Exploit research: Keeping tabs on the hacker underground

Protecting an organization against malicious hackers is a constant challenge, especially when attack methods are constantly evolving. But, according to information security threats expert Ed Skoudis, there are effective methods security pros can use to stay informed about the latest exploits and hacker methods. In this tip, Skoudis outlines the top Web sites that can help security pros anticipate the attack techniques of tomorrow.

Computer attackers are constantly innovating, improving their attack technology and business schemes. A key resource bad guys often rely on is the exploit techniques pioneered and shared by security researchers and people in the computer underground, a mixture of white hat and gray hat security pros.

Vulnerability disclosure is a controversial topic with no shortage of opinions, but regardless of your personal stance, the reality is that malicious hackers will use whatever information is available to them. That means security professionals should keep abreast of the latest exploits and attack techniques by carefully monitoring certain Web sites of researchers and the computer underground. Monitoring what they are working on today can help anticipate the techniques attackers will likely use tomorrow.

To that end, let's look at some of the most valuable Web sites for understanding late-breaking attack techniques.


  • The Metasploit Project: This Web site, written by security luminaries including H.D. Moore and the researcher known as Skape, not only distributes one of the most powerful free exploitation tools available today, but also hosts blog-like Metasploit news that describes some of the latest security research focused on exploiting all kinds of machines, including Windows, Linux and even Apple's iPhone.


  • Secunia: Secunia is a company dedicated to providing its clients, as well as the public, with intelligence about the latest vulnerabilities in computer systems. Its free summaries of recently discovered flaws are among the most up-to-date anywhere, providing solid details about mitigating flaws if such defenses are available. One of the best aspects of Secunia's vulnerability lists is its freshness. Whenever I hear about a new vulnerability, I almost always check to see if Secunia has published any information. Quite often, it already has a write-up with lots of fascinating details. It's important to note that Secunia publishes information about vulnerabilities, but doesn't distribute exploitation code to take advantage of flaws.


  • The French Security Incident Response Team (FrSIRT): Like Secunia, this site contains detailed information about the latest vulnerabilities. An independent and privately held vulnerability research firm, FrSIRT offers free information about the latest flaws via its Web site, where it also sells commercial vulnerability alert services with more flexible notification, search and alert options.


  • Milw0rm: Unlike Secunia, the Milw0rm Web site distributes exploitation code. Every day, exploits for between one and a dozen or more vulnerabilities are published on Milw0rm, which freely distributes the code. The site categorizes each exploit, separating remote exploits, local privilege-escalation attacks, Web application exploits and denial-of-service attacks. Some of Milw0rm's code is merely proof-of-concept (often called "PoC" in the slang of the computer underground), showing that a vulnerability exists by crashing a service or writing a file, but not giving the attacker control of the target machine. Other Milw0rm code provides a full-blown exploit for the vulnerability, letting an attacker use it to compromise and control a target machine.


  • Packetstorm Security: While Milw0rm focuses on exploit code, Packetstorm Security has a broader appeal, with offensive and defensive security tools, late-breaking research papers, news stories and exploit code. One of the most interesting features of Packetstorm is its vast archive of attack tools and exploit code ranging back more than a decade. It also includes a huge collection of several dozen online hacking magazines. This comprehensive archive is really helpful, because the individual hacking magazine Web sites are often quite ephemeral, frequently disappearing or moving to other servers without any notice.


  • The SANS Internet Storm Center: This site contains content written by volunteers or "handlers," each of whom takes approximately one 24-hour shift per month, monitoring information about computer attacks and writing a daily diary. With a lively and interactive readership of tens of thousands who report the attacks and anomalous activity they experience on their networks, the Internet Storm Center often gets wind of a major computer attack before other organizations, sometimes detecting new attack techniques and summarizing them for the public before companies offering commercial alerting services do.

  • Offensive Computing: The Offensive Computing site, operated by Danny Quist and the researcher known as Valsmith, provides keen insight into the latest malware tactics. By collecting (and distributing) samples of malicious code found in the wild, this site is dedicated to learning more about malware by sharing information among researchers. A community of malware researchers shares information via this site, with frequent write-ups that include awesome tips on in-depth analysis techniques.


  • Insecure.org: No such list would be complete without this site, the flagship site of the Nmap scanning tool. Written and maintained by the well-known researcher who goes by the name Fyodor, Nmap has pioneered some incredibly powerful port-scanning features. And with its recently added Nmap Scripting Engine, Nmap is growing into a very useful general-purpose vulnerability-scanning tool with possibilities of bundling in exploitation functionality.

These eight sites provide a lot of fine-grained knowledge about computer attacks from the perspective of gray hats and white hats. Most information security professionals do not need to understand the technical details of every single vulnerability, exploit and tool covered by the Web sites in this list. However, even a cursory understanding will help technical security personnel hone their skills and anticipate attackers' next moves.

Finally, remember that the information on these sites changes rapidly. In order to keep up to date, users should survey all of them regularly. I personally check out each of these sites at least once per week, and some of them every day!

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

This was last published in February 2008
