How are hackers able to find such complicated exploits?

It all boils down to understanding how a system works very deeply. And then a dash of creativity to find a weakpoint in that.

Do you have a specific exploit in mind?

As with most other achievements: loads of experience, a lot of hard work and a bit of luck. Did you have anything specific in mind?

As one who has subbed to this group merely out of curiosity, I think this is a great question. Aside from trying out commonly known weaknesses, how do they find zero day exploits in new releases of operating systems and programs?

Some of it, to be fair, is through word of mouth. With tech being such a broad field and vulnerabilities being discovered left and right, we tech professionals need as much help compiling all of that information into digestible chunks, which is why some of us listen to security podcasts or read The Register daily. Hackers have that same level of information – it really comes down to whether or not we can protect against it. Some risks we have to accept in order to keep the business going, and not everyone is up to date on the latest and greatest patches – there’s a number of data acquisitions that go back to bad patch management. Doesn’t take a genius to be informed and to keep that information in their back pocket for later.

In addition to what others have said, there are a lot of hacking tools these days and vulnerabilities are generally published once found. Hackers can look at old vulnerabilities to get ideas for new ones. For example, a buffer overflow in one area of the code might imply there are similar vulnerabilities elsewhere. The tools, like fuzzing tools, make them easier to find.

Since no one has really given you a technical hacking response yet, [here is one example of a vulnerability that can be found called a stack overflow error.](https://www.rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/) The linked article goes into the actual depth required to understand this type of vulnerability and how to exploit it so I recommend reading it, but I’ll do my best to give you a *very* high-level explanation.

For computer programs to work, they need to allocate chunks of memory in the computer to store variables. The code that allocates this memory can do so in a bunch of different ways. For example, in the C coding language, you can call a function named “malloc” or “realloc” to get some chunk of memory. The “malloc” or “memory allocation” method in C is used to dynamically allocate a single large block of memory with a specified size. When you call that function, the function returns a “pointer”, which is a variable that essentially tells you where in the overall memory your little chunk lives.

Here’s the thing though (and this is where my explanation becomes so high level it’s essentially incorrect), once I know where a chunk of memory exists, I can kind of figure out a way to make the computer program read memory outside of that chunk. Say a program allocated blocks 40-45 of a 100 block stack. If I can put some variables into blocks 50-60 and get that program to use those blocks of memory instead, I can tell the computer to do something entirely different. For example, maybe block 45 pointed to a function the computer was supposed to execute. If I have it point to block fifty, I can have it point to a different function to run. How do you figure out what to do to get it to point to block 50? There are a lot of different ways and the example I linked above explains some of those ways.

Again, I’m oversimplifying here, but this is the gist. I did this in grad school and had the new program be a rootkit, which is essentially a program that installs itself into the operating system and then hides itself so that it can look at different files without being seen.

This at least used to be a more common vulnerability, but it’s only one type of vulnerability among many. As others have mentioned, most are actually social hacks. For countless examples of this, look up Rachel Tobac of SocialProof Security on YouTube and elsewhere. I grew up with her and her husband (who is a more technical security researcher) and she has a bunch of good examples on this front.
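The layout the answer above describes (a buffer sitting right next to a function pointer) and the bounds check that keeps a long input from reaching that pointer, as an added example in C that is not part of the original post; the `request_t` struct, `fill_unchecked`, `fill_checked` and `probe_checked` names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed layout: a fixed-size buffer followed by a function pointer,
 * the "block 45 holds the address of a function" situation from the post. */
typedef struct {
    char name[16];
    void (*on_done)(const char *);
} request_t;

static void greet(const char *s) { printf("hello %s\n", s); }

/* Vulnerable form: strcpy copies until the NUL byte, so an input longer than
 * 15 characters runs past name[] into on_done. Kept for comparison only. */
static void fill_unchecked(request_t *r, const char *input) {
    strcpy(r->name, input);           /* no length check at all */
}

/* Hardened form: refuse anything that does not fit, so on_done can never
 * be overwritten no matter how long the input is. */
static bool fill_checked(request_t *r, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof r->name) return false;   /* leave room for the terminating NUL */
    memcpy(r->name, input, n + 1);
    return true;
}

/* Constructed probe: fresh request, checked fill, then report
 * 2 = accepted and pointer intact, 1 = rejected and pointer intact,
 * 0 = the function pointer next to the buffer was clobbered. */
static int probe_checked(const char *input) {
    request_t r = { {0}, greet };
    bool accepted = fill_checked(&r, input);
    if (r.on_done != greet) return 0;
    return accepted ? 2 : 1;
}

int main(void) {
    request_t r = { {0}, greet };
    fill_unchecked(&r, "short");       /* safe only because the input is short */
    printf("probe(\"alice\") = %d\n", probe_checked("alice"));
    printf("probe(long)      = %d\n", probe_checked("this input is far too long to fit"));
    r.on_done(r.name);
    return 0;
}
```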

You don’t learn how to hack. Instead, you learn everything you can learn about how computers, networks, security software, etc. works, and then you’ll know ways in which those systems can break.

Typically they don’t. There are teams of researchers who have multiple engineering degrees whose only job is to find previously undisclosed vulnerabilities. They are paid what is called a ‘bug bounty’. These are programmers and engineers with intimate familiarity with how software works, how operating systems manage low level memory operations, and how all the corresponding protocols work. The image of a lone basement dwelling hacker able to outsmart teams of engineers is inaccurate. And no, Abby Shuto couldn’t just access a database after typing a few buttons.

What is more likely to happen is that a patch is released by a manufacturer. When that happens the time to an exploit kit is only a few days. That is because when the manufacturer releases the patch, the flaw becomes obvious; they are essentially releasing directions on how to exploit their flaw. Exploit kits (something legitimately used by spy groups and law enforcement agencies) are not difficult to come by and their operation, while confusing to a normal user, is far easier than attempting to find a previously undisclosed flaw.

Mostly vulnerability testing and fuzzing to find bugs, as well as just looking at public bug reports, then investigating and understanding the bugs to see if they’re exploitable.

Basically, lots of code is tested to make sure that things that “make sense” work. It’s fairly common for people to fail to test the edge cases and error cases, so a common attack method is to automate data entry, generate files to give the program, etc., and just keep doing it over and over, but each time trying something a little different. Fuzzing, for example, is where you just randomly insert errors into the data you give the program and see if it handles it. Websites are commonly vulnerable to SQL injection, so you can try putting quotes and semicolons in fields and see if it breaks anything.

If something breaks, then you investigate why, often you’re looking for things like “XYZ crashed because abc is not valid code”, then you look at the test and see that abc is actually part of the data entry, so it might imply that if it was code it would run, so you enter code there and see if it works.
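A minimal version of the "keep feeding slightly different input and watch for a break" loop from the post above, as an added example in C that is not part of the original thread: a constructed length-prefixed record parser in two forms (one trusting the length field, one checking it) and a deterministic bit-flip fuzzer that counts the mutants for which the parser accepted a length that would read past the end of the buffer. All names (`parse_unchecked`, `parse_checked`, `fuzz_bitflips`, `SEED`) are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

typedef int (*parser_fn)(const unsigned char *, size_t, size_t *);

/* Constructed record format: byte 0 is a length, followed by that many payload bytes. */
static int parse_unchecked(const unsigned char *buf, size_t n, size_t *payload_len) {
    if (n < 1) return -1;
    *payload_len = buf[0];                   /* trusts the length field, never compares it to n */
    return 0;
}

/* The edge case the fuzzer exercises: the claimed length must fit in the bytes we have. */
static int parse_checked(const unsigned char *buf, size_t n, size_t *payload_len) {
    if (n < 1) return -1;
    if ((size_t)buf[0] > n - 1) return -2;   /* reject lengths that run off the end */
    *payload_len = buf[0];
    return 0;
}

/* Deterministic mutation fuzzer: flip every bit of the seed once, hand each mutant
 * to the parser, and count cases where the parser said "ok" but the payload length
 * it reported exceeds the buffer, i.e. a later read would run off the end. */
static int fuzz_bitflips(parser_fn parse, const unsigned char *seed, size_t n) {
    unsigned char mutant[64];
    int bad = 0;
    if (n > sizeof mutant) return -1;
    for (size_t i = 0; i < n * 8; i++) {
        memcpy(mutant, seed, n);
        mutant[i / 8] ^= (unsigned char)(1u << (i % 8));   /* one flipped bit per mutant */
        size_t payload_len = 0;
        if (parse(mutant, n, &payload_len) == 0 && payload_len > n - 1)
            bad++;
    }
    return bad;
}

/* Constructed well-formed seed: length 3 followed by three payload bytes. */
static const unsigned char SEED[] = { 3, 'a', 'b', 'c' };

static int unchecked_findings(void) { return fuzz_bitflips(parse_unchecked, SEED, sizeof SEED); }
static int checked_findings(void)   { return fuzz_bitflips(parse_checked,   SEED, sizeof SEED); }
```

Every flip that raises the length byte above 3 (bits 2 through 7, six mutants) slips through the unchecked parser, while the checked parser reports none.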

It’s just about having a very deep and intuitive knowledge of the system that you’re trying to exploit. If you understand how something works at a very low level, then you also understand how to break it, and break it in the way that you want it to break.

If you’re curious, have a listen to the Darknet Diaries podcast – it’s full of case studies of hacks, exploits and how they were identified, prevented and/or solved. It’s fascinating and accessible to people that aren’t experts in information security.

Ex vulnerability researcher here, basically you need to understand the system you’re exploiting and find a flaw in the logic to use to your advantage. If you want a more in-depth analysis let me know and I can explain how I’d find and create exploits.

It’s kind of like an ant colony looking for food; you can kill (some of) them, or plug where they’re coming in, but they’re constantly searching for a tiny little hole to navigate until they get back in.

Really don’t need complicated exploits when Bob uses the same password for 10 different accounts. And opens every email attachment or clicks on any link.

A program that runs in a computer, for example, can be broken down into instructions. There are other programs out there called disassemblers that can show these instructions and in some cases provide a human readable description such as: here are the instructions that are followed when a user copies and pastes. By analysing the code a hacker might see that there is no check done on the amount of information that is copied. The hacker may then see or deduce what happens when they exploit this oversight. In some particular case it might be that copying a specific set of symbols that appear to make no sense can actually change the outcome of the previously mentioned instructions by overwriting the program’s instructions with the information copied. These new “hacked” instructions may then do malicious things like download nasty programs.

You try all the doors and ground floor windows. If that doesn’t work you look for the hide-a-key rock that the local Home Depot sells. If that doesn’t work you look for easily climbed parts of the house and unlocked second story windows. If that doesn’t work you start getting creative and seeing if maybe you can impersonate a meter reader or some other ruse to get in.

It’s just a matter of trying different things (using known exploits, vulnerabilities, default passwords, security holes like strong networks where some jackass has a web enabled coffee pot that you can get onto the network through using “admin” and “password”). Are they running old code on their websites that has known vulns? Do you know their employee email addresses and can you send them off-the-shelf viruses to let you in?

The first thing you might try (checking doors) is simply looking for their employee login and trying known default accounts, and employee names and common passwords. Then you might start checking their publicly facing websites for known vulnerabilities. Then maybe (using automated software) you start scanning their home network for open or easily entered connections. Maybe their home network is great, but a branch is weaker.

Once something cracks, either an IoT device isn’t properly secured, you get an employee login, you get on their network another way (maybe it was as easy as sitting in the parking lot and looking for free wifi or running wifi password cracking software on a poorly secured wifi) what you do would depend on what you’re after.

Hacking things is like looking at a wall of various well built-ness; your objective is to get a needle from one side of the wall to the other (by going through it). You scan the wall and search for a weak point, a common one being people themselves, and you try and exploit it and break that part of the wall. There’s no one way to hack into things. You could (and I would never condone this without someone’s explicit and written prior consent):

Brute force admin credentials to try and gain access to the system.

If your resources are big and the target is big enough, you could go for bribery or even break in to the physical location where the computers are held, stick a USB into a computer and leave a lovely little virus which’ll give you what you want.

Best one is probably by people: email claiming to be IT or some other fake identity, state that you’ll need their email and password for xyz bs reason. Whilst most people probably won’t fall for it, all you need is one high up person who’s not tech savvy enough to spot the scam and then you have access to a whole bunch of information. If you can trick someone high up at Twitter, for instance, to click on a scam link or open a nasty virus file, that can be you hacking in and finding what you need.

Generally speaking, the better the security, the more complicated the exploit. Whilst I’m not a hacker, I imagine they’d start off with the lower level simple stuff, and then work their way up to the increasingly complicated exploits as their attempts fail.

Everything starts with a single exploit discovery, like a null-byte exception, buffer overflow, or unsanitized inputs. Then, you look for more. Once you have enough to formulate a full-blown attack, you can either wait, sell the information, or develop attacks based on those vulnerabilities. Once they get good enough, they’ll already have attacks ready for most common vulnerabilities allowing them to quickly cripple or download all information from the compromised systems.

They are often extremely intelligent and have worked on or chosen to learn at a very deep level how certain systems work. No system is perfect; a lot of programming focuses more on getting things to work rather than being foolproof. Foolproof is a goal, but not a requirement. If you know the system you can understand how to exploit it.

ELI5: While bad guys are often highly skilled in their target technology, it’s also a team effort supported by everyone else on the planet (both good and bad).

Researchers and vendors announce their vulnerabilities so they can be understood and fixed by good guys, though that often means they’re also understood and exploited by bad guys.

These records are public too: https://nvd.nist.gov/