net-sec-samenvatting/04_exploitation.md


Exploitation

  • exploit: code or technique that a threat uses to take advantage of a vulnerability
  • why exploitation?
    1. validating vulnerabilities
    2. assess impact
    3. prioritise fixes to vulnerabilities that can actually be exploited
    4. test incident response
    5. exploited machine can work as pivot point
  • risks
    • system downtime
    • system disruption
    • data loss
    • general bad things
  • always verify exploit is allowed by Rules of Engagement
  • most frequent initial access vectors
    1. valid account usage, e.g. obtaining valid credentials
    2. phishing
    3. exploiting remote vulnerabilities
    4. external remote services (e.g. managed file transfer services)

Categories

  • remote exploit: attack a service listening on the network
  • client-side exploit: attack a client application that fetches content from a server
  • local privilege escalation exploit: attack to gain higher privileges on machine attacker is already on
    • often not patched quickly as they're not considered critical
    • various types
      • race conditions
      • kernel exploits
      • local exploit of high-privileged program or service
  • hardware and firmware exploits
  • cryptographic exploits

Client-side exploit

  • wait for target user to access infected file on attacker-controlled server
  • target machine opens connection with attacker
    • doesn't get blocked by firewall
    • requires user interaction to run client program
    • usually requires privilege escalation
  • companies often wait too long to update client software -> makes this an effective strategy
  • exploit kits
    • sophisticated delivery method for malware
    • can be rented as a SaaS
    • automatically inspects host for vulnerabilities
    • gate servers to only forward vulnerable hosts to infected page

Pentesting

  • email campaign
    • send phishing mails to employees and exploit those that click
      • risk of going out of scope (e.g. forwarding the email)
    • better: spear-phishing emails with links or attachments
      • only register how many clicks happened
      • use a controlled company user who clicks the link on purpose to see if the exploit works
      • combined this is a safer method that provides useful statistics
  • identify software used by company
    1. ask target personnel
    2. analyse metadata from documents
    3. analyse cached DNS records
    4. have target personnel surf to testing systems ([www.gotya.org])
    5. assume very popular software is used (Adobe Reader, Microsoft Office...)
    6. let personnel run software inventory tool
  • important to use representative machine
    • don't use newly patched laptop
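
As an added example (not from the original notes), step 2 above, analysing document metadata, seen from the defender's side: check what an Office document reveals about the application, version and people that produced it before it is published. The sample document is constructed inline and every name and version in it is made up.

```python
"""Inspect the metadata an OOXML document (.docx/.xlsx/.pptx) leaks.
Such a file is a zip: docProps/app.xml names the application and version,
docProps/core.xml the author and last editor. Sample document is constructed
inline so the script runs offline (values are made up)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_APP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
NS_DC = "{http://purl.org/dc/elements/1.1/}"
NS_CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"


def office_metadata(data: bytes) -> dict:
    """Return the software/people fields found in the document's metadata parts.
    Returns an empty dict for input that is not a zip (e.g. a legacy .doc)."""
    found = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "docProps/app.xml" in names:
                root = ET.fromstring(zf.read("docProps/app.xml"))
                for tag in ("Application", "AppVersion", "Company"):
                    el = root.find(NS_APP + tag)
                    if el is not None and el.text:
                        found[tag] = el.text
            if "docProps/core.xml" in names:
                root = ET.fromstring(zf.read("docProps/core.xml"))
                for key, tag in (("creator", NS_DC + "creator"),
                                 ("lastModifiedBy", NS_CP + "lastModifiedBy")):
                    el = root.find(tag)
                    if el is not None and el.text:
                        found[key] = el.text
    except zipfile.BadZipFile:
        return {}
    return found


def make_sample_docx() -> bytes:
    """Constructed sample: a minimal zip holding only the two metadata parts."""
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
           '<Company>Example Corp</Company></Properties>')
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>j.doe</dc:creator>'
            '<cp:lastModifiedBy>a.smith</cp:lastModifiedBy></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/app.xml", app)
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    print(office_metadata(make_sample_docx()))
```

Running it on documents already on the company website shows exactly the software inventory an outsider can reconstruct, which is why metadata should be stripped before publication.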

Metasploit