Almost there, couldn’t make it…

The result of the selected research papers for the Technical Symposium is out in my office. I thought I’d surely get selected, given the fact that very few papers on infosec usually compete. I wrote the abstract with confidence (maybe over-confidence). Now I didn’t make it and I’m experiencing this sinking feeling of disappointment 😦.

I know there are many factors to making it into the symposium apart from content relevance and technical depth. And I have enough maturity to take full responsibility for the result. No more hard feelings… Anyway, here’s the extended abstract of my rejected paper. I welcome your constructive feedback.

Exploit Development for Advanced Penetration Testing

Extended Abstract

Penetration testing is the process of deliberately attacking an application or electronic system in order to assess whether a bug or vulnerability can be exploited. Popularly known as white-hat hacking, penetration testing emulates the behaviour of malicious hackers (also called black-hat hackers) by actively attacking the application, with the intention of improving its security by discovering weaknesses and removing or mitigating them before they are exploited in the deployed environment.

Penetration testing typically starts with launching well-known exploits against the vulnerabilities detected during the information-gathering or vulnerability-assessment phase of the VAPT (Vulnerability Assessment and Penetration Testing) process. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behaviour in software, hardware, or another (usually computerised) electronic device. Such behaviour frequently includes gaining control of a computer system, escalating privileges, or causing a denial of service.

Metasploit is a free and open-source exploit framework with numerous well-engineered exploits, actively contributed by researchers around the world. Most penetration testers rely on Metasploit to find and launch exploits against the application under test. With hundreds of exploit modules covering most network protocols and operating systems, and with Metasploit’s reliability ranking for each module, pentesters can pick the exploit appropriate to their testing context and estimate its likelihood of success with reasonable accuracy. When an exploit succeeds, the finding goes into the report so that the development team can patch the bug. Although this approach is essential, it is certainly not sufficient to counter all attacks.

As the arms race between developers and hackers intensifies, more zero-days (vulnerabilities not yet known to the vendor or the security community) are being found in applications, so an application can remain vulnerable even after it has been through a VAPT process before deployment. In addition, new-generation malware and its sophisticated techniques severely test an application’s ability to withstand attack and still perform reliably. Black-hat hackers use the very tools that pentesters use, such as Nmap and Metasploit, and by studying the public exploits an application was tested and hardened against they can side-step those defences. Over-dependence on tools is also a concern, since each application is unique and cannot be thoroughly analysed by automated tools alone. For all these reasons, and to develop a deeper understanding of the application being pentested, it is imperative to develop exploits and use them against the application during penetration testing.

This paper discusses the fundamentals of exploit development:

  1. Application debugging

  2. Analysis of application crashes to detect vulnerabilities

  3. Reverse engineering techniques

  4. Fuzzing

  5. Writing stealthy exploits

All these basic techniques of exploit development are explained conceptually, along with the tools available to perform them. A rudimentary Metasploit exploit template is discussed with the help of a use case, so that the resulting exploit can be run directly from the Metasploit framework. The exploit in the use case targets Windows 10.
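Of the five fundamentals listed above, fuzzing and crash analysis are the ones most easily shown in code. The following is an added example, not code from the paper or from Metasploit: a tiny mutational fuzzer with fork-based crash triage, run against a deliberately vulnerable parser for a made-up record format (a 16-bit little-endian length followed by the payload; both the format and the `parse_record` function are assumptions for illustration). It is POSIX C (fork, waitpid, setrlimit) and assumes a Linux-like target where an out-of-bounds stack write kills the child with a signal or trips the stack protector / FORTIFY checks; the seed input is constructed inline.

```c
/* Added example: mutational fuzzer + fork-based crash triage against a
 * deliberately vulnerable parser.  Hypothetical wire format: u16 LE length,
 * then payload.  POSIX only.  Assumption: an overflow terminates the child
 * abnormally (signal, stack-protector abort, FORTIFY abort or sanitizer exit). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HDR_LEN    2      /* length field size */
#define RECORD_MAX 64     /* size of the parser's stack buffer */
#define CASE_MAX   4096   /* largest test case the harness will run */

enum outcome { CLEAN = 0, CRASH_SIGNAL = 1, CRASH_EXIT = 2 };

/* DELIBERATELY VULNERABLE target: trusts the length field and copies that
 * many bytes into a fixed-size stack buffer (classic stack-based overflow).
 * The byte sum is returned so the copy cannot be optimised away. */
uint32_t parse_record(const uint8_t *pkt, size_t pkt_len)
{
    char payload[RECORD_MAX];
    uint32_t sum = 0;
    if (pkt_len < HDR_LEN)
        return 0;
    size_t len = pkt[0] | ((size_t)pkt[1] << 8);
    memcpy(payload, pkt + HDR_LEN, len);            /* BUG: no bound check */
    for (size_t i = 0; i < len && i < RECORD_MAX; i++)
        sum += (uint8_t)payload[i];
    return sum;
}

/* Run one case in a forked child so a crash kills the child, not the fuzzer.
 * Returns CLEAN if the target returned normally; *sig receives the fatal
 * signal number (0 if the child exited instead of being killed). */
int run_case(const uint8_t *data, size_t len, int *sig)
{
    static uint8_t arena[CASE_MAX];                 /* zero padding after the case */
    if (len > CASE_MAX) len = CASE_MAX;
    memset(arena, 0, sizeof arena);
    memcpy(arena, data, len);

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) {
        struct rlimit rl = { 0, 0 };
        setrlimit(RLIMIT_CORE, &rl);                /* no core file per crasher */
        volatile uint32_t sink = parse_record(arena, len);
        (void)sink;
        _exit(0);                                   /* target returned: clean */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(1); }
    if (sig) *sig = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    if (WIFSIGNALED(status)) return CRASH_SIGNAL;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return CLEAN;
    return CRASH_EXIT;                               /* e.g. sanitizer exit(1) */
}

/* xorshift64 with a fixed seed: every fuzz run is reproducible. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void)
{
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Mutation strategy: overwrite a few random positions with random bytes. */
static void mutate(uint8_t *buf, size_t len, int nmut)
{
    for (int i = 0; i < nmut; i++)
        buf[rng_next() % len] = (uint8_t)rng_next();
}

/* Fuzz loop: mutate the seed, run each case, count crashers and keep the
 * first one with its signal so it can be minimised and debugged later. */
int fuzz(const uint8_t *seed, size_t seed_len, int iters,
         uint8_t *first_crash, int *first_sig)
{
    uint8_t buf[CASE_MAX];
    int crashes = 0;
    if (seed_len > CASE_MAX) seed_len = CASE_MAX;
    for (int i = 0; i < iters; i++) {
        int sig = 0;
        memcpy(buf, seed, seed_len);
        mutate(buf, seed_len, 3);
        if (run_case(buf, seed_len, &sig) == CLEAN)
            continue;
        if (crashes == 0 && first_crash) {
            memcpy(first_crash, buf, seed_len);
            if (first_sig) *first_sig = sig;
        }
        crashes++;
    }
    return crashes;
}

int main(void)
{
    /* Constructed seed: a well-formed record carrying an 8-byte payload. */
    uint8_t seed[32] = { 8, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
    uint8_t crasher[32];
    int sig = 0;
    int n = fuzz(seed, sizeof seed, 500, crasher, &sig);
    printf("%d of 500 mutated cases crashed the parser\n", n);
    if (n > 0)
        printf("first crasher: length field = %u, signal = %d\n",
               (unsigned)(crasher[0] | (crasher[1] << 8)), sig);
    return 0;
}
```

The harness classifies each child by how it terminated (signal, non-zero exit, or clean `_exit(0)`), which is the same triage step a real fuzzer performs before handing a crasher to the debugger; the recorded length field of the first crasher points straight at the unchecked `memcpy`. The stack protector or FORTIFY, where enabled, turn the overflow into a SIGABRT rather than a SIGSEGV, which is why the classification keys on abnormal termination rather than on one specific signal.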

In summary, this paper provides a head start in exploit development, so that penetration testers can craft targeted exploits to track down elusive bugs and vulnerabilities in the application they are testing, and gain invaluable insight into the workings of the operating system in general and the application in particular. In doing so, penetration testers become better equipped to identify and defend against the next generation of attacks.

I’ll go ahead and write the paper anyway… and try to publish it with Elsevier or IEEE 😉.
