Dear Readers,

We would like to introduce a new compendium made by Hakin9. This time we are diving into the deep waters of exploitation. With this new issue you will get a huge load of knowledge, and everyone will find something interesting. We start with the chapter “Exploitation for Beginners”, which will teach you the basics of exploitation. It will be a guide for the next sections, which will give you even more advanced knowledge. Our step-by-step tutorials will help you become an exploitation expert. In this issue you will also find sections such as “Windows Exploitation”, which will show you how many exploits you can find in this operating system and teach you how to protect it from vulnerabilities. In the last section you will find articles on the most advanced level. “How to Perform Web Attacks” contains tutorials about the most popular attacks which you can perform. You will learn it with articles written by our most experienced experts.

We hope you will like it!


Exploitation For Beginners
A Beginners’ Guide to Software Exploitation
By Deepanshu Khanna, Linux Security Expert, Penetration Tester at “Prediqnous – Cyber Security & IT Intelligence”
In the world of IT (Information Technology) Security, software exploitation has remained one of the leading hacker techniques over the past many years. This has actually led to the discovery of many attacks like BUFFER OVERFLOW, REVERSE ENGINEERING, XSS (Cross Site Scripting), Format String, and many more on the list. Now this paper has actually been divided into two parts.
An Introduction to Exploiting Software 
By Claudio Varini, a Ph.D in Computer Science from the University of Bielefeld
Software is basically a sequence of commands that are executed in the order the human programmer intended. However, humans are not perfect and software can contain bugs. A bug is a non-intended code sequence or a condition that someone never thought of when programming. A common bug is the off-by-one error.
Exploiting File Uploads for Fun and Profit
By Pankaj Kohli, Security Consultant at Citibank
File uploading is a scary thing for web developers. You’re allowing complete strangers to put whatever they want onto your precious web server. By uploading malicious code, an attacker can compromise the web server or even serve malware to its users.

Windows Exploitation
Win 2k12 – Old and New in Dumping Password Hash 
By Gugliemo Scaiola, MCT, MCSA, MCSE, Security+, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH, ECSA
The history of the password hash goes back a long time, and in that time few improvements have been applied to this technology. Microsoft is not the only one to use password hashes, but considering the market share of Windows, you can understand that mastering hashdump in a Windows environment can be a very valuable trick in your pentest skill set.
Why XSS is Critical for my Web-Application? Demonstration of the Impact Magnitude of XSS Vulnerability using The Browser Exploitation Framework (BeEF)
By Ashutosh Bahuguna, Scientist at Indian Computer Emergency Response Team (CERT-In)
Today, for almost every organization, web-applications are an integral part of the information infrastructure that allows information exchange with customers. Web-applications are low-hanging fruit for the attacker, and custom-developed insecure code brings a new set of vulnerabilities which cannot be prevented solely by traditional security devices and approaches like firewalls and IDS/IPS. Web-applications have been continuously targeted by attackers for various interests. Cross Site Scripting (XSS), SQL injection, File Inclusion and malicious File upload are a few of the attacks in the web-application domain.
How To Analyze a PDF Exploit
By Jaromir Horejsi, A Computer Virus Researcher and Analyst
Every year, millions of computers become victims of computer malware. In many cases, computers get infected by downloading and installing suspicious applications, opening and executing email or, for example, sharing data using infected USB drives. Cybercriminals can, however, use stealthier and less obvious ways to compromise victims’ computers. In many cases, just opening a PDF file may lead to your computer being infected. A large amount of malware exploits vulnerabilities in Adobe Reader or Java, which leads to shellcode execution to obtain the next-stage malware.
Windows Exploits (Router Advertisement Flood) 
By Bamidele Ajayi, OCP, MCTS, MCITP EA, CISA, CISM
Exploits are attacks that take advantage of vulnerabilities in a system’s weakness or design, where the vendors issue a fix or patch in response. However, in our article the reverse is the case, which has led to DoS of Windows boxes supporting IPv6 through the use of Router Advertisement flood.

How To Perform Web Attacks?
HTML Hacking: Stealing localStorage with XSS and MiTM Attacks 
By Christopher Duffy, CEH, CHFI, CNDA, EDRP, RHCSA, RHCT, CWSP, CWNA, ISO-27000, GPEN, VCP 3, CIW:WSP, CIW:WSS, CIW:WSE, CIW:WSA, CIW:WFA, Security+, Network+
Hypertext Markup Language version 5 was designed to provide increased functionality to web users. The changes have enabled richer content, improved multimedia capabilities and decreased bandwidth requirements. Unfortunately, web servers that utilize the new HTML5 features are often configured insecurely.
Manually Exploiting JBoss jmx-console
By Tony Lee, Scientist at FireEye 
and Chris Lee, Security Consultant at Foundstone
JavaBeans Open Source Software Application Server is a very popular open source implementation for handling JavaServer Pages (JSP). JBoss contains a web accessible administrator page called the JMX Console.
Cross-site Request Forgery 
By Daan Vellinga, Information Security Consultant at Vest
Cross site request forgery deserves its complex name. That is not, however, because it is difficult to perform, but because of how difficult it is to protect against. In this article I will tell you about both of these subjects – attack and defence.
How To Perform MiTM Attack 
By Chintan Gurjar, Freelance Penetration Tester
and Edmand Desler, Freelance Network Engineer

Today, we are giving you a demonstration of a MITM attack: how an attacker can perform a MITM attack to see your credentials in plain text in order to gain access to your account. You will also learn how HTTP configuration can be done at server
Web Exploit – Clickjacking
By Bamidele Ajayi, OCP, MCTS, MCITP EA, CISA, CISM
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.
SQL Injection Story - Overview of the World’s Most Known Web Application Vulnerability
By Dalibor Vlaho, CEH, ISE
SQL Injection is the world’s most known Web Application Vulnerability beside Cross Site Scripting (XSS). The term SQL Injection has been around for more than ten years, and the same method of attack is still considered one of the most powerful attacks out there.
SQL-Injection: If You Know It, You Prevent It 
By Mattia Folador, CEH, CHFI
Every professional in the field of IT Security has heard about SQL-Injection at least once in her career. It is taught in many IT-related degree courses and almost every computer scientist will quote the classic string “or 1=1-- ”, if asked. Considering that, one may think that such a vulnerability is extinct or about to be completely defeated by protections such as input sanitization procedures or Web Application Firewalls.


April 19, 2022
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023