Common Attack Techniques


The specific attacks a pen test team chooses will depend on the target environment. However, there are common attacks that every chief information security officer (CISO) should worry about. These include:

  • Social engineering, including phishing and malware distribution
  • Injection attacks, including SQL injection, cross-site scripting (XSS), cross-site request forgery (XSRF), and directory traversal
  • Denial of service (DoS)
  • Session hijacking/man-in-the-middle attacks
  • Credential reuse
  • Brute forcing/password cracking

Many attack types use common techniques such as spoofing/impersonating, replaying authorized traffic in an unauthorized way, or exploiting software vulnerabilities. Most successful attacks today involve some level of social engineering, either through clicking trusted websites that have been compromised, or sending malicious code or links through email or social media. Private networks tend to have fewer security controls than the Internet, but they are harder for an outsider to access. You would have to find a way in. Common ways to gain access to a private network include:

  • Installing socially engineered malware on an internal computer
  • Breaking into a WAP or remote access server
  • Physically planting a malicious device on the private network
  • Colluding with an insider

Exploits and Payloads

Exploits and payloads work together to compromise a system, but they are not the same thing. The exploit is the mechanism that delivers the payload. It is a sequence of commands that takes advantage of a vulnerability. Typical exploit types include:

  • Buffer overflows
  • Code injection
  • Web application exploits

Some tools rank their exploits based on reliability and effectiveness. For example, Metasploit has a ranking system ranging from Manual (unstable, difficult to use, basically a denial-of-service), to Low (under 50 percent success rate), all the way to Excellent (succeeds nearly every time without crashing the target service). Not all exploits have to be technical in nature. For example, you could use social engineering as your exploit, inducing your victim into installing malware on their device.

Once you have broken into a system using an exploit, you can then deliver the payload. This is code that will run on the target, performing some kind of task or giving the attacker interactive control. Examples of common payloads include:

  • Meterpreter
  • VNC or other remote control
  • Backdoors and Trojans
  • Malicious DLLs
  • Self-propagating worms and viruses

Payloads can either perform tasks on their own with no additional direction, or they can wait for commands from the attacker. They can either open a listening port and wait for an attacker to connect, or they can make a connection back to the attacker. This is especially useful when the victim is behind a firewall which the attacker cannot get past.

Most exploits and payloads are platform-specific. However, you can usually choose which payload you would like the exploit to deliver. In some cases, the exploit will deliver a small payload called a stager. Lightweight and reliable, the stager is a sort-of advance party used to gain a foothold on the victim. Once the stager launches, it downloads the larger payload (stage) from the attacker. Some payloads are self-contained and do not require the two-step stager/stage process. In Metasploit, such standalone payloads are called singles.

Exploit Modification

Exploit modification is the process of changing an exploit that works against a particular vulnerability, but does not work under certain conditions. A common example of this would be a buffer overflow that works against a particular Windows service, but does not work if any service packs have been applied. The service packs include patches for the original exploit. However, the author of the service pack might have only created a variant of the original vulnerability. The pen tester can try to locate the exact change and modify the exploit to account for the difference. Typically a debugger is used to see how the target responds to different commands.

Common tools used in exploit modification include:

  • Metasploit
  • Immunity Debugger
  • Android Debug Bridge (ADB)
  • Java Debugger (jdb)

Exploit Chaining

Exploit chaining is the act of using multiple exploits to form a larger attack. Success of the attack depends on all exploits doing their part. Their distributed nature, using multiple forms of attack, makes them complex and difficult to defend against. Some chained exploits must run consecutively, with each depending on the former to complete. But this is not a requirement. You could have chained exploits running in parallel. Each part would have to be in place and complete for the final attack or payload to succeed.

  • A Metasploit exploit that results in a user-level shell, followed by a local privilege escalation attack to give the shell system-level privileges.
  • A module that runs SQL injection, authentication bypass, file upload, command injection, and privilege escalation to finally give the attacker a root level shell.
  • Physically (or electronically) breaking into a private network, planting a malicious device, then using that device to discover and attack vulnerable systems.
  • Distracting a security guard so a colleague can tamper with a camera or alarm system while another colleague breaks into a private office to steal important documents.

Proof of Concept Development

A proof of concept (PoC) is a benign exploit developed to highlight vulnerabilities. It is usually created by a security researcher, and then demonstrated to the target organization or general public. While the technical aspects of the vulnerability might be published in great detail, many researchers do not include the specifics of how their PoC works to discourage malicious actors from using that knowledge to create a real exploit.

Guidelines for Leveraging Information to Prepare for Exploitation

Here are some guidelines you can use as you leverage information to prepare for exploitation:

  • Record vulnerability-to-target mappings in a document that you can use to plan your attacks.
  • Prioritize attack activities based on value to the overall objective, time needed, probability of success, and political need.
  • Choose exploits based on platform and ranking.
  • Choose payloads based on platform, connection type, desired effect, and level of control.
  • When possible, cross-compile exploits and payloads on a single system for convenience.
  • If necessary, use modified exploits to attack target systems with different patch levels.
  • Chain exploits for greater success, and to make your attack more difficult to defend against.
  • Use proof of concept exploits as the basis to develop your own exploit code. If you are not a coder, use the PoC to search for someone else’s code.
  • When social engineering, use various deception tactics to obtain the information you need, or to trick a user into completing a task for you.
  • When password cracking, choose the technique that best suits your need: dictionary, rainbow table, or brute force.

Dictionary Attacks

A dictionary attack is the most straightforward type of automated password attack. A password cracking tool goes through a list of words until it either finds the password or exhausts the list. The hope is that the list is large enough to contain the password. Since most users choose simple, easy-to-remember passwords, chances are excellent that many common passwords can be found in the list. Security researchers have spent years collecting and collating wordlists. Some online websites, under the guise of password strength testing, actually collect passwords from visitors to add to these lists.

There are practical limits to using a dictionary attack. You must first know the user name. Some password crackers include lists of common user names, including administrator-type accounts. Password lists can become unwieldy in size. A list of 1.5 billion words is about 15 GB (uncompressed) in size. This may be difficult for the password cracker (or its system) to load or manage. Most systems have policies that lock out a user after only a few wrong password attempts. There are several techniques you can use to bypass the limits. These include:

  • Stealing a copy of the file or database that contains the user credentials, and attempting to crack the passwords offline.
  • Inducing the system to “dump” its passwords (in hashed format) so that you can crack them offline.
  • Intercepting a network authentication and sending the intercepted login hash to the password cracker.
  • Running the password cracker against a network service that does not have a lockout policy.
  • Running the password cracker against a user account such as administrator or root that is exempt from a lockout policy.

Offline Password Attacks

Not all password attacks are conducted across the network. An offline password attack is one in which the cracker does not try to log in to the target system. Instead, a copy of the file that contains user names and passwords (such as /etc/shadow in Linux or the SAM database in Windows) is stolen from the system. The attacker then runs the crack on their own machine against this file. An alternative to stealing the entire file is to get the system to display (dump) all of the credentials in their encrypted (hashed) format, take a copy of the dump, and then subject it to the cracker.

Rainbow Table Attacks

A rainbow table attack is a type of dictionary attack in which the passwords in the wordlist have been pre-computed into their corresponding hash values, and then compressed in a highly efficient manner. This makes offline password cracking attacks faster. The cracker does not have to spend time computing the hash of every password it tries. Most operating systems do not store user credentials in cleartext. Instead, they store hashes of the passwords. When a user logs on, the system takes the submitted password and hashes it. It then compares the result to the hash in its credentials file. If there is a match, the user is assumed to have supplied the correct password and is permitted entry.

If you manage to steal the credentials file that contains the users’ hashed passwords, you could conduct an offline attack on that file. If your dictionary contained pre-computed hashes instead of plaintext passwords, your password cracker could simply compare the password hashes to the dictionary hashes until a match is found. The crack would be exceptionally fast. The trade-off, however, is that most hashes are considerably larger than the original password. The size of your dictionary could become unwieldy. A rainbow table is a compromise between a plaintext table and a pure hash table. It uses a special reduction function to dramatically reduce the size of the dictionary. For example, 2.5 million hashes could be stored in a text file of 25 entries. For comparison, a rainbow table that is 64 GB in size can calculate over 70 trillion hashes. By contrast, a plaintext dictionary of the same size would contain about 6.5 billion passwords. A pure hash table would contain only about 4 billion hashes. The downside of a rainbow table is that it requires more computational power to use than a pure hash table. This is because it has to perform some calculations from its hash “chains” to produce the values that it does not directly store. However, it is by far the best choice for cracking complex passwords and orders of magnitude more efficient than a plaintext dictionary.

Password crackers that use rainbow tables include:

  • Ophcrack
  • RainbowCrack

Note: For more information on rainbow tables, see the following: and

Credential Brute Force Attacks

A credential brute force attack is one in which the attacker tries many passwords in the hope of eventually guessing the right one. If the attacker’s wordlist dictionary is exhausted, the cracking tool can then try variations of the passwords by substituting numbers or special characters for letters. It can also simply try combinations of characters until the password is found. If the password is used to create an encryption key, the attacker could alternatively try to guess the key. An example of this is a Wi-Fi password that is used to create a hexadecimal-based numeric key. The user need not guess the original password, but rather use other ways to extract the key and use it to access the system. If the password is short, such as a 4-digit PIN, an automated tool could go through all possible combinations in minutes. The longer and more complex the password, the harder it will be to break. If it is not practical to try to crack the password, the attacker might instead steal the password hash and supply that in place of the password itself.

Note: For more information about password strength, visit

Leave a Reply

Your email address will not be published. Required fields are marked *