.

Custom exploits // fuzzing

<<

secureseve

User avatar

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Mon Oct 11, 2010 7:55 pm

Custom exploits // fuzzing

Hey guys, what's up? It's been a while since I've had time to log in and check the forums, I've been pretty busy. A fast question came up for debate with a friend of mine and I was wondering what you would normally do during a pentest.

Let's say client-side attacks are not part of the rules of engagement, so you're left with service-side attacks, misconfigurations, web app, etc. If you find services that aren't part of metasploit or other online exploit DBs, do you normally take the time to fuzz the service and create a custom exploit? Or do you move on and try to find a different point of entry? The scope of time is between 2-3 weeks of a large organization. This is just something a friend and I were trying to determine. I especially look forward to reponses from those who aren't very strong in exploit development/fuzzing/RE etc. Not saying that you can't do those, just aren't strong in them, so it may take a long time to actually find a vulnerability in the service.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Oct 12, 2010 3:45 am

Re: Custom exploits // fuzzing

secureseven wrote:Hey guys, what's up? It's been a while since I've had time to log in and check the forums, I've been pretty busy. A fast question came up for debate with a friend of mine and I was wondering what you would normally do during a pentest.

Let's say client-side attacks are not part of the rules of engagement, so you're left with service-side attacks, misconfigurations, web app, etc. If you find services that aren't part of metasploit or other online exploit DBs, do you normally take the time to fuzz the service and create a custom exploit? Or do you move on and try to find a different point of entry? The scope of time is between 2-3 weeks of a large organization. This is just something a friend and I were trying to determine. I especially look forward to reponses from those who aren't very strong in exploit development/fuzzing/RE etc. Not saying that you can't do those, just aren't strong in them, so it may take a long time to actually find a vulnerability in the service.


Finding a 0day in a software service may be very time consuming, but it all depends on the target.

Finding 0days in Web Applications is relatively easy in most cases.

Using only known exploits will limit your chance of cracking the perimeter, except if the target is seriously outdated or new exploits has just been released for you to use and so forth.

Sometimes, it's just a matter of time before a new vulnerability emerges.
Last edited by MaXe on Tue Oct 12, 2010 3:47 am, edited 1 time in total.
I'm an InterN0T'er
<<

secureseve

User avatar

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Tue Oct 12, 2010 10:03 am

Re: Custom exploits // fuzzing

Thanks for your reply MaXe, that was my side of the argument. I figured, if other vectors aren't possible (which should be rare) a custom exploit would be needed as last resort. Have any of you come across a situation?
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Oct 12, 2010 3:36 pm

Re: Custom exploits // fuzzing

I think this really depends on your engagement.  Arguably, all software has some sort of vulnerability, that given enough time you can exploit.  In a consulting engagement, you don't always have the time. 

I usually try to find the path of least resistance.  Like MaXe said, it may be easier to find a SQL injection vulnerability in a web application, than to fuzz and exploit some proprietary app.  That's not always the case.  Sometimes developers subscribe to the theory of security by obscurity.  Sometimes a simple network monitor session will reveal all kinds of goofy things.  More often, I find myself modifying a PoC, rather than starting completely from scratch.  Still, there may be times when starting from scratch is all you have.
~~~~~~~~~~~~~~
Ketchup
<<

secureseve

User avatar

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Tue Oct 12, 2010 9:24 pm

Re: Custom exploits // fuzzing

Yup, thanks guys. That's pretty much what I said in my argument with my peer lol. But I just wanted to hear the voices of others out there. Good insight from both of you.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Oct 13, 2010 7:09 am

Re: Custom exploits // fuzzing

And like for everything in life, it depends!

I once spent a lot of time reviewing an application before it got released, including code review. Once I found a vulnerability, I asked the manager if he wanted me to spend time trying to exploit it (long) or just tell the developpers how to fix it (fast). He said he wanted them to really understand the implications of their mistake, so I got the luxury of spending a few days exploiting it and create a video and a training session. I can tell you that, once you show them that you were able to download the entire database through the vulnerability, they listen to you carefully when you show them how to fix it.

That was a very positive experience for everyone! But it only happened to me once, thanks to a security-aware team lead. But most of the time, I either exploit it when it isn't too time consuming or I ask the client if he wants to spend extra $$$ on it. They usually want to save money...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software