L7: Exploiting Host-based Vulnerabilities
password cracking
the act of trying to guess or decode encrypted passwords.
buffer overflow
A difficult attack to develop but very powerful when done correctly. The attacker attempts to put more data in a program's memory buffer than it can hold. This overruns the buffer's boundaries, allowing malicious code to be entered (and executed) in adjacent memory addresses.
Memory corruption
A programming error that allows the attacker to hijack the normal execution flow of a program by corrupting the application's memory space.
Buffer or heap overflow
A programming error that allows the attacker to overwrite allocated memory addresses with malicious code.
Five Year Bug
A race condition created by raw mode PTY local echo permits privilege escalation. Affects Linux kernel 3.14-rc1 < 3.15-rc4 (x64). CVE-2014-0196.
Dirty COW Bug
A race condition in mm/gup.c leverages incorrect handling by the copy-on-write (COW) feature by kernel memory subsystem /proc/self/mem. Allows writing to private, read-only memory mappings. Affects Linux kernel 2.6.22 < 3.9 (x86/x64). CVE-2016-5195.
Security feature bypass
A software weakness that allows an attacker to bypass policies, filters, validation, or other security safeguards.
heap overflow
A type of buffer overflow that occurs in dynamically allocated memory addresses.
Cross-site scripting (XSS)
A vulnerability in which a malicious script is injected into a trusted website and then downloaded and executed by the browser of a different end user.
Cross-site request forgery (XSRF)
A vulnerability that allows unauthorized commands to be transmitted from a user to a trusting web application.
/etc/sudoers
Accounts listed in this group can run commands as root.
integer overflow
An arithmetic operation that creates a numeric value that is outside the range (too large or too small) of the bits assigned to represent it. It could allow an attacker to access arbitrary parts of memory for code execution.
ret2libc (return to libc)
An existing function in the C library that eliminates the need for the attacker to inject their own shell code to take control of a target. This result allows arbitrary code execution and escalation of privilege.
Directory traversal
Any condition that allows an attacker to access restricted directories.
Denial of service
Any condition that allows the attacker to consume resources (network, CPU, RAM, disk, allowed connections, etc.) so that the process can no longer service legitimate requests.
remote code execution
Any condition that allows the attacker to execute arbitrary code.
Information disclosure
Any condition that allows the attacker to gain access to protected information.
Privilege escalation
Any condition that allows the attacker to gain elevated access after a system has been compromised.
Network fast flux
Botnets use a rapidly changing network of compromised hosts, making it difficult to keep up with constantly changing IP addresses and DNS names.
Stagefright MMS flaw
Considered the most serious Android flaw to date. Allows an attacker to send a malicious video message that can be processed by the native media playback library without user knowledge. Permits escalation of privilege and remote arbitrary code execution. Affects versions up to 5.1. CVE-2015-3864. Metasploit module exploit/android/browser/stagefright_mp4_tx3g_64bit
A. Copy /etc/passwd and /etc/shadow, combine the copies, and send them to a cracker
How can a pen tester obtain Linux passwords? A. Copy /etc/passwd and /etc/shadow, combine the copies, and send them to a cracker B. Edit GRUB to go into single user mode C. Use a SUID executable to run commands as root D. Perform a buffer overflow using ret2libc to launch /bin/sh
polymorphic malware
Malware adds garbage code to itself every time it runs in an effort to change its signature.
Rootkits and bootkits
Malware attempts to replace parts of the operating system so it can control the system and subvert the anti-malware detection process.
Encrypted archives
Malware is encrypted into an archive or .zip file. The user is socially engineered into opening the package and infecting their system.
Sandbox detection
Malware will try to scan the virtual environment to determine if it has been sandboxed, and to fingerprint the sandbox.
Use-after-free
One of the simplest ways to corrupt memory. The attacker attempts to access memory that has been freed (is no longer needed) by the program. This can cause the program to crash or allow execution of arbitrary code.
SAM (Secure Account Manager)
Registry hive that stores local user names and passwords.
SUID executables
SUID allows a user to run a command as another user. It is often used by administrators to change a user's password. When an application needs to run as the owner, an SUID permissions bit is set to allow this. A number of executables use SUID, but are poorly coded and can allow an attacker to escalate privilege.
Binary packers
Small routines that alter the malware, encrypting and obfuscating it so that it cannot be easily analyzed by antivirus software.
memory leak DoS
The intentional triggering of a memory leak to crash the program or take advantage of unexpected behavior due to low memory.
Logic bombs
The malicious part of the code lies dormant until an event (such as the date) triggers it.
extended sleep
The malware uses extended sleep calls to simply "wait out" the anti-malware analysis time period.
Sticky bits
These are permission bits set on (mostly) directories. They only permit the owner to delete or rename files in that directory. They are especially useful in the shared directories of /var/tmp and /tmp. Sticky bit exploits can be disruptive and cause denial of service.
Botnet command and control
Trick the user into installing "clean" code (a dropper) onto a target machine. That code then connects to a malicious site or IP to download malware.
Insecure sudo
Under certain conditions, this vulnerability allows attackers to circumvent protections and execute commands that would normally require a password, resulting in privilege escalation.
remote root flaw
Unsafe second checksum in udp.c can give a remote attacker complete control of a system via UDP traffic. Affects pre-4.5 Linux kernel. CVE-2016-10229.
A. krbtgt
What default account does Windows use to encrypt and digitally sign Kerberos tickets? A. krbtgt B. guest C. administrator D. defaultuser()
/etc/shadow
What directory are Linux passwords currently stored in?
/etc/password
What directory were Linux passwords originally stored?
A. An encrypted file that contains the proof of identity required for network authentication in active directory
What is a Kerberos ticket? A. An encrypted file that contains the proof of identity required for network authentication in active directory B. A registry hive that is stored on disk and loaded into memory on boot C. A special utility that encrypts hashes in NT 4.0 using RC4 D. A hashing algorithm used for NTLM authentication
C. A self-contained application run in lightweight virtual machines
What is a docker container? A. A browser that runs in low-privilege sandbox mode B. An entire operating system run within their own environment using hardware abstraction C. A self-contained application run in lightweight virtual machines D. A mobile app that must request access from the OS to access resources
C. A permission set on directories to only allow the owner to delete or rename files
What is a sticky bit? A. A directory under root where configuration files are stored B. A hashing algorithm used in /etc/shadow C. A permission set on directories to only allow the owner to delete or rename files D. A directory under root where binary files are stored
C. Credentials for Windows account and single sign-on
What is contained in the Windows vault? A. Active directory database file B. Cached domain login credentials C. Credentials for Windows account and single sign-on D. SYSKEY boot key
B. A programming error that allows the attacker to overwrite allocated memory addresses with malicious code
What is the description of a buffer or heap overflow vulnerability? A. A programming error that allows the attacker to hijack the normal execution flow of a program by corrupting the application's memory space B. A programming error that allows the attacker to overwrite allocated memory addresses with malicious code C. Any condition that allows the attacker to gain elevated access after a system has been compromised D. Any condition that allows an attacker to access restricted directories
B. Any condition that allows the attacker to execute arbitrary code
What is the description of a remote code execution vulnerability? A. A programming error that allows the attacker to overwrite allocated memory addresses with malicious code B. Any condition that allows the attacker to execute arbitrary code C. Any condition that allows the attacker to gain elevated access after a system has been compromised D. Any condition that allows an attacker to access restricted directories
A. Reverse TCP shell
What technique does NOT exploit a vulnerability for Windows privilege escalation? A. Reverse TCP shell B. Local UAC bypass C. DLL hijacking D. Task Scheduler 2.0 exploiting
D. Denial of service
What vulnerability category is the most frequent in Linux? A. Memory corruption B. Directory traversal C. Security feature bypass D. Denial of service
JTAG connector
a simple hardware interface that allows a computer to communicate directly with chips on a board. Although it may have somewhat different pinouts and connector types, it specifies a standardized set of signals and is used in nearly all embedded devices.
JTAG debugging
a troubleshooting methodology used by hardware manufacturers to test printed circuit boards. It can also be used to hack a device; for example, to gain root access to a home router.
cold boot attack
an attacker with physical access to a computer with an encrypted drive may be able to retrieve encryption keys after starting the computer from its off state. When the operating system loads, you scan the system's RAM to find the keys that were stored temporarily in memory and not just on the storage device itself. Although RAM is volatile, it can take several minutes after losing power before data is completely erased.
sandbox
any environment used to isolate a computer process away from other processes, as well as the host.
side-loaded
installed without digital signatures
Privilege escalation
one of the primary objectives in any exploit. It allows the attacker to gain control, access/change sensitive files, and leave permanent backdoors.
serial console
refers to the use of a computer serial port (COM, USB) to provide a direct console interface to a device.