Summary

Client-side attacks are often the easiest method of getting into a secured environment. We understand that, through the clever use of different attack vectors, an attacker is able to take advantage of the inexperience or kindness of our users in order to gain access to client-side computers. Developers are often unable to check for every possible flaw in their programs in the timeframes they are allotted, and as such, many of these vulnerabilities remain undiscovered by the quality assurance teams and developers.

In this chapter, we not only learned about buffer overflow vulnerabilities in both 32-bit and 64-bit code, but also created our own vulnerable applications. We then took advantage of this vulnerability using manual techniques as well as automated fuzzing tools such as sfuzz and BED. We also learned how to create our own modules and how to modify existing modules to fit our specific needs.

In addition, we discussed the Social Engineering Toolkit (SET) and Fast-Track, and walked through setting up a Java applet attack in SET. Using the knowledge gained during these walk-throughs, you should be able to review and test the other options in your home lab to the point that you become comfortable using these tools in a production testing environment. When reviewing SET, we also touched upon antivirus avoidance and repackaging our payloads. In future chapters, we will revisit these tools to completely exploit and take control of a controlled networking environment.

In the next chapter, you will learn the steps necessary to locate and gather information from compromised hosts. This stage includes learning the most commonly used post-exploitation commands, as well as the steps for escalating privileges and adding persistent access to the compromised machines, and more.
