Once hackers have discovered vulnerabilities on systems and platforms, they can proceed to find ways of taking advantage of them. This is known as exploiting a vulnerability, and it gives the hackers a foothold on the vulnerable systems. Vulnerability exploitation can happen at various levels.
Exploitation involves using tools, including the hundreds found within Kali Linux, and custom code to take advantage of discovered vulnerabilities across different software, systems or applications. The tools involved are numerous, range from simple to advanced, and are normally deployed to attack specific vulnerable services. Since these tools are diverse and applicable in a wide scope, we have divided the following sections to cover the different categories in which these tools can be applied.
Web applications are some of the most used applications today. They have evolved to become more user-friendly, dynamic, responsive and reliable. The integration of services with web applications also allows them to be used together with mobile applications and databases. This has made these applications attractive to hackers, who look for various means to abuse this entire stack. The following are some of the tools that hackers use for vulnerability exploitation.
The operating system is the core software that manages the entire computer and all the installed software runs on top of this software. It is therefore very important for the operating system to remain secure or else it runs a risk of being exploited by hackers. These hackers can use the following tools to exploit OSes.
Databases are used together with web applications because this is mostly where the data and information required by users are stored. So, when hackers can attack web applications and gain unauthorized access to the backend database, they can alter the contents of the database to their liking. The following tools allow hackers to exploit databases, and you can use them too.
The exploitation tools above are used in diverse environments and circumstances. It takes the skill, patience and knowledge of a seasoned hacker to know when it is right to use which tool. However, since most of these tools are open-source, people with basic knowledge of Linux commands and how operating systems and networks operate can run these tools against any system.
To avoid falling into trouble, we highly encourage you to only run the tools above within a controlled environment such as virtual machines, and only practice against deliberately vulnerable targets such as WebGoat, Damn Vulnerable Web Application (DVWA) and bWAPP (buggy web application).
Exploit Pack has been designed by an experienced team of software developers and exploit writers to automate processes with the latest techniques so that security professionals can focus on what's really important: The threat.
Adapt your exploit code on the fly, take full control of your target, remain under the radar of the most modern sensors and detection rules. Mitigate and report your attack, then evolve, fix and improve your target.
After a successful exploitation, make use of our state-of-the-art agents, bypass all modern AVs and EDRs and then obtain persistence and exfiltrate data under the radar. Become silent with Exploit Pack.
Zyxel Routers Beware This week we've released a module written by first time community contributor shr70 that can exploit roughly 45 different Zyxel router and VPN models. The module exploits a buffer overflow vulnerability t...
Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available, and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which scientifically measures the effectiveness of all types of vulnerability detection tools, including DAST.
Disclaimer: The tools listed in the table below are presented in alphabetical order. OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below.
OWASP is aware of the Web Application Vulnerability Scanner Evaluation Project (WAVSEP). WAVSEP is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.
An elite Russian hacking team, a historic ransomware attack, an espionage group in the Middle East, and countless small time cryptojackers all have one thing in common. Though their methods and objectives vary, they all lean on leaked NSA hacking tool EternalBlue to infiltrate target computers and spread malware across networks.
This vulnerability is in the Microsoft Support Diagnostic Tool (MSDT), a tool from Microsoft that collects and sends system information back to Microsoft Support for problem diagnostics, such as issues with device drivers, hardware, etc. This tool is in all versions of Windows, including Windows Server OS. Because of the lack of an available patch from Microsoft (as of June 1st, 2022), machines that are not protected by endpoint software or a mitigation strategy are vulnerable to Follina.
The vulnerability exists within msdt.exe, the Microsoft Support Diagnostic Tool. Normally, this tool is used to diagnose faults with the operating system and then report and provide system details back to Microsoft Support.
The vulnerability allows a malicious actor to effectively execute arbitrary code with the same privileges as the application calling it. As has been the case with the original reporting of this from @nao_sec and subsequent experimentation in the wider security community, the calling application is quite often a tool in Microsoft Office (Word, Excel, Outlook, etc.).
The TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks against the international Tibetan community. As observed on May 30 by security researchers, threat actors are now using CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives. Campaigns have impersonated the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.
CVE-2022-30190 has the potential to have significant impact due to its ease of exploitation and ability to bypass Protected View, along with the availability of new PoC code and the lack of a security fix. Administrators and users should monitor updates from Microsoft and apply the patch as soon as it becomes available. Until then, mitigation should be applied as soon as possible.
We produced the following video, showing just how simple it is to utilize this exploit to retrieve an image snapshot and system information from a camera. We also show using a password reset tool to take over a camera:
DHS' ranking of this vulnerability as a 10/10 is even more understandable now that the simplicity of compromising these devices has been proven. This vulnerability is significantly more critical than other recent cyber security announcements in the security industry (e.g., Dahua Suffers Second Major Vulnerability, ONVIF / gSOAP Vulnerability, Axis Camera Vulnerabilities From Google Researcher Analyzed), due to the ease of exploit, the number of impacted devices, and the fact that many impacted devices (e.g., 'grey market') cannot be upgraded to patched firmware.
A tool to reset user passwords (including the admin user) was released within days of the exploit announcement. Hikvision Password Reset Helper allows a user to enter an IP address for a camera, retrieve a list of users, and selectively reset the password for any user. Examining the source code of this tool shows the "auth=YWRtaW46MTEK" string being utilized to change user passwords.
This password tool can just as easily be used maliciously to change passwords on, and take over, other people's cameras. Ironically, this is literally the next generation of the tool, following the previous version that used Hikvision's cracked security codes.
First, Hikvision called this a "privilege-escalating vulnerability", implying an attacker would need some minimal authorized access to the device before they could "escalate" their privileges to a higher role. This is false, as the exploit allows instant direct access to any affected camera.
Third, Hikvision claimed the exploit "may allow" attackers to "acquire or tamper with device information". Our tests, and other reports online, show this is 100% successful on affected devices and allows not just acquisition of or "tampering" with device information; it allows full control of the device, user accounts, and other configuration data that can expose sensitive information, such as email addresses and FTP server info.
Since the September 12th exploit detail release, Hikvision has made no notice publicly nor to dealers about this, despite the release including direct examples showing how simply the exploit can be used, putting customers at significant risk. This continues a pattern of Hikvision failing to proactively and responsibly notify their customers of new material risks to their products.
Honestly not trying to take sides, honest questions:
#1) How is this report different than your previous report detailing the same exact thing? Or am I missing something?
#2) Did Hikvision patch the exploit with the latest firmwares?
In the previous report, the details of the vulnerability, and how to exploit it, were not known. In this report, the actual vulnerability has been disclosed, and it is extremely simple to execute. Any vulnerable camera connected to the internet can be easily viewed, and manipulated, often with something as simple as a copy/paste operation.