
Hacking with Security Tools Part - 3

  Kali Linux and Exploit Development


Introduction 

  Welcome to the exploit development module. So far, we have been talking about the ethical hacking aspects of Kali Linux, but you can also use this security distribution for exploit development. Kali Linux comes with pre-installed tools and accessories that support the exploit development lifecycle. In this module, we will not explain what exploit development is; instead, we will discuss where Kali Linux can be used within it.

Prerequisites 

• Basic concepts of exploits 

• Prior knowledge about debugging 

• Programming concepts 

• TCP/IP understanding 

• Understanding the background of exploit development 

 Kali Linux Exploit Development Support 

 Considering the full exploit development lifecycle, Kali Linux is not a complete exploit development platform. However, it ships with pre-installed tools that have exploit development as a native feature. Kali Linux also comes with pre-installed debuggers, which play an important role in the development of exploits.

 Kali Linux comes with a pre-installed copy of Metasploit, which is an extraordinary tool in the exploit development cycle. It also has other disassemblers that help in developing exploits, but you cannot say that it covers the overall cycle of exploit development.

In the overall lifecycle of exploit development, you cannot guarantee that a single platform will suffice. In fact, you need to switch between tools in order to achieve your tasks. The concept we want to deliver here is that Kali Linux does have a support platform that can be used in exploit development. However, this support comes in the form of Metasploit and a couple of other tools. We will talk about them shortly.

  Kali and Metasploit 

  Metasploit has advanced functionality to support exploit development, from fuzzing an application, through finding the offsets, to providing the shellcode for the exploit.

  Fuzzing and Kali Linux 

  We will be running an application on a Windows machine and then use Metasploit's fuzzing modules in order to explore fuzzing from the Kali Linux platform.

 A vulnerable FTP server is running on a Windows machine at IP address 192.168.81.140, and we will be fuzzing this application in order to crash it with the fuzzing tool available within Metasploit in Kali Linux.

 We configure the auxiliary module of Metasploit as shown in the figure below.


You can see that the application crashed when our fuzzing reached a size of 500 bytes. It might have crashed at a larger size as well, but 500 is the maximum size we observed. This means that the application was successfully fuzzed and can be exploited. Let's move a step further.

 Kali Linux & EIP Offset

  Now we will find the offset, i.e. the point in the buffer at which the application crashed and the instruction pointer register (EIP) was overwritten.

 This is easily achieved with the Metasploit pattern_create tool available in Kali. The figure below shows the path and the command for creating the pattern, which will then be used to find the offset.



You can see that the application crashed again, but what is the difference between crashing it with this manually written fuzzer and crashing it earlier with the Metasploit fuzzer? This time we have used the generated pattern as the buffer value, as explained above. The instruction pointer will now contain four bytes taken from somewhere in this 500-byte pattern, and we will read them in a debugger. So we will repeat the step, but this time with the application attached to a debugger, in our case Immunity Debugger.

   The figure below shows the application running under Immunity Debugger. Note the EIP value highlighted in the figure. Now we will crash the application with our fuzzer and observe the change in the EIP value.


You can see that the EIP value is now 41346841. It was overwritten by our fuzzer, and 41346841 is a value taken from somewhere in the 500-byte buffer we sent from our fuzzer script. You can also see that the ESP register points at the buffer value we sent. Now we will take this 41346841 and find out at which point EIP was overwritten, meaning how many bytes into the 500-byte buffer the four bytes that landed in EIP are located.

 We will go back to Kali Linux and use the pattern_offset tool to find the location of 41346841 in the 500-byte pattern. Follow the steps shown below.
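To make the pattern_create and pattern_offset steps above concrete, here is an added example (not code from this module or from Metasploit) that reimplements the cyclic pattern and the offset lookup in Python. It assumes the standard Metasploit alphabet (uppercase, lowercase, digit triplets) and, since the page does not show the pattern_offset output, computes the offset for the page's own EIP value 41346841.

```python
"""Cyclic pattern and offset lookup, the idea behind pattern_create / pattern_offset."""
import string
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Build a Metasploit-style cyclic pattern (Aa0Aa1...Aa9Ab0...) of `length` bytes.

    Every 4-byte window is unique within the first 26 * 26 * 10 * 3 = 20280 bytes,
    which is what makes the offset lookup unambiguous.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the unique pattern space")


def pattern_offset(pattern: bytes, eip_value: int) -> Optional[int]:
    """Return the offset in `pattern` of the 4 bytes that landed in EIP, or None.

    A 32-bit x86 register displayed as 0x41346841 in the debugger holds the bytes
    41 68 34 41 in memory order (little-endian), i.e. b"Ah4A", so the value is
    packed with '<I' before searching the pattern.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    return idx if idx != -1 else None


if __name__ == "__main__":
    buf = pattern_create(500)               # the 500-byte pattern used in this module
    print(pattern_offset(buf, 0x41346841))  # offset of b"Ah4A" within the pattern
```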



As expected, we have overwritten EIP with our value, but to build a working exploit EIP needs to hold a proper value: a memory location from which execution can reach your shellcode. Metasploit supports this step as well, letting you find a JMP ESP instruction, which means you can place your shellcode at ESP, find the address of the JMP ESP, and put that address into EIP.

 So how do we find the return address, either a JMP ESP or an SEH POP POP RET? Follow the steps below to quickly find it with the Metasploit tool.

 We use the msfpescan tool for this, running the scan against the executable of the application server as follows.



The result is truncated. You can see that this tool gives us plenty of candidates to work with. Now you can take any of the values and test whether it works for you.

Kali and Shellcode

 What we need next is the shellcode to put in our exploit, and this is also doable with Kali Linux. Metasploit offers a number of shellcodes, which you can generate in the format of whichever language you are writing your exploit in. In our case, we are using Python, so we will show how to generate the shellcode available in Metasploit in the format of your coding language.



The above figure shows a quick and easy way to generate the payload for the exploit in Python format. These are the key aspects of exploit development at a basic level, and Kali Linux supports them, as we have explained in this module. Full-fledged exploit development can also be achieved, but that requires more expertise on the developer's side as well.

  Below is the complete list of tool sets available in Kali Linux under the Exploit Development category.


