Zero Day Angle

00:00

Hello and welcome to another penetration testing execution Standard discussion. Today we're going to be looking at zero day angle within the Pee test standard exploitation section,

00:12

so a quick disclaimer tools and techniques discussed in these videos could be used for system hacking. Any tools that we use or demonstrate should be researched

00:20

and understood by the user. Please researcher applicable laws and regulations in your given area regarding the use of such tools to ensure that you don't get into any trouble with the law.

00:32

So what are the objectives of two days particular discussion? Well, we're going to describe what zero day means. We're going to talk about fuzzing at a high level source code analysis and types of potential exports that we could look at during a zero day type. Um,

00:51

better research. So

00:54

what does zero day mean? Well, in most cases, it's often the last resort for most penetration testers because it's going to take the most time. It's a highly advanced organization that this would represent that can handle a focused attack against the organization through normal attack methods. So

01:15

in these cases were talking advanced levels of programming, it advanced levels of research and design, and so this is typically reserved to simulate nation state a teepee type Attackers. And so, in certain scenarios,

01:29

research may be conducted in order to reverse engineer fuzz or perform advanced discovery of vulnerabilities that may not have been discovered

01:38

can be very time consuming and should be considered. Win. Scoping the engagement in the event this type of attack is applicable. Ensure that the environment to the best of the Attackers. Knowledge is reproduced to include countermeasure technologies,

01:53

meaning that if you want an accurate test for us, the tester, we need to ensure that this environment is replicated accordingly and that we can accurately do the testing.

02:06

So what is fuzzing? Well,

02:08

fuzzing is the ability, essentially to recreate a protocol or application and attempt to send data at the application and hopes to identify a vulnerability. Oftentimes, hopes of a buzzard is to identify a crash in an application and craft a specific exploit out of it.

02:28

In the case of Fuzzing, the attacker again attempts to create a specific vulnerability out of something that hasn't been discovered before. As a part of the penetration test. If no avenues are identified during the engagement or the engagement calls for zero day research.

02:42

Fighting techniques should be leveraged in order to identify potentially vulnerable exposures. And so some top contenders, as faras tools go, is burke sweet.

02:51

I have seen many, many Web application testers, and fuzzing can be used to find known vulnerabilities in a system you know, and looking for things that are comin through like a wasp.

03:04

The OS Top 10 and so fuzzing can be a way to discover now vulnerabilities, but it will commonly be used to then attempt to find unknown vulnerabilities in a system and attempt thio exploit those vulnerabilities. And so these two tools are just two examples of fathers that are very popular and used both burp.

03:23

Burke comes in two flavors. It's got paid for in an open source

03:27

community addition that you can use and then a wasp zap

03:30

is a community maintained fuzz er, so definitely two tools that you want to become familiar with and use if you're going to specialize in this area of testing.

03:42

Now, what is so source code analysis is pretty much in the name S O. If you have source code available or it's open, then you can look at that source code and tried to identify falls within the application.

03:57

A zero day exposures can also be identified through these methods. And so if you have source code available, python, whatever the case may be. PHP.

04:06

There are tools out there that you can do some analysis hand where you can run the code through the tool on dhe. Then there's some ways that you can engage the site to attempt to get the application to respond in a manner that may, you know, show some type of vulnerability that's not known. This could be something that would maybe be specific for custom applications.

04:27

Hopefully for well known applications,

04:30

you would already have some listings of those exposures.

04:32

So what are some type of exploits that we could look for in these manners? Well,

04:38

during the test, we would probably consider buffer overflows to be zero day if they're not already discovered. So some exploits and vulnerabilities found can designate that buffer overflow zehr possible, and there is exploit code out there for that.

04:53

But this is usually when a program right stated to a buffer and then overruns the buffers boundaries and begins to overwrite portions of memory. Ah, lot of times D E. P.

05:00

That we discussed earlier will prevent that from happening. And so there are ways that we would then have to write an exploit to go into the sections of memory that aren't protected. S ch overwrites occur when the structure exception. Handler begins to gracefully close an application the attack that can manipulate how this works

05:20

and overwrite the base address of the handler and gain control of execution flow through

05:28

S C H

05:29

on dhe. Then we've got returned oriented programming, which is common in buffer overflow type attacks. And it's again used to help us to circumvent data execution prevention, D, p and other precluding defense mechanisms that maybe in place and so

05:45

and situations were GPS enabled. The attacker does not have direct access to execute specific assembly instructions, et cetera,

05:51

and so we could use this form of exploitation to write or overwrite portions of memory that would not be protected by the E. P. But again, a lot of this is out of scope of what we're discussing here. These are just some methods again,

06:05

if you're focusing on zero day attacks or that is your specialty. You're probably already well aware of these particular angles and areas. And again, if you're a business owner and you're looking to have this type of testing done, then that's the type of language you're gonna want to be aware of. So keep that in mind as well. So let's do a quick check on learning

06:23

true or false zero day exploitation. Research and execution can be very time consuming.

06:29

Well, if you need additional time to consider the particular statement, please pause the video. But in this case, it rains. True. Zero get exploitation. Research and execution can be very time consuming. That can take a large portion of an organization's time effort energy to vie to find zero day

06:48

exploitation avenues,

06:50

four custom applications or full organization systems that maybe don't use common Softwares. And so this can definitely be very time consuming. And when considering this type of researcher type of testing, know that it will likely be pricey and so

07:08

in summary, we described what zero day means.

07:12

We described fuzzing source code analysis and the types of potential exploits. Keep in mind most of the zero day attacks are essentially going to be attacked types or exploits that are yet discovered and, you know penetration Testers will be doing research and attempting to find these things a lot of times you hear about

07:30

but bounty programs. And this is essentially