One of my Twitter followers, @KuteKetX, was teasing me about my “Hacking” post, saying that that wasn’t real hacking. Yeah, yeah, I know. Well, just like the term “dark web,” “hacking” is just sort of a catch-all term. I blame pop culture for this.
OWASP, for instance, calls them “attacks,” which is more appropriate. Or perhaps “exploits.” There are too many of these to count, in all honesty, but even just mentioning a few would suffice.
One type of attack is a path traversal attack (a.k.a. directory traversal), which exploits application vulnerabilities and allows adversaries to access files they would not normally be able to enter. The attacker does this by manipulating variables designating the locations of files with dot-dot-slash arrangements.
If you want some more exhaustive lists of exploits, Exploit Database has its fair share, as do Shodan Exploits and CVE – take your pick. The issue is that as soon as one vulnerability is patched, another pops open; the list never ends.
I suppose you could say that some “real” hacking is done via the terminal; using OS’s like Kali Linux provide many of the tools for you. Personally, I don’t think that disqualifies it; it just makes the process a little easier.
For instance, Kali includes Wireshark, which is a network protocol analyzer; it lets you capture network traffic and browse it in a graphical format.
This isn’t hacking, per se, but capturing traffic with Wireshark (or other such tools) can be used to this end – once you have the traffic data in your possession, it’s yours to manipulate as you see fit.
Some of the things you can do with it are:
- Capture packet data from a network
- Inspect files containing said network data
- Import packets from text files with hex dumps of network data
- Display captured packets, including comprehensive protocol information
Obviously, these aren’t all the possible methods of attack and/or network analysis, but just a few good examples.
Sounds like this post deserves a sequel or two! What else would you like to know?