Final step - Post-exploitation
Post-exploitation is the last step of the pentester's activities. Once we have gained access to the target and escalated to administrator, we try to maintain and expand our access to other machines.
Pivoting to another victim is called lateral movement.
Common activities
- Leave a backdoor (persistence)
- Deface the public website
- Redirect users to a malicious website
- Steal data (files, photos, emails, source code...)
- Steal credentials (authentication tokens, passwords, KeePass databases)
- Tamper with timestamps and similar metadata to complicate forensics
- Clean up logs
- Install keyloggers
- Edit software configurations / user permissions
- Reset user passwords to access their accounts
To-do
Stuff that I found but have never read or used yet.
Windows
- Create a new administrator
PS > net user <username> <password> /add
PS > net localgroup administrators <username> /add
- See also VSS
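The defender's view of the two commands above, as an added example that is not part of these notes: the `net user ... /add` command produces Windows Security event 4720 (a user account was created) and `net localgroup administrators ... /add` produces event 4732 (a member was added to a security-enabled local group). Those event IDs are real; the JSON-lines records, their simplified field names and the function names are constructed for this example, and a real deployment would feed records exported from the Security log (for instance from a SIEM) in the same shape.

```python
import json
from datetime import datetime, timedelta

# Real Windows Security log event IDs.
ACCOUNT_CREATED = 4720           # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"

# Local groups whose membership grants administrative or sensitive access.
PRIVILEGED_GROUPS = {"administrators", "backup operators"}

# Constructed sample records in JSON-lines form. The field names are a
# simplified, assumed schema for this example, not the raw Security log XML.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:02:11", "event_id": 4720, "subject": "alice", "target_user": "svc_backup"}
{"time": "2024-05-01T10:02:14", "event_id": 4732, "subject": "alice", "group": "Administrators", "member": "svc_backup"}
{"time": "2024-05-01T11:30:00", "event_id": 4720, "subject": "helpdesk", "target_user": "newhire01"}
{"time": "2024-05-01T11:31:00", "event_id": 4732, "subject": "helpdesk", "group": "Remote Desktop Users", "member": "newhire01"}
{"time": "2024-05-02T09:00:00", "event_id": 4732, "subject": "bob", "group": "Administrators", "member": "oldaccount"}
"""


def parse_records(text):
    """Parse JSON-lines records and return them sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def find_privileged_group_changes(records, window=timedelta(minutes=10)):
    """Correlate 4720 and 4732 events.

    Returns one alert per addition to a privileged local group. If the
    member was created within `window` before the addition, the alert is
    tagged 'created_then_elevated' (the exact sequence of the two
    `net user` / `net localgroup` commands); otherwise 'existing_account_elevated'.
    """
    created = {}  # lowercase account name -> creation record
    alerts = []
    for rec in records:
        if rec["event_id"] == ACCOUNT_CREATED:
            created[rec["target_user"].lower()] = rec
        elif rec["event_id"] == LOCAL_GROUP_MEMBER_ADDED:
            if rec["group"].lower() not in PRIVILEGED_GROUPS:
                continue
            origin = created.get(rec["member"].lower())
            recent = origin is not None and rec["time"] - origin["time"] <= window
            alerts.append({
                "reason": "created_then_elevated" if recent else "existing_account_elevated",
                "member": rec["member"],
                "group": rec["group"],
                "by": rec["subject"],
                "time": rec["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_group_changes(parse_records(SAMPLE_LOG)):
        print(alert)
```

On the sample data the detector raises two alerts: the `svc_backup` account created and added to Administrators three seconds later by the same subject, and `oldaccount` added to Administrators with no recent creation event. The `newhire01` addition to Remote Desktop Users is ignored because that group is not in the privileged set; widen `PRIVILEGED_GROUPS` to taste.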
Linux
- You can give capabilities to a file with setcap
- SSH key
- Passive attacks (monitor)
- Active attacks
- Meterpreter
- /.dockerenv (check whether we are inside a Docker container)
- KeePass (see exploitation note too?)
- Vulnerable security questions (unencrypted, easy to guess, reset passwords)
- Pass-The-Hash Attack
- rootkit, bootkit
- Credential dumping
- Forensics: clear PowerShell history
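For the setcap item above, an added example (not from these notes) of the defender's side: decoding the `security.capability` extended attribute that setcap writes, so that an audit can list every file carrying file capabilities and flag the ones that typically lead to root. The struct layout (`struct vfs_cap_data`: a little-endian u32 `magic_etc` holding the revision in its top byte and the effective flag in bit 0, followed by `(permitted, inheritable)` u32 pairs, plus a `rootid` for revision 3) and the capability bit numbers come from the kernel UAPI header `linux/capability.h`; the byte strings in `SAMPLES` are constructed, and `audit_tree()` and `dangerous_caps()` are helper names chosen for this example.

```python
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_3 = 0x03000000
# Number of (permitted, inheritable) u32 pairs per on-disk revision.
PAIRS_PER_REVISION = {0x01000000: 1, 0x02000000: 2, VFS_CAP_REVISION_3: 2}

# Capability names indexed by bit number (linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# File capabilities that typically let whoever can run the file become root
# or read/write arbitrary files; a finding here deserves a closer look.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_chown", "cap_fowner", "cap_setfcap", "cap_sys_admin",
             "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio"}


def bits_to_names(mask):
    """Turn a capability bitmask into getcap-style names (cap_setuid, ...)."""
    return [f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(mask.bit_length()) if (mask >> i) & 1]


def decode_caps(raw):
    """Decode a raw security.capability value (struct vfs_cap_data)."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    pairs = PAIRS_PER_REVISION.get(revision)
    if pairs is None:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    permitted = inheritable = 0
    for i in range(pairs):  # pair 0 holds bits 0-31, pair 1 holds bits 32-63
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = None
    if revision == VFS_CAP_REVISION_3:  # namespaced file caps carry the root uid
        (rootid,) = struct.unpack_from("<I", raw, 4 + 8 * pairs)
    return {
        "permitted": bits_to_names(permitted),
        "inheritable": bits_to_names(inheritable),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def dangerous_caps(caps):
    """Subset of the permitted set that is on the DANGEROUS list."""
    return sorted(set(caps["permitted"]) & DANGEROUS)


def audit_tree(root="/", skip=("/proc", "/sys", "/dev")):
    """Walk `root` on a Linux host and report files carrying file capabilities."""
    getxattr = getattr(os, "getxattr", None)  # only exists on Linux
    if getxattr is None:
        return []
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                raw = getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # no attribute, permission denied, or file vanished
                continue
            caps = decode_caps(raw)
            findings.append((path, caps, dangerous_caps(caps)))
    return findings


# Constructed sample attribute values, i.e. what setcap would have written.
SAMPLES = {
    "setuid+ep": struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0),
    "net_raw+ep": struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0),
    "bpf+p": struct.pack("<IIIII", 0x02000000, 0, 0, 1 << (39 - 32), 0),
    "sys_admin+ep,rootid=1000": struct.pack("<IIIIII", 0x03000001, 1 << 21, 0, 0, 0, 1000),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        caps = decode_caps(raw)
        print(label, caps, "DANGEROUS:" if dangerous_caps(caps) else "", dangerous_caps(caps))
    for path, caps, bad in audit_tree():
        print(path, caps["permitted"], "effective" if caps["effective"] else "", bad)
```

Run it as root on a Linux host to get the same list `getcap -r /` prints, plus the dangerous subset per file; a `cap_net_raw` on `ping` is expected, whereas `cap_setuid` or `cap_dac_override` on an unfamiliar binary is the kind of persistence this section is about.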