Exploits and payloads work together to compromise a system, but they are not the same thing. The exploit is the mechanism that delivers the payload. It is a sequence of commands that takes advantage of a vulnerability. Typical exploit types include:
- Buffer overflows
- Code injection
- Web application exploits
Some tools rank their exploits based on reliability and effectiveness. For example, Metasploit has a ranking system ranging from Manual (unstable, difficult to use, basically a denial-of-service), to Low (under 50 percent success rate), all the way to Excellent (succeeds nearly every time without crashing the target service). Not all exploits have to be technical in nature. For example, you could use social engineering as your exploit, inducing your victim into installing malware on their device.
Once you have broken into a system using an exploit, you can then deliver the payload. This is code that will run on the target, performing some kind of task or giving the attacker interactive control. Examples of common payloads include:
- VNC or other remote control
- Backdoors and Trojans
- Malicious DLLs
- Self-propagating worms and viruses
Payloads can either perform tasks on their own with no additional direction, or they can wait for commands from the attacker. They can either open a listening port and wait for an attacker to connect, or they can make a connection back to the attacker. This is especially useful when the victim is behind a firewall which the attacker cannot get past.
Most exploits and payloads are platform-specific. However, you can usually choose which payload you would like the exploit to deliver. In some cases, the exploit will deliver a small payload called a stager. Lightweight and reliable, the stager is a sort-of advance party used to gain a foothold on the victim. Once the stager launches, it downloads the larger payload (stage) from the attacker. Some payloads are self-contained and do not require the two-step stager/stage process. In Metasploit, such standalone payloads are called singles.
Exploit modification is the process of changing an exploit that works against a particular vulnerability, but does not work under certain conditions. A common example of this would be a buffer overflow that works against a particular Windows service, but does not work if any service packs have been applied. The service packs include patches for the original exploit. However, the author of the service pack might have only created a variant of the original vulnerability. The pen tester can try to locate the exact change and modify the exploit to account for the difference. Typically a debugger is used to see how the target responds to different commands.
Common tools used in exploit modification include:
- Immunity Debugger
- Android Debug Bridge (ADB)
- Java Debugger (jdb)
Exploit chaining is the act of using multiple exploits to form a larger attack. Success of the attack depends on all exploits doing their part. Their distributed nature, using multiple forms of attack, makes them complex and difficult to defend against. Some chained exploits must run consecutively, with each depending on the former to complete. But this is not a requirement. You could have chained exploits running in parallel. Each part would have to be in place and complete for the final attack or payload to succeed.
- A Metasploit exploit that results in a user-level shell, followed by a local privilege escalation attack to give the shell system-level privileges.
- A module that runs SQL injection, authentication bypass, file upload, command injection, and privilege escalation to finally give the attacker a root level shell.
- Physically (or electronically) breaking into a private network, planting a malicious device, then using that device to discover and attack vulnerable systems.
- Distracting a security guard so a colleague can tamper with a camera or alarm system while another colleague breaks into a private office to steal important documents.
Proof of Concept Development
A proof of concept (PoC) is a benign exploit developed to highlight vulnerabilities. It is usually created by a security researcher, and then demonstrated to the target organization or general public. While the technical aspects of the vulnerability might be published in great detail, many researchers do not include the specifics of how their PoC works to discourage malicious actors from using that knowledge to create a real exploit.
Guidelines for Leveraging Information to Prepare for Exploitation
Here are some guidelines you can use as you leverage information to prepare for exploitation:
- Record vulnerability-to-target mappings in a document that you can use to plan your attacks.
- Prioritize attack activities based on value to the overall objective, time needed, probability of success, and political need.
- Choose exploits based on platform and ranking.
- Choose payloads based on platform, connection type, desired effect, and level of control.
- When possible, cross-compile exploits and payloads on a single system for convenience.
- If necessary, use modified exploits to attack target systems with different patch levels.
- Chain exploits for greater success, and to make your attack more difficult to defend against.
- Use proof of concept exploits as the basis to develop your own exploit code. If you are not a coder, use the PoC to search for someone else's code.
- When social engineering, use various deception tactics to obtain the information you need, or to trick a user into completing a task for you.
- When password cracking, choose the technique that best suits your need: dictionary, rainbow table, or brute force.