How are hackers able to find such complicated exploits?


In: Technology

44 Answers

Anonymous 0 Comments

Info sec engineer here – the best way to hack a system is via social engineering. Convince someone to open an email with a backdoor in it or click on a site which grabs your info. Hands down the cheapest and most effective way to compromise a system.

Anonymous 0 Comments

A zero-day is a computer-software vulnerability that is unexploited. That is the explanation for its name. Once it is first used by the exploiter, it has a limited time available to maximize its usefulness. These exploits are often written into programs by coders and sold to other people.

Zero day vulnerabilities can be bought on the dark web.

Zero-day exploits are either unknown to those who should be interested in their removal, or known, but a patch has not yet been developed.

Until the vulnerability is removed, hackers can exploit it to adversely affect programs, data, additional computers or a network.

Anonymous 0 Comments

Lots of ways… But the juicy ones are mistakes in code that can be boiled down to something like this.

Let’s say you have a bowl of Lego on the table. Someone can put Lego in and you can take Lego out one brick at a time, and you can’t see inside the bowl because you’re not tall enough. Each brick colour corresponds to doing something: let’s say red means brush your teeth, and blue means go play Xbox.

Now say you dump an entire bag of Lego into the bowl when no one is looking, so that the bowl is now full. If someone adds more Lego to the bowl, it just falls on the table. You can see the table, though, so you just pick up the blue Lego and go play Xbox.
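An added example, not part of the answer above: the bowl-and-table picture is a buffer overflow, and the small C model below (written for this page, not taken from any real program) shows it. The "bowl" is an 8-byte buffer; the byte right after it is the "what to do next" decision, which a real program would keep in a neighbouring local variable or in saved control data. The names (Table, add_bricks_vulnerable, add_bricks_fixed, the nine-brick attacker_bag) are made up for the illustration, and everything is kept inside one flat array so that the spill is a well-defined write into the model rather than undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Model of the bowl-of-Lego answer. BOWL_SIZE bricks fit in the bowl; the
 * byte directly after it is the "what to do next" decision, the way a local
 * array on a real stack sits next to other locals or saved control data.
 * Everything lives in one flat array so the spill is an in-bounds write
 * into this model and the program stays well defined; on real hardware the
 * extra bytes land in whatever happens to be adjacent. (Constructed model.) */
#define BOWL_SIZE     8
#define TABLE_SIZE    8                 /* "the table" next to the bowl */
#define ACTION_OFFSET BOWL_SIZE         /* first byte that is not the bowl */

#define ACTION_TEETH  'R'               /* red brick: brush your teeth */
#define ACTION_XBOX   'B'               /* blue brick: go play Xbox */

typedef struct {
    unsigned char mem[BOWL_SIZE + TABLE_SIZE];
    size_t count;                       /* bricks currently in the bowl */
} Table;

static void table_init(Table *t) {
    memset(t->mem, 0, sizeof t->mem);
    t->count = 0;
    t->mem[ACTION_OFFSET] = ACTION_TEETH;   /* the grown-ups decided: teeth */
}

/* The bug: nothing checks that the bricks still fit in the bowl, so bricks
 * beyond its capacity land on the table. The model array is large enough
 * that this stays inside it; the clamp below only protects the model. */
static void add_bricks_vulnerable(Table *t, const unsigned char *bricks, size_t n) {
    size_t room_in_model = sizeof t->mem - t->count;
    if (n > room_in_model) n = room_in_model;
    memcpy(t->mem + t->count, bricks, n);
    t->count += n;
}

/* The fix: a bag that does not fit is refused outright, so the action byte
 * can only ever be written by the code that owns it. */
static int add_bricks_fixed(Table *t, const unsigned char *bricks, size_t n) {
    if (n > BOWL_SIZE - t->count) return -1;
    memcpy(t->mem + t->count, bricks, n);
    t->count += n;
    return 0;
}

static unsigned char next_action(const Table *t) {
    return t->mem[ACTION_OFFSET];
}

/* Attacker's bag: nine bricks for an eight-brick bowl. The ninth is blue and
 * is the one that lands on the decision byte. (Constructed input.) */
static const unsigned char attacker_bag[BOWL_SIZE + 1] = {
    'R', 'R', 'R', 'R', 'R', 'R', 'R', 'R', ACTION_XBOX
};

/* What the system does next after the bag is dumped into the buggy bowl. */
unsigned char action_after_overflow(void) {
    Table t;
    table_init(&t);
    add_bricks_vulnerable(&t, attacker_bag, sizeof attacker_bag);
    return next_action(&t);             /* 'B': the attacker picked Xbox */
}

/* Same bag against the fixed bowl: rejected, decision untouched. */
unsigned char action_after_fix(void) {
    Table t;
    table_init(&t);
    (void)add_bricks_fixed(&t, attacker_bag, sizeof attacker_bag);
    return next_action(&t);             /* 'R': still brushing teeth */
}

/* 1 if the fixed version refuses the oversized bag, 0 otherwise. */
int fix_rejects_oversized_bag(void) {
    Table t;
    table_init(&t);
    return add_bricks_fixed(&t, attacker_bag, sizeof attacker_bag) == -1;
}
```

Real overflows are messier: the adjacent data might be a return address, a function pointer or a length field, and compilers and operating systems add stack canaries, non-executable memory and address randomisation that an attacker has to work around. The shape of the bug is the same, though: a copy bounded by the size of the input instead of the size of the destination.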

Anonymous 0 Comments

You can think of it like a labyrinth, where you know that there is an exit but you don’t know if there is more than one connection to that exit, with the one known route leading through a password authentication which you don’t want to go through.

You basically play with the system forwards and backwards, meaning you also try to find a way from exit to start. If you do both you get an instinct for when you get close to the other end, sometimes by surprise after you took a weird turn that didn’t look like the right one at all when you took it.

My favourite example of a complicated shortest route that is not the intended one is the Windows 95 domain authentication bypass.

Anonymous 0 Comments

Hacking basically requires a lot of research on the targeted system, reconnaissance of the target, and trial and error.

If somebody wants to hack Kanye’s Twitter password, they could google whether somebody happens to know Kanye’s password (research), look over Kanye’s shoulder when he types it in (reconnaissance, “shoulder surfing”), or create a password cracker that runs through all of the possible passwords (trial and error). They can research and develop malware that can control Kanye’s device and then look up where the passwords are stored, all of which requires research into what kind of phone Kanye has.
The fact is, a lot of basic hacking tools are readily available from reputable companies as penetration testing tools.
Hackers, good and bad, are motivated to find vulnerabilities in just about every computer system on the planet (research and trial and error). They poke at a given system, seeing what inputs give what outputs, and see if any of them can give higher privileges. When a vulnerability is first discovered, that’s called a “zero-day” hack. Developers need time to patch these, and some consumers may not update their systems when the patch is published.
The fact is, just about every computer, language, networking protocol, etc. was built with security as an afterthought, and as a result most security measures are built on top of these insecure systems.
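An added example, not from the answer above, for the "trial and error" part: a two-stage password cracker in C, wordlist first and then brute force over numeric PINs. It is written for this page; the wordlist and the secrets it is run against are constructed, and FNV-1a stands in for the password hash only because it fits in a few lines (it is not a password hash and should never be used as one).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a password hash. FNV-1a is NOT a password hash; it is used
 * here only because it is a few lines long and the point is the search, not
 * the hash. Real systems use bcrypt, scrypt or Argon2, which are deliberately
 * slow so that every guess costs the attacker far more. (Example hash choice.) */
uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Research: a small list of passwords people actually pick. (Constructed.) */
static const char *wordlist[] = { "123456", "password", "qwerty", "letmein", "1234", "kanye" };
#define WORDLIST_LEN (sizeof wordlist / sizeof wordlist[0])

/* Dictionary attack: try the likely candidates first. Returns the number of
 * guesses made on success (and writes the password to out), or -1 on failure. */
long crack_dictionary(uint32_t target, char *out, size_t outsz) {
    for (size_t i = 0; i < WORDLIST_LEN; i++) {
        if (fnv1a(wordlist[i]) == target) {
            snprintf(out, outsz, "%s", wordlist[i]);
            return (long)(i + 1);
        }
    }
    return -1;
}

/* Trial and error: every numeric PIN of the given length, from 000... upward.
 * The guess count shows the cost: 10^digits in the worst case. */
long crack_pin(uint32_t target, int digits, char *out, size_t outsz) {
    long limit = 1;
    for (int i = 0; i < digits; i++) limit *= 10;
    char buf[16];
    for (long pin = 0; pin < limit; pin++) {
        snprintf(buf, sizeof buf, "%0*ld", digits, pin);   /* zero-padded */
        if (fnv1a(buf) == target) {
            snprintf(out, outsz, "%s", buf);
            return pin + 1;
        }
    }
    return -1;
}

/* Two-stage cracker, the way real tools work: cheap wordlist first, then
 * brute force. Returns total guesses, or -1 if neither stage recovers it. */
long crack(uint32_t target, int pin_digits, char *out, size_t outsz) {
    long n = crack_dictionary(target, out, outsz);
    if (n >= 0) return n;
    long m = crack_pin(target, pin_digits, out, outsz);
    return m < 0 ? -1 : (long)WORDLIST_LEN + m;
}

/* Demonstration runs against constructed secrets; each returns guesses used. */
long guesses_for_common_password(void) { char out[16]; return crack(fnv1a("1234"),   4, out, sizeof out); }
long guesses_for_4_digit_pin(void)     { char out[16]; return crack(fnv1a("0777"),   4, out, sizeof out); }
long guesses_for_6_digit_pin(void)     { char out[16]; return crack(fnv1a("000999"), 6, out, sizeof out); }
```

The guess counters are the point. A password on the wordlist falls in a handful of tries, a four-digit PIN in at most 10,000 and a six-digit one in at most a million, which is why online systems rate-limit and lock out, and why stored passwords are hashed with deliberately slow functions such as bcrypt, scrypt or Argon2 that multiply the attacker's cost per guess.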

Anonymous 0 Comments

Play around with the code or website until you find cool stuff.

Simple example – search the source code for Steam and you’ll find a list of banned words…

Anonymous 0 Comments

My background: A guy who has worked with computers for about 27 years and in the computer industry for nearly 15, with an interest in video game speedrunning and console hacking.

A lot of exploits are found through understanding how technology works, previous experience, and trying a few different things to see what sticks. A recent example I saw was how to hack a Nintendo Wii Mini. They were able to exploit the console via the Bluetooth stack (software which handles the controllers).

They did this by looking at the Wii (which has been hacked for more than a decade) and realizing that the Bluetooth stack for the Wii / Mini was also the same one used by Android phones. So they got the source code (which Google published, because open source) and went through it, looking for code that, if sent something unexpected, would act strange.

Once they found some code that acted strange when fed unexpected data, they sent it carefully crafted data and a carefully written program, so that when the Wii Mini crashed on the data, it would run the program it was sent, which was just a program designed to run another program on the inserted USB stick.

So most exploits follow this method. People (researchers, malicious people, curious people) send unexpected data to something (a website, a computer program, a phone, a video game console) and see if the thing trips up. If it does, they send different data and see if it trips differently, and they then try and make it trip up in a specific way so that it’ll get confused and run whatever you tell it to run.

The really, really advanced hacks (such as breaking encryption) can be done using really cool methods, like timing how long it takes to encrypt / decrypt something and finding weaknesses in how those things are encrypted / decrypted.

But don’t forget, if you want to hack into a system, the best way is usually the most low-tech way. People will write their passwords on post-it notes (or tell you in the middle of a packed room) or a cleaner will let you into a room if you pretend you’re a contractor, or you can just [buy a wrench](https://xkcd.com/538/)
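An added example, not from the answer above, of the "send unexpected data and see if it trips up" loop. The report format, the parser and the 16-byte slot are constructed for this page and are not the Wii's or any real Bluetooth code: the packet carries its own length byte, the vulnerable parser trusts it, and a harness feeds every possible length and watches a canary byte next to the slot to spot the trip. The slot sits at the front of a larger array so that the overflow stays a well-defined write into the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy report format (constructed for this example, not the Wii's or any real
 * Bluetooth format): [type][len][payload...], where len says how many payload
 * bytes follow. The receiver copies the payload into a 16-byte slot. To keep
 * the program well defined, the slot is modelled as the first 16 bytes of a
 * larger arena with a known "canary" value right after it; if the canary
 * changes, the parser wrote past the slot. */
#define SLOT_SIZE   16
#define ARENA_SIZE  (SLOT_SIZE + 256)   /* room for any 8-bit len */
#define CANARY      0xA5

typedef struct {
    uint8_t arena[ARENA_SIZE];
    uint8_t last_type;
} Receiver;

static void receiver_reset(Receiver *r) {
    memset(r->arena, 0, sizeof r->arena);
    r->arena[SLOT_SIZE] = CANARY;
    r->last_type = 0;
}

/* Vulnerable: trusts the attacker-controlled len field. */
static int parse_report_vulnerable(Receiver *r, const uint8_t *pkt, size_t pktlen) {
    if (pktlen < 2) return -1;
    uint8_t len = pkt[1];
    if (pktlen < (size_t)2 + len) return -1;     /* checks the packet, not the slot */
    memcpy(r->arena, pkt + 2, len);               /* len > 16 spills past the slot */
    r->last_type = pkt[0];
    return 0;
}

/* Fixed: the slot's capacity, not the packet, bounds the copy. */
static int parse_report_fixed(Receiver *r, const uint8_t *pkt, size_t pktlen) {
    if (pktlen < 2) return -1;
    uint8_t len = pkt[1];
    if (len > SLOT_SIZE) return -1;               /* refuse; don't truncate silently */
    if (pktlen < (size_t)2 + len) return -1;
    memcpy(r->arena, pkt + 2, len);
    r->last_type = pkt[0];
    return 0;
}

static int canary_intact(const Receiver *r) {
    return r->arena[SLOT_SIZE] == CANARY;
}

typedef int (*parser_fn)(Receiver *, const uint8_t *, size_t);

/* The "send unexpected data and see if it trips" loop: try every possible
 * len value with a payload of 'A's and report the first one that corrupts
 * memory next to the slot. Returns that len, or -1 if none did. */
int first_len_that_trips(parser_fn parse) {
    uint8_t pkt[2 + 255];
    Receiver r;
    for (int len = 0; len <= 255; len++) {
        pkt[0] = 0x01;                            /* type byte: constructed value */
        pkt[1] = (uint8_t)len;
        memset(pkt + 2, 'A', (size_t)len);
        receiver_reset(&r);
        (void)parse(&r, pkt, (size_t)2 + (size_t)len);
        if (!canary_intact(&r)) return len;
    }
    return -1;
}

int vulnerable_trips_at(void) { return first_len_that_trips(parse_report_vulnerable); }
int fixed_trips_at(void)      { return first_len_that_trips(parse_report_fixed); }
```

On a real target there is no hand-placed canary; the equivalent signal is a crash, a sanitizer report or a debugger breakpoint, and a fuzzer mutates far more than one field. But the first finding is very often this shape: an input-supplied size that the code checks against the input instead of against the buffer it is copying into.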
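An added example, not from the answer above, for the timing remark: the answer says advanced attacks can time how long an encryption or check takes. The C below is written for this page; rather than a stopwatch it counts the bytes each comparison examines, which is exactly what wall-clock timing leaks on a real system. secret_tag, leaky_equal, ct_equal and recover_tag are all constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Early-exit compare, as in a naive tag/password check: stops at the first
 * mismatch, so the work done reveals how many leading bytes were right.
 * *work receives the number of bytes examined (the stand-in for time). */
int leaky_equal(const unsigned char *a, const unsigned char *b, size_t n, size_t *work) {
    *work = 0;
    for (size_t i = 0; i < n; i++) {
        (*work)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time compare: always touches every byte, folds the differences
 * together with OR, and only decides at the end. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n, size_t *work) {
    unsigned char diff = 0;
    *work = 0;
    for (size_t i = 0; i < n; i++) {
        (*work)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

#define TAG_LEN 4
/* Secret the verifier holds; constructed for the example. */
static const unsigned char secret_tag[TAG_LEN] = { 0x5a, 0x13, 0xc7, 0x01 };

typedef int (*cmp_fn)(const unsigned char *, const unsigned char *, size_t, size_t *);

/* Oracle the attacker may query: accept/reject, plus the timing leak. */
static int verify(cmp_fn cmp, const unsigned char *guess, size_t *work) {
    return cmp(secret_tag, guess, TAG_LEN, work);
}

/* How much work the verifier did on one guess (what the attacker measures). */
size_t work_for_guess(cmp_fn cmp, const unsigned char *guess) {
    size_t w;
    verify(cmp, guess, &w);
    return w;
}

/* Byte-at-a-time recovery. For each position try all 256 values and keep the
 * one the verifier spent longest rejecting; with the leaky compare that is
 * the right byte (one more byte got examined). The final byte is confirmed
 * by the accept answer itself. Returns 1 and fills out[] on success; with the
 * constant-time compare every guess costs the same and it returns 0. */
int recover_tag(cmp_fn cmp, unsigned char *out, size_t *queries) {
    unsigned char guess[TAG_LEN] = { 0 };
    size_t work;
    *queries = 0;
    for (size_t pos = 0; pos < TAG_LEN; pos++) {
        size_t best_work = 0;
        unsigned char best_byte = 0;
        for (int v = 0; v < 256; v++) {
            guess[pos] = (unsigned char)v;
            (*queries)++;
            if (verify(cmp, guess, &work)) {        /* accepted: whole tag known */
                memcpy(out, guess, TAG_LEN);
                return 1;
            }
            if (work > best_work) { best_work = work; best_byte = (unsigned char)v; }
        }
        guess[pos] = best_byte;                     /* slowest rejection wins */
    }
    return 0;
}

/* Queries needed to recover the tag, or -1 if the attack fails. */
long leaky_attack_queries(void) {
    unsigned char tag[TAG_LEN]; size_t q;
    return recover_tag(leaky_equal, tag, &q) ? (long)q : -1;
}
long ct_attack_queries(void) {
    unsigned char tag[TAG_LEN]; size_t q;
    return recover_tag(ct_equal, tag, &q) ? (long)q : -1;
}
```

The leak is entirely in the early-exit compare: the attacker recovers the 4-byte tag in a few hundred queries instead of the 2^32 a blind search would need, and the same trick scales to any length. The constant-time version does identical work for every guess, which is why memcmp must not be used to check MACs, session tokens or password hashes; use the constant-time comparison your crypto library provides.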

Anonymous 0 Comments

ELI5 Edition: Protecting a computer/network is like building a brick wall around your castle. You need to have all of the bricks secure and stacked properly so your wall will be strong and keep out intruders. Intruders (hackers) only need to find one weak brick out of the thousands of bricks that you put in the wall, break that brick, and it all comes crumbling down. Now they’re in your castle.

ELI10 Additional information: There’s TONS of ways to break a brick. Maybe a hammer, sure! Maybe you need to freeze a brick with liquid nitrogen, then hit it with a hammer and it breaks. Maybe the brick is strong, but can be dissolved in water. Or acid.

Hackers have giant toolboxes they use that have all the equipment they need to test for what types of bricks are in the wall, and then they’ll know if they have any ways to break any of these bricks. Some toolboxes you can find laying around for free (metasploit). Others might be super secret that no intruder wants to ever let their secret get out. Sometimes intruders even steal tools from other intruders!

Now, to be smart and sneaky, they don’t go around banging on all the bricks and throwing acid everywhere just to see what sticks. That would be too noisy, and you, the person in the castle, would probably hear them and try to fight them off. Instead, they’ll very methodically run some tests on all the bricks and see if anything comes up. It could take lots of time to run all these tests, but if the jewels in the castle are really pretty, it’s worth the wait. Finally, if/when just ONE of their tests comes back with a known way to break it, that’s all they need, and they’re in your castle. (This is penetration testing.)

And now for how they actually come up with these ways to break a brick? Patience, knowledge, creativity, and more patience. Some mad scientist, who has studied bricks very heavily, sat in a lab with a brick and tried every way he possibly could to come up with new ways to break a brick. He’ll try to heat it up, sing to it at just the right pitch, turn it upside down three times under a full moon. Maybe he even tried to go to the brick maker and blackmail him. “Put this secret powder in your brick batter or I tell your wife about your ‘poker night’. Don’t ask any questions!” Then the mad scientist has a special chemical that reacts with the secret powder and blows up!

Sometimes the mad scientist has a particular castle in mind when he’s working with these bricks, other times he just went to the brick store and bought their 100 most popular bricks, just to see what he could do. If he’s a “good” mad scientist, he’ll tell the people in the castle that their bricks are weak and they should fix them. But if he’s not, he might try to break in himself, or sell his new brick breaking method to someone else, or maybe he just tells everyone about it on Reddit because he likes to see the world in chaos!

Anonymous 0 Comments

Application security is like physical security of a building. If you leave a window open bad actors can get in easily.

Instead of open windows, software developers frequently code software in ways that can be easily manipulated, or that introduce easily exploitable vulnerabilities.

Companies hire security guards to go looking for open windows and hope they discover them before bad actors do.

Anonymous 0 Comments

Like graphing calculators and math, you don’t actually have to know how things work to get the answer.

Once a math equation is solved (vulnerability is discovered) that equation is added to a calculator (automation tools).

Bad actors (script kiddies) can use calculators (automation tools), to find math answers (vulnerable software).

ELI15:
Once an exploit has been identified, it’s added to a public list of Common Vulnerabilities and Exposures (CVE). That CVE list is maintained and used to identify other instances of that vulnerability in different programs.

As a known CVE ages, that additional time allows bad actors to create more automation tools that can exploit the vulnerability. Those automation tools are then distributed. That’s how you get script kiddies: bad actors without actual knowledge of the exploit, using automation tools that allow them to exploit it without knowing how it works.

This is why older systems missing older patches are more susceptible to hacking. Nowadays any program that can be reached from the internet can be crawled by automation tools (bots) and tested for the presence of known CVEs.

We use enterprise tools to discover them, determine the risk score (chance of being exploited × damage if exploited), and patch/remediate before the bad actors do.
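An added example, not from the answer above, of what an automated known-vulnerability check does. It is written for this page: the advisory identifiers (ADV-EXAMPLE-*), products, versions and scores are all constructed and are not real CVE entries. It matches an inventory of installed software against advisories by version, scores each hit as chance times damage the way the answer defines it, and sorts the worst to the top. The version comparison is the part worth looking at: comparing "1.9" and "1.10" as strings gets the answer backwards and would hide a hit.

```c
#include <stdlib.h>
#include <string.h>

/* A known-vulnerability scanner in miniature: match installed software
 * against an advisory list by version, score each hit, and sort so the
 * worst goes to the top. Advisory identifiers, products and versions below
 * are constructed for this example and are not real CVEs. */

/* Parse one dotted version component; a non-numeric tail ends the comparison. */
static unsigned long next_component(const char **p) {
    char *end;
    unsigned long v = strtoul(*p, &end, 10);
    if (end == *p) { *p += strlen(*p); return 0; }   /* no digits: stop here */
    *p = (*end == '.') ? end + 1 : end;
    return v;
}

/* Numeric, component-wise compare: "1.10" > "1.9", "2.0" == "2.0.0".
 * A plain strcmp gets the first case wrong and a scanner would miss the hit. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        unsigned long x = *a ? next_component(&a) : 0;
        unsigned long y = *b ? next_component(&b) : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

typedef struct {
    const char *id;        /* fictional identifier, NOT a real CVE */
    const char *product;
    const char *fixed_in;  /* first version that is not affected */
    double likelihood;     /* chance of exploitation, 0..1 */
    double impact;         /* damage if exploited, 0..10 */
} Advisory;

typedef struct { const char *product; const char *version; } Installed;

/* Risk score as the answer defines it: chance of being exploited x damage. */
double risk_score(const Advisory *a) { return a->likelihood * a->impact; }

/* Constructed advisory feed and inventory. */
static const Advisory advisories[] = {
    { "ADV-EXAMPLE-1", "examplehttpd", "2.4.10", 0.9, 8.0 },
    { "ADV-EXAMPLE-2", "examplehttpd", "2.4.3",  0.6, 5.0 },
    { "ADV-EXAMPLE-3", "examplelib",   "1.10",   0.3, 9.0 },
    { "ADV-EXAMPLE-4", "exampledb",    "5.7",    0.8, 9.0 },
};
static const Installed inventory[] = {
    { "examplehttpd", "2.4.7" },
    { "examplelib",   "1.9"   },   /* strcmp would call this newer than 1.10 */
    { "examplecache", "3.1"   },
};
#define N_ADV (sizeof advisories / sizeof advisories[0])
#define N_INV (sizeof inventory / sizeof inventory[0])

static int by_risk_desc(const void *pa, const void *pb) {
    double ra = risk_score(*(const Advisory *const *)pa);
    double rb = risk_score(*(const Advisory *const *)pb);
    return (ra < rb) - (ra > rb);
}

/* Fill out[] with the advisories that apply to the inventory, highest risk
 * first. Returns how many were found (at most max). */
size_t find_exposures(const Advisory **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < N_INV && n < max; i++)
        for (size_t j = 0; j < N_ADV && n < max; j++)
            if (strcmp(inventory[i].product, advisories[j].product) == 0 &&
                version_cmp(inventory[i].version, advisories[j].fixed_in) < 0)
                out[n++] = &advisories[j];
    qsort(out, n, sizeof out[0], by_risk_desc);
    return n;
}

size_t exposure_count(void) {
    const Advisory *hits[N_ADV];
    return find_exposures(hits, N_ADV);
}

/* Identifier of the highest-risk exposure, or "" if there is none. */
const char *top_exposure_id(void) {
    const Advisory *hits[N_ADV];
    size_t n = find_exposures(hits, N_ADV);
    return n ? hits[0]->id : "";
}
```

Two of the four constructed advisories apply: examplehttpd 2.4.7 is below the 2.4.10 fix but already past the 2.4.3 one, and examplelib 1.9 is below 1.10 (a string comparison would have missed it). Real scanners add vendor backports, build metadata and package-manager version schemes on top of this, but the two decisions, "is this version affected?" and "which hit do we fix first?", are the same.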