Exploitation Development and Implementation PRESENTER: BRADLEY GREEN

Outline  What is an exploit?  Classifications  How is an exploit developed?  Metasploit  Implementation  Hackers and exploitation  Companies and exploitation

What is an Exploit?  An exploit is “a piece of software, chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior on computer software or hardware.”  Exploits can result in major damages to systems and are often used by hackers  The behaviors invoked by the exploits frequently involve gaining control of a computer system or a denial-of-service attack  There are many different types of exploits and are classified by a variety of characteristics

Classifications of Exploitation  First type of classification of exploits  By how the exploit reaches the vulnerability  Types  Remote Exploit  Local Exploit  Second Type of classification of exploits  The action against the system  Types  Unauthorized data access  Random code execution  Denial of service  Other Types

Exploit Development  Exploitation development is a complex process  Requires knowledge of various programming techniques  Assembly language knowledge and C++  Reverse code engineering  Shellcode and metasploit  Can be broken into multiple steps  Discover vulnerability  Crash and control the application  Uncover, calculate, and confirm  Overwrite the stack  Gather memory address  Develop and weaponize  Reconfirm

Common Tools Used  Metasploit framework is a commonly used tool  Very popular tool for novices and experts  Immunity Debugger  Often used in conjunction with metasploit  Backtrack  IDA  Virtual Machine Software

Metasploit Project  A computer security project that provides information about security vulnerabilities and assists in penetration testing  Used by security firms and hackers alike  Can be used to develop and test written exploits  Can execute exploits against a target machine  Easy to use  Five simple steps to metasploit  Designed to be an educational

Implementation  Discover the vulnerability  Determine if the vulnerability is exploitable  Determine risk of vulnerability  Estimate the capability  Develop the exploit  Choose a method for delivery  Local or remote  Payload is generated  The payload is delivered

Hackers and exploitation  Various types of hackers have different motives  Black Hat Motivation  Grey Hat Motivation  White Hat Motivation  Exploits can be used for personal gain by malicious hackers  Super-user level access  System Control  “Opening the door”  Hackers often use complex techniques  Can use multiple low-level exploits  Specific targeting  Zero Day exploits

Companies and Exploitation  Companies often hire outside penetration testers or “white hats” to prevent exploitation  Examples: Microsoft, Air Force,  Used for loss prevention  Several reasons for penetration testers  Determine feasibility  Higher-risk due to lower-risk  Identifying difficult to detect exploitable vulnerabilities  Assessing the consequences  Network defender assessment  Evidence to support increased investments

Conclusion  What an exploit is  Exploitation and classifications  How an exploit is developed and what tools are needed  Implementation  Hackers and exploitation  Companies and exploitation  Risks involved with exploitation

References  "Exploit (computer Security)." Wikipedia. Wikimedia Foundation, 12 May Web. 05 Dec  Ozment, Andy. "Vulnerability Discovery and Software Security." Andyozment.com.  N.p., n.d. Web. 03 Dec   Rouse, Margaret. "Fuzz Testing (fuzzing)." Searchsecurity.techtarget.com.  N.p., n.d. Web. 03 Dec   "What Is a Security Vulnerability?" What Is a Security Vulnerability? SecPoint,  n.d. Web. 03 Dec   Anley, Chris, and Jack Koziol. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Indianapolis, IN: Wiley Pub., Print.