Common attack targets

This section explains common cyber attack targets and associated attack vectors and vulnerabilities

Topics covered in this section

• NIST SP 800-115's attack categories

• Expanded attack categories

NIST SP 800-115's attack categories

Most vulnerabilities exploited by penetration testing fall into the following categories (NIST SP 800-115, 2008, pp. 5-4-5-5):

• Misconfigurations. Misconfigured security settings, particularly insecure default settings, are usually easily exploitable.

• Kernel Flaws. Kernel code is the core of an OS, and enforces the overall security model for the system—so any security flaw in the kernel puts the entire system in danger.

• Buffer Overflows. A buffer overflow occurs when programs do not adequately check input for appropriate length. When this occurs, arbitrary code can be introduced into the system and executed with the privileges—often at the administrative level—of the running program.

• Insufficient Input Validation. Many applications fail to fully validate the input they receive from users. An example is a Web application that embeds a value from a user in a database query. If the user enters SQL commands instead of or in addition to the requested value, and the Web application does not filter the SQL commands, the query may be run with malicious changes that the user requested—causing what is known as a SQL injection attack.

• Symbolic Links. A symbolic link (symlink) is a file that points to another file. Operating systems include programs that can change the permissions granted to a file. If these programs run with privileged permissions, a user could strategically create symlinks to trick these programs into modifying or listing critical system files.

• File Descriptor Attacks. File descriptors are numbers used by the system to keep track of files in lieu of filenames. Specific types of file descriptors have implied uses. When a privileged program assigns an inappropriate file descriptor, it exposes that file to compromise.

• Race Conditions. Race conditions can occur during the time a program or process has entered into a privileged mode. A user can time an attack to take advantage of elevated privileges while the program or process is still in the privileged mode.

• Incorrect File and Directory Permissions. File and directory permissions control the access assigned to users and processes. Poor permissions could allow many types of attacks, including the reading or writing of password files or additions to the list of trusted remote hosts.

NIST SP 800-115 vulnerabilities mapped to their typical attack targets, vectors, and exploits:

Vulnerability (NIST SP 800-115)	Attack Target	Attack Vector	Example Exploit
Misconfigurations	OS, Cloud, Network Devices, Databases, Applications	Exploiting insecure default credentials/settings and open ports	Accessing admin panels with admin:admin credentials
Kernel Flaws	Operating System	Privilege escalation via kernel exploits	Dirty Pipe (CVE-2022-0847) for root access
Buffer Overflows	Applications, Services	Overflowing memory to execute shellcode	Stack-based overflow in legacy FTP servers
Insufficient Input Validation	Web Applications	SQLi, XSS, Command Injection	Bypassing login forms with ' OR 1=1 --
Symbolic Link (Symlink) Issues	File Systems	Tricking privileged processes to write files	Symlink attacks in /tmp directories
File Descriptor Leaks	Running Processes	Accessing sensitive files left open	Reading /etc/passwd from a crashed service
Race Conditions	Concurrent Systems	TOCTOU (Time-of-Check to Time-of-Use) attacks	Changing file permissions between check and use
Incorrect File/Directory Perms	File Systems	Reading/writing restricted files	chmod 777 exposing SSH private keys

Key Insights from NIST SP 800-115

1. Focus on Exploitability:

   • These vulnerabilities are prioritized because they’re frequently exploitable during pentests (e.g., misconfigurations are low-hanging fruit).

   • Many stem from poor system hygiene (defaults, permissions).

2. Attack Surface Coverage:

   • Kernel flaws → OS-level compromise.

   • Input validation → Web app breaches (OWASP Top 10 overlap).

   • Race conditions/symlinks → Advanced privilege escalation.

3. Mitigation Examples:

   • Patch management (kernel flaws, buffer overflows).

   • Least privilege (permissions, file descriptors).

   • Input sanitization (SQLi/XSS prevention).

Comparison to OWASP/Other Frameworks

• NIST SP 800-115 focuses on technical vulnerabilities (e.g., kernel flaws), while OWASP Top 10 emphasizes web-specific risks.

• Shared themes: Input validation, misconfigurations appear in both.

Expanded attack categories

(Vulnerability vs. Attack Target vs. Attack Vector vs. Example Exploit)

Vulnerability Category	Attack Target	Attack Vector	Example Exploit
Security Misconfigurations	Cloud, Servers, Containers	Exposed admin interfaces, verbose errors	Kubernetes dashboard exposed (CVE-2018-18264), Jenkins RCE (misconfigured scripts)
Misconfigurations (Insecure defaults)	Servers, Cloud, IoT, APIs	Default credentials, open ports, exposed interfaces	Mirai botnet (exploited default IoT passwords), AWS S3 bucket leaks (public-by-default)
Kernel Flaws	OS (Linux/Windows/macOS)	Privilege escalation via kernel bugs	Dirty Pipe (CVE-2022-0847), Dirty COW (CVE-2016-5195)
Buffer Overflows	Applications, OS, Services	Crafted input overflowing memory	EternalBlue (MS17-010), Code Red worm (IIS buffer overflow)
Insufficient Input Validation	Web apps, APIs, Databases	SQLi, XSS, Command Injection	Equifax breach (SQLi, CVE-2017-5638), Log4Shell (CVE-2021-44228)
Symbolic Links (Symlink)	File systems, Privileged apps	Tricking apps into writing to sensitive files	Docker symlink escape (CVE-2018-15664)
File Descriptor Issues	OS, Applications	Exploiting unclosed file handles	Heartbleed (CVE-2014-0160) via OpenSSL file descriptor leaks
Race Conditions (TOCTOU)	OS, Applications	Timing attacks to bypass checks	Linux ptrace race condition (CVE-2019-13272)
Incorrect File/Directory Permissions	OS, Databases, Apps	Unauthorized access/modification	MongoDB ransomware attacks (exposed databases with weak permissions)
Broken Authentication	Web apps, APIs	Credential stuffing, session hijacking	Facebook token hijacking (2018), OAuth misconfigurations
Use of Vulnerable Components	Libraries, Frameworks	Exploiting known CVEs in dependencies	Apache Struts (Equifax breach), Log4j (Log4Shell)
Insecure Direct Object Refs.	Web apps, APIs	Manipulating object references	Accessing other users’ data via ID parameter tampering
Server-Side Request Forgery (SSRF)	Cloud, Internal Networks	Forging requests from the server	Capital One breach (CVE-2019-19781), AWS metadata theft
Unrestricted File Uploads	Web apps	Uploading malicious executables	Web shell uploads (e.g., PHP shells in CMS plugins)
Missing Encryption	Databases, Networks	Sniffing plaintext data	FTP credentials intercepted, unencrypted medical records

---

Vulnerability table based on exploitability (Ease of Attack) and impact (Potential Damage), using CVSS v3.0 scores (where applicable) and real-world prevalence:

Prioritized Vulnerability Table With Mitigation Strategies

Vulnerability	CVSS	Exploitability	Impact	Example Exploit	Mitigation Strategies
Buffer Overflows	9.8 (Critical)	Moderate-High	Critical	EternalBlue (WannaCry)	▶ Use memory-safe languages (Rust, Go). ▶ Enable DEP/ASLR. ▶ Patch OS/libc regularly.
Injection Flaws (SQLi, XSS)	9.8 (Critical)	High	Critical	Equifax (SQLi), Log4Shell	▶ Parameterized queries. ▶ Input sanitization. ▶ WAF rules (e.g., ModSecurity).
Misconfigurations	9.0 (High)	Very High	High	AWS S3 leaks, Jenkins RCE	▶ Automated scanning (Chef, Ansible). ▶ Least-privilege access. ▶ Disable default credentials.
Kernel Flaws	8.8 (High)	Moderate	Critical	Dirty Pipe (CVE-2022-0847)	▶ Immediate kernel patching. ▶ Restrict root access. ▶ Use SELinux/AppArmor.
Vulnerable Components	9.1 (Critical)	Very High	Critical	Log4Shell, Struts (Equifax)	▶ SBOM (Software Bill of Materials). ▶ Automated dependency updates (Dependabot).
Security Misconfigurations	8.5 (High)	High	High	Kubernetes API exposure	▶ CIS benchmarks. ▶ Regular audits with OpenSCAP. ▶ Disable debug modes.
Broken Authentication	8.8 (High)	High	High	Facebook token hijacking	▶ MFA enforcement. ▶ Rate-limiting login attempts. ▶ OAuth 2.0 hardening.
SSRF	8.7 (High)	Moderate-High	High	Capital One breach	▶ Network segmentation. ▶ Block internal IPs in requests. ▶ Use allowlists for URLs.
Insufficient Input Validation	8.1 (High)	High	High	Heartbleed (OpenSSL)	▶ Input length/type checks. ▶ Fuzz testing (AFL). ▶ Zero-trust input models.
Race Conditions	7.5 (High)	Hard	High	Dirty COW (Linux)	▶ Atomic operations. ▶ File-locking mechanisms. ▶ TOCTOU checks.
Unrestricted File Uploads	8.0 (High)	Moderate	High	WordPress malware uploads	▶ File type verification (magic numbers). ▶ Store uploads outside webroot. ▶ Scan with ClamAV.
XSS	7.5 (High)	Very High	Moderate	Tesla infotainment XSS	▶ CSP headers. ▶ Output encoding (OWASP ESAPI). ▶ DOM sanitization.
Symbolic Links	7.1 (High)	Moderate	High	Docker breakout	▶ Disable symlink following. ▶ chroot/jail environments. ▶ Use openat() safely.
Weak Credentials	7.5 (High)	Very High	High	Mirai botnet (IoT)	▶ Password policies (12+ chars). ▶ Block common passwords. ▶ Certificate-based auth.
Incorrect File Permissions	7.8 (High)	Moderate	High	MongoDB ransomware	▶ chmod 600 for sensitive files. ▶ Regular auditd checks. ▶ Principle of least privilege.
File Descriptor Leaks	6.5 (Medium)	Low	High	Heartbleed	▶ Secure coding (close handles). ▶ Static analysis (Coverity). ▶ Memory-safe languages.
Missing Encryption	6.8 (Medium)	Low	High	HIPAA violations	▶ TLS 1.3+ enforcement. ▶ Encrypt data at rest (AES-256). ▶ HSM for keys.

Key Mitigation Themes:

1. Automation

   • Use tools like Terraform for configs, Dependabot for dependencies, and OpenSCAP for audits.

2. Secure Defaults

   • CIS benchmarks for OS/apps, disable debug modes, and least-privilege access.

3. Zero-Trust Principles

   • Input validation, output encoding, and network segmentation for SSRF/XSS.

4. Patch Management

   • Prioritize kernel/libc updates and vulnerable component patches (e.g., Log4j).

High-Risk Focus Areas:

• Critical (9.0+ CVSS): Patch buffers/injection flaws within 24hrs of CVE disclosure.

• High (7.0–8.9 CVSS): Automate scans for misconfigs/weak creds weekly.

• Medium (5.0–6.9 CVSS): Enforce encryption/MFA by policy.

---

A consolidated toolkit and response playbook for each vulnerability category, combining automated tools, manual testing techniques, and incident response steps:

Vulnerability Response Toolkit & Playbook

Vulnerability	Detection Tools	Exploitation Tools	Response Playbook
Buffer Overflows	▶ Nessus (CVE scans) ▶ AFL (fuzzing)	▶ Metasploit (EternalBlue module) ▶ GDB (debugging)	1. Apply patches. 2. Enable DEP/ASLR. 3. Test with checksec.
SQLi/XSS	▶ Burp Suite ▶ OWASP ZAP	▶ SQLmap ▶ BeEF (XSS)	1. Sanitize inputs. 2. Deploy WAF (ModSecurity). 3. Revoke stolen sessions.
Misconfigurations	▶ AWS Config ▶ OpenVAS	▶ Nmap (service scanning) ▶ Shodan	1. Apply CIS benchmarks. 2. Disable default creds. 3. Isolate exposed systems.
Kernel Flaws	▶ Lynis (Linux audits) ▶ KernelPatchCheck	▶ DirtyPipe exploit (PoC)	1. Patch kernel. 2. Restrict root. 3. Monitor /proc/self/mem access.
Vulnerable Components	▶ Dependency-Check ▶ Snyk	▶ Exploit-DB (search CVEs)	1. Update libraries. 2. Use virtual patching (WAF). 3. Isolate affected systems.
SSRF	▶ Burp Collaborator ▶ SSRFmap	▶ Gopherus (exploit crafting)	1. Block internal IPs. 2. Use allowlists. 3. Audit outbound traffic.
Weak Credentials	▶ Hydra (brute-force) ▶ CrackMapExec	▶ John the Ripper	1. Enforce MFA. 2. Reset passwords. 3. Monitor auth logs.
Race Conditions	▶ TimeCheck (custom scripts) ▶ AFL	▶ TOCTOU exploits (PoC)	1. Use atomic operations. 2. Lock files. 3. Audit temp file usage.
Unrestricted Uploads	▶ ClamAV (malware scan) ▶ Metasploit	▶ Web shells (e.g., JSP/PHP)	1. Validate file types. 2. Store outside webroot. 3. Scan uploaded files.
Symbolic Links	▶ find / -type l (manual check)	▶ Symlink race exploits	1. Disable symlink following. 2. Use openat(). 3. Audit /tmp.

Key Tools by Function

Detection & Scanning

Tool	Purpose	Vulnerability Focus
Nessus	CVE scanning	Buffer overflows, misconfigurations
Burp Suite	Web app testing	SQLi, XSS, SSRF
OpenVAS	Open-source vulnerability scanning	Misconfigurations, weak creds
Lynis	Linux hardening audits	Kernel flaws, file permissions
Shodan	Internet-exposed device search	Misconfigurations (e.g., open Redis)

Exploitation & Testing

Tool	Purpose	Example Command
Metasploit	Exploit development/framework	use exploit/windows/smb/ms17_010
SQLmap	Automated SQLi testing	sqlmap -u "http://site.com?id=1"
Hydra	Brute-force credentials	hydra -l admin -P pass.txt ssh://IP
BeEF	XSS exploitation	Hook browsers via <script>
Gopherus	SSRF exploit crafting	Generate malicious Gopher payloads

Mitigation & Hardening

Tool	Purpose	Command/Use Case
Ansible	Config hardening	CIS benchmark playbooks
ModSecurity	WAF for injection flaws	Block SQLi/XSS patterns
SELinux	Linux MAC enforcement	setenforce 1 (enforcing mode)
ClamAV	Malware scanning	clamscan /var/www/uploads
Dependabot	Dependency updates	Auto-PR for vulnerable libraries

Incident Response Workflow

1. Detection

   • Use SIEM (Splunk, ELK) to alert on anomalies (e.g., sudo failures, unexpected outbound traffic).

2. Containment

   • Isolate affected systems (network segmentation).

   • Revoke compromised credentials/API keys.

3. Eradication

   • Apply patches (e.g., apt-get update && apt-get upgrade).

   • Reimage systems if rootkits are suspected.

4. Recovery

   • Restore from clean backups.

   • Audit logs for persistence (e.g., cronjobs, SSH keys).

Note:

• For DevOps: Embed Trivy in CI/CD to scan containers for CVEs.

• For Cloud: Use AWS GuardDuty or Azure Defender for misconfig monitoring.

• For Red Teams: Chain vulnerabilities (e.g., XSS → Cookie theft → SSRF).

References

NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment (NIST 800-115). Retrieved January 21, 2020, from http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf