Custom exploits // fuzzing

Viewing 5 reply threads
  • Author
    Posts
    • #5677
      secureseve
      Participant

      Hey guys, what’s up? It’s been a while since I’ve had time to log in and check the forums, I’ve been pretty busy. A fast question came up for debate with a friend of mine and I was wondering what you would normally do during a pentest.

      Let’s say client-side attacks are not part of the rules of engagement, so you’re left with service-side attacks, misconfigurations, web app, etc. If you find services that aren’t part of metasploit or other online exploit DBs, do you normally take the time to fuzz the service and create a custom exploit? Or do you move on and try to find a different point of entry? The scope of time is between 2-3 weeks of a large organization. This is just something a friend and I were trying to determine. I especially look forward to reponses from those who aren’t very strong in exploit development/fuzzing/RE etc. Not saying that you can’t do those, just aren’t strong in them, so it may take a long time to actually find a vulnerability in the service.

    • #35720
      MaXe
      Participant

      @secureseven wrote:

      Hey guys, what’s up? It’s been a while since I’ve had time to log in and check the forums, I’ve been pretty busy. A fast question came up for debate with a friend of mine and I was wondering what you would normally do during a pentest.

      Let’s say client-side attacks are not part of the rules of engagement, so you’re left with service-side attacks, misconfigurations, web app, etc. If you find services that aren’t part of metasploit or other online exploit DBs, do you normally take the time to fuzz the service and create a custom exploit? Or do you move on and try to find a different point of entry? The scope of time is between 2-3 weeks of a large organization. This is just something a friend and I were trying to determine. I especially look forward to reponses from those who aren’t very strong in exploit development/fuzzing/RE etc. Not saying that you can’t do those, just aren’t strong in them, so it may take a long time to actually find a vulnerability in the service.

      Finding a 0day in a software service may be very time consuming, but it all depends on the target.

      Finding 0days in Web Applications is relatively easy in most cases.

      Using only known exploits will limit your chance of cracking the perimeter, except if the target is seriously outdated or new exploits has just been released for you to use and so forth.

      Sometimes, it’s just a matter of time before a new vulnerability emerges.

    • #35721
      secureseve
      Participant

      Thanks for your reply MaXe, that was my side of the argument. I figured, if other vectors aren’t possible (which should be rare) a custom exploit would be needed as last resort. Have any of you come across a situation?

    • #35722
      Ketchup
      Participant

      I think this really depends on your engagement.  Arguably, all software has some sort of vulnerability, that given enough time you can exploit.  In a consulting engagement, you don’t always have the time. 

      I usually try to find the path of least resistance.  Like MaXe said, it may be easier to find a SQL injection vulnerability in a web application, than to fuzz and exploit some proprietary app.  That’s not always the case.  Sometimes developers subscribe to the theory of security by obscurity.  Sometimes a simple network monitor session will reveal all kinds of goofy things.  More often, I find myself modifying a PoC, rather than starting completely from scratch.  Still, there may be times when starting from scratch is all you have.

    • #35723
      secureseve
      Participant

      Yup, thanks guys. That’s pretty much what I said in my argument with my peer lol. But I just wanted to hear the voices of others out there. Good insight from both of you.

    • #35724
      caissyd
      Participant

      And like for everything in life, it depends!

      I once spent a lot of time reviewing an application before it got released, including code review. Once I found a vulnerability, I asked the manager if he wanted me to spend time trying to exploit it (long) or just tell the developpers how to fix it (fast). He said he wanted them to really understand the implications of their mistake, so I got the luxury of spending a few days exploiting it and create a video and a training session. I can tell you that, once you show them that you were able to download the entire database through the vulnerability, they listen to you carefully when you show them how to fix it.

      That was a very positive experience for everyone! But it only happened to me once, thanks to a security-aware team lead. But most of the time, I either exploit it when it isn’t too time consuming or I ask the client if he wants to spend extra $$$ on it. They usually want to save money…

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?