16.3 Exploiting Vulnerabilities Flashcards

1
Q

Shellshock is a _________ vulnerability that allows attackers to execute arbitrary Bash code on vulnerable targets.

A

Shellshock is a **remote code execution (RCE)** vulnerability that allows attackers to execute arbitrary Bash code on vulnerable targets.

2
Q

With Shellshock, attackers can perform almost any Bash command, including: (3)

A
  • Download sensitive data.
  • Send and receive shells to and from the target.
  • Backdoor the victim.

3
Q

Shellshock is made possible by a vulnerability in how servers parse _______.

If a client requests a script, such as /cgi-bin/status.sh, the server will run the script _______ . Then it will send the output back in an HTTP response.

Sometimes, the server needs to use HTTP headers to run ______.

Servers will load HTTP request headers as ______ and run the CGI scripts. The scripts can then access the HTTP headers by reading the _______.

A

Shellshock is made possible by a vulnerability in how servers parse HTTP requests

If a client requests a script, such as /cgi-bin/status.sh, the server will run the script status.sh. Then it will send the output back in an HTTP response.

Sometimes, the server needs to use HTTP headers to run CGI scripts.

Servers will load HTTP request headers as Bash environment variables and run the CGI scripts. The scripts can then access the HTTP headers by reading the variables.

4
Q

True or False:

Bash sanitizes headers before loading them as environment variables. This means it loads whatever value is sent in the header.

A

False

Bash does not sanitize headers before loading them as environment variables. This means it loads whatever value is sent in the header.

5
Q

The request below results in _______ being set to _______. This is cryptic, but in vulnerable versions of Bash, this creates a code function that does _______.

```http
GET /index.html HTTP/1.1
Host: example.com
User-Agent: () { :;};
Connection: keep-alive
```

Bash interprets the value of this header as ______. This allows us to execute ______ on the target.

A

The request below results in HTTP_USER_AGENT being set to **() { :;};**. This is cryptic, but in vulnerable versions of Bash, this creates a code function that does nothing.

Bash interprets the value of this header as code. This allows us to execute arbitrary code on the target.

6
Q

Shellshock can be exploited when we include malicious code after the seemingly useless _____ string.

A

() { :;};

7
Q

Shellshock payloads are often executed with the following template:

________ runs the string ________ as a Bash command. This is different from passing a command directly because of how Bash handles the output.

  • Using _______ helps preserve ______ more consistently.
A

**/bin/bash -c 'command'** runs the string **'command'** as a Bash command. This is different from passing a command directly because of how Bash handles the output.

Using /bin/bash -c helps preserve stdout more consistently.

8
Q

What is Searchsploit?

A

“Searchsploit” is a command-line search tool for Exploit-DB, which also allows you to bring a copy of Exploit-DB with you. SearchSploit provides you with the ability to perform detailed offline searches in locally saved repositories.

Think about it as an offline copy mode so you don’t need an internet connection to work with the data.

9
Q

_________ is a popular online database that contains publicly disclosed exploits, cataloged according to their Common Vulnerabilities and Exposures (CVE) identifier.

A

**Exploit Database (Exploit-DB)** is a popular online database that contains publicly disclosed exploits, cataloged according to their Common Vulnerabilities and Exposures (CVE) identifier.

10
Q

CVE numbers typically start with ___________.

A

CVE numbers typically start with the year in which the vulnerability was discovered.

11
Q

What does SearchSploit allow security professionals to do?

A

SearchSploit allows security professionals to perform detailed offline searches of hundreds of exploit scripts through their local copy of the repository.

This capability is useful if you are working on a security assessment with an air-gapped, segregated network that lacks internet connectivity.

12
Q

SearchSploit, as indicated by its name, will search for all ______ and ______ contained within the Exploit-DB repository.

A

SearchSploit, as indicated by its name, will search for all exploits and shellcode contained within the Exploit-DB repository.

13
Q

What do these commands do?

  1. searchsploit -u
  2. searchsploit -h
  3. searchsploit ftp remote file
  4. searchsploit -t oracle windows
  5. searchsploit -t oracle windows | wc -l
  6. searchsploit linux kernel 4.4 --exclude="(PoC)|/DCCP/"
  7. searchsploit mysql 6.0 -w
A
  1. This will ensure that you have the latest updates.
  2. Built-in help option.
  3. This command will search the exploit database for the three terms: ftp, remote, and file.
  4. Searches can be restricted to specific titles with the -t option.
  5. Piping the output to wc -l returns the number of exploits found by the search.
  6. --exclude="(PoC)|/DCCP/": Leaves out all lines that contain both PoC and DCCP.
  7. The search query returns URLs of the webpage of the associated exploit.

14
Q

Break down this SearchSploit command:

If we wanted to run the following exploit script exploits/windows/remote/43993.py, we would need to use the Python command as follows:

python exploits/windows/remote/43993.py payload=bind rhost=172.168.0.10 rport=1234

A
  • python: Command required to run Python scripts.
  • exploits/windows/remote/43993.py: Name of the Python exploit script.
  • payload=bind: The payload setting. In our example, our payload is a **bind** payload.
  • We use a bind payload when we know the IP address of the target. We’ll discuss the specifics of bind shells and payloads in the next unit.
  • rhost=172.168.0.10: IP address of the remote host.
  • rport=1234: Port number of the remote host.

15
Q

SearchSploit is a _________ for _______ that allows you to _______________________.

Security professionals can perform _______________ using ___________________.

SearchSploit comes preinstalled on ________ and should be ___________.

A

SearchSploit is a command-line utility for Exploit-DB that allows you to take an offline copy of the entire Exploit Database with you wherever you go.

Security professionals can perform detailed offline searches of hundreds of exploit scripts from Exploit-DB using the locally checked-out copy of the online repository.

SearchSploit comes preinstalled on Kali Linux and should be updated regularly.

16
Q

We used Nmap to perform port scans on targets. Attackers will often scan the network for other live hosts in a process known as _______.

A

We used Nmap to perform port scans on targets. Attackers will often scan the network for other live hosts in a process known as **host discovery**.

17
Q

One of the most important methods for host discovery is the ________.

A

One of the most important methods for host discovery is the **ping sweep**.

18
Q

_________ send a ping request to every IP address in the target range. Only live hosts will respond.

A

Ping sweeps

19
Q

Host discovery is followed by _______.

A

Host discovery is followed by **port scanning**.

20
Q

_________ is the process of attempting to connect to every port on a target machine and keeping track of which connection attempts are successful.

A

Port scanning is the process of attempting to connect to every port on a target machine and keeping track of which connection attempts are successful.

21
Q

True or False:

Nmap is the most important tool for scanning ports.

A

True

22
Q

Nmap for port scanning:

The default scan type is a _______.

A

The default scan type is a **SYN Scan**. In a SYN scan, Nmap sends a TCP packet with the SYN flag set to a target port.

23
Q

If the target port is open, it responds with a packet with the ______ flags set. Nmap does not respond, leaving the target port half open.

A

If the target port is open, it responds with a packet with the SYN/ACK flags set. Nmap does not respond, leaving the target port half open.

24
Q

Nmap can also perform ________, where it responds to the SYN/ACK packet from the target.

A

Nmap can also perform TCP connect scans, where it responds to the SYN/ACK packet from the target.

25
Q

Nmap can perform UDP scans with the _____ flag.

A

Nmap can perform UDP scans with the -sU flag.

26
Q

You can specify which ports to scan with the ___ option.

A

You can specify which ports to scan with the -p option.

27
Q

Explain this Nmap command:

nmap -sS -p 445 192.168.12.50

A

Performs a SYN scan against port 445 on 192.168.12.50.

28
Q

Explain this Nmap command:

nmap -sT -p 445 192.168.12.50

A

Performs a TCP connect scan against port 445 on 192.168.12.50.

29
Q

Explain this Nmap command:

nmap -sU -p 53 192.168.12.50

A

Performs a UDP scan of port 53 on 192.168.12.50.

30
Q

Explain this Nmap command:

nmap -sS -p U:53,T:53 192.168.12.50

A

Scans UDP port 53 and TCP port 53. Uses a SYN scan on the TCP port.

31
Q

The -sV flag enables _________. This causes Nmap not only to determine if a target port is open, but also to determine which service is running on that port.

A

The -sV flag enables **service and version detection**. This causes Nmap not only to determine if a target port is open, but also to determine which service is running on that port.

32
Q

The -O flag enables _________. Nmap attempts to determine the target machine’s operating system based only on the data it collects during a normal port scan. In other words, it does not send specially-crafted packets to determine the target operating system.

A

The -O flag enables **passive OS detection**. Nmap attempts to determine the target machine’s operating system based only on the data it collects during a normal port scan. In other words, it does not send specially-crafted packets to determine the target operating system.

33
Q

The -A flag enables _________. Nmap sends additional packets meant to specifically trigger responses revealing the OS of the target. This method is much noisier than the -O flag and more likely to be detected by an IDS.

A

The -A flag enables **active OS detection**. Nmap sends additional packets meant to specifically trigger responses revealing the OS of the target. This method is much noisier than the -O flag and more likely to be detected by an IDS.

34
Q

Explain the following nmap command:

nmap -sV -p 80,443 192.168.12.50

A

Performs a service scan of ports 80 and 443 on 192.168.12.50. Does not determine the OS.

35
Q

Explain the Nmap command:

nmap -O -sV -p 80,443 192.168.12.50

A

Performs a service scan of ports 80 and 443 on 192.168.12.50 and determines the OS through passive methods.

36
Q

Explain the following Nmap command:

nmap -A -sV -p 80,443 192.168.12.50

A

Performs a service scan of ports 80 and 443 on 192.168.12.50 and determines the OS through active methods. This is noisier than the -O option.

37
Q

_________ is the process of collecting all the information gathered into a single document.

A

**Network mapping** is the process of collecting all the information gathered into a single document (a network map).

38
Q

There are tools for generating graphical network maps, such as _______. However, maps drawn by hand often work just as well.

A

There are tools for generating graphical network maps, such as **Maltego**. However, maps drawn by hand often work just as well.

39
Q

Drawing a map yourself helps _______ and requires you to use all the information collected during the intelligence gathering phase.

A

Drawing a map yourself helps clarify attack tactics and requires you to use all the information collected during the intelligence gathering phase.