How do the masters of vulnerability hunting actually find vulnerabilities?

Foreword

Talk about security and you inevitably end up talking about vulnerabilities; talk about vulnerabilities and you inevitably face three mountains:

vulnerability analysis, vulnerability exploitation, and vulnerability discovery (what Chinese researchers call "digging" or vulnerability mining).

In my view the three are usually complementary and interdependent, but they are not equally difficult. In this article I want to share my own experience and thoughts on each of them.


Vulnerability analysis

Vulnerability analysis is the easiest of the three. For a publicly disclosed vulnerability there is usually a sentence or two describing the root cause; for a bug you found yourself, reproducing and debugging from the crash log is generally straightforward. Some bugs are tedious to track down, but the scope can always be narrowed step by step until the final cause is pinned down. That is why analysis write-ups are so common online: on the one hand the analysis has a trail to follow, and on the other hand the vulnerability being analyzed need not be one's own original finding, so the pool of material is much larger.

Simple as it is, vulnerability analysis is a path every security researcher has to walk. Like the horse stance and the plum-blossom poles in martial arts training, it is a basic skill built up over time. When I was studying the kernel I went through a phase of eagerly writing analysis articles; later, as I became more fluent, writing and note-taking fell far behind the pace of the analysis itself, and now I am often too lazy to write them up.

Basic skills are essential, but however stable your stance, that alone does not make you a master. A senior researcher once said that if he wanted to, he could write several analysis articles a day without repeating himself. In the end, the purpose of vulnerability analysis is to learn, absorb and transform, to draw lessons from past cases, and finally to form your own understanding.

Vulnerability exploitation

Vulnerability exploitation is considerably more complicated, especially for binary vulnerabilities. A successful exploit needs a carefully arranged memory layout, which in turn requires a good understanding of the data structures the program uses. Moreover, not every vulnerability can be turned into a working exploit. Vulnerabilities that are easy to exploit are often called "good-looking" ones; those in poor shape I prefer to just call bugs. Some people argue that a bug which at least crashes the program still counts as a DoS (denial-of-service) vulnerability.

Of course, whether a vulnerability is exploitable also depends on the person. In a complex system, a vulnerability you believe cannot be exploited may be exploited successfully in a way you did not expect. For example, Android CVE-2019-2025 ("Waterdrop") is a race condition in Binder where the race window is only a few assembly instructions wide. The vulnerability looks quite bad, and even its CVSS Exploitability Score is only 1.8, yet the 360 researchers used scheduler manipulation to win the race reliably and escalate privileges.

As a result, there are far fewer articles about exploitation. On the one hand, out of responsible-disclosure concerns, researchers withhold the full exploitation details to keep script kiddies from abusing them; on the other hand, exploitation techniques are often personal, and a write-up that looks too similar to an existing one is inevitably suspected of being a rehash, unless it adds some unique thinking or a new exploitation idea.

Most of the time, articles about exploits turn into articles analyzing someone else's exploit, which itself shows how hard exploitation is and how few people can independently write original exploits and share them. To me, exploitation feels like another form of software development: first construct primitives (a controlled read or write, for instance) from the vulnerability, then build the final exploit out of those primitives.

Vulnerability discovery

Vulnerability discovery is one of the heights every security researcher aspires to. No matter how many vulnerabilities you have analyzed or how many exploits you have written, a research career without an original discovery of your own is incomplete. But discovery is not deterministic. In analysis, as long as the vulnerability exists it can definitely be understood; it is only a matter of time. In exploitation, as long as the bug is not obviously unexploitable, there is at least a chance of success.

Discovery is different. Even if you fix on a particular application and dig hard, there is no guarantee of a result; the target may simply have no vulnerability that can be triggered. It is said that no system in the world is absolutely secure, but there are plenty of relatively secure ones: until something goes wrong, you do not know.

A working method for SRC hunting

1. Collect as much information as possible (primary domain names, IP ranges, search engines, GitHub, etc.).

2. Expand what you collected to increase the amount of data: use a subdomain enumeration tool to collect the vendor's domain names in batches, and map each domain to its IP. Once there is enough data, you can work out the real origin address behind a domain and the IP ranges the vendor potentially owns.

3. Probe the IP ranges, subdomains and so on at scale. For this you need a list of ports commonly seen in SRC work and the naming conventions some domains follow (there are many ready-made port lists on GitHub; keep an eye out for them while collecting information).

4. Collect the naming convention of the target's email accounts, because many official backends log in with internal email accounts.

5. The main site of a large vendor generally has few vulnerabilities, and finding one earns few points. A novice who runs into this kind of site should deliberately detour and look at the other sub-sites instead.

6. Logic flaws. There are many of these, and practically every major vendor has some. They require a certain amount of analysis and understanding of the business, but the good part is that a single logic flaw is usually enough, and the reward is generally decent.

7. For weak passwords and similar issues, new white hats should collect some weak-password dictionaries in advance; I usually use TOP2000. For accounts, look at the structure of their mailboxes, for example liudehua, liudh, ldh, liudehua plus digits. When you run into a system that is only a backend login, use the collected accounts plus common usernames for the attempt.

8. After discovering a vulnerability, try to analyze the chain of harm it leads to. Remember that a weak password is never just a weak-password problem; the system may have other vulnerabilities. Use the weak password to get into the backend and then look for its other vulnerabilities, such as file upload, injection or logic flaws. The overall harm of these is relatively large, and they easily cause further problems if used maliciously. So when you find a weak password, do not submit it right away: use it to dig out other vulnerabilities first, and then submit (which, frankly, is a matter of necessity).

9. On the bottom line: be strict with yourself, and do not quietly use a vulnerability you found for anything improper.
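The recon steps above (2, 4 and 7) are easy to script once the raw data has been collected. The following is an added example, not code from the original post or from any SRC tool: it groups domain-to-IP resolutions into candidate owned IP segments, derives the login-name patterns from a pinyin name, and pairs them with a weak-password list. All inputs are constructed sample data (documentation IP ranges, a made-up name); the numeric suffixes and the three-entry password list are assumptions standing in for a real TOP2000 dictionary.

```python
"""Recon helpers for steps 2, 4 and 7: candidate IP segments from
domain -> IP resolutions, and account-name candidates from a pinyin name.

Added example, not code from the original post. All data below is
constructed sample input; nothing here touches the network.
"""
from collections import defaultdict
import ipaddress
import itertools

# Constructed sample: what batch subdomain collection (step 2) might yield.
SAMPLE_RESOLUTIONS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "203.0.113.40",
    "oa.example.com": "198.51.100.7",
    "hr.example.com": "198.51.100.9",
    "cdn.example.com": "192.0.2.200",  # lone hit in its /24: likely CDN/shared
}

# Constructed stand-in for a weak-password list such as the TOP2000 mentioned above.
WEAK_PASSWORDS = ["123456", "password", "admin123"]


def infer_ip_segments(resolutions, prefix=24, min_ips=2):
    """Group resolved IPs by /prefix network (step 2).

    A network holding at least `min_ips` distinct addresses from the
    target's own hostnames is a candidate owned segment worth probing
    further; a single hit is more likely a CDN, WAF or shared host and is
    left out. Returns a sorted list of (network, sorted hostnames).
    """
    by_net = defaultdict(lambda: defaultdict(set))
    for host, ip in resolutions.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net][ip].add(host)
    segments = []
    for net, ips in by_net.items():
        if len(ips) >= min_ips:
            hosts = sorted(h for hs in ips.values() for h in hs)
            segments.append((str(net), hosts))
    return sorted(segments)


def account_candidates(surname, given, suffixes=("", "1", "123", "2024")):
    """Derive the login-name patterns from step 7 for a pinyin name.

    `given` is the list of given-name syllables, e.g. ["de", "hua"] for
    Liu Dehua, producing liudehua, liudh, ldh and each with a numeric
    suffix (suffix list is an assumption). Order is kept, duplicates dropped.
    """
    initials = "".join(s[0] for s in given)
    bases = [surname + "".join(given), surname + initials, surname[0] + initials]
    seen, out = set(), []
    for base, suffix in itertools.product(bases, suffixes):
        cand = base + suffix
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def credential_pairs(accounts, passwords, mail_domain=None):
    """Pair every account with every password (steps 4 and 7).

    With `mail_domain` set, accounts are emitted as internal email
    addresses, the form many backends use for login. This only builds the
    candidate list; any live check must stay inside SRC scope and respect
    lockout policies (step 9).
    """
    users = [f"{a}@{mail_domain}" if mail_domain else a for a in accounts]
    return [(u, p) for u in users for p in passwords]


if __name__ == "__main__":
    for net, hosts in infer_ip_segments(SAMPLE_RESOLUTIONS):
        print(net, hosts)
    accounts = account_candidates("liu", ["de", "hua"])
    print(accounts)
    print(len(credential_pairs(accounts, WEAK_PASSWORDS, "example.com")), "pairs")
```

The /24 grouping is a heuristic: a range with several of the vendor's hostnames is worth a port sweep (step 3), while a lone address is more likely shared infrastructure and is reported separately rather than treated as owned space.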

Clarify your needs and choose a direction

Cybersecurity

Cybersecurity is a very broad field that spans many positions: security services, security operations and maintenance, penetration testing, web security, security development, security pre-sales and so on. Compare the requirements of each position below with your own interests and abilities, then decide which direction suits you best.


Penetration Tester / Web Security Engineer

Mainly simulates hacker attacks, uses attack techniques to find vulnerabilities, and proposes remediation; requires database, networking, programming and penetration skills.

Job requirements:

1. Familiar with penetration-testing steps, methods and processes, and able to carry out penetration work independently;

2. Familiar with web security and vulnerability discovery, including the principles, methods, exploitation techniques and fixes for vulnerabilities;

3. Master at least one programming language and be able to write vulnerability detection or exploitation tools;

4. Understand the process and methods of code security auditing and the use of mainstream code-audit tools;

5. Information-security certificates such as CISP/CISP-PTE/CISP-PTS are preferred.

Security Operations / Security Service Engineer

Mainly operates and maintains the security defense system and handles emergency response. Requires proficiency in configuring security devices and strong log-analysis skills, as well as a good command of penetration techniques and how security equipment works; the knowledge required is broad and the role is very hands-on.

Job requirements:

1. Familiar with the OWASP Top 10 vulnerability principles, attacks and defenses;

2. Familiar with common security devices, and able to analyze and respond based on their output;

3. Familiar with Linux and other operating systems, and able to carry out emergency response work;

4. Familiar with the security assessment process;

5. Familiar with common security tools such as vulnerability scanners and baseline-check tools;

6. Information-security certificates such as CISP, CISSP, CISA and ISO 27001 are preferred.

Security Development Engineer

Plans, designs and builds the company's overall application security architecture; identifies the security risks of application systems at the architecture-design, development and testing, release, and operations stages, proposes effective solutions and implements them; designs and develops the company's internal security platform and iterates on it.

Job requirements:

1. Working experience in IT technology;

2. Proficient in at least one language such as Python, Go, C or C++, and in mainstream web frameworks;

3. Understand common design patterns and open-source frameworks such as Spring Boot, Spring MVC, Vue and JavaScript; a solid foundation in development or development management, and a strong capacity for self-learning;

4. Familiar with information security; working experience at a well-known security company at home or abroad is preferred;

5. Network and information security certifications such as CISD, CISP or CISSP are preferred.

Security Pre-Sales Engineer

Communicates with customers and designs technical solutions based on the company's own products to meet the customer's (Party A's) security needs. Requires proficiency in servers, networking, security equipment and offensive and defensive techniques, close tracking of security trends, and strong presentation and documentation skills.

Job requirements:

1. Good communication and document-writing skills;

2. Working experience in information security, including implementing and maintaining network-security or data-security products, and familiarity with common Linux commands;

3. Familiar with the laws, regulations and key standards related to cybersecurity, such as the Data Security Law, the Personal Information Protection Law, MLPS 2.0 (Classified Protection 2.0) and ISO 27001;

4. Familiar with the project bidding process; able to independently prepare bid documents, attend bid meetings, and give technical explanations and answer questions as the tender requires;

5. Bonus points: technical R&D experience at an information-security company; certifications such as CISSP, CISA and CISP.

Many approaches, pursued together

Take web security as an example:


First, buy a copy of "White Hat Talks Web Security" (《白帽子讲Web安全》) by Wu Hanqing and read it first. Understand the principles of the common vulnerabilities; there is no need to go too deep at this stage, because reading alone is hard to absorb, and combining it with practice later gives twice the result for half the effort.

Second, read security public accounts and blog posts, then try some CTF challenges, which broaden your knowledge and aid understanding. Good CTF platforms include bugku and xctf; abroad there is hackthebox, but it is harder, so it is not recommended as a starting point. Do not limit yourself to web challenges; try the other categories too, since security competitions cover many types of problem.

Third, try hunting some public-interest SRC vulnerabilities. Before you dig, see how others do it: there is skill in vulnerability hunting, so read more articles and learn how SRC programs work.

Fourth, learn Python well. It is the language best suited to security work, and very convenient for writing attack scripts. If you can, also learn Java well: many vulnerability scanners are written in Java, and the reverse side, code auditing, requires the ability to read Java. You must also learn web development properly; all of this comes from the basics.

Fifth, the end of the road in web security is intranet penetration. After taking down a website, the next target is its host, so you must learn the basics of Linux. This step draws on everything you accumulated before.

Origin blog.csdn.net/2301_76168381/article/details/131815096