eCPPTv2 Notes
Post Exploitation

Module Map

  1. Introduction

  2. Privilege Escalation and Maintaining Access

  3. Pillaging

  4. Mapping the internal network

  5. Exploitation through Pivoting

6.1. Introduction

Post-exploitation is the last technical stage of the penetration testing process (before the reporting phase).

Post-exploitation encompasses all the activities the penetration tester undertakes once the target system has been compromised: determining the value of the machine and of the network infrastructure, maintaining access, gathering information, and so on.

In other words, it is what you do, or have to do, once you have access to the target.

Keep in mind that these activities are not always the same: they depend on what kind of access you have, which system you have compromised, how stealthy you need to be, and so on.

This means we will run different activities, tasks, and tools on Windows and Linux systems.

Moreover, you should never forget the rules of engagement.

When running post-exploitation tasks, be sure you have the permission and the right to modify services and machine configurations, escalate privileges, gather sensitive information, delete logs, and so on.

Record your changes

You should always keep track of the actions taken against the compromised machines. This includes the date and time, changes made to the machine's documents, services, applications, and configurations, as well as private data discovered, methods used to maintain access, and so on.

This information (containing the list of changes made) should then be included in the final report.

Handling Information

All data discovered and gathered must be protected. This means that you must encrypt it on your pentesting machine, and permanently delete it once the pentest is completed.

Even when reporting sensitive information to your client, such as a screenshot containing usernames or passwords, always obfuscate and mask the data.
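The masking step above, as an added example that is not part of the course notes: a small Python helper that redacts credential-like values from captured output before it goes into a report. The key patterns and the sample capture are constructed for this example, and the masking is one-way (a short hint plus a fixed-width run of asterisks), so a reader of the report can recognise which field was masked but cannot recover the value or even its length.

```python
"""Mask credentials in captured evidence before it is placed in a report.
Added example; the patterns and sample text below are constructed."""
import re
from typing import Tuple

# Constructed patterns for values that commonly leak into console captures.
# Group 1 = the key, group 2 = the separator, group 3 = the value to mask.
SECRET_PATTERNS = [
    # key=value / key: value style (db_password=..., username: ..., token=...)
    re.compile(r"(?i)(\w*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key"
               r"|user(?:name)?|login))(\s*[:=]\s*)(\S+)"),
    # HTTP Authorization headers carrying Basic or Bearer credentials
    re.compile(r"(?i)(Authorization)(:\s*(?:Basic|Bearer)\s+)(\S+)"),
]

# Constructed sample: what a pillaging session might have captured.
SAMPLE_CAPTURE = """\
[host1] found config.ini: db_user=svc_report db_password=Winter2024!
GET /api HTTP/1.1
Authorization: Bearer eyJhbGciOi.example.token
username: admin token=abc123
"""


def mask_value(value: str, keep: int = 2, width: int = 8) -> str:
    """Keep the first `keep` characters as a hint and replace the rest with a
    fixed-width mask, so the masked form does not reveal the secret's length.
    Values no longer than the hint are masked completely."""
    hint = value[:keep] if len(value) > keep else ""
    return hint + "*" * width


def mask_text(text: str) -> Tuple[str, int]:
    """Apply every pattern to `text`; return (masked text, number of values
    masked). The count lets the report state how much was redacted."""
    count = 0

    def repl(m: "re.Match") -> str:
        nonlocal count
        count += 1
        return m.group(1) + m.group(2) + mask_value(m.group(3))

    for pattern in SECRET_PATTERNS:
        text = pattern.sub(repl, text)
    return text, count


if __name__ == "__main__":
    masked, n = mask_text(SAMPLE_CAPTURE)
    print(masked)
    print(f"{n} value(s) masked")
```

Run the masking over every capture before it is pasted into the report; the original, unmasked evidence stays only in the encrypted working copy mentioned above.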

Maintaining Access Clean-up

As you will see later on, one of the first steps you will take once you compromise a machine is maintaining access, or persistence. It allows you to get back onto the machine whenever you want, usually through a backdoor on the system.

When using such methods, implement some type of authentication (to prevent others from using it) and delete everything once the pentest is complete.

Permanent Edits

Another important thing you should be aware of is how to handle permanent changes on the exploited system.

If the rules of engagement permit these edits, and you are going to delete logs from the remote machine, be sure to back them up before actually deleting or modifying them.
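A worked example for the two points above (recording every change made to a compromised machine, and backing up logs before a permitted edit). This is added code, not from the course notes: a small Python change log that copies a file and verifies the copy's SHA-256 before the original is touched, and records each action with a UTC timestamp so the list of changes can be attached to the final report. The host name, engagement id and log line are constructed placeholders.

```python
"""Engagement change log with backup-before-modify. Added example; the host,
engagement id and log content are constructed placeholders."""
import hashlib
import json
import shutil
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Constructed sample standing in for a log file on a compromised host.
SAMPLE_AUTH_LINE = "Jan 01 00:00:01 host1 sshd[1]: Accepted password for alice\n"


def sha256_file(path) -> str:
    """Hex SHA-256 of a file; used to prove that a backup matches the original."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class ChangeRecord:
    timestamp: str                    # UTC ISO-8601, lines up with the client's logs
    host: str                         # target identifier (hypothetical below)
    action: str                       # "backup", "modify", "delete", "persistence", ...
    detail: str                       # what exactly was changed and why
    backup_path: Optional[str] = None
    sha256: Optional[str] = None


@dataclass
class ChangeLog:
    engagement: str
    records: List[ChangeRecord] = field(default_factory=list)

    def record(self, host, action, detail, backup_path=None, sha256=None):
        """Append one timestamped entry and return it."""
        rec = ChangeRecord(datetime.now(timezone.utc).isoformat(), host, action,
                           detail, backup_path, sha256)
        self.records.append(rec)
        return rec

    def backup_before_change(self, host, target, backup_dir, reason):
        """Copy `target` into `backup_dir` and log the copy with its hash BEFORE
        the original is modified or deleted. Raises if the copy does not
        verify, so the edit is never made without a restorable backup."""
        target, backup_dir = Path(target), Path(backup_dir)
        backup_dir.mkdir(parents=True, exist_ok=True)
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
        dest = backup_dir / f"{host}_{target.name}_{stamp}.bak"
        shutil.copy2(target, dest)
        digest = sha256_file(dest)
        if digest != sha256_file(target):
            raise RuntimeError(f"backup of {target} does not verify")
        return self.record(host, "backup", f"backup of {target} before: {reason}",
                           str(dest), digest)

    def actions_for(self, host) -> List[str]:
        """Chronological list of actions recorded against one host."""
        return [r.action for r in self.records if r.host == host]

    def to_json(self) -> str:
        """Serialised form of the log, ready to attach to the final report."""
        return json.dumps(asdict(self), indent=2)


def demo() -> ChangeLog:
    """Constructed scenario: back up a fake auth log on a fake host, then
    truncate it (the kind of permanent edit that needs RoE permission),
    recording both steps."""
    work = Path(tempfile.mkdtemp(prefix="engagement-"))
    fake_log = work / "auth.log"
    fake_log.write_text(SAMPLE_AUTH_LINE)
    log = ChangeLog("ENG-0000 (hypothetical engagement id)")
    log.backup_before_change("host1", fake_log, work / "backups",
                             "truncate auth.log, permitted by RoE")
    fake_log.write_text("")                      # the permanent edit itself
    log.record("host1", "modify", f"truncated {fake_log}")
    return log


if __name__ == "__main__":
    print(demo().to_json())
```

The verified hash in each backup entry is what lets you prove, during clean-up and in the report, that the file you restore is the one that was on the machine before your edit.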

Methodology

In order to run a thorough and complete post-exploitation phase, we propose a methodology that you can apply during your engagements.

This is a cyclic process composed of 4 steps:

  1. Privilege Escalation and Maintaining Access

  2. Data Harvesting

  3. Internal Network Scan

  4. Exploitation of New Systems and Pivoting

The process is cyclic because you may discover new networks, new hosts, and new targets, and then gain access to them through exploitation.

Moreover, note that each host you compromise can store and provide information that others do not store.

The post-exploitation phase really allows you to infiltrate an entire network instead of just a single host.

In the next sections, we will analyze each step of the post-exploitation process and see what tools, commands, and activities a penetration tester can use in each of them.
