Execution Flow
Explore
-
Determine application/system inputs where bypassing input validation is desired: The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where they want to bypass it.
| Techniques |
|---|
| While using an application/system, the attacker discovers an input where validation is stopping them from performing some malicious or unauthorized actions. |
Experiment
-
Determine which character encodings are accepted by the application/system: The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly.
-
Combine multiple encodings accepted by the application.: The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times.
| Techniques |
|---|
| Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\\' |
| Determine whether URL encoding is accepted by the application/system. |
| Determine whether UTF-8 encoding is accepted by the application/system. |
| Determine whether UTF-16 encoding is accepted by the application/system. |
| Determine if any other encodings are accepted by the application/system. |
| Techniques |
|---|
| Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: \"\\\\\\.\". With two parsing layers, this may get converted to \"\\.\" after the first parsing layer, and then, to \".\" after the second. If the input validation layer is between the two parsing layers, then \"\\\\\\.\\\\\\.\" might pass a test for \"..\" but still get converted to \"..\" afterwards. This may enable directory traversal attacks. |
| Combine multiple encodings and observe the effects. For example, the attacker might encode \".\" as \"\\.\", and then, encode \"\\.\" as \"\.\", and then, encode that using URL encoding to \"%26%2392%3B%26%2346%3B\" |
Exploit
-
Leverage ability to bypass input validation: Attacker leverages their ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here.
| Techniques |
|---|
| Gain access to sensitive files. |
| Perform command injection. |
| Perform SQL injection. |
| Perform XSS attacks. |
Execution Flow
Explore
-
Identify target software: The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.
Experiment
-
Find injection vector: The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. The adversary then deploys the file to the software to determine if a buffer overflow was successful.
-
Craft overflow content: Once the adversary has determined that this attack is viable, they will specially craft the binary file in a way that achieves the desired behavior. If the source code is available, the adversary can carefully craft the malicious file so that the return address is overwritten to an intended value. If the source code is not available, the adversary will iteratively alter the file in order to overwrite the return address correctly.
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit
-
Overflow the buffer: Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software, either by serving it directly to the software or placing it in a shared location for a victim to load into the software.
Execution Flow
Explore
-
Identify target application: The adversary identifies a target application or program that might load in certain files to memory.
Experiment
-
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
-
Craft overflow file content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| The adversary creates or modifies a symbolic link pointing to those files which contain an excessive amount of data. If creating a symbolic link to one of those files causes different behavior in the application, then an injection vector has been identified. |
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit
-
Overflow the buffer: Using the specially crafted file content, the adversary creates a symbolic link from the identified resource to the malicious file, causing a targeted buffer overflow attack.
Execution Flow
Explore
-
Determine Target System: In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.
| Techniques |
|---|
| If needed, the adversary explores an organization's network to determine if any specific systems of interest exist. |
Experiment
-
Develop or Obtain malware and install on a USB device: The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.
| Techniques |
|---|
| The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes. |
Exploit
-
Connect or deceive a user into connecting the infected USB device: Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.
| Techniques |
|---|
| The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc. |
Execution Flow
Experiment
-
Craft Certificates: The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.
-
Send CSR to Certificate Authority: The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.
Exploit
-
Insert Signed Blob into Unsigned Certificate: The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.
Execution Flow
Explore
-
Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries look for applications or programs that accept formatted files, such as configuration files, as input.
Experiment
-
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
-
Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| Knowing the type of file that an application takes as input, the adversary takes a normal input file and modifies a single variable or tag to contain a large amount of data. If there is a crash, this means that a buffer overflow attack is possible. The adversary will keep changing single variables or tags one by one until they see a change in behavior. |
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit
-
Overflow the buffer: The adversary will upload the crafted file to the application, causing a buffer overflow.
Execution Flow
Explore
-
Find User Input: The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser
Experiment
-
Add Duplicate Parameter Values: Once the adversary has identified what user input is used as HTTP parameters, they will add duplicates to each parameter one by one to observe the results. If the response from the HTTP request shows the duplicate parameter value concatenated with the original parameter value in some way, or simply just the duplicate parameter value, then HPP is possible.
| Techniques |
|---|
| In the URL, add a duplicate parameter by using the \"&\" delimiter. For example \"par1=val1\" becomes \"par1=val1&par1=val2\". Depending on the backend API, this could be treated as \"par1=val1, val2\", which could lead to par1 being set to val2, ignoring val1. |
| If the request is created based on user input directly on the page, the adversary will test by adding an encoded delimiter to the input. For example, the adverary might supply \"1000%26action=withdraw\" and the backend might interpret a POST request with the paramters \"action=deposit&amount=1000&action=withdraw\" |
Exploit
-
Leverage HPP: Once the adversary has identified how the backend handles duplicate parameters, they will leverage this by polluting the paramters in a way that benefits them. In some cases, hardcoded parameters will be disregarded by the backend. In others, the adversary can bypass a WAF that might only check a parameter before it has been concatenated by the backend, resulting in malicious queries getting through.
Execution Flow
Explore
-
Find a vulnerable web service: The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed
| Techniques |
|---|
| Read application documentation to learn about authentication schemes being used |
| Observe web service traffic to look for vulnerable authentication schemes |
Experiment
-
Attempt adding padding to parameters: An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same
| Techniques |
|---|
| Exploit the hash function extension / padding weakness with only padding to test the weakness |
Exploit
-
Add malicious parameters to request: Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.
| Techniques |
|---|
| Exploit the hash function extension / padding weakness by adding malicious parameters to a web service request such that it is still deemed authentic |
Execution Flow
Explore
-
Determine service to send cross domain requests to: The adversary first determines which service they will be sending the requests to
Experiment
-
Send and time various cross domain requests: Adversaries will send a variety of cross domain requests to the target, timing the time it takes for the target to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.
| Techniques |
|---|
| Using a GET request, leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events to time a response |
| Using a POST request, leverage the \"iframe\" element and use the \"onload()\" event to time a response |
Exploit
-
Infer information from the response time: After obtaining reponse times to various requests, the adversary will compare these times and infer potentially sensitive information. An example of this could be asking a service to retrieve information and random usernames. If one request took longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.
| Techniques |
|---|
| Compare timing of different requests to infer potentially sensitive information about a target service |
Execution Flow
Explore
-
Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.
Experiment
-
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
-
Craft overflow content: The adversary crafts the input to be given to the program. If the intent is to simply cause the software to crash, the input needs only to expand to an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft input that expands in a way that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.
| Techniques |
|---|
| In this attack, the normal method of providing large user input does not work. The program performs bounds checking on the user input, but not the expanded user input. The adversary needs to provide input that they believe will be expanded by the program to overflow a buffer. To identify where this is possible, an adversary either needs to have knowledge of the inner workings of the program or use a disassembler and other reverse engineering tools to guide the search. |
| Techniques |
|---|
| Create specific files and directories on the system and then give input using path traversal shortcuts to those directories that could expand past an input buffer. |
Exploit
-
Overflow the buffer: Using the injection vector, the adversary gives the crafted input to the program, overflowing the buffer.
Execution Flow
Explore
-
The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through.
Experiment
-
The adversary goes about the typical steps of an SQL injection and determines if an injection is possible.
-
Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible.
-
If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
-
In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command \"select @@plugin_dir\"
Exploit
-
The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file \"{plugin directory}\\\\udf.dll\";
-
Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is \"create function sys_eval returns string soname 'udf.dll';\" The function sys_eval is specific to the example DLL listed above.
-
Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: \"select sys_eval('dir');\". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.
Execution Flow
Explore
-
Identify target general susceptibility: An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.
| Techniques |
|---|
| The attacker uses a tool such as the OSX \"otool\" utility or manually probes whether the target application uses dynamically linked libraries. |
| The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted. |
Experiment
-
Craft malicious libraries: The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.
| Techniques |
|---|
| The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application. |
Exploit
-
Redirect the access to libraries to the malicious libraries: The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.
| Techniques |
|---|
| The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted. |
| The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132. |
| The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38. |
Execution Flow
Explore
-
Determine target system: The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.
Experiment
-
Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the windows registry.
| Techniques |
|---|
| Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked. |
| Gain remote access to a system through a variety of means. |
Exploit
-
Modify windows registry: The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.
Execution Flow
Explore
-
Identify web application URL inputs: Review application inputs to find those that are designed to be URLs.
| Techniques |
|---|
| Manually navigate web site pages to identify URLs. |
| Use automated tools to identify URLs. |
Experiment
-
Identify URL inputs allowing local access.: Execute test local commands via each URL input to determine which are successful.
| Techniques |
|---|
| Manually execute a local command (such as 'pwd') via the URL inputs. |
| Using an automated tool, test each URL input for weakness. |
Exploit
-
Execute malicious commands: Using the identified URL inputs that allow local command execution, execute malicious commands.
| Techniques |
|---|
| Execute local commands via the URL input. |
Execution Flow
Explore
-
Probing: The adversary probes the target application, service, or device to find a possible weakness that would allow escaping the virtualized environment.
| Techniques |
|---|
| Probing applications, services, or devices for virtualization weaknesses. |
Experiment
-
Verify the exploitable security weaknesses: Using the found weakness, the adversary attempts to escape the virtualized environment.
| Techniques |
|---|
| Using an application weakness to escape a virtualized environment |
Exploit
-
Execute more complex attacks: Once outside of the virtualized environment, the adversary attempts to perform other more complex attacks such as accessing system resources or executing unauthorized code within the host environment.
| Techniques |
|---|
| Executing complex attacks when given higher permissions by escaping a virtualized environment |
Execution Flow
Explore
-
Determine application's/system's password policy: Determine the password policies of the target application/system.
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
Exploit
-
Brute force password: Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
| Techniques |
|---|
| Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. |
| Perform an offline dictionary attack or a rainbow table attack against a known password hash. |
Execution Flow
Explore
-
Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using substituion on the victim's side.
| Techniques |
|---|
| Use an automated tool to record all instances of URLs to process requests. |
| Use a browser to manually explore the website and analyze how the application processes requests. |
Exploit
-
Craft malicious payload: The adversary crafts malicious message containing nested quadratic expansion that completely uses up available server resource.
-
Send the message: Send the malicious crafted message to the target URL.
Execution Flow
Explore
-
Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents. They must also determine what the contents of the intents being sent are such that a malicious application can get sent these intents.
Experiment
-
Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents from a target application
-
Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary
| Techniques |
|---|
| Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter |
Exploit
-
Intercept Implicit Intents: Once the malicious app is downloaded, the android device will forward any implicit intents from the target application to the malicious application, allowing the adversary to gaina access to the contents of the intent. The adversary can proceed with any attack using the contents of the intent.
| Techniques |
|---|
| Block the intent from reaching the desired location, causing a denial of service |
| Gather sensitive information from the intercepted intent |
| Modify the contents of the intent and forward along to another application |
Execution Flow
Explore
-
Understand the password recovery mechanism and how it works.
Exploit
-
Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.
Execution Flow
Explore
-
Determine target web application: An adversary first needs to determine what web application they wish to target.
| Techniques |
|---|
| Target web applications that require users to enter sensitive information. |
| Target web applications that an adversary wishes to operate on behalf of a logged in user. |
Experiment
-
Create malicious application: An adversary creates an application, often mobile, that incorporates a WebView component to display the targeted web application. This malicious application needs to downloaded by a user, so adversaries will make this application useful in some way.
-
Get the victim to download and run the application: An adversary needs to get the victim to willingly download and run the application.
| Techniques |
|---|
| Create a 3rd party application that adds useful functionality to the targeted web application. Victims will download the application as a means of using the targeted web application. |
| Create a fun game that at some point directs a user to the targeted web application. For example, prompt the user to buy in game currency by directing them to PayPal. |
| Techniques |
|---|
| Pay for App Store advertisements |
| Promote the application on social media, either through accounts made by the adversary or by paying for other accounts to advertise. |
Exploit
-
Inject malicious code: Once the victim runs the malicious application and views the targeted web page in the WebView component, the malicious application will inject malicious JavaScript code into the web application. This is done by using WebView's loadURL() API, which can inject arbitrary JavaScript code into pages loaded by the WebView component with the same privileges. This is often done by adding a script tag to the document body with a src destination to a remote location that serves malicious JavaScript code.
| Techniques |
|---|
| Execute operations on the targeted web page on behalf of an authenticated user. |
| Steal cookie information from the victim. |
| Add in extra fields to the DOM in an attempt to get a user to divulge sensitive information. |
Execution Flow
Explore
-
Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.
Experiment
-
Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.
-
Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary
| Techniques |
|---|
| Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter |
Exploit
-
Gather sensitive data through malicious app: Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.
| Techniques |
|---|
| Gather login information from a user using a malicious app |
Execution Flow
Explore
-
Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.
| Techniques |
|---|
| Determine what tasks prompt a user for their credentials. |
| Determine what tasks may prompt a user to authorize a process to execute with elevated privileges. |
Exploit
-
Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.
| Techniques |
|---|
| Prompt a user for their credentials, while making the user believe the credential request is legitimate. |
| Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate. |
Execution Flow
Explore
-
Scan for user accounts with set SPN values
-
Request service tickets
| Techniques |
|---|
| These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means. |
| Techniques |
|---|
| Using user account's SPN value, request other service tickets from Active Directory |
Experiment
-
Extract ticket and save to disk
| Techniques |
|---|
| Certain tools like Mimikatz can extract local tickets and save them to memory/disk. |
Exploit
-
Crack the encrypted ticket to harvest plain text credentials
| Techniques |
|---|
| Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack. |
Execution Flow
Explore
-
Find a target SOA or Web Service: The adversary must first indentify a target SOA or Web Service.
Experiment
-
Determine desired outcome: Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to effect the webservice.
-
Determine if a malicious service needs to be created: If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.
| Techniques |
|---|
| An adversary can perform a denial of service attack on a web service. |
| An adversary can redirect requests or responses to a malicious service. |
| Techniques |
|---|
| Create a service to that requests are sent to in addition to the legitimate service and simply record the requests. |
| Create a service that will give malicious responses to a service provider. |
| Act as a malicious service provider and respond to requests in an arbitrary way. |
Exploit
-
Poison Web Service Registry: Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.
| Techniques |
|---|
| Intercept and change WS-Adressing headers to route to a malicious service or service provider. |
| Provide incorrect information in schema or metadata to cause a denial of service. |
| Delete information about service procider interfaces to cause a denial of service. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
| Manually inspect the application to find entry points. |
Experiment
-
Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.
| Techniques |
|---|
| Try different encodings for null such as \\0 or %00 |
Exploit
-
Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) such that they remove data after the null byte(s) in a way that is beneficial to them.
| Techniques |
|---|
| If the input is a directory as part of a longer file path, add a null byte(s) at the end of the input to try to traverse to the given directory. |
Execution Flow
Explore
-
Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.
-
Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
| Techniques |
|---|
| Look for datasheets containing the system schematics that can help identify possible target hardware. |
| Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality. |
| Techniques |
|---|
| Procure a system and observe the steps it takes in the shipment process. |
| Identify possible warehouses that systems are stored after manufacturing. |
Experiment
-
Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.
| Techniques |
|---|
| Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality. |
| Obtain already designed malicious components that just need to be placed into the system. |
Exploit
-
Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.
Execution Flow
Explore
-
Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.
-
Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
| Techniques |
|---|
| Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems. |
| Identify exposed USB connectors that could be used to load software. |
| Techniques |
|---|
| Procure a system and observe the steps it takes in the shipment process. |
| Identify possible warehouses that systems are stored after manufacturing. |
Experiment
-
Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.
| Techniques |
|---|
| Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim. |
| Obtain already designed malicious software that just need to be placed into the system. |
Exploit
-
Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.
Execution Flow
Explore
-
Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.
| Techniques |
|---|
| Use an automated tool to record all instances of URLs to process XML requests. |
| Use a browser to manually explore the website and analyze how the application processes XML requests. |
Experiment
-
An adversary crafts input data that may have an adverse effect on the operation of the web service when the XML data sent to the service.
Exploit
-
Launch a resource depletion attack: The attacker delivers a large number of XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.
| Techniques |
|---|
| Send a large number of crafted XML messages to the target URL. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
| Manually inspect the application to find entry points. |
Experiment
-
Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects postfix null byte(s) followed by a backslash to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.
| Techniques |
|---|
| Try different encodings for null such as \\0 or %00 followed by an encoding for the backslash character. |
Exploit
-
Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) followed by a backslash such that they bypass an input filter and remove data after the null byte(s) in a way that is beneficial to them.
| Techniques |
|---|
| If the input is a directory as part of a longer file path, add a null byte(s) followed by a backslash at the end of the input to try to traverse to the given directory. |
Execution Flow
Explore
-
Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.
-
Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.
| Techniques |
|---|
| Look for a weekly update cycle or repeated update schedule. |
| Insert a malicious process into the target system that notifies the adversary when configuration is occurring. |
Experiment
-
Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.
| Techniques |
|---|
| Add false log data |
| Change configuration files |
| Change data files |
Exploit
-
Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.
Execution Flow
Explore
-
Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:
Experiment
-
Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:
Exploit
-
Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.
Execution Flow
Explore
-
Determine parameters: Determine all user-controllable parameters of the application either by probing or by finding documentation
Experiment
-
Cause error condition: Inject each parameter with content that causes an error condition to manifest
-
Modify parameters: Modify the content of each parameter according to observed error conditions
Exploit
-
Follow up attack: Once the above steps have been repeated with enough parameters, the application will be sufficiently mapped out. The adversary can then launch a desired attack (for example, Blind SQL Injection)
Execution Flow
Explore
-
Identify target application: The adversary identifies a target application or program to perform the buffer overread on. Adversaries often look for applications that accept user input and that perform manual memory management.
Experiment
-
Find attack vector: The adversary identifies an attack vector by looking for areas in the application where they can specify to read more data than is required.
Exploit
-
Overread the buffer: The adversary provides input to the application that gets it to read past the bounds of a buffer, possibly revealing sensitive information that was not intended to be given to the adversary.
Execution Flow
Explore
-
Determine application's/system's password policy: Determine the password policies of the target application/system.
-
Obtain password hashes: An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
| Techniques |
|---|
| Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.) |
| Obtain password hashes from platform-specific storage locations (e.g. Windows registry) |
| Sniff network packets containing password hashes. |
Exploit
-
Run rainbow table-based password cracking tool: An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.
| Techniques |
|---|
| Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy. |
Execution Flow
Explore
-
Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.
-
Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.
| Techniques |
|---|
| An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web. |
| An adversary leverages a key logger or phishing attack to steal user credentials as they are provided. |
| An adversary conducts a sniffing attack to steal credentials as they are transmitted. |
| An adversary gains access to a database and exfiltrates password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded credentials. |
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account). |
Experiment
-
Attempt authentication: Try each credential until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each credential through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application
-
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.
Execution Flow
Explore
-
Acquire known Windows administrator credentials: The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.
| Techniques |
|---|
| An adversary purchases breached Windows administrator credentials from the dark web. |
| An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided. |
| An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted. |
| An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials. |
Experiment
-
Attempt domain authentication: Try each Windows administrator credential against the hidden network shares until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each administrator credential through the target's interface. |
Exploit
-
Malware Execution: An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.
-
Data Exfiltration: The adversary can remotely obtain sensitive data contained within the administrative network shares.
Execution Flow
Explore
-
Determine target's password policy: Determine the password policies of the target system/application.
-
Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
| Techniques |
|---|
| Select passwords based on common use or a particular user's additional details. |
| Select passwords based on the target's password complexity policies. |
Exploit
-
Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.
| Techniques |
|---|
| Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. |
| Iterate through the remaining passwords for each known user account. |
Execution Flow
Explore
-
Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.
Experiment
-
Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.
-
Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.
-
Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.
| Techniques |
|---|
| Send a phishing email with a malicious attachment that installs a keylogger on a user's system |
| Conceal a keylogger behind fake software and get the user to download the software |
| Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge |
| Gain access to the user's system through a vulnerability and manually install a keylogger |
| Techniques |
|---|
| Search for repeated sequences that are following by the enter key |
| Search for repeated sequences that are not found in a dictionary |
| Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence |
Exploit
-
Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack
Execution Flow
Explore
-
Find a REST-style application that uses SSL: The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.
Experiment
-
Insert a listener to sniff client-server communication: The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.
| Techniques |
|---|
| Run wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated |
Exploit
-
Gather information passed in the clear: If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe identified potential entry points for DOM-based XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Specific to DOM-based XSS, the adversary is looking for areas where input is being used to directly change the DOM.
-
Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim. In DOM-based XSS, the malicious script might not even be sent to the server, since the victim's browser will manipulate the DOM itself. This can help avoid serve-side detection mechanisms.
| Techniques |
|---|
| Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out. |
| Techniques |
|---|
| Change a URL parameter to include a malicious script tag. |
| Add a URL fragment to alter the value of the expected Document object URL. |
| Send information gathered from the malicious script to a remote endpoint. |
Exploit
-
Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.
| Techniques |
|---|
| Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion. |
| Put the malicious URL on a public forum, where many victims might accidentally click the link. |
Execution Flow
Explore
-
Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.
-
Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.
| Techniques |
|---|
| An attacker makes many anonymous connections and records the session IDs assigned. |
| An attacker makes authorized connections and records the session tokens or credentials issued. |
| Techniques |
|---|
| Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections. |
| Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs |
| Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation. |
Experiment
-
Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.
| Techniques |
|---|
| The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match. |
Exploit
-
Use matched Session ID: The attacker uses the falsified session ID to access the target system.
| Techniques |
|---|
| The attacker loads the session ID into their web browser and browses to restricted data or functionality. |
| The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe identified potential entry points for reflected XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
-
Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
| Techniques |
|---|
| Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out. |
| Techniques |
|---|
| Change a URL parameter to include a malicious script tag. |
| Send information gathered from the malicious script to a remote endpoint. |
Exploit
-
Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.
| Techniques |
|---|
| Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion. |
| Put the malicious URL on a public forum, where many victims might accidentally click the link. |
Execution Flow
Explore
-
Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. The adversary is looking for areas where user input is stored, such as user profiles, shopping carts, file managers, forums, blogs, and logs.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe identified potential entry points for stored XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
-
Store malicious XSS content: Once the adversary has determined which stored locations are vulnerable to XSS, they will interact with the web application to store the malicious content. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.
| Techniques |
|---|
| Use a list of XSS probe strings to submit script in input fields that could be stored by the web application. If possible, the probe strings contain a unique identifier so they can be queried for after submitting to see if they are stored. |
| Use a list of HTML special characters to submit in input fields that could be stored by the web application and check if they were properly encoded, replaced, or filtered out. |
| Techniques |
|---|
| Store a malicious script on a page that will execute when viewed by the victim. |
| Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks. |
Exploit
-
Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.
| Techniques |
|---|
| Send a phishing email to the victim containing a URL that will direct them to the malicious stored content. |
| Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum. |
Execution Flow
Explore
-
Discover Existing Session Token: Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.
Experiment
-
Insert Found Session Token: The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.
Exploit
-
Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
Execution Flow
Explore
-
Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.
-
Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
| Techniques |
|---|
| Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. |
| Use a browser to manually explore a website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery. |
Experiment
-
Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying absolute file paths on all found user input locations and observes the responses.
| Techniques |
|---|
| Access common files in root directories such as \"/bin\", \"/boot\", \"/lib\", or \"/home\" |
| Access a specific drive letter or windows volume letter by specifying \"C:dirname\" for example |
| Access a known Windows UNC share by specifying \"\\\\UNC\\share\\name\" for example |
Exploit
-
Access, modify, or execute arbitrary files.: An adversary injects absolute path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.
| Techniques |
|---|
| Manipulate file and its path by injecting absolute path sequences (e.g. \"/home/file.txt\"). |
| Download files, modify files, or try to execute shell commands (with binary files). |
Execution Flow
Explore
-
Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
| Techniques |
|---|
| Manually cover the application and record the possible places where arguments could be passed into external systems. |
| Use a spider, for web applications, to create a list of URLs and associated inputs. |
Experiment
-
1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.
| Techniques |
|---|
| Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure). |
| Use a proxy tool to record results, error messages and/or log if accessible. |
Exploit
-
Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
| Techniques |
|---|
| Manually inject specific payload into targeted argument. |
Execution Flow
Explore
-
The attacker interacts with the target host and finds that session IDs are used to authenticate users.
-
The attacker steals a session ID from a valid user.
Exploit
-
The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.
Execution Flow
Explore
-
Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.
-
Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.
| Techniques |
|---|
| An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web. |
| An adversary leverages a key logger or phishing attack to steal user credentials as they are provided. |
| An adversary conducts a sniffing attack to steal credentials as they are transmitted. |
| An adversary gains access to a database and exfiltrates password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded credentials. |
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account). |
Experiment
-
Attempt authentication: Try each username/password combination until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each username/password combination through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application
-
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.
Execution Flow
Explore
-
Setup the Attack: Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.
| Techniques |
|---|
| The attacker chooses a predefined identifier that they know. |
| The attacker creates a trap session for the victim. |
Experiment
-
Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.
| Techniques |
|---|
| Attackers can put links on web sites (such as forums, blogs, or comment forms). |
| Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service. |
| Attackers can email attack URLs to potential victims through spam and phishing techniques. |
Exploit
-
Abuse the Victim's Session: Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.
| Techniques |
|---|
| The attacker loads the predefined session ID into their browser and browses to protected data or functionality. |
| The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
| Techniques |
|---|
| Research popular or high traffic websites. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.
| Techniques |
|---|
| Register the BitSquatted domain. |
Exploit
-
Wait for a user to visit the domain: Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.
| Techniques |
|---|
| Simply wait for an error in memory to occur, redirecting the user to the malicious domain. |
Execution Flow
Explore
-
Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.
| Techniques |
|---|
| Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server |
| Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server |
| View HTML source of web pages that contain links or buttons that perform actions of interest. |
Experiment
-
Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.
| Techniques |
|---|
| Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000) |
| Create a form that will submit a POST request (e.g. |
Exploit
-
Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.
| Techniques |
|---|
| Execute a phishing attack and send the user an e-mail convincing them to click on a link. |
| Execute a stored XSS attack on a website to permanently embed the malicious link into the website. |
| Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link. |
| Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe identified potential entry points for XSS vulnerability: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
| Techniques |
|---|
| Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier. |
| Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier. |
Exploit
-
Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.
-
Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
-
Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website.
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. |
| Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. |
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site |
| Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). |
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
| Techniques |
|---|
| Research popular or high traffic websites. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL.
| Techniques |
|---|
| Register the TypoSquatted domain. |
Exploit
-
Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain.
| Techniques |
|---|
| Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain. |
| Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted, receives a consistent amount of traffic, and is a homophone.
| Techniques |
|---|
| Research popular or high traffic websites which are also homophones. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the SoundSquatted URL.
| Techniques |
|---|
| Register the SoundSquatted domain. |
Exploit
-
Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the SoundSquatted domain.
| Techniques |
|---|
| Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the SoundSquatted domain. |
| Assume that a user will unintentionally use the homophone in the URL, leading the user to the SoundSquatted domain. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
| Techniques |
|---|
| Research popular or high traffic websites. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglpyh character(s).
| Techniques |
|---|
| Register the Homograph domain. |
Exploit
-
Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the Homograph domain.
| Techniques |
|---|
| Execute a phishing attack and send a user an e-mail convincing the to click on a link leading the user to the malicious domain. |
Execution Flow
Explore
-
Find an application that allows copying sensititve data to clipboad: An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data
Experiment
-
Target users of the application: An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic
| Techniques |
|---|
| Install malware on a user's system designed to log clipboard contents periodically |
| Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard |
Exploit
-
Follow-up attack: Use any sensitive information found to carry out a follow-up attack
Execution Flow
Explore
-
Select Target: The adversary searches for a suitable target to attack, such as government and/or private industry organizations.
-
Identify Components: After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.
| Techniques |
|---|
| Conduct reconnaissance to determine potential targets to exploit. |
| Techniques |
|---|
| [Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged. |
| [Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack. |
Experiment
-
Optional: Create Payload: If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.
Exploit
-
Insert Firmware Altering Malware: Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.
| Techniques |
|---|
| The adversary inserts the firmware altering malware on the target component, via the use of known malware tools. |
| [Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system. |
Execution Flow
Explore
-
The attacker accesses the server using a specific URL.
Experiment
-
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
Exploit
-
The attacker crafts a malicious URL string request and sends it to the server.
-
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
Execution Flow
Explore
-
Determine target process: The adversary determines a process with sufficient privileges that they wish to include code into.
| Techniques |
|---|
| On Windows, use the process explorer's security tab to see if a process is running with administror privileges. |
| On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user. |
Experiment
-
Attempt to include simple code with known output: The adversary attempts to include very simple code into the existing process to determine if the code inclusion worked. The code will differ based on the approach used to include code into an existing process.
Exploit
-
Include arbitrary code into existing process: Once an adversary has determined that including code into the existing process is possible, they will include code for a targeted purpose, such as accessing that process's memory.
Execution Flow
Explore
-
Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
| Techniques |
|---|
| An adversary purchases breached Windows credential hash value pairs from the dark web. |
| An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted. |
| An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs. |
Experiment
-
Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each Windows credential hash value pair through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
-
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.
Execution Flow
Explore
-
Gain logical access to system: An adversary must first gain logical access to the system it wants to gather registry information from,
| Techniques |
|---|
| Obtain user account credentials and access the system |
| Plant malware on the system that will give remote logical access to the adversary |
Experiment
-
Determine if the permissions are correct: Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means
-
Peruse registry for information: Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.
Exploit
-
Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack
Execution Flow
Explore
-
Set up a sniffer: The adversary sets up a sniffer in the path between the server and the client and watches the traffic.
| Techniques |
|---|
| The adversary sets up a sniffer in the path between the server and the client. |
Exploit
-
[Capturing Application Code Bound During Patching]adversary knows that the computer/OS/application can request new applications to install, or it periodically checks for an available update. The adversary loads the sniffer set up during Explore phase, and extracts the application code from subsequent communication. The adversary then proceeds to reverse engineer the captured code.
| Techniques |
|---|
| adversary loads the sniffer to capture the application code bound during a dynamic update. |
| The adversary proceeds to reverse engineer the captured code. |
Execution Flow
Explore
-
Acquire known Kerberos credentials: The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.
| Techniques |
|---|
| An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web. |
| An adversary guesses the credentials to a weak Kerberos service account. |
| An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted. |
| An adversary conducts a Kerberoasting attack. |
Experiment
-
Attempt Kerberos authentication: Try each Kerberos credential against various resources within the domain until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each Kerberos service account credential through the target's interface. |
| Attempt a Pass the Ticket attack. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
-
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.
Execution Flow
Explore
-
Acquire known operating system credentials: The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.
| Techniques |
|---|
| An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web. |
| An adversary leverages a key logger or phishing attack to steal user credentials as they are provided. |
| An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted. |
| An adversary gains access to a system/files and exfiltrates password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded credentials. |
Experiment
-
Attempt authentication: Try each operating system credential against various systems, applications, and services within the domain until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each credential through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network
-
Spoofing: Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within system files or application configuration.
Execution Flow
Explore
-
Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing their credentials.
| Techniques |
|---|
| Determine what tasks prompt a user for their credentials. |
Exploit
-
Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.
| Techniques |
|---|
| Prompt a user for their credentials, while making the user believe the credential request is legitimate. |
Execution Flow
Explore
-
Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.
-
Explore legitimate website and create duplicate: An adversary optionally creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the organization's website that they are trying to impersonate. That website will contain a telephone number for the victim to call to assist them with their issue and initiate the attack. If the adversary leverages cold-calling for this attack, this step is skipped.
| Techniques |
|---|
| Optionally obtain a domain name that visually looks similar to the legitimate organization's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L) |
| Optionally obtain a legitimate SSL certificate for the new domain name. |
| Techniques |
|---|
| Use spidering software to get copy of web pages on legitimate site. |
| Manually save copies of required web pages from legitimate site. |
| Create new web pages that have the legitimate site's look and feel, but contain completely new content. |
Exploit
-
Convince user to provide sensitive information to the adversary.: An adversary \"cold calls\" the victim or receives a call from the victim via the malicious site and provides a call-to-action, in order to persuade the user into providing sensitive details to the adversary (e.g. login credentials, bank account information, etc.). The key is to get the victim to believe that the individual they are talking to is from a legitimate entity with which the victim does business and that the call is occurring for legitimate reasons. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.
-
Use stolen information: Once the adversary obtains the sensitive information, this information can be leveraged to log into the victim's bank account and transfer money to an account of their choice, or to make fraudulent purchases with stolen credit card information.
| Techniques |
|---|
| Call the user a from a spoofed legitimate-looking telephone number. |
| Techniques |
|---|
| Login to the legitimate site using another the victim's supplied credentials |
Execution Flow
Explore
-
Survey application: The attacker first takes an inventory of the functionality exposed by the application.
| Techniques |
|---|
| Spider web sites for all available links |
| Sniff network communications with application using a utility such as WireShark. |
Experiment
-
Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax.
-
Experiment with SQL Injection vulnerabilities: After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database.
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
| Techniques |
|---|
| Use public resources such as \"SQL Injection Cheat Sheet\" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries. |
| Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : \"' OR 1=1; --\", or something else that would syntactically complete a hypothesized query. Iteratively refine the query. |
| Use \"Blind SQL Injection\" techniques to extract information about the database schema. |
| If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: \"'; DROP TABLE SYSOBJECTS; --\" and \"'); DROP TABLE SYSOBJECTS; --\". These particular queries will likely not work because the SYSOBJECTS table is generally protected. |
Exploit
-
Exploit SQL Injection vulnerability: After refining and adding various logic to SQL queries, craft and execute the underlying SQL query that will be used to attack the target system. The goal is to reveal, modify, and/or delete database data, using the knowledge obtained in the previous step. This could entail crafting and executing multiple SQL queries if a denial of service attack is the intent.
| Techniques |
|---|
| Craft and Execute underlying SQL query |
Execution Flow
Explore
-
Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
| Techniques |
|---|
| Search application stores for mobile applications worth exploiting |
Experiment
-
Develop code to be hooked into chosen target application: The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.
| Techniques |
|---|
| Develop code or leverage existing code to bypass Root/Jailbreak detection methods. |
| Test the code to see if it works. |
| Iteratively develop the code until Root/Jailbreak detection methods are evaded. |
Exploit
-
Execute code hooking to evade Root/Jailbreak detection methods: Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.
| Techniques |
|---|
| Hook code into the target application. |
Execution Flow
Explore
-
Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
| Techniques |
|---|
| Search application stores for mobile applications worth exploiting |
Experiment
-
Debug the target application: The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.
-
Remove application signature verification methods: Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.
| Techniques |
|---|
| Insert the debugger at the mobile application's program entry point, after the application's signature has been identified. |
| Dump the memory region containing the now decrypted code from the address space of the binary. |
Exploit
-
Execute the application and evade Root/Jailbreak detection methods: The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.
| Techniques |
|---|
| Optional: Hook code into the target application. |
Execution Flow
Experiment
-
The adversary tricks the victim into installing the Trojan Horse malware onto their system.
-
The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.
| Techniques |
|---|
| Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate. |
Exploit
-
The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Execution Flow
Explore
-
Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.
-
Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.
| Techniques |
|---|
| Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system. |
| Techniques |
|---|
| Run OS or application specific tools that examine the contents of cache. |
Experiment
-
Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.
-
Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.
| Techniques |
|---|
| Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass. |
| Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass. |
Exploit
-
Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.
| Techniques |
|---|
| Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data. |
| Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed. |
| Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process. |
Execution Flow
Explore
-
Find target application: Find target web application that accepts a user input and retrieves data from the server
Experiment
-
Examine existing application requests: Examine HTTP/GET requests to view the URL query format. Adversaries test to see if this type of attack is possible through weaknesses in an application's protection to Server Side Request Forgery
| Techniques |
|---|
| Attempt manipulating the URL to retrieve an error response/code from the server to determine if URL/request validation is done. |
| Use a list of XSS probe strings to specify as parameters to known URLs. If possible, use probe strings with unique identifiers. |
| Create a GET request with a common server file path such as /etc/passwd as a parameter and examine output. |
Exploit
-
Malicious request: Adversary crafts a malicious URL request that assumes the privilege level of the server to query internal or external network services and sends the request to the application
Execution Flow
Explore
-
Survey physical victim environment and potential Thunderbolt system targets: The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.
-
Evaluate the target system and its Thunderbolt interface: The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections to plan the attack.
Experiment
-
Obtain and/or clone firmware image: The adversary physically manipulates Thunderbolt enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.
-
Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information: The acquired victim and/or adversary firmware image is parsed for specific data and other relevant identifiers required for exploitation, based upon the victim device information and firmware version.
-
Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary): The adversary overrides the target device's Thunderbolt Security Level to \"None\" (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware.
-
Modify/replace victim Thunderbolt firmware image: The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash.
| Techniques |
|---|
| Disassemble victim and/or adversary device enclosure with basic tools to gain access to Thunderbolt controller SPI flash by connecting adversary SPI programmer. |
| Adversary connects SPI programmer to adversary-controlled Thunderbolt enabled device to obtain/clone victim thunderbolt controller firmware image through tools/scripts. |
| Clone firmware image with SPI programmer and tools/scripts on adversary-controlled device. |
| Techniques |
|---|
| Utilize pre-crafted tools/scripts to parse and locate desired firmware data and modify it. |
| Locate DROM (Device Read Only Memory) data structure section and calculate/determine appropriate offset to replicate victim device UUID. |
| Locate ACL (Access Control List) data structure and calculate/determine appropriate offsets to identify victim device UUID. |
| Locate data structure containing challenge-response key information between appropriate offsets. |
| Techniques |
|---|
| The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections. |
Exploit
-
Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions: The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device.
-
Exfiltration of desired data from victim device to adversary device: Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection.
| Techniques |
|---|
| Observe victim device identify adversary device as the victim device and enables PCIe tunneling. |
| Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled. |
| Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of \"None\" (SL0) |
| Observe after installation of Firmware update that within Thunderbolt Management UI the \"NVM version\" is unchanged/same prior to the prompt of successful Firmware update/installation. |
Execution Flow
Explore
-
Scan for Bluetooth Enabled Devices: Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.
| Techniques |
|---|
| Note the MAC address of the device you want to attack. |
Experiment
-
Change L2CAP Packet Length: The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.
| Techniques |
|---|
| An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux. |
Exploit
-
Flood: An adversary sends the packets to the target device, and floods it until performance is degraded.
Execution Flow
Explore
-
Find disguise and target: The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.
| Techniques |
|---|
| Knowledge of a trusted MAC address. |
| Scanning for devices other than the target that may be trusted. |
Experiment
-
Disguise: Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.
Exploit
-
Use device capabilities to accomplish goal: Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.
Execution Flow
Explore
-
Discovery: Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.
| Techniques |
|---|
| Use packet capture tools. |
Experiment
-
Change the entropy bits: Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.
Exploit
-
Capture and decrypt data: Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.
Execution Flow
Explore
-
Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.
Experiment
-
Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.
Exploit
-
Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.
Execution Flow
Explore
-
Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly.
Experiment
-
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.
-
Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.
| Techniques |
|---|
| Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters. |
| Techniques |
|---|
| The formatting characters %s and %d are useful for observing memory and trying to print memory addresses. If an adversary has access to the log being written to they can observer this output and use it to help craft their attack. |
| The formatting character %n is useful for adding extra data onto the buffer. |
Exploit
-
Overflow the buffer: Using the injection vector, the adversary supplies the program with the crafted format string injection, causing a buffer.
Execution Flow
Explore
-
Survey target application: Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.
| Techniques |
|---|
| Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized. |
| Identify areas of the application that interact with user input and may be involved with NoSQL queries. |
Experiment
-
Identify user-controllable input susceptible to injection: After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., \"$ne\" for MongoDB or \"$exists\" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.
-
Experiment with NoSQL Injection vulnerabilities: After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
| Techniques |
|---|
| Use public resources such as OWASP's \"Testing for NoSQL Injection\" [REF-668] or Null Sweep's \"NoSQL Injection Cheatsheet\" [REF-669] and try different approaches for adding logic to NoSQL queries. |
| Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query. |
| Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as \"where\" within PHP [CAPEC-460]. |
Exploit
-
Exploit NoSQL Injection vulnerability: After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.
| Techniques |
|---|
| Craft and Execute underlying NoSQL query |
Execution Flow
Explore
-
Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities
| Techniques |
|---|
| Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on. |
Experiment
-
Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.
Exploit
-
Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.
| Techniques |
|---|
| Install malware on a device to recruit it for a botnet. |
| Install malware on the device and use it for a ransomware attack. |
| Gain root access and steal information stored on the device. |
| Manipulate the device to behave in unexpected ways which would benefit the adversary. |
Execution Flow
Explore
-
Find programs with elevated priveleges: The adversary probes for programs running with elevated privileges.
-
Find vulnerability in running program: The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program.
| Techniques |
|---|
| Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. |
| Techniques |
|---|
| Look for improper input validation |
| Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone. |
| Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data. |
Exploit
-
Execute arbitrary code: The adversary exploits the vulnerability that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.
Execution Flow
Explore
-
Identify target: The adversary must first identify a target repository for them to spoof. Typically, this will be a popular and widely used repository, as to increase the amount of victims a successful attack will exploit.
Experiment
-
Create malicious repository: The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more.
-
Spoof commit metadata: Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and originating from trusted sources.
| Techniques |
|---|
| Git Commit Timestamps: The adversary generates numerous fake commits while setting the \"GIT_AUTHOR_DATE\" and \"GIT_COMMITTER_DATE\" environment variables to a date which is to be spoofed. |
| Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the \"git config\" command. The adversary can then commit changes leveraging this username. |
Exploit
-
Exploit victims: The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.
| Techniques |
|---|
| Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering. |
| Passive: The adversary waits for victims to download and leverage malicious software. |
Execution Flow
Explore
-
Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.
Experiment
-
Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.
Exploit
-
Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.
| Techniques |
|---|
| Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering. |
| Passive: The adversary waits for victims to download and leverage the malicious package. |
Execution Flow
Explore
-
System Locale Information Discovery: The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system
| Techniques |
|---|
| Registry Query: Query the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\Language_Dialect on Windows to obtain system language, Computer\\HKEY_CURRENT_USER\\Keyboard Layout\\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation to obtain the system timezone configuration |
| Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings. |
| Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font. |
Execution Flow
Explore
-
Identify target: The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.
Experiment
-
Recreate initial repository path: The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.
Exploit
-
Exploit victims: The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.
Execution Flow
Explore
-
Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.
| Techniques |
|---|
| Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system. |
Experiment
-
Fill microarchitectural buffer with controlled value: The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.
-
Set up instruction to page fault or microcode assist: The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.
| Techniques |
|---|
| The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access |
| The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system |
| Techniques |
|---|
| When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists. |
| When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call |
| An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization |
| When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit |
Exploit
-
Operate on adversary-controlled data: Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.
| Techniques |
|---|
| Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget. |
| Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets. |
Execution Flow
Explore
-
Determine Exsisting DHCP lease: An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
| Techniques |
|---|
| Adversary observes LAN traffic for DHCP solicitations |
Experiment
-
Capture the DHCP DISCOVER message: The adversary captures \"DISCOVER\" messages and crafts \"OFFER\" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these \"DISCOVER\" messages.
| Techniques |
|---|
| Adversary captures and responds to DHCP \"DISCOVER\" messages tailored to the target subnet. |
Exploit
-
Compromise Network Access and Collect Network Activity: An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
| Techniques |
|---|
| Adversary sends repeated DHCP \"REQUEST\" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server. |
Execution Flow
Explore
-
Identify target(s): The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.
Experiment
-
Create malicious extension: Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.
Exploit
-
Install malicious extension: The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.
| Techniques |
|---|
| Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself. |
| User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component. |
Execution Flow
Explore
-
Survey Target: The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display.
Experiment
-
Find target using SDR: The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.
| Techniques |
|---|
| An adversary can make use of many different commercially available SDR devices which are easy to setup such as a HackRF, Ubertooth, RTL-SDR, and many others. |
Exploit
-
Visualize Monitor Image: Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.
| Techniques |
|---|
| The TempestSDR software can be used in conjunction an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewing monitor display. Low pass filters and gain can be manipulated to make the display image clearer. |
Execution Flow
Explore
-
[Hypothesize SQL queries in application]
-
[Determine how to inject information into the queries]
| Techniques |
|---|
| Research types of SQL queries and determine which ones could be used at various places in an application. |
| Techniques |
|---|
| Add clauses to the SQL queries such that the query logic does not change. |
| Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not. |
Experiment
-
Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.
-
Determine database type: Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
| Techniques |
|---|
| Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only) |
| Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only) |
| Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not). |
Exploit
-
Extract information about database schema: Extract information about database schema by getting the database to answer yes/no questions about the schema.
-
Exploit SQL Injection vulnerability: Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database
| Techniques |
|---|
| Automatically extract database schema using a tool such as Absinthe. |
| Manually perform the blind SQL Injection to extract desired information about the database schema. |
| Techniques |
|---|
| Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc. |
Execution Flow
Explore
-
Identify potential targets: An adversary identifies network boundary devices that can be compromised.
| Techniques |
|---|
| The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device. |
Experiment
-
Compromise targets: The adversary must compromise the identified targets in the previous step.
| Techniques |
|---|
| Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console. |
| Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access. |
Exploit
-
Bridge Networks: The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.
| Techniques |
|---|
| The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate. |
| Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks. |
Execution Flow
Explore
-
Identify potential targets: The adversary identifies an application or service that the target is likely to use.
| Techniques |
|---|
| The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals. |
Experiment
-
Lure victims: The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.
| Techniques |
|---|
| An adversary can create a convincing email with a link to download the web client and interact with the transparent browser. |
Exploit
-
Monitor and Manipulate Data: When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.
| Techniques |
|---|
| Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim. |
Execution Flow
Explore
-
Find and scan debug interface: The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
| Techniques |
|---|
| Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain |
Experiment
-
Connect to debug interface: The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.
| Techniques |
|---|
| Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator |
Exploit
-
Move along debug chain: Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.
| Techniques |
|---|
| Run a command such as “scan_chain” to see what TAPs are available in the chain. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
| Techniques |
|---|
| Try to use Unicode encoding of content in Scripts in order to bypass validation routines. |
| Try to use Unicode encoding of content in HTML in order to bypass validation routines. |
| Try to use Unicode encoding of content in CSS in order to bypass validation routines. |
Execution Flow
Explore
-
Survey web application for URLs with parameters: Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
Experiment
-
Probe URLs to locate vulnerabilities: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.
| Techniques |
|---|
| Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally. |
| Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes. |
Exploit
-
Inject special characters into URL parameters: Using the information gathered in the \"Experiment\" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.
Execution Flow
Explore
-
Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
Experiment
-
The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
Exploit
-
Having determined how to manipulate the state, the adversary can perform illegitimate actions.
Execution Flow
Explore
-
Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.
-
Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
| Techniques |
|---|
| Spider web sites for all available links, entry points to the web site. |
| Manually explore application and inventory all application inputs |
Experiment
-
Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
| Techniques |
|---|
| Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.) |
| Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests |
| Inject context-appropriate malicious file system control syntax |
Exploit
-
Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)
| Techniques |
|---|
| The attacker injects context-appropriate malicious file path to access the content of the targeted file. |
| The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file. |
| The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file. |
| The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file. |
| The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file. |
| The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file. |
Execution Flow
Explore
-
Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on.
Experiment
-
Find user-controlled variables: Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application.
| Techniques |
|---|
| Adversaries will try to alter many common variable names such as \"count\", \"tempFile\", \"i\", etc. The hope is that they can alter the flow of the application without knowing the inner-workings. |
| Adversaries will try to alter known environment variables. |
Exploit
-
Manipulate user-controlled variables: Once the adversary has found a user-controller variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary.
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
| Manually inspect the application to find entry points. |
Experiment
-
Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts to escape multiple different special characters using a backslash.
| Techniques |
|---|
| Escape a special character with a backslash to bypass input validation. |
| Try different encodings of both the backslash and the special character to see if this bypasses input validation |
Exploit
-
Manipulate input: Once the adversary determines how to bypass filters that filter out special characters using an escaped slash, they will manipulate the user input in a way that is not intended by the application.
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
| Manually inspect the application to find entry points. |
Experiment
-
Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and looks for areas where user input is used to access resources on the target host. The adversary attempts different encodings of slash characters to bypass input filters.
| Techniques |
|---|
| Try both backslash and forward slash characters |
| Try different encodings for slash characters such as %5C |
Exploit
-
Traverse application directories: Once the adversary determines how to bypass filters that filter out slash characters, they will manipulate the user input to include slashes in order to traverse directories and access resources that are not intended for the user.
Execution Flow
Explore
-
Identify target application: The adversary, with knowledge of vulnerable libraries or shared code modules, identifies a target application or program that makes use of these.
Experiment
-
Find injection vector: The adversary attempts to use the API, and if they can they send a large amount of data to see if the buffer overflow attack really does work.
-
Craft overflow content: The adversary crafts the content to be injected based on their knowledge of the vulnerability and their desired outcome. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.
| Techniques |
|---|
| Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible. |
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit
-
Overflow the buffer: Using the API as the injection vector, the adversary injects the crafted overflow content into the buffer.
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
| Techniques |
|---|
| Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines. |
| Try to use UTF-8 encoding of content in HTML in order to bypass validation routines. |
| Try to use UTF-8 encoding of content in CSS in order to bypass validation routines. |
Execution Flow
Explore
-
Determine Application Web Server Log File Format: The attacker observes the system and looks for indicators of which logging utility is being used by the web server.
| Techniques |
|---|
| Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information. |
Experiment
-
Determine Injectable Content: The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.
| Techniques |
|---|
| Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc. |
Exploit
-
Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
| Techniques |
|---|
| \n |
| \n |
| Directly through log file or database manipulation, modify existing log entries. |
Execution Flow
Explore
-
Survey the target: Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XPath queries.
-
Determine the tructure of queries: Using manual or automated means, test inputs found for XPath weaknesses.
| Techniques |
|---|
| Use an automated tool to record all instances of user-controllable input used to contruct XPath queries. |
| Use a browser to manually explore the website and analyze how the application processes inputs. |
| Techniques |
|---|
| Use an automated tool automatically probe the inputs for XPath weaknesses. |
| Manually probe the inputs using characters such as single quote (') that can cause XPath-releated errors, thus indicating an XPath weakness. |
Exploit
-
Inject content into XPath query: Craft malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries.
| Techniques |
|---|
| Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker. |
| Use a combination of single quote (') and boolean expressions such as \"or 1=1\" to manipulate XPath logic. |
| Use XPath functions in the malicious content such as \"string-length\", \"substring\", or \"count\" to gain information about the XML document structure being used. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax.
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use XML files to inject input. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
Exploit
-
Information Disclosure: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.
-
Manipulate the data in the XML database: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.
| Techniques |
|---|
| Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it. |
| Techniques |
|---|
| Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database. |
Execution Flow
Explore
-
Send request to target webpage and analyze HTML: Using a browser or an automated tool, an adversary sends requests to a webpage and records the received HTML response. Adversaries then analyze the HTML to identify any known underlying JavaScript architectures. This can aid in mappiong publicly known vulnerabilities to the webpage and can also helpo the adversary guess application architecture and the inner workings of a system.
| Techniques |
|---|
| Record all \"src\" values inside script tags. These JavaScript files are compared to lists of files for known architectures. If there is a large match between the \"src\" values and architecture files, then it can be assumed that particular architecture is being used. |
Execution Flow
Explore
-
Survey the application for public links: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the entry points (input) that becomes part of generated HTTP header (not only GET/POST/COOKIE, but also Content-Type, etc.)
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters used in the HTTP headers. |
| Look for HTML meta tags that could be injectable |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
[Probe identified potential entry points for XSS vulnerability]
-
Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
| Techniques |
|---|
| Manually inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed. |
| Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Techniques |
|---|
| Change a URL parameter which is used in an HTTP header to include a malicious script tag. Because it is in the header it may bypass validation. |
| Send information gathered from the malicious script to a remote endpoint. |
Exploit
-
Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.
| Techniques |
|---|
| Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion. |
| Put the malicious URL on a public forum, where many victims might accidentally click the link. |
Execution Flow
Explore
-
Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.
| Techniques |
|---|
| Use a spidering tool to follow and record all links. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
Experiment
-
Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.
| Techniques |
|---|
| Use a spidering tool to follow and record attempts on well-known URLs. |
| Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs. |
Exploit
-
Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
-
View unauthorized data: The attacker discovers and views unprotected sensitive data.
| Techniques |
|---|
| Access unprotected functions and execute them. |
| Techniques |
|---|
| Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.) |
Execution Flow
Explore
-
Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.
-
Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
| Techniques |
|---|
| Spidering web sites for all available links |
| Inventory all application inputs |
Experiment
-
Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application
| Techniques |
|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) |
| Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) |
Exploit
-
Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
| Techniques |
|---|
| The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection). |
Execution Flow
Exploit
-
Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information.
-
The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website
-
When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one.
-
Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now \"farm\" sensitive information such as credentials or account numbers.
Execution Flow
Explore
-
Identify target system: The adversary first finds a target system that they want to gain elevated priveleges on. This could be a system they already have some level of access to or a system that they will gain unauthorized access at a lower privelege using some other means.
-
Find injection vector: The adversary identifies command line utilities exposed by the target host that contain buffer overflow vulnerabilites. The adversary likely knows which utilities have these vulnerabilities and what the effected versions are, so they will also obtain version numbers for these utilities.
Experiment
-
Craft overflow command: Once the adversary has found a vulnerable utility, they will use their knownledge of the vulnerabilty to create the command that will exploit the buffer overflow.
Exploit
-
Overflow the buffer: Using the injection vector, the adversary executes the crafted command, gaining elevated priveleges on the machine.
Execution Flow
Explore
-
Identify service with vulnerable handshake authentication: The adversary must first identify a vulnerable authentication protocol. The most common indication of an authentication protocol vulnerable to reflection attack is when the client initiates the handshake, rather than the server. This allows the client to get the server to encrypt targeted data using the server's pre-shared key.
Experiment
-
Send challenge to target server: The adversary opens a connection to the target server and sends it a challenge. This challenge is arbitrary and is simply used as a placeholder for the protocol in order to get the server to respond.
-
Receive server challenge: The server responds by returning the challenge sent encrypted with the server's pre-shared key, as well as its own challenge to the attacker sent in plaintext. We will call this challenge sent by the server \"C\". C is very important and is stored off by the adversary for the next step.
-
Initiate second handshake: Since the adversary does not possess the pre-shared key, they cannot encrypt C from the previous step in order for the server to authenticate them. To get around this, the adversary initiates a second connection to the server while still keeping the first connection alive. In the second connection, the adversary sends C as the initial client challenge, which rather than being arbitary like the first connection, is very intentional.
-
Receive encrypted challenge: The server treats the intial client challenge in connection two as an arbitrary client challenge and responds by encrypting C with the pre-shared key. The server also sends a new challenge. The adversary ignores the server challenge and stores the encrypted version of C. The second connection is either terminated or left to expire by the adversary as it is no longer needed.
Exploit
-
The adversary now posseses the encrypted version of C that is obtained through connection two. The adversary continues the handshake in connection one by responding to the server with the encrypted version of C, verifying that they have access to the pre-shared key (when they actually do not). Because the server uses the same pre-shared key for all authentication it will decrypt C and authenticate the adversary for the first connection, giving the adversary illegitimate access to the target system.
Execution Flow
Explore
-
The first step is exploratory meaning the attacker looks for an integer variable that they can control.
Experiment
-
The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range.
Exploit
-
The integer variable is forced to have a value out of range which set its final value to an unexpected value.
-
The target host acts on the data and unexpected behavior may happen.
Execution Flow
Explore
-
Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.
| Techniques |
|---|
| Determine logging utility being used by application (e.g. log4j) |
| Gain access to application's source code to determine log file formats. |
| Install or obtain access to instance of application and observe its log file format. |
Exploit
-
Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
| Techniques |
|---|
| \n |
| \n |
Execution Flow
Explore
-
Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
| Techniques |
|---|
| Perform a sniffing attack and observe communication to determine a communication protocol. |
| Look for application documentation that might describe a communication mechanism used by a target. |
Experiment
-
Position In Between Targets: The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.
| Techniques |
|---|
| Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client. |
| Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL. |
Exploit
-
Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
| Techniques |
|---|
| Prevent some messages from reaching their destination, causing a denial of service. |
Execution Flow
Explore
-
Scan for WSDL Documents: The adversary scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the adversary.
Experiment
-
Analyze WSDL files: An adversary will analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.
Exploit
-
Craft malicious content: Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance the adversary may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be XML validated and cause unexpected behavior.
Execution Flow
Explore
-
Determine what external libraries the application accesses.
Experiment
-
Block access to the external libraries accessed by the application.
-
Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.
-
If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.
Execution Flow
Explore
-
An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.
Exploit
-
An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.
Execution Flow
Explore
-
Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.
-
Explore legitimate website and create duplicate: An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.
| Techniques |
|---|
| Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L) |
| Optionally obtain a legitimate SSL certificate for the new domain name. |
| Techniques |
|---|
| Use spidering software to get copy of web pages on legitimate site. |
| Manually save copies of required web pages from legitimate site. |
| Create new web pages that have the legitimate site's look and feel, but contain completely new content. |
Exploit
-
Convince user to enter sensitive information on attacker's site.: An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
-
Use stolen credentials to log into legitimate site: Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
| Techniques |
|---|
| Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link. |
| Place phishing link in post to online forum. |
| Techniques |
|---|
| Log in to the legitimate site using another user's supplied credentials |