Dailydave mailing list archives
Re: Exploits are important (or "Challenging your assumptions")
From: Val Smith <valsmith () attackresearch com>
Date: Wed, 11 May 2011 16:15:49 -0600
> it comes down to this: Exploits are important.
For sure, I def use them, and if you're doing things like Stuxnet, which is the direction the cool work seems to be going IMO vs. PCI audits, you need something at least exploit-like.
> But that doesn't challenge an organization's assumptions. People expect to get lied to. And they expect misconfiguration and lacking IT management.
IDK about this; in my experience every company I have done work for expects someone to throw a buffer overflow at them, and so they put a ton of resources into IDS & overflow signatures as well as firewalling off services. Except that when I do IR for them, this is almost never how I see them get hacked (with the exception of browser bugs). When I talk to them about other methods they are usually mystified.
> Exploits provide 3 major assumptions to attackers:
> 1. The attacker is ring0 on any machine they can execute binary code on.
> 2. The attacker can execute binary code on any machine they can convince to connect to them (say, a browser).
> 3. The attacker can execute binary code on any machine they can get to execute interpreted bytecode (say, a PHP interpreter, or Python on Google App Engine, or Adobe Reader).
100% agree with above, very well put and very true.
> So yes, even though, as Val Smith says, learning a complex toolset like an attack framework requires significant time investment, if it can get you root once, when otherwise you'd have to fiddle around guessing passwords and leaving logs, it's well worth it. :>
I can't speak to what Mitnick does, but a couple of things:

- I wonder how many blackhats are using frameworks? And I don't mean specific custom toolsets that they write themselves, because I do that. In my experience none, unless they want to look like a pen tester. Note that frameworks != exploits. I use exploits all the time, especially 0day, but in very specific ways and as a part of a larger activity.
- As far as leaving logs, I've only ever been detected once that I know of, and it wasn't via a log but by a monitored egress port, my bad.
- Fiddling around guessing passwords is something I mostly do for school competitions like NCCDC. Gotta give the kids a chance, you know ;)
- Generally our engagements involve a lot of deep learning of some proprietary system better than its developers know it, reverse engineering, reading code, system integration, development, protocol stuff, traffic analysis and P.I.-like leg work. But we are definitely involved in a different class of "testing" than regular "coverage" pen-tests (as jcran so succinctly put it), where frameworks are totally appropriate.
- A large portion of the time I don't care about root, I care about data, and usually it's a regular user account (which is less monitored) that has access to it.

So don't misunderstand; exploits and frameworks are important and useful, just less so for the type of stuff I do than they used to be.

V.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave