Welcome to my cybersecurity guide for beginners. In my first article, I gave an overview of the different phases of an attack. This article focuses on the reason everyone wants to be a hacker: intrusion.
In this series we have finally reached the intrusion stage. In the kill chain model I introduced earlier, the phases that come before Exploitation are Reconnaissance, Weaponization (the "Armament" step in the examples below) and Delivery; Installation and Command & Control come after it.
In the typical intrusion, Delivery and Installation are closely tied to phishing. Though you may not know the term, I'm pretty sure everyone has seen a phishing email at least once. Nowadays, most people have received an email in which, through a disturbing notice (usually alerts about the closing of a bank account, a million-dollar bill, etc.) or the promise of easy money (you're the lucky heir of a millionaire uncle in Argentina), they try to get you to open a malicious attachment or ask you to "confirm your data" by entering your credentials in an online form of some sort.
Since this article deals with a different aspect of cybersecurity (a direct attack on a machine or server), I will not detail those two phases here, and will focus instead on the real subject: exploitation.
We have finally arrived at the moment when the real attack is carried out. You have studied your victim and collected the weapons that will help you achieve penetration; now all that is left is to fire them.
This may seem the simplest step to perform, but it is the hardest to describe, because there is no fixed list of tools: everything depends on what you discovered during reconnaissance and identified as "vulnerable".
By its nature, exploitation is limited to the act of "executing" the exploit; the output of the exploit is normally the starting point of the next step of the attack. By definition, the exploitation phase focuses exclusively on establishing access to a system or a resource by bypassing its security restrictions.
To clarify the concept, consider this first example:
- Reconnaissance: identified a potentially vulnerable service
- Armament: identified the vulnerability and the tool XXX to use for its exploitation
- Exploitation: run tool XXX configured with the victim's parameters (the output is an open reverse shell)
- Command & Control: through the shell opened by tool XXX I can interact with the machine; the attack has succeeded
As you can see, tool XXX underpins the whole attack cycle, but its activity in the exploitation phase is limited to mere execution (parameterized ad hoc, of course).
Other scenarios involve a longer exploitation activity. An example is an attack using SQL injection: having identified a programming flaw, you work out the correct input format to complete the partial query, normally in small steps, learning from the failures and errors the SQL database reports when it tries to run the query. A scenario describing this case could be as follows (here the goal is to access the portal's administrative section):
- Reconnaissance: identified a web portal written in PHP; one of its pages lists database users as the result of a search carried out through a form (mask) in which you can enter some data.
- Armament: identified the possibility of SQL injection in the "name" field of the form.
- Exploitation: this takes time. Through the injection you first identify the number (and type) of fields returned by the original query, then the tables and fields holding the portal's access credentials, and finally you build a query that, using a UNION with the original one, also returns the user and password information.
- Command & Control: you can now log in to the administrative section of the portal.
The actual access to the administrative section, by entering the credentials in its login panel, sits in a limbo between exploitation and Command & Control. But if we go back to what was said before, "exploitation consists of executing the exploit", then we can consider this act the final part of the exploitation phase, the one that leads into the next stage (the output of the access is the availability of the system's administrative section).
A few words on this specific kind of attack: some tools identify the type of injection to perform and try it automatically, but from personal experience I find that a good tester with a background in programming and databases has knowledge, creativity and intellect that go well beyond the tool's capability, even when it is based on complex algorithms. So my advice is: "yes, get help from a tool, but often the human intellect exceeds what the tool can do".