# Exploitation

* **exploit**: code or technique that a threat uses to take advantage of a vulnerability
* why exploitation?
  1. validating vulnerabilities
  2. assess impact
  3. prioritise fixes to vulnerabilities that can be exploited
  4. test incident response
  5. exploited machine can work as pivot point
* risks
  * system downtime
  * system disruption
  * data loss
  * general bad things
* always verify exploit is allowed by Rules of Engagement
* most frequent initial access vectors
  1. valid account usage, e.g. obtaining valid credentials
  2. phishing
  3. exploiting remote vulnerabilities
  4. external remote services (e.g. managed file transfer services)

## Categories

* **remote exploit**: attack a service listening on the network
* **client-side exploit**: attack a client application that fetches content from a server
* **local privilege escalation exploit**: attack to gain higher privileges on a machine the attacker is already on
  * often not patched quickly as they're not considered critical
  * various types
    * race conditions
    * kernel exploits
    * local exploit of high-privileged program or service
* hardware and firmware exploits
* cryptographic exploits

### Client-side exploit

* wait for target user to access infected file on attacker-controlled server
* target machine opens connection with attacker
  * doesn't get blocked by firewall
* requires user interaction to run client program
* usually requires privilege escalation
* companies often wait too long to update software -> effective strategy
* exploit kits
  * sophisticated delivery method for malware
  * can be rented as a SaaS
  * automatically inspects host for vulnerabilities
  * gate servers to only forward vulnerable hosts to infected page

#### Pentesting

* email campaign
  * send phishing mails to employees and exploit those that click
    * risk of going out of scope (e.g. forwarding the email)
  * better: spear-phishing emails with links or attachments
    * only register how many clicks happened
    * use a controlled company user that clicks the link on purpose to see if the exploit works
    * combined, this is a safer method that provides useful statistics
* identify software used by company
  1. ask target personnel
  2. analyse metadata from documents
  3. analyse cached DNS records
  4. have target personnel surf to testing systems ([www.gotya.org])
  5. assume very popular software is used (Adobe Reader, Microsoft Office...)
  6. let personnel run software inventory tool
  * important to use representative machine
    * don't use newly patched laptop

## Metasploit
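Added example (not part of these notes) for step 2 of the software-identification list in the Pentesting section above, "analyse metadata from documents": the fields that reveal which Office or PDF software a company runs are exactly the ones a defender should scrub before documents leave the organisation. Both sample documents are constructed inline; the PDF reader only handles an uncompressed Info dictionary with literal strings.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of docProps/app.xml in OOXML (.docx/.xlsx/.pptx) packages.
APP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"


def ooxml_software(data: bytes) -> dict:
    """Application name/version an OOXML document discloses in docProps/app.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/app.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/app.xml"))
    found = {}
    for tag in ("Application", "AppVersion"):
        el = root.find(APP_NS + tag)
        if el is not None and el.text:
            found[tag] = el.text.strip()
    return found


def pdf_software(data: bytes) -> dict:
    """/Producer and /Creator literal strings from an uncompressed PDF Info dictionary."""
    found = {}
    for key in ("Producer", "Creator"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            found[key] = m.group(1).decode("latin-1")
    return found


def inspect_document(data: bytes) -> dict:
    """Dispatch on the file signature; an empty dict means nothing disclosed or unknown type."""
    if data.startswith(b"PK"):
        return ooxml_software(data)
    if data.startswith(b"%PDF"):
        return pdf_software(data)
    return {}


def make_sample_docx() -> bytes:
    """Constructed minimal .docx-like zip carrying only the app.xml part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml",
                   '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
                   "<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion></Properties>")
    return buf.getvalue()


# Constructed sample: fragment of an uncompressed PDF Info dictionary.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Producer (Acrobat Distiller 9.0.0) /Creator (Adobe Acrobat 9) >>\nendobj\n"
```

Running `inspect_document` over a set of outgoing documents and flagging any non-empty result gives a quick pre-publication check for version disclosure.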