ch04 done?

04_exploitation.md

@@ -70,3 +70,83 @@
     * don't use newly patched laptop
 
 ## Metasploit
+
+![Metasploit architecture](./img/ch04/metasploit_architecture.jpg)
+
+* free open-source exploitation framework
+* types of modules
+    * **exploit**: technique that takes advantage of flaw in target
+    * **payload**: makes target do something the attacker wants (e.g. open
+      shell)
+        * **single**: standalone payload that does both functionality and
+          communication (useful for low bandwidth)
+        * **stager**: part that establishes communication
+        * **stage**: implements a function using stager as communication
+          channel
+    * **auxiliary**: other useful modules, e.g. port scanning
+    * **post**: used post-exploitation to reconfigure or plunder target (e.g.
+      set up persistency)
+* Jordan Peele's **NOP** instruction
+    * CPU instruction that does nothing
+    * **buffer alignment**: align code/payload in memory
+        * required when precies memory control is important
+        * useful in buffer overflow attacks
+    * **sliding to payload** (*NOP sled*): pad payload with NOPs to account for
+      innacurate memory accesses
+        * NOP slide ensure payload is executed if memory is accessed anywhere
+          inside the sled
+    * **stabilizing exploits**: provide padding around exploits to stabilize
+      memory access
+* some commands
+    * `msfconsole`: main REPL where the magic happens
+    * `msfrpcd`: RPC daemon providing access to Metasploit's functionality
+        * enables integration with other applications
+    * `msfvenom`: tool to convert payloads to standalone executable files
+      (optionally with detection evasion)
+* PsExec
+    * Microsoft SysInternals tool for remote administration of hosts
+    * often exploited as it's very powerful
+* data execution prevention (**DEP**)
+    * security feature in modern OSs
+    * only allows memory marked as executable to be executed
+    * can be enforced by hardware
+* **meterpreter**
+    * interactive Metasploit interpreter
+    * payload acting as interactive shell running in-memory on exploited hosts
+        * not persisted
+        * leaves no trace
+        * no separate process created
+        * can migrate to other processes
+* support database for persistent data
+* exploits often provide shell access, not terminal
+    * interactive stuff doesn't work (e.g. password prompts)
+    * shell can be used to set up terminal (e.g. install SSH server)
+
+### antivirus evasion
+
+* antivirus techniques
+    * **signature**: identify malware by comparing against a DB of known
+      malware signatures
+    * **heuristic**: analyse behaviour and structure of code (statically?)
+      (self-replication, touching weird files...)
+    * **behavioral**: actively monitor behavior in real-time dynamically
+    * **sandboxing**: run file in controlled environment to observe without
+      harming system
+    * **integrity checking**: check integrity of system files and applications
+      (periodically compare checksums)
+* evasion tactics
+    * shut down antivirus
+    * **ghost writing**: insert dummy instructions that preserve behavior of
+      file
+        * simpler AVs simply compare checksums of fragments; modifying code
+          with NOP instructions changes checksum and avoids matching checksums
+    * **anti-emulation techniques**: detect when running in sandbox and change
+      behavior to be less suspicious
+    * **obfuscation**: encode or encrypt malware to avoid signature matching
+    * **fileless malware**: load malware directly into memory
+        * avoid file system changes checks
+        * by injecting into existing process, processing scanning checks are
+          evaded
+    * no need to evade all AVs
+        * OSINT step can gather which AV is used
+        * exploits can be tailored to avoid specific AV