part ch04
parent a6b2734b12
commit bfcfd4f8d7
@ -0,0 +1,72 @@
# Exploitation
* **exploit**: code or technique that a threat uses to take advantage of a
vulnerability
* why exploitation?
1. validating vulnerabilities
2. assess impact
3. prioritise fixes to vulnerabilities that can exploited
4. test incident response
5. exploited machine can work as pivot point
* risks
* system downtime
* system disruption
* data loss
* general bad things
* always verify exploit is allowed by Rules of Engagement
* most frequent initial access vectors
1. valid account usage, e.g. obtaining valid credentials
2. phishing
3. exploiting remote vulnerabilities
4. external remote services (e.g. managed filetransfer services)
|
## Categories
|
* **remote exploit**: attack a service listening on the network
* **client-side exploit**: attack a client application that fetches content
from a server
* **local privilege escalation exploit**: attack to gain higher privileges on
machine attacker is already on
* often not patched quickly as they're not considere critical
* various types
* race conditions
* kernel exploits
* local exploit of high-privileged program or service
* hardware and firmware exploits
* cryptographic exploits
|
### Client-side exploit
|
* wait for target user to access infected file on attacker-controller server
* target machine opens connection with attacker
* doesn't get blocked by firewall
* requires user interaction to run client program
* usually requires privilege escalation
* companies often wait too long to update software -> effective strategy
* exploit kits
* sophisticated delivery method for malware
* can be rented as a SaaS
* automatically inspects host for vulnerabilities
* gate servers to only forward vulnerable hosts to infected page
|
#### Pentesting
|
* email campaign
* send phishing mails to employees and exploit those that click
* risk of going out of scope (e.g. forwarding the email)
* better: spear-phishing emails with links or attachments
* only register how many clicks happened
* use controller company user that clicks link on purpose to see if
exploit works
* combined this is a safer method that provides useful statistics
* identify software used by company
1. ask target personnel
2. analyse metadata from documents
3. analyse cached DNS records
4. have target personnel surf to testing systems ([www.gotya.org])
5. assume very popular software is used (Adobe Reader, Microsoft Office...)
6. let personnel run software inventory tool
* important to use representative machine
* don't use newly patched laptop
|
## Metasploit
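Review bot: several wording defects in the added notes will land as written and should be fixed before merge: `prioritise fixes to vulnerabilities that can exploited` should read `can be exploited`, `not considere critical` should read `not considered critical`, `attacker-controller server` and `controller company user` should both be `controlled`, and `managed filetransfer services` should be `file transfer`. The reference `([www.gotya.org])` is bracketed text with no link target, so Markdown will not render it as a link; give it the `[text](URL)` form with the actual URL, or drop the brackets. The claim under "Client-side exploit" that the callback `doesn't get blocked by firewall` holds only where outbound connections from the client are permitted; qualifying it as "usually allowed by perimeter firewalls that do not filter egress" keeps the note accurate and points at the control (egress filtering, proxy enforcement) that breaks this vector. Finally, `general bad things` under "risks" is vague for a study note; listing the concrete risks the chapter has in mind (e.g. corrupted state, triggered alerts, effects on out-of-scope systems) would make the list usable.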