Post Exploitation Phase: Attacking Beyond the Perimeter
Hack Your Pentesting Routine
In this Cup O’ Joe series, we’re discussing the ten key phases of a penetration test, talking about the serious pain points in each, and demonstrating how PlexTrac can eliminate these problems.
In my plan, there are 10 phases of the penetration test engagement, each defined by a different group of stakeholders, participants, or activities requiring a serious context shift.
Check out the complete discussion of the preceding phases in my “Introducing ALL the Phases of Pentesting” article. Want to learn more about how PlexTrac can transform your pentesting practice today? Request a demo.
Post Exploitation Definition
The Penetration Testing Execution Standard (PTES) states that the purpose of the Post Exploitation phase is to determine the value of the compromised machine and to maintain control of the machine for later use. Post exploitation, as I define it, is the phase containing the techniques used to acquire situational awareness, maintain reliable re-entry, attain privilege escalation, and harvest credentials in order to pivot and move laterally.
Each new asset acquired has the potential to provide a new attack direction, with differing access controls and permissions on the network. When a new system is acquired, I will evaluate what it can reach on the network and determine what advantages it may provide. Once acquired, I want to ensure I have continued access to the system, even if my initial attack vector becomes disabled. Then I am able to examine the system for elevated keys, certificates and passwords, or additional ways to elevate my privileges. Finally, this system may provide a shorter path to my target, and I’ll use it to pivot to a new network or move laterally.
Not all engagements will include this phase. The rules of engagement may be so strict that any post-exploitation techniques are forbidden. Sometimes this is because the client feels the network or devices are too risky or fragile, but more often it’s due to fear or embarrassment. I’ve had plenty of engagements that had rules against reusing the credentials of or accessing the systems belonging to the C-suite. While the CFO might end up feeling embarrassed if their system was compromised, they are a genuine and valuable target and should be included as part of the scope. Push for Post Exploitation permission in the scope of work whenever possible.
The Security Maturity Framework
The Security Maturity Framework describes the steps an organization takes as it works towards a mature and effective security program.
Vulnerability scans are the beginning of the work an org undertakes, and these tests are noisy and full of false positives. The difference between a vuln scan and a pentest is that the latter typically aims to determine whether the security controls in place can prevent an attacker from breaching a specified target. A pentest without post-exploitation is nothing more than a validated vulnerability scan. A pentest without exploitation will never be able to determine if the organization can withstand a breach.
Post exploitation testing is best performed by those with a high degree of experience. As you navigate deeper into the network, you will be accessing and targeting servers and applications the client uses to run their business. Being overly casual about your approach or blindly blasting the network with exploits can cause systems to become unstable.
You may also find yourself inside systems you shouldn’t be. I remember an engagement arranged to test segmentation and compliance for PCI. I discovered a network that wasn’t in the scoping documents, but was ripe for exploitation. After obtaining a shell on one Windows system, I recognized a file structure and naming conventions that felt vaguely familiar. A quick Google confirmed that I had managed to exploit an ATM machine belonging to one of my client’s customers. While not a disaster, it did result in frantic phone calls with my project manager, their legal team, their project manager, and our legal team. This is a level of excitement that we hope to avoid.
So Much Data
Post exploitation is an extension of the tactics, techniques, and procedures (TTPs) we used in the previous phases. This usually means there are no special tools required. However, this stage can generate a large amount of data that must be managed and maintained. Tools like BloodHound can help organize the network and authentication data, but you still need something to manage your notes and run logs.
Given the litigious nature of the business world, it’s very important to keep records of your activity. Even if they don’t go as far as to sue you, clients will want good notes to troubleshoot if something goes down. PlexTrac lets you store these run logs in your preferred format as a way of defending you against unwarranted accusations.
All evidence and artifacts from the engagement can be associated with the report created in PlexTrac.
Store the run notes from each day’s activities as well as any screenshots and other evidence. PlexTrac is also useful for storing copies of the Statement of Work and the Rules of Engagement documents so the operator has all the details close at hand.
A Well Organized Pentest Begins and Ends with PlexTrac
Keeping all the details of a highly complex attack chain is a difficult task. PlexTrac lets you store them in a single source of truth for your team.
Catch up on the entire Hack Your Pentesting Routine series on the PlexTrac blog.