Sneak Peak into the Art of Exploitation

August 22, 2012 by

It's a well-known saying that gathering maximum information about the enemy is half the work done in defeating him. The same holds true when you are about to attack a target (a potential victim); the first step is to gather as much information as possible. Information gathering can be broadly classified into two categories – Active and Passive. In an active reconnaissance phase, you probe the target directly to reveal information, and in passive reconnaissance, the attacker tries to extract information indirectly.

Generally an attacker tries to seek information about the Domain Name, Network Blocks, and system architecture and system enumeration via the Internet. For gaining remote access into the victim's PC, he would also seek information about authentication mechanisms. If the attack is happening within the network, the information under siege would be network protocols, TCP and UDP services, system enumeration, and general network topology and architecture. So usually the network range is determined initially which is then followed by discovering open ports on the target. Following this, the services and enumeration of users, workgroups, etc. takes place.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Let's start from the basics, and then proceed to the advanced tools in this article.


A very well-known tool to almost all the techies in the world, WHO IS can reveal the initial information about the target organization, which can help us launch a social engineering attack on the victim. Let's look into the various types of information that we can possibly unearth via this tool.

In the above mentioned screenshot, we get very important initial information about the organization being queried here. We get the geographic location of the organization along with its IP address and we are also able to know the server type that is running on the target.

Looking further, now comes the interesting part. We get to see the administrative and technical contact details, and over here the email ID given seems to be the personal ID which reveals the name of the person too. We get the fax, telephone, and complete address of the contact person. Following which we also have information about the name servers used by the organization.

GHDB – The Google Hacking Database

An Initiative by Exploit-DB

Google is the biggest tool any attacker can posses. Besides simple searching, Google provides advanced key words to be used in the search terms. These terms are known as Google Dorks. The exploit-db has collected all these dorks in one place and named it as the GHDB.

What can be possibly unearthed from these? Here they are:

  • Vulnerable servers and files over the Internet

  • Files containing passwords and usernames

  • Login portals

  • Various online devices like camera, PC clients, etc.

  • Advisories and vulnerabilities

Nmap Tool

In the previous two phases we saw how to gather as much information as possible about the target. Next, we will discuss a tool called Nmap - an acronym for Network Mapper, it helps to scan for open ports, open services, operating systems, etc.

Various commands are used such as -sV, -O, -PO, which stands for service identification command, banner grabbing, and port open and close. The -sV command takes more time than other commands as it scans through the services, ports, open/close status, and also the vendor name. With this we get the network range, we get to know the ports and services, which leads us to the next phase called vulnerability assessment/research.

In the above screenshot, the Nmap scanner shows whether the host is alive or dead. This also shows the open ports and the protocol used by them. We infer that the ports 135, 139 and 445 are open in the TCP mode. It's a well known fact that an unpatched XP machine is vulnerable to MSRPC DCOM exploitation and also the netBIOS exploitation.

The above command in NMAP demonstrates the services run by each port and their versions. It also shows us the operating system info. On the other hand, -O command in Nmap gives only the OS information.

Vulnerability Assessment (VA)/Research:

In this phase we look into all possible vulnerabilities and 0days with respect to the results obtained in the network scanning phase. Various online resources such as exploit-db.com and 1337day.com can be used to look into the 0days and vulnerabilities and their patch status.

Jargon alert: 0day (Zero-day): A vulnerability that is not patched/addressed by the vendor.

So, considering the above scenario, when we search for Windows XP on the exploit database, we find a large number of vulnerabilities. It's up to us now to find a close match and verify if the above-mentioned vulnerabilities exist in the remote system. This work can be done easily by using a framework called metasploit, to be discussed in the following section.

From the VA research phase we move on to perform the attack. This attack depends totally on the previous two phases discussed above. We perform attacks using a piece of code known as an exploit. We perform post-exploitation tasks using snippets of code called payloads. Metasploit development framework is one of the best exploit development frameworks which have been developed on Ruby. It contains a huge list of payloads and exploits for performing an attack.

As you can see, from the exploit database we cross-checked to find that an RPC DCOM buffer overflow vulnerability exists in an unpatched Windows XP. Thus, we searched the exploit on . Metasploit, which makes our task easy by automating the exploitation process. From here we go around setting payloads and exploiting the system.

Backdoors and Malwares for Maintaining Access

As an attacker I wouldn't want to be doing all these phases again and again, and I would prefer to maintain access on the target. This is achieved by the use of binders and backdoored executables. We'll see how a backdoored executable can be created using the Metasploit framework. This approach uses the classic social engineering tactic to voluntarily make the victim download and open the file. The skill required to do this is left to the creativity of the attacker.

This creates the backdoored executable. Assume that the social engineering succeeds, and the victim opens your executable:

Then I run this server in my attacker machine to listen to the connection from the victim when he clicks it. As soon as he clicks on the executable and runs it:

A meterpreter is opened in the attacker server and the system is owned, as shown in the previous figure. Thus we can make use of backdoored executables in our attacks using the Metasploit framework.

Malwares for Making Money

Over the years the Internet has evolved with many money-making affiliate programs. Hackers try to maintain a large network of computers which automatically installs and indirectly earns a source of considerable income to the attacker.

Jargon alert: Botnet: A huge number of computers run with a command and control server which sends instructions to the other computers in the network. These computers reply back and send/carry out operations as instructed by the C & C server. This large network of computers is called Botnet.

Web Application Attacks

Web applications can be footprinted using the WhatWeb tool on the backtrack machine. This tool provides details about the IP address, server operating systems, and domain-specific information. Post vulnerability research phase, web application attacks are of various types. A few famous ones include: SQL injection, Cross-site scripting (XSS), and CSRF.

See WhatWeb in action:

This tool shows us the geographic location, IP address, HTTP server being run on the target, CMS, and other kinds of information which play a crucial role in web application analysis and reconnaissance.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

This article provides basic information regarding various ways in which exploitation is carried out. We have revisited the hacker cycle with shades of gray to the article. There are more tools available out there which are ready for some action. The knowledge of hacking isn't something that gets you money nor steals credentials. It simply means knowing your system in and out – its weaknesses and rectifying them to secure yourself from the malicious people.


Karthik is a cyber security researcher at Infosec Institute and works for Cyber Security and Privacy Foundation (a non-profit organization) as a researcher, in India. He finds deep interest in Information security as a whole, and is particularly interested in VA/PT and serving to the cause for Nation's Security.