Red Team Development and Operations: A Practical Guide
Joe Vest, James Tubberville
Execution Concepts
Exploits
Exploitation is a technique a threat uses to take advantage of a vulnerability or weakness. This can be due to a software flaw or misconfiguration. Unlike penetration testing, where validating exploits against a vulnerability is a primary goal, exploitation is not an end goal for Red Team engagements.
Exploits are merely a means to an end; however, this does not reduce their importance. Exploitation can be a critical part of a Red Team engagement. Exploitation must be used with caution, as many exploits trigger a Blue Team response. As with all decisions made during a Red Team engagement, risk vs. reward must be measured to determine whether the access gained from an exploit is worth the potential exposure.
Exploits should be used to gain access only as a means to an end. Once exploitation occurs, backdoors or other means of access should be established. The exploit should not be used as a means to regain access to a target. For instance, assume a known remote code execution flaw exists in a web application. A readily available public exploit exists, and using such an exploit may trigger a security device, like an IDS. A Red Team weighs the risk and decides to move forward with the exploit. A Red Team operator successfully uses the exploit from a burnable IP space. The exploit results in remote command execution on the target webserver. Instead of using the exploit repeatedly to issue commands, a web shell is deployed. This web shell can now be accessed from a different source address. In this way, the exploit is used only one time. The web shell provides a usable backdoor to access the webserver for further actions.
Exploiting Known Vulnerabilities
A threat will use what is available. Like real attackers, Red Teams will take advantage of a weakness to support their goals. There is a key difference in how a Red Team should view and use an exploit vs. other types of security testing. In Red Teaming, known (including prepackaged or “canned”) exploits should only be used to directly support a goal. This means an environment may have multiple exploitable vulnerabilities that a Red Team does not exploit. This could be due to minimizing detection or the fact that exploitation does not support a Red Team goal. It is important to remember that a Red Team engagement is not a comprehensive view of a target's vulnerabilities.
In summary, many exploits have known signatures and can be easily detected, or have code that causes unintended damage or impact to a target. A Red Team operator should always understand the exploit and its code, and know its IOCs, to manage the risk of exposure or damage to a target.
Popular places to find exploits:
Metasploit: www.metasploit.com – public exploits and zero days
ExploitHub: www.exploithub.com – commercial exploit clearinghouse for non-zero days
Exploit DB: www.exploit-db.com – repository of exploits maintained by Offensive Security
Other exploit clearinghouses

Focus Point
A target environment may have multiple exploitable vulnerabilities. Only those that enable meeting the goals and objectives of the engagement should be considered for exploitation. Document all identified exploitable vulnerabilities but use only those required to achieve engagement objectives.