The first step of every attack is reconnaissance, i.e., acquiring information about the target.
We see the targets of our scans as passive entities, and this leads to underestimating the risk of performing a network scan. However, the tools we use to scan are not immune to vulnerabilities.
In this presentation, we will show that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model where the scan author becomes the victim of a counter-strike. We developed a working prototype, called RevOK, and we applied it to 78 scanning systems. Out of them, 36 were found vulnerable to XSS. Among these, we found two XSS vulnerabilities (CVE-2020-7354 and CVE-2020-7355) in Metasploit Pro, a mainstream penetration testing tool. Chaining these vulnerabilities with the Metasploit Pro diagnostic console leads to the complete takeover of the attacker machine.
During this presentation, we will show these attacks in a live demo.
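The attacker model described above inverts the usual roles: a scanned host answers with target-controlled data (a service banner, an HTTP title, a header) that the scanner later renders in its own web UI. The following is an added example, not code from the presentation or from any of the scanners it studied; it contrasts a report generator that concatenates banners straight into HTML with one that escapes every target-controlled field, and adds a small check a scanner's test suite could run. The hosts, banners and function names are constructed for illustration.

```python
import html
from dataclasses import dataclass


@dataclass
class ScanResult:
    host: str
    port: int
    banner: str  # target-controlled: whatever the scanned service sent back


# Constructed sample results: one ordinary banner and one where the scanned
# host replies with markup instead of a service string, hoping the scanner
# will render it unescaped in its report (the counter-strike scenario above).
SAMPLE_RESULTS = [
    ScanResult("192.0.2.10", 22, "SSH-2.0-OpenSSH_8.4"),
    ScanResult("192.0.2.11", 80, "<script>alert('banner')</script>"),
]


def render_report_unsafe(results):
    """Vulnerable pattern: banner text is interpolated directly into HTML."""
    rows = [f"<tr><td>{r.host}</td><td>{r.port}</td><td>{r.banner}</td></tr>"
            for r in results]
    return "<table>" + "".join(rows) + "</table>"


def render_report_safe(results):
    """Hardened pattern: every target-controlled field is HTML-escaped,
    including quotes, so the browser treats the banner as text only."""
    rows = [
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(r.host, quote=True),
            html.escape(str(r.port), quote=True),
            html.escape(r.banner, quote=True),
        )
        for r in results
    ]
    return "<table>" + "".join(rows) + "</table>"


def banner_markup_survives(report_html, results):
    """Regression check: True if any banner containing '<' reached the
    rendered report verbatim, i.e. target markup was not escaped."""
    return any("<" in r.banner and r.banner in report_html for r in results)
```

The same check applies to every field a scanner stores from a target (titles, headers, certificate subjects), not only banners.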