How do hackers find holes?


When I see black hats exploiting gaps in security, I have to wonder, how the hell did someone find this?

Is there an algorithm? I would think the white hats would have the algorithms too?

Even in video games, how do they find such obscure holes in professional programming?


Pentest tools. Trying previous methods like brute force for example. Seeing if any get through. Like security IT dudes (white fedora) make sure their company’s servers are bulletproof. It’s just that the hackers (black balaclava) do the same thing but are dicks about it.

“Professional programmers” make mistakes all the time, because there is far more need for people who can code even fairly badly than there are people who are good at it. Companies will sometimes spend tens of thousands of dollars in sourcing costs to find one mediocre software engineer.

There are certainly common approaches. For example, it’s a very bad idea to store users’ passwords in a database, but tons of shoddily-written websites do. Many websites also have much more information exposed than you probably think, and hackers will poke at that information to try to find places where it exposes something it shouldn’t.

For programs on one’s own computer, one can use a program that lets them just look at the computer’s actual memory and watch when certain values change. If you pick up a health potion and the value at memory address 0x4a89b92d changes, well, that’s probably where the game is storing your number of health potions. So you change the value at 0x4a89b92d to 99999999 and see if you get a bunch of potions.

This is just a very basic summary. Finding weaknesses like this is a whole subfield of programming and engineering that tends to attract extremely smart and extremely technical people. There’s a ton of security talks on YouTube that are relatively accessible and pretty interesting, if you want to know more!

Every time someone closes a security hole, a new one is found. Even at companies, who do security well and try to seal every known exploit, new vulnerabilities are constantly being found.

Sometimes the company will find them before shipping the software. Some even have dedicated penetration teams. But sometimes they are found in the wild.

You cannot underestimate the tenacity of those who want to exploit your software and the creative ways they think to do so.

In many cases, companies don’t have dedicated security resources. Most programmers don’t learn much about security in school. Their job experiences won’t always teach them the right ways to do things. They may have never been in a high-risk environment and needed to think about security.

All that adds up to plenty of attack vectors.

To massively oversimplify a huge topic – there are two classes of vulnerability: known and zero-day vulnerabilities.

Known vulnerabilities are documented in systems like the CVE Program. They maintain a list of vulnerabilities by software version and attempt to rank them according to severity. If you are able to fingerprint the version of software (for example, by sending a request to a server and causing it to expose the IIS version number in the response header) then you can look for known vulnerabilities associated with that version of the software and work from there.

Zero-days are publicly unknown or undisclosed vulnerabilities, and finding them is significantly more complex and usually requires advanced knowledge and experience working with technology much closer to the metal. An understanding of things like CPU instruction sets, memory allocation, and having skills in software debugging/reverse engineering, etc. is often required to discover new vulnerabilities. A researcher might also use techniques like fuzzing to try to crash or elicit an unusual response from a system to identify any potential bugs or holes that could be exploited.

That is a huge oversimplification but hopefully offers some insight.
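The fuzzing approach mentioned in the last answer (and the "find them before shipping" point made earlier), as an added example that is not part of the original thread: a toy record parser with a bounds bug, the same parser hardened, and a small mutation fuzzer that treats the hardened parser's documented ValueError as an expected rejection and any other exception as a bug worth recording. The record format, both parsers and the seed input are constructed for illustration.

```python
import random
from collections import Counter

# Constructed toy format: 1-byte record count, then per record a 1-byte length and payload.
def parse_records(data: bytes) -> list[bytes]:
    """Naive parser: trusts the count and length bytes it reads from the input."""
    count, pos, records = data[0], 1, []
    for _ in range(count):
        length = data[pos]          # walks off the end if count/length lie about the size
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records

def parse_records_hardened(data: bytes) -> list[bytes]:
    """Same format, but every read is bounds-checked; malformed input gets a clean ValueError."""
    if not data:
        raise ValueError("empty input")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated record header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("record length exceeds input")
        records.append(data[pos:pos + length])
        pos += length
    return records

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random byte-level mutation: overwrite, insert, or delete a byte."""
    buf, op = bytearray(data), rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(parser, seed_input: bytes, iterations: int, seed: int = 1) -> dict:
    """Mutation fuzzer: ValueError is the parser's documented rejection, anything else is a bug."""
    rng, kinds, reproducers = random.Random(seed), Counter(), {}
    for _ in range(iterations):
        sample = mutate(rng, seed_input)
        try:
            parser(sample)
        except ValueError:
            continue                # expected rejection of malformed input, not a crash
        except Exception as exc:    # unexpected exception class: record the first reproducer
            kinds[type(exc).__name__] += 1
            reproducers.setdefault(type(exc).__name__, sample)
    return {"crash_kinds": dict(kinds), "reproducers": reproducers}

SEED_INPUT = bytes([2, 3, 0x61, 0x62, 0x63, 1, 0x7A])   # two valid records: b"abc" and b"z"
```

Running `fuzz(parse_records, SEED_INPUT, 500)` reports IndexError crashes with a reproducing input, while the hardened parser reports none under the same mutations.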