Tactical Exploitation
by mjw on Sep.15, 2007
At Black Hat/Defcon, HD Moore (with Valsmith) gave a great talk entitled “Tactical Exploitation”. They dragged the talk out a bit long, but mixed in there were several neat tricks and, more importantly, a hacking philosophy that I could not agree with more.
Tactical Exploitation is about being clever. It is not exploit development; it is taking existing technology and leveraging it to the attacker’s advantage. A good example is misusing the way NTLM/NetBIOS authentication works. I have seen shops build huge parallel clusters to crack NTLM password hashes. It works, but they never quite understood that you do not need to crack the hashes: the hash, not the password, is what the protocol actually keys its challenge-response on, so you can simply grab hashes and re-use them (pass-the-hash). Yes, there are some reasons to crack them, but that is beyond the scope here. Tactical Exploitation realizes that you only need the hash, then builds attacks around it. Where you cannot dump hashes, you make the victim authenticate to you: for example, a file share (UNC path) referenced from an HTML page causes Windows clients to connect to it automatically, and the NTLM authentication they send can then be captured or relayed to another host.
Tactical exploitation is powerful because it is so simple. Some customers hear “0-day” or “exploit development” and you instantly lose relevance. Only a few government and financial institutions care about that level of attack; the rest (sometimes rightly) regard it as beyond their capability to defend against, or as not a realistic threat given their business. Tests therefore rapidly spiral into patch management audits, which prove very little. However, by leveraging misconfiguration, user error, and a few clever hacks you can typically gain access.
Tying these tactical attacks together, you achieve strategic exploitation of the target and can be assured of a successful penetration test.