This step
exploits vulnerabilities found to verify if the vulnerabilities are real and
what possible information or access can be obtained. Exploitation separates
Penetration Testing services from passive services such as Vulnerability
Assessments and Audits. Exploitation and all the following steps have legal
ramifications without authorization from the asset owners of the target.
The success
of this step is heavily dependent on previous efforts. Most exploits are
developed for specific vulnerabilities and can cause undesired consequences if
executed incorrectly. Best practice is identifying a handful of vulnerabilities
and developing an attack strategy based on leading with the most vulnerable
first.
Exploiting
targets can be manual or automated depending on the end objective. Some
examples are running SQL Injections to gain admin access to a web application or
social engineering a Helpdesk person into providing admin login credentials.
Kali Linux
offers a dedicated catalog of tools titled Exploitation
Tools for exploiting targets that range from exploiting
specific services to social engineering packages.
The
following is the list of Exploitation goals:
- Exploit vulnerabilities
- Obtain foothold
- Capture unauthorized data
- Aggressively social engineer
- Attack other systems or applications
- Document findings
No comments:
Post a Comment