- [Discovering and Exploiting N-Days w/ Corey Ham - YouTube](https://www.youtube.com/watch?v=pi2fDbGRIG0)
- https://cham423.notion.site/Discovering-and-Exploiting-N-Days-90cf191871eb4bc295cbcb7241c1bae2

# N-Days

- known vulns
- vulns have lifecycles
- workarounds and detections are usually available, but not always patches

## History of N-Days

- ![](__attachments/BHIS%20Videos/IMG-Discovering%20and%20Exploiting%20N-Days-2024063021.png)
- Tons of huge malware projects relied on EternalBlue
  - Huge attacks took place after the patch
  - Got leaked by ShadowBrokers
- Apache Struts was used in the Equifax breach
- ProxyNotShell - used against Rackspace in 2022
- BlackEnergy - Ukraine power grid
  - patching Siemens PLCs is really not fun
- Spectre/Meltdown - CPU microcode vulns
  - side-channel attacks
  - memory leaks
  - continue to be released

## N-Day Usage is Less Common Now

- usually creds and phishing rather than vulns
- Good security integrations with products
  - Reverse proxies
  - Next-Gen FWs
  - Endpoint products
- N-days are resource intensive and not low-hanging fruit

# Finding N-Days

## High-Level

- Vuln mgmt team
  - know your env, do recon
  - listen to your vendors
  - scan yourself lots
  - follow the news

## Live Engagement

- look at bug bounties
- don't break stuff and validate your findings with some concrete

## Recon

- be careful with cloud IPs - they rotate a lot
  - Use hostnames where possible
- There are HUNDREDS of additional recon techniques that you can use to gather information about a target. Some of my favorites:
  - [https://ip-netblocks.whoisxmlapi.com/overview](https://ip-netblocks.whoisxmlapi.com/overview)
  - [https://github.com/projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder)
  - [https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r)
  - [https://github.com/lanmaster53/recon-ng](https://github.com/lanmaster53/recon-ng)
  - [https://github.com/owasp-amass/amass](https://github.com/owasp-amass/amass)
  - [https://aadinternals.com/aadinternals/#get-aadinttenantdomains](https://aadinternals.com/aadinternals/#get-aadinttenantdomains)
  - [https://drs.whoisxmlapi.com/](https://drs.whoisxmlapi.com/)

## Shodan

- You can do basic wildcard needle-in-a-haystack search
- Scope values to specific fields
- Shodan CLI is legit

## Nuclei

- Get tool like Shodan
- GoAnywhere - MFT - managed file transfer vuln - lots of bad stuff
  - Checking if a target has the GoAnywhere vuln
- nuclei templates - like Nessus plugins
  - path traversal vuln with certain words that match the vuln
- Nuclei puts API tokens and stuff in unknown, so it matters
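The Recon notes say cloud IPs rotate a lot and to use hostnames where possible. The following added example (mine, not from the talk or the notes) shows the practical consequence for a vuln-management inventory: the same two DNS snapshots are diffed once keyed by hostname and once keyed by IP, and the IP-keyed view turns a load-balancer re-provisioning into phantom "new" and "vanished" hosts. The resolver is injected and the DNS answers are constructed sample data, so it runs offline.

```python
"""Hostname-keyed asset inventory versus IP-keyed inventory (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A resolver maps a hostname to the set of IPs it currently answers with.
# In real use this would wrap DNS lookups; here it is injected so the
# example runs offline against constructed data.
Resolver = Callable[[str], Set[str]]


def snapshot(hostnames, resolve: Resolver) -> Dict[str, Set[str]]:
    """Build a hostname -> set-of-IPs inventory with the supplied resolver."""
    return {h: set(resolve(h)) for h in hostnames}


@dataclass
class InventoryDiff:
    new_hosts: List[str] = field(default_factory=list)
    gone_hosts: List[str] = field(default_factory=list)
    # hostname -> (old sorted IPs, new sorted IPs) for hosts whose IPs rotated
    rotated: Dict[str, Tuple[List[str], List[str]]] = field(default_factory=dict)


def diff_by_hostname(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> InventoryDiff:
    """Hostname-keyed diff: a rotated IP is reported as a change on a stable asset."""
    d = InventoryDiff()
    d.new_hosts = sorted(set(new) - set(old))
    d.gone_hosts = sorted(set(old) - set(new))
    for h in sorted(set(old) & set(new)):
        if old[h] != new[h]:
            d.rotated[h] = (sorted(old[h]), sorted(new[h]))
    return d


def diff_by_ip(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Naive IP-keyed diff: returns (ips_appeared, ips_vanished) with no link to the asset."""
    old_ips = set().union(*old.values())
    new_ips = set().union(*new.values())
    return sorted(new_ips - old_ips), sorted(old_ips - new_ips)


# Constructed DNS answers standing in for two scans a week apart (example values only).
DNS_DAY1 = {
    "www.example.test": {"203.0.113.10"},
    "api.example.test": {"203.0.113.20", "203.0.113.21"},
    "legacy.example.test": {"198.51.100.5"},
}
DNS_DAY2 = {
    "www.example.test": {"203.0.113.10"},
    "api.example.test": {"203.0.113.30", "203.0.113.31"},  # load balancer re-provisioned
    "staging.example.test": {"198.51.100.9"},              # newly exposed host
}


def run_example():
    """Diff the two constructed snapshots both ways and return the results."""
    old = snapshot(DNS_DAY1, DNS_DAY1.__getitem__)
    new = snapshot(DNS_DAY2, DNS_DAY2.__getitem__)
    return diff_by_hostname(old, new), diff_by_ip(old, new)


if __name__ == "__main__":
    by_host, (appeared, vanished) = run_example()
    print("hostname view:", by_host)
    print("ip view: appeared", appeared, "vanished", vanished)
```

In the hostname view the only real changes are one new host and one retired host, with the API rotation reported as exactly that. In the IP view the rotation produces three "new" and three "vanished" addresses mixed in with the genuine changes, which is the noise the notes are warning about.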
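The Nuclei notes compare templates to Nessus plugins: a template pairs a request with matchers (status codes, words in the response) and the finding fires when the matchers agree. The following added example (mine, not nuclei's code or a real template) is a toy evaluator for that matcher logic over an already-captured HTTP response, so a vuln-management team can see exactly why a check did or did not fire before validating the finding by hand. The template layout follows nuclei's general shape (`matchers-condition`, `type`, `part`, `words`, `status`, `condition`, `negative`) but is not a complete implementation of its template language; the product name, template id and responses are constructed sample data.

```python
"""Minimal Nuclei-style matcher evaluation over a captured response (added example)."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str

    def part(self, name: str) -> str:
        """Return the slice of the response a matcher inspects: body, header or all."""
        header_text = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        if name == "body":
            return self.body
        if name == "header":
            return header_text
        return f"{header_text}\n\n{self.body}"


def eval_matcher(m: dict, resp: Response) -> bool:
    """Evaluate one matcher; this toy supports type=status and type=word only."""
    kind = m["type"]
    if kind == "status":
        hit = resp.status in m["status"]
    elif kind == "word":
        case_sensitive = m.get("case-sensitive", False)
        hay = resp.part(m.get("part", "body"))
        words = list(m["words"])
        if not case_sensitive:
            hay = hay.lower()
            words = [w.lower() for w in words]
        # condition "and": every word must appear; default "or": any word suffices
        if m.get("condition", "or") == "and":
            hit = all(w in hay for w in words)
        else:
            hit = any(w in hay for w in words)
    else:
        raise ValueError(f"unsupported matcher type: {kind}")
    # negative matchers invert the result, which is how templates suppress error pages
    return (not hit) if m.get("negative", False) else hit


def template_matches(template: dict, resp: Response) -> bool:
    """Combine all matcher results per the template's matchers-condition (default or)."""
    results = [eval_matcher(m, resp) for m in template["matchers"]]
    if template.get("matchers-condition", "or") == "and":
        return all(results)
    return any(results)


# Constructed template for a fictional product banner. It fires only when the
# status is 200 AND the body names the product and a version AND the page is
# NOT an error page. Severity is left at "unknown", the bucket the notes say
# Nuclei uses for findings like exposed API tokens, which is why filtering
# results by severity alone can hide things that matter.
BANNER_TEMPLATE = {
    "id": "example-app-banner",
    "info": {"name": "ExampleApp version banner", "severity": "unknown"},
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "part": "body", "words": ["ExampleApp", "version"], "condition": "and"},
        {"type": "word", "part": "body", "words": ["404 Not Found", "error"], "negative": True},
    ],
}

# Constructed responses: a true hit, an error page that mentions the same words,
# and an unrelated page.
RESP_HIT = Response(200, {"Server": "nginx"}, "<title>ExampleApp admin</title> Version 6.8.1")
RESP_ERROR = Response(200, {"Server": "nginx"}, "ExampleApp version page error: 404 Not Found")
RESP_OTHER = Response(200, {"Server": "nginx"}, "Welcome to the corporate intranet")


def run_example() -> Dict[str, bool]:
    """Evaluate the constructed template against each constructed response."""
    return {
        name: template_matches(BANNER_TEMPLATE, r)
        for name, r in [("hit", RESP_HIT), ("error", RESP_ERROR), ("other", RESP_OTHER)]
    }


if __name__ == "__main__":
    for name, fired in run_example().items():
        print(f"{name}: {'FIRED' if fired else 'no match'}")
```

The error-page response contains every positive word the template looks for, so without the negative matcher it would be a false positive; that is the "validate your findings" point from the Live Engagement notes expressed in matcher logic.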