Post-Exploitation
⚡ Prerequisites
Basic familiarity with Linux & Windows
Basic understanding of TCP & UDP protocols
Basic familiarity with Metasploit and Exploitation
📕 Learning Objectives
Perform post exploitation
Perform Win/Linux local enumeration
Upgrade shells and elevate privileges
Establish persistence and dump account hashes
Pivot to other systems and clear tracks
🔬 Training list - PentesterAcademy/INE Labs (subscription required)
Post-Exploitation Introduction
🗒️ Post-Exploitation is the final phase of interaction with a target during a pentest. Using various attack techniques, the pentester determines the value of the compromised system and keeps control of it for future use, depending on the kind of access obtained and the level of stealth required.
It is what the pentester does after the initial foothold, and the techniques depend on the target's characteristics (operating system, infrastructure).
The techniques must follow the Rules of Engagement agreed upon with the client before the penetration test, based on the company's infrastructure and services.
❗ Explicit permission is required before conducting post-exploitation actions such as modifying services or system configuration, deleting logs, or performing privilege escalation.
Methodology
Local Enumeration
Transferring Files
Upgrading Shells
Privilege Escalation
Persistence
Dumping & Cracking Hashes
Pivoting
Clearing Tracks
The post-exploitation process repeats itself after pivoting to a new target.
🔬 The following techniques are covered in the
Windows Local Enumeration
📝📌 Checklist - Local Windows Privilege Escalation | HackTricks
System Information
What is running on the target system?
Hostname
OS Name, Build, Service Pack, Architecture
Installed updates/Hotfixes
Users & Groups
Current user, privileges & additional user information
Other users
Groups
Members of the built-in administrators group
Network information & Services
IP address & network adapter
Internal networks and other hosts on the network
TCP/UDP services + ports
Routing table
Windows Firewall state
Running processes & services
Scheduled tasks
A process is an instance of a running program.
A service is a process that runs in the background.
Automating Local Enumeration
The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules. This saves time and surfaces additional enumeration and exploitation information.
Tools:
Linux Local Enumeration
System Information
Hostname
Distribution & release version
Kernel version & Architecture
CPU information
Disk & mounted drives
Installed packages
Users & Groups
Current user & privileges
Other users
Groups
Network information & Services
IP address & network adapter
Internal networks and other hosts on the network
TCP/UDP services + ports
Running services
Scheduled Cron Jobs
Automating Local Enumeration
The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules. It is very useful to be time efficient.
Tools:
Transferring Files
Python modules can be useful for setting up a web server that hosts the files required for transfer. These modules are:
Check the Python version first, since the module name depends on it
SimpleHTTPServer - Python 2 module
http.server - Python 3 module
e.g. Copy a file into the current directory and set up the web server so the file can be downloaded onto the target system.
Files can be downloaded from a browser or using a GET request.
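As an added example (not code from the original page), the transfer step done end to end in Python: serve a directory with the http.server module, fetch a file with a plain HTTP GET, and compare the SHA-256 of what arrived with the hash computed before the transfer, so a truncated or altered download is noticed. The directory, file name and file contents are constructed for the demo; the server binds a free loopback port.

```python
"""Added example (not from the original page): host a directory with the
http.server module, fetch a file with an HTTP GET, and verify its SHA-256
after transfer. Directory, file name and contents below are constructed."""
import hashlib
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.request
from functools import partial


def sha256_hex(data):
    """Hex SHA-256 of a byte string, computed before and after the transfer."""
    return hashlib.sha256(data).hexdigest()


def serve_directory(directory):
    """Start the equivalent of `python3 -m http.server` for `directory` on a
    free loopback port, in a daemon thread. Returns (server, port)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, port


def fetch(url):
    """Plain HTTP GET, the same request a browser or certutil would send."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def transfer_and_verify(directory, filename, expected_sha256):
    """Serve `directory`, download `filename` over HTTP, stop the server and
    report whether the received bytes hash to `expected_sha256`."""
    server, port = serve_directory(directory)
    try:
        data = fetch("http://127.0.0.1:%d/%s" % (port, filename))
    finally:
        server.shutdown()      # stop serve_forever() in the helper thread
        server.server_close()  # release the listening socket
    return sha256_hex(data) == expected_sha256


def demo():
    """Build a temporary directory with one constructed file and run two
    transfers: one checked against the right hash, one against a wrong one."""
    with tempfile.TemporaryDirectory() as tmp:
        content = b"constructed sample file, not a real payload\n"
        with open(os.path.join(tmp, "sample.txt"), "wb") as fh:
            fh.write(content)
        good = transfer_and_verify(tmp, "sample.txt", sha256_hex(content))
        bad = transfer_and_verify(tmp, "sample.txt", "0" * 64)
        return good, bad


if __name__ == "__main__":
    print("verified, mismatch-detected:", demo())
```

Computing the hash on the attacker side before serving and again on the target after download is the cheapest way to catch a partial transfer, which `http.server` itself will not tell you about; the request log it writes to stderr is also the trace a defender would see in a web-server log.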
Transferring Files
Windows
Set up a web server to host the payload.exe file.
After gaining access to the Windows target system and spawning a command shell session, download the payload file onto the target system using the certutil tool in cmd.
Linux
After exploiting the Linux target, transfer the php-backdoor.php file to the target. Two terminal sessions are necessary; use the tmux utility to get more sessions.
tmux - a terminal multiplexer: a program that runs in a terminal and allows multiple other terminal programs to be run inside it.
Interactive Shells
🔬 Interactive shell techniques are covered in an INE vulnerable lab. The commands below assume the target SAMBA service has already been exploited through the exploit/linux/samba/is_known_pipename MSF module.
After exploitation (using MSFconsole, netcat, etc.), a non-interactive shell is obtained: it does not present a prompt. This is a command shell session.
Display the list of shells on the target system
Spawn TTY Shells
Bash
Upgrade to a simple bash or sh session (assuming bash is installed on the target system).
From the non-interactive shell session, check the Python version (if present).
Spawn a bash session with Python. The specified shell must be listed inside /etc/shells.
Fully Interactive TTY
Background (CTRL+Z) the current remote shell. Update the local terminal line settings with stty and bring the remote shell back with fg. Reinitialize the terminal with reset.
📌 For more information on full TTY shells check
Perl
Spawn a bash session with Perl.
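The /etc/shells requirement mentioned above has a defensive reading too: the file is the list of shells the system considers valid for logins, so any account whose login shell is not in it is worth a look. The following is an added example, not code from the original page; it parses /etc/shells, answers whether a given shell is listed, and audits /etc/passwd for unlisted login shells. Both file contents are constructed samples.

```python
"""Added example (not from the original page): read /etc/shells, check a
candidate shell against it, and audit /etc/passwd for login shells that are
not listed there. The two file contents are constructed."""

SAMPLE_SHELLS = """# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/usr/bin/bash
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:Service:/opt/svc:/opt/svc/shell.sh
"""

# Shells that deliberately refuse logins; not in /etc/shells and not a finding.
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_shells(shells_text):
    """Return the shell paths in /etc/shells, skipping blank lines and comments."""
    shells = []
    for line in shells_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.append(line)
    return shells


def is_listed_shell(shells_text, shell):
    """True if `shell` is an allowed login shell according to /etc/shells."""
    return shell in parse_shells(shells_text)


def parse_passwd(passwd_text):
    """Map user name to login shell from /etc/passwd (7 colon-separated fields)."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = fields[6]
    return users


def unlisted_login_shells(passwd_text, shells_text):
    """Accounts whose login shell is neither in /etc/shells nor a nologin
    shell; a replaced or misconfigured login shell shows up here."""
    listed = set(parse_shells(shells_text))
    return {user: shell for user, shell in parse_passwd(passwd_text).items()
            if shell not in listed and shell not in NOLOGIN_SHELLS}


if __name__ == "__main__":
    print("bash listed:", is_listed_shell(SAMPLE_SHELLS, "/bin/bash"))
    print("unlisted login shells:", unlisted_login_shells(SAMPLE_PASSWD, SAMPLE_SHELLS))
```

On a live host, replace the two constants with the contents of /etc/shells and /etc/passwd; the nologin list is a sensible default but should be adjusted to whatever the distribution actually uses.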
Windows Privilege Escalation
Privilege Escalation vulnerabilities can be identified by using various automation scripts and tools, based on the target system configuration.
PrivescCheck - a PowerShell script to enumerate common Windows configuration issues that can be leveraged for local privilege escalation
🔬 Check
Linux Privilege Escalation
Privesc vulnerabilities can be identified automatically using the LinEnum tool.
The labs below focus on manual Linux privilege escalation techniques instead.
Linux file permissions are important.
🔬 Check
Windows Persistence
🗒️ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. - MITRE ATT&CK
❗ Persistence techniques and methods usually require administrative access and must follow the rules of engagement agreed with the customer.
🔬 Check the Windows Persistence Labs
Linux Persistence
On a Linux server the SSH service is typically enabled, and an attacker can take advantage of it. If password login is disabled and key-based authentication is enabled, the attacker can copy a user's SSH private key and use it for future access.
Linux Cron is a service that repeatedly runs cron jobs; it can be used for command execution at a fixed interval to ensure persistent access to the target system.
🔬 Check the Linux Persistence Labs
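The two persistence spots named above, SSH keys and cron, are also where a defender looks first. As an added example (not code from the original page or the labs), the script below parses a user's ~/.ssh/authorized_keys and a user crontab (crontab -l format, no user column) and flags entries that deserve review: keys without a from= source restriction, and jobs that run out of a temp directory or pipe a download into a shell. Both file contents are constructed samples.

```python
"""Added example (not from the original page): audit ~/.ssh/authorized_keys
and a user crontab for entries worth reviewing. Both inputs are constructed."""
import re

SAMPLE_AUTHORIZED_KEYS = """# constructed sample
from="10.0.0.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial
"""

SAMPLE_CRONTAB = """SHELL=/bin/sh
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.update.sh
@reboot /usr/bin/python3 /opt/app/agent.py
"""

# Key line: [options] key-type base64-key [comment]. Options may contain
# quoted spaces, so locate the key type instead of splitting on whitespace.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)|ssh-dss)"
    r"\s+(\S+)(?:\s+(.*))?$")
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
CRON_RE = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")


def parse_authorized_keys(text):
    """Return one dict per key: options string, key type, key, comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # not a key line this parser understands
        entries.append({
            "options": line[:m.start()].strip(),
            "type": m.group(1),
            "key": m.group(2),
            "comment": (m.group(3) or "").strip(),
        })
    return entries


def unrestricted_keys(entries):
    """Keys with no from= source restriction: usable from anywhere, so each
    one needs an owner who can vouch for it."""
    return [e for e in entries if "from=" not in e["options"]]


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ASSIGNMENT_RE.match(line):
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2)))
    return jobs


def suspicious_cron_jobs(jobs):
    """Flag jobs that run from world-writable temp dirs or pipe a download
    into a shell; both are classic persistence shapes."""
    findings = []
    for schedule, command in jobs:
        if any(d in command for d in TEMP_DIRS):
            findings.append((schedule, command, "runs from a temp directory"))
        elif PIPE_TO_SHELL_RE.search(command):
            findings.append((schedule, command, "pipes a download into a shell"))
    return findings


if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    print("unrestricted keys:", [(k["type"], k["comment"]) for k in keys if k in unrestricted_keys(keys)])
    print("suspicious cron jobs:", suspicious_cron_jobs(parse_crontab(SAMPLE_CRONTAB)))
```

The parsers are deliberately narrow (user crontab only, the common key types only) so that what they flag is explainable; a system crontab in /etc/crontab or /etc/cron.d carries an extra user column and would need the schedule regex extended.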
Dumping & Cracking Hashes
📝 Check the already covered Credential Dumping theory here:
After the dumping process, hashes can be cracked using:
🔬 Check the Cracking Hashes Labs here
🗒️ Pivoting is a post-exploitation technique of using a compromised host, a foothold or plant, to attack other systems on its private internal network.
Once access to the first target host has been gained, a forwarded port can be used to exploit other hosts on a private network that is unreachable from the attacker machine.
🗒️ Port Forwarding consists of rerouting/redirecting traffic from a particular port on the target system to a specific port on the attacker system. The service then becomes remotely available to the attacker system.
🔬 Check the Pivoting Lab here
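Both the network enumeration items in the Linux checklist (TCP/UDP services and ports) and the port forwarding described here come down to the same kernel table: /proc/net/tcp, which netstat and ss read. The script below is an added example, not code from the original page; it decodes that table and diffs the listening sockets of a current snapshot against a baseline, so a listener that appeared after a compromise, such as a forwarded port, stands out. Both snapshots are constructed; addresses are decoded assuming a little-endian host, which is what x86 and arm64 Linux print.

```python
"""Added example (not from the original page): decode /proc/net/tcp and diff
listening sockets against a baseline snapshot. Snapshots are constructed."""
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed baseline: sshd listening on all interfaces, one established session.
BASELINE_SNAPSHOT = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0102000A:C1A4 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 20 4 30 10 -1
"""

# Same host later: a new listener on loopback port 8080 owned by uid 1000 (constructed).
CURRENT_SNAPSHOT = BASELINE_SNAPSHOT + (
    "   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
    "  1000        0 1003 1 0000000000000000 100 0 0 10 0\n")


def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22). The IPv4 is a host-order uint32
    printed in hex, so unpack it little-endian; the port is plain hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row with decoded endpoints, state name and owning
    uid; the header row (first field 'sl') is skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "sl":
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return rows


def listening_sockets(text):
    """Set of (ip, port) pairs in LISTEN state."""
    return {row["local"] for row in parse_proc_net_tcp(text) if row["state"] == "LISTEN"}


def new_listeners(baseline_text, current_text):
    """Listening (ip, port) pairs present now but absent from the baseline."""
    return listening_sockets(current_text) - listening_sockets(baseline_text)


if __name__ == "__main__":
    for row in parse_proc_net_tcp(CURRENT_SNAPSHOT):
        print(row)
    print("new listeners:", new_listeners(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT))
```

On a live host, feed the text of /proc/net/tcp to these functions; /proc/net/tcp6 has the same layout but 128-bit addresses, which this decoder does not handle. A loopback-only listener that was not in the baseline is exactly the shape a local port forward leaves behind, which is why the diff keeps the interface address rather than just the port.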
Clearing Tracks
According to the rules of engagement, the pentester may be required to clear any changes that have been made to the target systems as a result of the exploitation and post-exploitation stages.
A good practice is to store all artifacts (payloads, scripts and binaries) in these folders:
Windows - C:\Temp
Linux - /tmp
Metasploit Framework generates and stores a lot of artifacts on the target. Some modules provide removal resource scripts.
Windows
Deleting the Windows Event Log can be a post-exploitation clearing technique.
❗ Avoid it during a regular penetration test, because the data inside the Windows Event Log is important to the customer.
Metasploit e.g.: use the cleanup RC file.
Linux
bash history logs the activity and the commands used. To clear the bash history, the content of the ~/.bash_history file can be deleted as well.
When using Metasploit Framework exploits, proceed manually to clear artifacts from the /tmp directory or other directories that were used.
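The defender's counterpart of the bash history clearing above is spotting that history was silenced or wiped. As an added example (not code from the original page), the script below scans shell rc-file text for directives that stop history being recorded and classifies a history file's on-disk state (missing, empty, or a symlink to /dev/null) without following the link. The rc contents and the demo directory are constructed.

```python
"""Added example (not from the original page): detect silenced or wiped
shell history. Sample rc text and the demo directory are constructed."""
import os
import re
import stat
import tempfile

SAMPLE_RC = """export HISTFILE=/dev/null
export HISTSIZE=0
set +o history
alias ll='ls -la'
"""

# (pattern, description) pairs; each matches one way of silencing history.
INDICATORS = [
    (re.compile(r"""^\s*(?:export\s+)?HISTFILE=(?:/dev/null|""|'')\s*$""", re.M),
     "HISTFILE pointed at /dev/null or emptied"),
    (re.compile(r"^\s*(?:export\s+)?HISTSIZE=0\s*$", re.M), "HISTSIZE set to 0"),
    (re.compile(r"^\s*(?:export\s+)?HISTFILESIZE=0\s*$", re.M), "HISTFILESIZE set to 0"),
    (re.compile(r"^\s*unset\s+HISTFILE\b", re.M), "HISTFILE unset"),
    (re.compile(r"^\s*set\s+\+o\s+history\b", re.M), "history recording switched off"),
]


def rc_indicators(rc_text):
    """Descriptions of every history-silencing directive found in rc text."""
    return [label for pattern, label in INDICATORS if pattern.search(rc_text)]


def history_file_state(path):
    """Classify a history file without following symlinks:
    'missing', 'devnull_symlink', 'symlink', 'empty' or 'present'."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "devnull_symlink" if os.readlink(path) == "/dev/null" else "symlink"
    if st.st_size == 0:
        return "empty"
    return "present"


def demo():
    """Build a temp dir with an empty history, a /dev/null symlink and a normal
    file, then classify each plus a path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty_history")
        open(empty, "wb").close()
        linked = os.path.join(tmp, "linked_history")
        os.symlink("/dev/null", linked)
        normal = os.path.join(tmp, "normal_history")
        with open(normal, "w") as fh:
            fh.write("ls -la\ncat /etc/os-release\n")  # constructed history lines
        return (history_file_state(empty), history_file_state(linked),
                history_file_state(normal), history_file_state(os.path.join(tmp, "none")))


if __name__ == "__main__":
    print("rc indicators:", rc_indicators(SAMPLE_RC))
    print("file states:", demo())
```

An empty or missing history file for an account with recent logins, or one of the rc indicators in a file that was recently modified, is the signal to pull in other sources (auth logs, audit records, process accounting) rather than rely on history at all.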