless device

01:48

and the wireless devices in question. Are Netgear some other type of device?

01:53

Chances are they exploiting what work? And so it doesn't make sense for us

01:57

to attempt to use that exploit. And so this is pretty much what we're looking at here is that we're looking at the exploits that are tailored to and specific to certain patch levels. Certain service types.

02:08

There may be a way that we could modify some of the code within the exploit, provided Thio fit and work against that system, but that would require again additional testing and thinks that nature and so some examples of exploits

02:21

that air specific like there's Apache strut. So this is all exploit BB and things of that nature that we look through. And so Apache struts 2.3 point five. And so this is specific Thio these particular versions of Apache

02:38

and anything outside of that. It would likely be that this would not functional work because the vendor has likely patch this particular issue. Same thing with this Windows seven remote desktop.

02:49

So this is specific to Window 7 32 bit.

02:54

And even after you go in and read more on this exploit, it's specific to a particular patch level of Windows seven. And so again, you're gonna have to do some research and understand where you may be able to make modifications to Taylor. These exploits to fit your needs.

03:12

And so how do we go about tailoring and exploit

03:15

well in a number of occasions? Again, exploits are publicly available, and so you may have to do some work. So if it's designed for Windows X P Service, Pack two and

03:28

we're attacking Windows X P service pack three systems,

03:30

the exploit may not work. We may need to make some modifications,

03:35

and so we should have some knowledge in place to be able to customize and exploiting the ability to change on the fly in order to complete an attack.

03:44

So if you know that the clients running at a specific service pack of Windows X p like service pack three,

03:51

it's likely that you can do research on that particular service pack and likely find exploits. It would be available for it instead of having to spend ah, lot of time tailoring the exploiting, customizing it again. If time is of the essence

04:06

and we don't have the capability or the No Hall, how are the ability to make these modifications? Then we'll need to seek, you know, other vectors that are available to us

04:17

and so again, within exploit DBS. You can see here this is just a snippet from the site.

04:24

It's just got as some titles of exploits here some dates. So if we're looking at this from left to right, you'll note that we've got a date here, whether or not it was validated, the title of the Exploit, the type, the platform and the author. Now you can search by C V E

04:43

here and using the filters. And so if you need to find exploits that Air Force specific CV,

04:47

you can do so now. remember,

04:50

exploit A D B may not be all encompassing, so you want the source that from multiple sites. And so here's a quick example of a snippet.

05:00

So essentially you can see they do provide some directions in modifying exploits, providing the appropriate information. So the Port four Rdp in this case, maybe something other than 3389 So we may need to make a change there. The host I P, is going to need to be different.

05:18

You always want to ensure that you replace the shell code in an exploit, especially for exploits that are not

05:26

validated. You could, you know, make a connection or provide ah connection out to an actual attacker system, depending on the circumstance and and where you get the information from.

05:36

And so if you can't look at this and make a determination on where you need to make modifications, you need to proceed with caution, and you need to work through the particular exploit code and ensure that you understand all the different components of it. There may be something stuck into it that

05:55

is meant to provide additional information on your system or a connection to your system. or it may pull a payload to your system.

06:01

So always keep these things in mind when you're modifying, exploits and, uh, you know, trying to make those fit into your particular scenario. So a quick check on learning true or false, you can typically find and run and exploit without any modifications to the exploit.

06:18

Well, if you need additional town, please pause the video. But in this case, this is a false statement. In most instances, we will need to make it least minor modifications to exploit code and order for it to run. In some cases, you may not. If you're using, like a medicine boy,

06:33

exploit where is built into the framework, but it will ask for parameters up front, which it will then put into

06:40

the backend exploit codes. So even in those cases modifications are made, an information must be provided.

06:47

So in summary,

06:48

we described what it customized exploit is. We looked at some examples. We described how we could go about tailoring those exploits as far as looking at publicly available information and a few step. It's on just modification and things that we would want to look for

07:04

again at a high level. This is really to help you get started to help you understand what you should be looking for in doing within your testing.