Pen testing tool or exploit? 6 samples of ways hackers get in

Attackers use the same tools in attacks that pen testers use to test. Six sample vulnerabilities and exploits.

primary attack mutineers

Under attack

How can you tell the difference between an exploit or a pen testing tool? Attackers use the same tools in attacks that pen testers use to test. Six sample vulnerabilities and exploits. In all cases, ask your vendor for a patch.

1 xssploit

XSSploit / Cross-Site Scripting Vulnerabilities

Cross-site scripting (XSS) vulnerabilities in web applications enable attackers to inject scripts to gain access to PII. Cyber thugs use the XSSploit vulnerability scanner/exploit generator to locate and leverage these vulnerabilities. XSSploit from information security vendor SCRT is a threat or a pen test tool, depending on who wields it.

2 sqlmap

sqlmap / SQL Injection Vulnerabilities

SQL Injection vulnerabilities exist where websites rely on databases. Coding flaws permit attackers to control these databases and retrieve their contents. The sqlmap tool (written in Python) automates these abuses, extracts data, and controls the file system beneath the database. Developers such as Miroslav Stampar maintain this exploit/pen test tool.

3 metasploit

Metasploit / numerous security holes

Metasploit from Rapid7 locates a virtually unlimited number of holes in software such as Windows, Mac, and Linux and provides hundreds of exploits to leverage those openings. Developer HD Moore created the Metasploit Framework in 2003. Metasploit is one of the most popular exploit/pen test tools that attackers and pen testers use.

4 w3afpsd

w3af / multiple vulnerabilities

The w3af web application attack and auditing framework strives to ferret out and exploit all web application security shortcomings. Written in Python, the tool uncovers vulnerabilities such as SQL Injection and XSS, enabling its user to launch a broad range of attacks. Created by Andres Riancho (2007), w3af later partnered with Rapid 7.

5 wordpress

WordPress Stored XSS security hole (WordPress v. 4.2 and others)

WordPress experiences recurring stored XSS vulnerabilities, which enable an unauthorized user to inject poisonous JavaScript strings via blog comment fields. Attackers use them to usurp administrative control over web servers. There is a code snippet for this exploit here.

6 manageengine

ManageEngine SupportCenter Plus web application v. 7.9 / holes, plural

Vulnerabilities in SupportCenter Plus enable hackers to retrieve passwords, gain administrative privileges, and execute code remotely. Simply open a modestly privileged user account in SupportCenter Plus, surf using link formulas  and the keys to the kingdom, or at least the rest of SupportCenter Plus are yours. Find this very recent vulnerability in the Exploit Database here.

Copyright © 2015 IDG Communications, Inc.