What is the process in which hackers find exploits? What websites do hackers read?
How do they find and identify vulnerabilities?
Where can I find a true hacker community or forum on the Internet?
Merged question: How does one become a hacker?
Last Asked Mar 24, 2017
Let's suppose that this is the web form for that vulnerable application:
If you put in an IP address, such as "8.8.8.8", the application would take that
input and create a command for the command line.
Let's suppose that an attacker inputs the following in the IP address box:
If you don't already know, the ';' is an end of command character. It marks the
end of a command and allows you to start a new one. In other words, after the
ping command completes, the system will run "cat /etc/passwd".
Therefore, not only will the web application ping 8.8.8.8 three times, it will also
display the contents of the /etc/passwd file -- an important file that contains a
list of usernames on that system.
How do you find this type of vulnerability? You have a number of different
options:
Learn about vulnerable code and search for them on Github and other
online source code repositories. Hint: for PHP it is system and passthru
Web applications are a great place to start. Not only are web applications
easier to understand (compared to buffer overflows, off-by-one, stack overflow,
and format string vulnerabilities), they are also easier to exploit. Start by reading
the OWASP Top Ten Project.
Go through each of the OWASP top 10 categories and learn everything you can
about it. Once you feel like you understand the vulnerabilities, you can use the
OWASP WebGoat Project to practice what you learned.
WebGoat is a deliberately insecure web application that you can use to practice
finding and exploiting vulnerabilities.
Keep practicing and learning new techniques. If you run out of things to learn,
go back to Exploits Database by Offensive Security and look at the latest
exploits. You will end up finding new hacking techniques that you can
incorporate into your growing tool kit.
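The ping form described above, as an added example that is not part of the original answer: the string-built command the answer describes sits beside a hardened builder that validates the input as a bare IP address and passes it to ping as a separate argument, so no shell ever parses it. Inputs, function names and the `-c 3` count (three pings, as in the answer) are constructed for this example.

```python
import ipaddress
import subprocess

# Added example (not the answer's code). It contrasts the string-built command
# the answer describes with a hardened version that validates the input as an
# IP address and never hands it to a shell.


def build_ping_command_vulnerable(user_input: str) -> str:
    """The pattern the answer describes: user input pasted into a shell string.

    Returned as text only, never executed here. If this string reached a
    shell, a ';' in the input would end the ping command and start a new one.
    """
    return "ping -c 3 " + user_input


def is_valid_ip(user_input: str) -> bool:
    """Allowlist check: True only if the whole input is one IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(user_input: str) -> list:
    """Hardened builder: validate first, then return an argv list.

    Each list element reaches ping as exactly one argument, so shell
    metacharacters can never start a second command.
    """
    if not is_valid_ip(user_input):
        raise ValueError("input is not a bare IP address: %r" % user_input)
    return ["ping", "-c", "3", str(ipaddress.ip_address(user_input.strip()))]


def run_ping(user_input: str) -> str:
    """Execute the validated command without a shell and return its stdout."""
    argv = build_ping_argv(user_input)
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=15, check=False)
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: a benign address and the injection shape the answer describes.
    for sample in ("8.8.8.8", "8.8.8.8; cat /etc/passwd"):
        print("vulnerable string:", build_ping_command_vulnerable(sample))
        print("accepted as IP?  ", is_valid_ip(sample))
```

The check is an allowlist (the input must parse as an address), not a denylist of bad characters; if the form is meant to accept hostnames as well, add a separate strict hostname check rather than loosening this one.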
and usually involves increasing the privileges of the user account running the
exploit. Those who utilize exploits often use social engineering to gain critical
information needed to access the system. Many crackers (or hackers) take pride
in their knowledge of software exploits and post them to a website to share or
boast with other crackers. Web browsers and media players are often targets by
crackers since they both have access to system information and can download
files from the internet. Patches (or “fixes”) are intended to remedy these
vulnerabilities as soon as they are revealed and are often distributed in software
updates. Hence, it is vital to keep your software up-to-date in order to make sure
that all known vulnerabilities are patched. A zero-day exploit is one that the
software's creator has not yet discovered. To prevent losing data because of an
attack taking advantage of an exploit, it is a good idea to keep regular backups of
the data saved on your computer.
The Process
-Tricks
Given that most hackers are motivated by curiosity and have time to try endless
attacks, the probability is high that eventually they do find a sophisticated
method to gain access to just about any environment. However, these aren't the
types of attacks we address in this article, because most successful intrusions
are accomplished through well-known and well-documented security
vulnerabilities that either haven't been patched, disabled, or otherwise dealt
with. These vulnerabilities are exploited every day and shouldn't be.
available over the Internet. Less experienced hackers, commonly called "script
kiddies," then run the scanning tool 24 x 7, scanning large numbers of systems
and finding many systems that are vulnerable. They typically run the tool
against the name-spaces associated with companies they would like to get into.
The script kiddies use a list of vulnerable IP addresses to launch attacks, based
on the vulnerabilities advertised by a machine, to gain access to systems.
Depending on the vulnerability, an attacker may be able to create either a
privileged or non-privileged account. Regardless, the attacker uses this initial
entry (also referred to as a "toe-hold") in the system to gain additional privileges
and exploit the systems the penetrated system has trust relationships with,
shares information with, is on the same network with, and so on.
Once a toe-hold is established on a system, the attacker can run scanning tools
against all the systems connected to the penetrated system. Depending on the
system compromised, these scans can run inside an organization's network.
sadmind exploit. Hackers frequently use this vulnerability to gain root access on
Solaris 2.6 OE systems.
Using only a search engine and the CVE number, found by searching through
the Mitre site listed previously, it is possible to find the source code and detailed
instructions on how to use it. The entire process takes only a few minutes. The
hacker finds the source code on the SecurityFocus web site and finds detailed
instructions on the SANS site.
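The scanning behaviour described in the answer above, seen from the defender's side, as an added example that is not part of the original answer: a small detector run over constructed firewall log lines that flags a source probing many ports on one host (the external scanner) and a source probing one port across many hosts (the shape of a compromised "toe-hold" sweeping the network it sits on). The log format, thresholds and addresses (RFC 5737 documentation ranges) are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example (not from the answer). Flags two scanning patterns in firewall
# logs: one source probing many ports on one host ("vertical"), and one source
# probing one port across many hosts ("horizontal"). Format is constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Constructed sample log: an external scanner, a normal web client, an internal
# host sweeping port 445 on its neighbours, and one routine SSH login.
SAMPLE_LOG = """\
2017-03-24T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=21 action=DROP
2017-03-24T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=22 action=ACCEPT
2017-03-24T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=23 action=DROP
2017-03-24T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=25 action=DROP
2017-03-24T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=80 action=ACCEPT
2017-03-24T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=443 action=ACCEPT
2017-03-24T10:00:04Z src=203.0.113.5 dst=192.0.2.10 dport=3306 action=DROP
2017-03-24T10:01:10Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT
2017-03-24T10:05:30Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT
2017-03-24T10:09:00Z src=198.51.100.7 dst=192.0.2.10 dport=80 action=ACCEPT
2017-03-24T11:30:00Z src=192.0.2.10 dst=192.0.2.11 dport=445 action=DROP
2017-03-24T11:30:00Z src=192.0.2.10 dst=192.0.2.12 dport=445 action=DROP
2017-03-24T11:30:01Z src=192.0.2.10 dst=192.0.2.13 dport=445 action=ACCEPT
2017-03-24T11:30:01Z src=192.0.2.10 dst=192.0.2.14 dport=445 action=DROP
2017-03-24T11:30:02Z src=192.0.2.10 dst=192.0.2.15 dport=445 action=DROP
2017-03-24T11:30:02Z src=192.0.2.10 dst=192.0.2.16 dport=445 action=DROP
2017-03-24T12:00:00Z src=192.0.2.50 dst=192.0.2.10 dport=22 action=ACCEPT
"""


def parse_log(text):
    """Parse recognised lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def detect_scans(text, window=timedelta(seconds=60), port_threshold=5, host_threshold=5):
    """Return {src: 'vertical' | 'horizontal'} for sources that scan within any window."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, latest in enumerate(evs):
            # Look back over the window that ends at this event.
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[:i + 1]:
                if latest["ts"] - e["ts"] <= window:
                    ports_per_host[e["dst"]].add(e["dport"])
                    hosts_per_port[e["dport"]].add(e["dst"])
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                findings[src] = "vertical"
                break
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                findings[src] = "horizontal"
                break
    return findings


if __name__ == "__main__":
    for src, kind in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {kind} scan")
```

Both ACCEPT and DROP lines count, since a scan's signature is the spread of targets, not the verdict on each packet; on real data the thresholds and window need tuning against the network's normal traffic.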
Getting into your system would involve exploiting whatever services exposed to
the world. While nodejs and other custom web servers are gaining popularity,
exploiting Apache web server or whatever insecure web application it runs, is a
tried and true attack vector. If I compromised your WordPress and convinced it
to give me a web shell, I now have access rights of your web server. My next step
is to escalate them to root level.
Let's look at privilege escalation after I somehow gained access to your system,
which are their own exploits, and now have user-level access. I can't modify
restricted files to create a backdoor.
There is a way to mark a system utility to execute with "root" privileges. We refer
to this as "suid root". A typical system today has only a few of them, but in the
past there were many such utilities.
My next goal for that system is to cause of one of these special files to run my
malicious code with system rights. If I am successful in doing that, I found an
exploit for that utility.
Writing an exploit usually involves writing so-called "shell code". You force a
privileged tool to execute this "shell code" and then you get "root" privileges.
Here is some information about that: Shellcoding for Linux and Windows Tutorial
The attacker will usually research vulnerabilities in her own lab running exactly
the same version of software and similar processor architecture as her target.
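The "suid root" utilities the answer above describes are exactly the files a defender should be able to enumerate. As an added example, not code from the answer's author, here is an audit that reports every setuid-root regular file not on a known allowlist; the allowlist and the sample entries are constructed, and on a real host the list should come from the distribution's package manifest.

```python
import os
import stat

# Added example (not the answer's code): an audit of setuid-root programs,
# the files the answer says a typical system should have only a few of.
# Every setuid-root file outside a known allowlist is reported.

# Constructed allowlist; replace it with the package manifest of the audited host.
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file owned by uid 0 with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def unexpected_suid_root(entries, allowlist=frozenset(EXPECTED_SUID_ROOT)):
    """entries: iterable of (path, st_mode, st_uid). Returns sorted unexpected paths."""
    return sorted(
        path for path, mode, uid in entries
        if is_suid_root(mode, uid) and path not in allowlist
    )


def walk_filesystem(root="/"):
    """Yield (path, st_mode, st_uid) for files under root; unreadable entries are skipped."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed sample entries. 0o100000 marks a regular file and 0o4000 is the
# setuid bit, so 0o104755 is the familiar "-rwsr-xr-x".
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/vim", 0o100755, 0),               # no setuid bit
    ("/home/alice/bin/helper", 0o104755, 1000),  # setuid, but not root
    ("/var/tmp/.update", 0o104755, 0),           # setuid root, unknown: report
    ("/usr/local/bin/oldtool", 0o104711, 0),     # legacy setuid-root utility: report
]


if __name__ == "__main__":
    print("unexpected in sample:", unexpected_suid_root(SAMPLE_ENTRIES))
    # On a real host (needs read access to the tree), for example:
    # print(unexpected_suid_root(walk_filesystem("/usr")))
```

Running the walk periodically and diffing the result against the previous run turns this into a cheap integrity check: a new setuid-root file is a change worth an explanation every time.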
Bugs aren’t random. It’s not like every nth line of code has something
exploitable. Software that tries to do certain things, fails in certain ways, over
and over and over again.
So mostly we look for the old problems, and port them over to their new hosts.
There are three main strategies for finding bugs. Design review — just look at
what it’s trying to do, and figure out if it did it wrong. Code review — look at how
it’s built, either as source code or compiled binaries (both help, both matter).
And Fuzzing.
Fuzzing is basically throwing noise at software, and seeing what happens. Bugs
might only show up one out of a million tests, but if you try things a hundred
million times, you’re going to get a hundred bugs.
Fuzzing gets smarter each passing year. What that means is that instead of
throwing random noise at code, we watch what happens as we talk to the
software, and learn from it. Bugs are not random, because software is not
random. You have to *reach* a bug, in order to find it.
Alternatively, if you’re twenty levels deep into a program and you find a
problem, who knows if that problem is even exploitable. Anywhere along those
19 layers above you might be something that stops you. Often it’s a hassle to
figure that out.
SAT and SMT solvers are technologies that automate figuring out if things are
exploitable after all. They’re quite effective. These solvers of course are used in a
variety of ways; they’re probably the most effective “machine learning” tech in
security right now.
Answer requested by Roman Riga
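The point above that "you have to reach a bug in order to find it" and that fuzzers now learn from what the software does, as an added example that is not part of the original answer: a constructed toy target whose bug sits behind four nested byte checks, and a minimal coverage-guided fuzzer that keeps an input as a new seed whenever it executes a line of the target no earlier input reached. Blind random bytes would need on the order of 2^32 tries to hit all four checks at once; with line-coverage feedback each check is found separately. The target, mutation strategy and budget are all constructed for this example.

```python
import random
import sys

# Added example (not the answer's code). A toy target with a bug that is only
# reachable through four nested checks, plus a minimal coverage-guided fuzzer:
# instead of blind noise, an input is kept as a new seed whenever it executes a
# line of the target that no earlier input reached.


def target(data: bytes) -> None:
    """Constructed toy parser; the bug sits behind four byte checks."""
    if len(data) < 4:
        return
    if data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise RuntimeError("bug reached")


def run_with_coverage(func, data):
    """Run func(data); return (set of line numbers executed inside func, crashed?)."""
    covered = set()

    def tracer(frame, event, arg):
        if frame.f_code is not func.__code__:
            return None            # only trace the target itself
        if event == "line":
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(data)
        crashed = False
    except RuntimeError:
        crashed = True
    finally:
        sys.settrace(None)
    return covered, crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random edit: overwrite a byte (most often), insert one, or delete one."""
    buf = bytearray(data)
    roll = rng.random()
    if roll < 0.7 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif roll < 0.85:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(func=target, seed=0, max_iters=400_000):
    """Return (crashing input, iterations used), or (None, max_iters) if none found."""
    rng = random.Random(seed)
    corpus = [b"\x00\x00\x00\x00"]   # initial seed input
    seen_lines = set()
    for i in range(1, max_iters + 1):
        candidate = mutate(rng.choice(corpus), rng)
        covered, crashed = run_with_coverage(func, candidate)
        if crashed:
            return candidate, i
        if not covered <= seen_lines:          # reached a new line: keep as a seed
            seen_lines |= covered
            corpus.append(candidate)
    return None, max_iters


if __name__ == "__main__":
    crash, iters = fuzz(seed=1)
    print("crashing input:", crash, "after", iters, "iterations")
```

Line coverage via `sys.settrace` is the simplest possible feedback signal; production fuzzers instrument edges or compare-operands instead, but the loop is the same: mutate a seed, observe, keep what reaches new code.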
Ryan Rossi
Answered Apr 21, 2017
Most of the answers are great but I want to share educational resources. What
you want to do is do a google search for penetration testing tutorials. The five
phases of a penetration test are recon, scanning, gaining access, maintaining
access, and covering your tracks. You want to learn recon and scanning. A great
place to start is Cybrary - Online Cyber Security Training, Free, Forever. Take
the penetration testing courses; they are free. Some tools used for scanning are
Nmap, OWASP ZAP, Vega, Nessus, and OpenVAS. Once you gain knowledge of
penetration testing go to Vulnerability Assessment & Bug Bounty Programs
and Vulnerability Coordination and participate in their bug bounty programs
to practice. If you find major vulnerabilities you could get paid handsomely.
Does this answer your question?
My opinion is that it depends whether you’re talking about white hats or black
hats.
In most cases, white hats can take their time and or use very little effort. For
example, you can sit back and scan ports or brute force a login. This is
commonly very slow but tends to work after some time.
As for black hats, you work under pressure. As soon as you make your first move,
the clock starts ticking. I do pen-testing and ask that the security
team/department don't know what's about to happen. This allows me to work
under pressure and see if they can catch what's going on. Black hats will find
small exploits; for example spamming a login form or a page querying MySQL
and not caching. The MySQL querying tends only to cause the CPU usage to go
up; yet this can still be damaging to a company. Other methods that shouldn't
work but still do are trying to find password dumps. Most people still use the
same password for everything, and if you find a single dump with their login
information, you may have gotten his or her company Point of Sale login
details.
At the end of the day, it comes down to time. As I stated before once a black hat
starts going, they typically need to stay a few steps ahead.
It's probably derived from Brute-Force password hacking where they figure out
the administrator password by checking it against a list. They just hack it and
hack it until they figure it out.
Those who don't use complex passwords are vulnerable to this type of hack.
For one of my newly acquired clients, the hackers guessed correctly that the admin
login was the web designer's name because she posted it on the home page of
the website. Easy enough, yeah?
SQL Injection is when they go after the database. There are many forms but the
simplest one is when they try to get information from the Users table. The
Administrator is usually the #1 login and so guess what the hackers do? They try
to figure out the name of that login and then they proceed to brute force it.
Recently I saw 560 attempts to login to a friend's website. They were all blocked
by the security plugin though.
If you want to learn more about hacking, you can take classes in what's called
Ethical Hacking. You will learn everything you want to know PLUS you can
probably make a career out of it.
Here are some good articles on the types of hacks - warning - they are very
technical to read: Learn more about Web Site Security - Acunetix
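The Users-table lookup the answer above has in mind, as an added example that is not part of the original answer: the same query built once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite database. The table, rows and function names are all constructed; the tautology input is the standard probe used to confirm that the parameterized version no longer treats input as SQL.

```python
import sqlite3

# Added example (not the answer's code): the Users-table lookup the answer
# describes, once built by string concatenation and once with a bound
# parameter. Runs against a constructed in-memory SQLite database.


def make_db():
    """Constructed sample database with three users; hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("admin", "placeholder-hash-1", "administrator"),
            ("jane", "placeholder-hash-2", "editor"),
            ("bob", "placeholder-hash-3", "subscriber"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The untrusted value becomes part of the SQL text, so a quote in it
    changes the query's logic instead of being matched as data."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The SQL text is fixed; the value is bound as a parameter and can only
    ever be compared against the column, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed tautology probe
    print("vulnerable, normal input:", find_user_vulnerable(db, "jane"))
    print("vulnerable, probe input: ", find_user_vulnerable(db, probe))
    print("safe, probe input:       ", find_user_safe(db, probe))
```

The concatenated version returns every row, including the administrator account, for the probe; the parameterized version returns nothing because no username is literally that string. Every database driver offers the same placeholder mechanism, and it is the fix, not escaping quotes by hand.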