Dear PenTest Readers,
In the current edition, we focus on three cybersecurity topics. Our contributors did an amazing job, and provided you with more than 150 pages of articles this month!
To start with, we would like to take a closer look at Fuzzing - it’s role in pentesting, attack vectors, tools, and case studies of using this technique. Maksim Shudrak opens the issue with his great article, entitled “Leveraging Coverage-Guided Fuzzing To Find Exploitable Bugs”. On the example of the Google OSS-Fuzz Project, the author explains the efficiency and the importance of this sophisticated technique. Alcyon Junior brings a new article to the table, and this time he shows the different types of fuzzing attacks. Mukul Kantiwal also introduces the reader to the topic with a tool tutorial - SPIKE fuzzing creation kit. If you are into fuzzing techniques, or have always wanted to learn about them, the perfect time is now!
The next things presented in this edition are two brilliant articles on MITRE ATT&CK Framework. Rui Miguel Silva, Marcos Oliveira, David Cravinho, and Nelson Godinho publish the first part of their comprehensive presentation on the topic. Undoubtedly, the framework provides an invaluable guidance for every pentester. We can’t wait for part two! :) Mauricio Harley also approaches MITRE ATT&CK, demonstrating MITRE CALDERA, a tool built out from ATT&CK, which is a very interesting training platform.
The third thematic block is something dedicated to those of you, who are not only into offensive security, but also enthusiasts of malware analysis. Michael Haephrati and Filip Jelic describe the route towards analyzing seven malware samples. Their extensive analysis, presented to you in two parts, shows their brilliant research on hiding mechanisms against several well-known tools. Filipi Pires also relates to malware analysis, focusing on malicious PDFs. As we all know, this topic never gets outdated.
Last but not least, two of the contributors take a closer look at the role of AI in cybersecurity. Mohan Santokhi publishes a thorough paper looking at this matter from various perspectives, and Juned Ghanchi deals with the countering DDoS attacks with the help of Artificial Intelligence and Machine Learning.
As always, we would like to thank all our amazing contributors, reviewers, and proofreaders, who helped in the creation of this edition. And of course, thank you, our readers, for being with us!
Without further ado,
Enjoy the reading!
PenTest Magazine's Editorial Team
Table of Contents
Leveraging Coverage-Guided Fuzzing to Find Exploitable Bugs
by Maksim Shudrak
As an example of coverage-guided fuzzing efficiency, Google OSS-Fuzz project, which relies on AFL and libfuzzer, discovered ~27000 new bugs in over 160 projects in the last few years by generating trillions of test cases per week. So far, AFL is the most effective fuzzer in the industry.
Fuzzing Attack Types
by Alcyon Junior
Fuzzing may also be accustomed to detect bugs and memory leaks (when let alone without a memory debugger). The methodology is helpful in large applications, where any bug that affects the security of memory usage can generate a blunder during the execution of the program. Since fuzzing often generates invalid entries, these are accustomed test routines that cater to possible errors, which are important for software that's not controlling these entries. Fuzzing will be thought of as the way to automate negative tests.
Practical Introduction to Fuzzing Using Spike Fuzzer
by Mukul Kantiwal
Our lab for fuzzing is set and now we know how to use spike fuzzer to fuzz the application. Spike fuzzer is a great tool and it will be of great help in fuzzing. You can also write your own program in any programming language of your choice and use it for fuzzing instead of spike fuzzer. This article was about setting up a lab for fuzzing and a small glimpse of how fuzzing is done. Here, we fuzzed the STATS command of vulnserver as well as the TRUN command. We were able to crash vulnserver by sending a bunch of characters with the TRUN command through spike fuzzer. We can use this knowledge in exploiting further and controlling the EIP properly.
MITRE ATT&CK Framework. Part 1.
by Daniel Cravinho, Marcos Oliveira, Nelson Godinho, Rui Miguel Silva
When implementing the MITRE ATT&CK Framework, it is necessary to safeguard factors such as investing in the continuous training of SOC teams, adapting the qualities and characteristics of the team to the type of threats that are intended to mitigate, maintaining motivated and non-passive teams `waiting for an attack to occur, fostering proactivity, that is, trying to always be one step ahead of the opponent and making tests and simulation of attacks periodically.
The MITRE ATT&CK Framework - MITRE CALDERA Demonstration
by Mauricio Harley
I will guide you through the framework’s sections to give you a better understanding of its purpose and how it’s structured. However, as it’s informative only, it would actually be more interesting if we got our hands dirty, as I usually do in my articles. For this, I included a demonstration of MITRE CALDERA, a tool built from ATT&CK to enable a very interesting exercising and training platform.
Analysis of Seven Samples for Hiding Techniques and Ways of Revealing. Part 1.
by Michael Haephrati, Filip Jelic
This article was written for the purpose of bringing real life examples of malware analysis. It describes the route towards analyzing seven malware samples given to us for analysis. During this analysis, we tried to focus on the methods of hiding used by these samples. We checked the hiding mechanisms towards several well-known tools starting with Windows Task Manager, as well as other tools listed below. We used various methods to detect hiding mechanisms used by the samples. The following is a list of the samples we have examined.
Analysis of Seven Samples for Hiding Techniques and Ways of Revealing. Part 2.
by Michael Haephrati, Filip Jelic
Most of the samples we have tested have no capabilities of hiding a process or network/disk activity due to lack of Administrative privileges. Some samples do perform Privilege Escalation, but lack in hiding mechanisms. Sample 7 (e_bug9_pre.exe) seems to have the ability to bypass User Access Control and elevate itself to Administrative privileges, but our test showed that elevated process is not hidden, as it is shown even in Windows Task Manager. All samples can be detected by most major anti-virus programs (as shown in the VirusTotal links in each section of this article).
Malware Analysis – Dissecting a PDF file [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Filipi Pires
There are a large number of cyber threats today. Many of these cyber threats can be based on malicious code, also known as Malware (Malicious Software or maldoc - Malicious Document). The term Malware is a generic term that covers all types of programs specifically developed to perform malicious actions on a computer, thus the term malware has become the name for any type of program specifically developed to perform harmful actions and malicious activities on a compromised system.
Artificial Intelligence for Cybersecurity
by Mohan Santokhi
There is a tremendous interest in the cybersecurity arena with regards to use of Artificial Intelligence, particularly in areas such as Network Intrusion Detection, Malware detection, Phishing detection and Security surveillance, however, replicating the success of image classification, speech analysis, speech synthesis and machine translation is proving to be more challenging for Cybersecurity. The challenge is more to do with the lack of public datasets and appropriate feature engineering rather than AI techniques. For cybersecurity use cases there is much more diversity in dataset features than people intuitively expect, which leads to misconceptions about what technology can realistically achieve. As a result, we need to be more cautious when assessing vendor’s claims and not to be blown away by the hype. This paper provides an introduction to AI concepts and models which will be helpful in assessing vendors’ products. Security surveillance has benefited greatly from the success of image classification and object detection. Open source trained models are available to construct embedded AI based Security surveillance systems.
Countering DDoS Attacks: How AI and ML Can Help
by Juned Ghanchi
DDoS attacks are likely to grow into a bigger headache with greater adoption of smart devices powered by the Internet of Things (IoT) and transition to 5G networks. IoT devices increase the possibility of cybercriminals planting malware and converting these devices into bots. The cybercriminals remotely control this group of bots, collectively called botnets—a network of bots. Cybercriminals can then manipulate these devices at whim and orchestrate a DDoS attack at scale. Since DDoS attacks emanate from multiple internet devices, it becomes difficult to identify malicious traffic from normal traffic on the internet.