From bfcfd4f8d7f9cc3af33d602353b441d46d3fc169 Mon Sep 17 00:00:00 2001 From: Jef Roosens Date: Fri, 27 Dec 2024 17:23:14 +0100 Subject: [PATCH] part ch04 --- 04_exploitation.md | 72 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 04_exploitation.md diff --git a/04_exploitation.md b/04_exploitation.md new file mode 100644 index 0000000..7491a32 --- /dev/null +++ b/04_exploitation.md
@@ -0,0 +1,72 @@ +# Exploitation + +* **exploit**: code or technique that a threat uses to take advantage of a + vulnerability +* why exploitation? + 1. validating vulnerabilities + 2. assess impact + 3. prioritise fixes to vulnerabilities that can exploited + 4. test incident response + 5. exploited machine can work as pivot point +* risks + * system downtime + * system disruption + * data loss + * general bad things +* always verify exploit is allowed by Rules of Engagement +* most frequent initial access vectors + 1. valid account usage, e.g. obtaining valid credentials + 2. phishing + 3. exploiting remote vulnerabilities + 4. external remote services (e.g. managed filetransfer services) + +## Categories + +* **remote exploit**: attack a service listening on the network +* **client-side exploit**: attack a client application that fetches content + from a server +* **local privilege escalation exploit**: attack to gain higher privileges on + machine attacker is already on + * often not patched quickly as they're not considere critical + * various types + * race conditions + * kernel exploits + * local exploit of high-privileged program or service +* hardware and firmware exploits +* cryptographic exploits + +### Client-side exploit + +* wait for target user to access infected file on attacker-controller server +* target machine opens connection with attacker + * doesn't get blocked by firewall + * requires user interaction to run client program + * usually requires privilege escalation +* companies often wait too long to update software -> effective strategy +* exploit kits + * sophisticated delivery method for malware + * can be rented as a SaaS + * automatically inspects host for vulnerabilities + * gate servers to only forward vulnerable hosts to infected page + +#### Pentesting + +* email campaign + * send phishing mails to employees and exploit those that click + * risk of going out of scope (e.g. 
forwarding the email) + * better: spear-phishing emails with links or attachments + * only register how many clicks happened + * use controller company user that clicks link on purpose to see if + exploit works + * combined this is a safer method that provides useful statistics +* identify software used by company + 1. ask target personnel + 2. analyse metadata from documents + 3. analyse cached DNS records + 4. have target personnel surf to testing systems ([www.gotya.org]) + 5. assume very popular software is used (Adobe Reader, Microsoft Office...) + 6. let personnel run software inventory tool +* important to use representative machine + * don't use newly patched laptop + +## Metasploit
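Review bot: the file ends on a bare `## Metasploit` heading with nothing under it, so either leave that heading out until the next part of the chapter lands or put a one-line placeholder under it so the rendered page does not end on an empty section. In the "Pentesting" list, `[www.gotya.org]` has no link target and will render as bracketed literal text; either add a URL in parentheses after it or drop the square brackets. A few typos worth fixing in the same pass: "prioritise fixes to vulnerabilities that can exploited" (missing "be"), "not considere critical" (considered), "attacker-controller server" and "use controller company user" (attacker-controlled, controlled), and "managed filetransfer services" (file transfer). Finally, "general bad things" under risks is too vague for a list that is meant to justify the Rules of Engagement check that follows it; naming the concrete concern, for instance damage reaching systems outside the agreed scope, would make the point land.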