Gaining initial access is the first step in the hacking process. This can be done by exploiting vulnerabilities in the system, using default or weak passwords, or social engineering techniques.
The majority of businesses rely on perimeter defences such as firewalls to provide complete protection, leaving internal assets vulnerable to attack and exploitation.
As a pentester, it’s your responsibility to show why layered defences, or defense-in-depth, are vital, and the simplest way to do so is to exploit those internal systems.
Only through acquiring a footing in your client’s network will you be able to accomplish so.
There are three main categories of exploitation:
- Server-side exploitation -Exploiting a client-facing application or device which provide a service
- Client-side exploitation – Taking advantage of flaws in user applications such as web browsers and other client software
- Privilege escalation – This type of exploitation occurs when an attacker gains access to a system or resource that they are not authorized to access.
The type of exploitation that is most effective depends on the goal of the attacker. If the goal is to gain access to a system or resource, then unauthorized access or privilege escalation would be the most likely exploit category to use.
If the goal is to prevent legitimate users from accessing a system or resource, then denial of service would be the most likely exploit category to use.
You may not need to utilise an exploit from each category depending on your target, and you may need to employ multiple vulnerabilities from some or all of these categories at times. Exploit chaining is a term used to describe this.
Each engagement is unique, and knowing the assault methods and outcomes of exploits from each of these categories will help you tackle the majority of them.
Server-side exploitation happens when an attacker exploits a vulnerability in an application that provides information or services to clients, resulting in the execution of code or commands on the server.
The extra benefit of gaining access to a system via server-side exploitation is that servers are typically located in protected locations, such as inside a DMZ or within a development environment. This initial access can be used to launch other assaults and perhaps obtain access to sensitive information.
- Code Injection
Code injection is a type of attack where the attacker executes malicious code on a server by exploiting a vulnerability in the application. This can be done by injecting malicious input into the application, which is then executed by the server. Code injection can be used to take control of a server, or to simply cause the application to crash.
- SQL Injection
SQL injection is a type of attack where the attacker executes malicious SQL code on a server by exploiting a vulnerability in the application.
- Command Injection
Command injection is a cyber attack that involves executing arbitrary commands on a host operating system (OS). Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.
- Buffer Overflow
A buffer overflow is a type of attack where the attacker sends more data to a server than the server can handle, causing the server to crash. Buffer overflows can be used to take
Client-side exploitation is the opposite side of the exploitation coin. Attackers obtain access to devices or programmes that authorised users use to access services or information via this method of exploitation.
The primary distinction between server-side and client-side exploitation is the location of the exploitation.
While a defect may exist in a server-side application, it is considered as a client-side exploit if it is exploited on the client.
A web browser is the most common programme used to assist this type of attack. Smishing attacks, or attacks initiated by mobile text message, are included in the client-side attack category.
An attacker targeting clients typically gains access as a conventional desktop user. This equates to an Active Directory (AD) domain user in a business environment, allowing the attacker to pivot to sensitive systems while also gathering knowledge about the AD ecosystem.
Due to factors such as greater security expertise inside IT departments, the introduction of secure software development life cycles, and “safe-by-default” configuration settings, server-side exploitation has gotten more difficult to achieve over time. As a result, attackers have begun to target the user (or client) more frequently.
Secure-by-default is a concept that suggests that a device’s or piece of software’s default, or out-of-the-box, configuration is the most secure configuration setting available.
Privilege escalation is the process by which an attacker acquires access to an account or service with higher privileges than the account that was used to gain access in the first place.
This may not always imply root or SYSTEM privileges. It simply signifies that an attacker was able to obtain new privileges.
To get root or SYSTEM access in today’s guarded corporate environments, an attacker may have to go through many privilege escalation procedures.
When it comes to account management, security teams and software suppliers have been enhancing their usage of privilege separation and least privilege to help secure environments.
Privilege separation and least privilege are two complementing principles that security engineers can utilise to help build a defense-in-depth strategy.
Privilege Separation and Least Privilege
Privilege separation is a security technique that relies on dividing the privileges associated with a single process among multiple processes.
It is often used to increase security by reducing the amount of code that runs with the highest privileges. For example, a process that requires the highest privileges to run might be split into two process: one with the highest privileges and one with the lowest.
The process with the highest privileges would contain only code that absolutely requires those privileges and the process with the lowest privileges would contain the
The concept of least privilege argues that a user or process only has access to the information or data needed to perform their task.