Honeysploit: Exploiting the Exploiters

Curtis Brazzell
18 min readApr 26, 2020

“TrstdXploitz” by “L33terman6000”

I’ve been wanting to perform an experiment for some time now and finally got around to it. I present to you what I think is a unique spin on an old idea, a new type of honeypot. Follow along as I explain the adventure that unfolded, including personal threats, Distributed Denial of Service attacks, the Dark Web, and some shocking statistics! Warning: Some egos were likely harmed during the making of this blog.

As a Security Consultant, I’m always advising my clients during web application security assessments to review third party code before merging it in with their code. I’ve written another blog about not trusting appliances or software on your network just because they claim to help with security. As a penetration tester I often rely on third party scripts and tools to help me do my day-to-day job, as do our blue team counterparts. It seems everyone in the Cyber Security industry does, thanks to the vast number of open-source contributions available to the community. When we forensically analyze malware we take precautions in order to avoid infection for ourselves and our clients. Why then, do we feel so comfortable running our infosec tools without checking the source? Is it because they’re open source and we assume something would have been caught? Is it due to the widespread use or the fact that someone well known in the industry shared it? Is it because of where we got it from? Just to be clear, I’m not above any of you that may be guilty of this. I’m just as much at risk as anyone else.. which got me thinking.

As many pentesters do, I often come across new vulnerabilities in customers’ environments which do not yet have weaponized exploit code available in our favorite exploitation frameworks. I turn to Proof of Concepts (PoC’s) in places such as Exploit-DB and GitHub to see if I can snag something I can use or re-author for my purposes. I know Exploit-DB and GitHub both do some work to validate and filter out malware, and with stars and watchers you can get a sense of how popular the code is. Most exploit code looks pretty similar, with a string of hex characters used as shellcode as part of the payload, and is often written in Python, Ruby, Go, Bash, etc.

I’ve always been a little skeptical of running these Proof of Concepts/Exploits because these “researchers” are also “hackers”, by definition. It’s a little of a grey area for some who research during the day and moonlight as black hats. I try to take…

--

--

Curtis Brazzell

Passionate geek for Information/Cyber Security! I’m always learning and am happy to contribute anything I can share with the community. Follow me @ Twitter!