Notes on my research from topics involving Linux, Network Security, Pentesting, Network/Computer Forensics and more. My intention is to use the knowledge for good and to raise awareness with regards to cyber security threats and other vulnerabilities. Therefore, as I learn, you can learn too.
Wednesday, December 9, 2009
Video Demo of me exploiting Internet explorer 6 on XP SP2
It cannot be stressed enough why you should always try to keep your software patched and up to date. Alot of individuals understand that updates can add new features and fix some bugs but don't have a clue about the security aspects of it. You may have come around the term 'exploit' before but don't really quite grasp the concept of it. An exploit is special code that attempts to capitalize on what is known as software vulnerabilities, and in capitalize i mean do something that is of the benefit to the attacker. In the hacker culture, most of the time we would want to exploit software in hopes of gaining "shell" access which is basically a command prompt environment of the exploited machine. Picture being at a Windows machine at the command line and the amount of power you have at your arsenal. You can create user accounts, kill process, create and delete files, etc. This is what the hacker hopes to gain from his exploit, such an environment where he can command your machine via a shell, i.e. command prompt from his own attacking machine.
In my video demonstration, im gonna exploit a vulnerability in IE 6 on a XP SP2 machine. The attacker sets up his machine as a special type of web server awaiting a user to connect to his machine using internet explorer(you can force a user to connect to your machine via dns spoofing on a LAN, see my earlier post on dnspoof). When the victim browses to the attackers web page(of was forced onto the page by the attacker) an exploit is run on the victims browser and on the attacking machine if the exploit was successful you would get a command prompt/shell of the victims machine. From here the attacker can take command of the victim's computer and is only limited by his imagination.
No comments:
Post a Comment