diff --git a/04_exploitation.md b/04_exploitation.md index 7491a32..9714670 100644 --- a/04_exploitation.md +++ b/04_exploitation.md 
@@ -70,3 +70,83 @@ * don't use newly patched laptop ## Metasploit + +![Metasploit architecture](./img/ch04/metasploit_architecture.jpg) + +* free open-source exploitation framework +* types of modules + * **exploit**: technique that takes advantage of flaw in target + * **payload**: makes target do something the attacker wants (e.g. open + shell) + * **single**: standalone payload that does both functionality and + communication (useful for low bandwidth) + * **stager**: part that establishes communication + * **stage**: implements a function using stager as communication + channel + * **auxiliary**: other useful modules, e.g. port scanning + * **post**: used post-exploitation to reconfigure or plunder target (e.g. + set up persistency) +* Jordan Peele's **NOP** instruction + * CPU instruction that does nothing + * **buffer alignment**: align code/payload in memory + * required when precies memory control is important + * useful in buffer overflow attacks + * **sliding to payload** (*NOP sled*): pad payload with NOPs to account for + innacurate memory accesses + * NOP slide ensure payload is executed if memory is accessed anywhere + inside the sled + * **stabilizing exploits**: provide padding around exploits to stabilize + memory access +* some commands + * `msfconsole`: main REPL where the magic happens + * `msfrpcd`: RPC daemon providing access to Metasploit's functionality + * enables integration with other applications + * `msfvenom`: tool to convert payloads to standalone executable files + (optionally with detection evasion) +* PsExec + * Microsoft SysInternals tool for remote administration of hosts + * often exploited as it's very powerful +* data execution prevention (**DEP**) + * security feature in modern OSs + * only allows memory marked as executable to be executed + * can be enforced by hardware +* **meterpreter** + * interactive Metasploit interpreter + * payload acting as interactive shell running in-memory on exploited hosts + * not persisted + * 
leaves no trace + * no separate process created + * can migrate to other processes +* support database for persistent data +* exploits often provide shell access, not terminal + * interactive stuff doesn't work (e.g. password prompts) + * shell can be used to set up terminal (e.g. install SSH server) + +### antivirus evasion + +* antivirus techniques + * **signature**: identify malware by comparing against a DB of known + malware signatures + * **heuristic**: analyse behaviour and structure of code (statically?) + (self-replication, touching weird files...) + * **behavioral**: actively monitor behavior in real-time dynamically + * **sandboxing**: run file in controlled environment to observe without + harming system + * **integrity checking**: check integrity of system files and applications + (periodically compare checksums) +* evasion tactics + * shut down antivirus + * **ghost writing**: insert dummy instructions that preserve behavior of + file + * simpler AVs simply compare checksums of fragments; modifying code + with NOP instructions changes checksum and avoids matching checksums + * **anti-emulation techniques**: detect when running in sandbox and change + behavior to be less suspicious + * **obfuscation**: encode or encrypt malware to avoid signature matching + * **fileless malware**: load malware directly into memory + * avoid file system changes checks + * by injecting into existing process, processing scanning checks are + evaded + * no need to evade all AVs + * OSINT step can gather which AV is used + * exploits can be tailored to avoid specific AV diff --git a/img/ch04/metasploit_architecture.jpg b/img/ch04/metasploit_architecture.jpg new file mode 100644 index 0000000..5375457 Binary files /dev/null and b/img/ch04/metasploit_architecture.jpg differ
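Review bot: The meterpreter bullets "not persisted" / "leaves no trace" overstate the case: a memory-resident payload leaves no file on disk, but it still leaves memory, network and log artefacts (and process migration is itself a detectable event), so consider rewording to "leaves no file on disk" so the notes do not suggest the technique is forensically invisible. In the same hunk, the "Jordan Peele's **NOP** instruction" heading reads like a stray joke with no explanation; either drop the attribution or add the mnemonic it refers to. The unresolved "(statically?)" in the heuristic bullet should be answered or removed before merging. Spelling fixes while you are there: "precies" → "precise", "innacurate" → "inaccurate", "NOP slide ensure" → "NOP sled ensures", "persistency" → "persistence", "processing scanning checks" → "process scanning checks".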