Security is Everyone's Job
Post-exploitation is the phase of a penetration test where the tester tries to leverage the access gained from exploiting a vulnerability to achieve further goals, such as data exfiltration, privilege escalation, lateral movement, persistence, or pivoting.
From a pentester’s perspective, post-exploitation is a crucial phase that demonstrates the real impact and risk of a breach, as well as the effectiveness of the security controls and incident response of the target organization.
Post-exploitation also requires a high degree of experience, creativity, and stealth, as the pentester needs to navigate deeper into the network, access sensitive data and systems, evade detection and prevention mechanisms, and maintain access for future use.
Post-exploitation can be challenging and rewarding for pentesters, as they can discover new attack vectors, exploit high-value targets, and simulate realistic threat scenarios.
Mimikatz: A credential-dumping tool that can extract plaintext passwords, hashes, tickets, and keys from memory. It can also perform pass-the-hash, pass-the-ticket, and other attacks. It is written in C and has a PowerShell version called PowerSploit.
Empire: A post-exploitation framework that uses PowerShell and Python agents to execute modules on compromised hosts. It can perform various tasks such as bypassing UAC, dumping credentials, escalating privileges, and exfiltrating data.
Responder: A network poisoning tool that listens for broadcast name-resolution requests and responds with malicious answers. It can capture NTLM hashes, perform man-in-the-middle attacks, and relay credentials to other hosts.
CrackMapExec: A Swiss army knife for pentesting Windows networks. It can perform reconnaissance, enumeration, exploitation, and post-exploitation using various protocols such as SMB, WMI, WinRM, and MSSQL.
PoshC2: A command and control framework that uses PowerShell or Python implants to communicate with compromised hosts. It can execute payloads, scripts, and modules on the fly or schedule them for later execution.
BloodHound: A graph-based analysis tool that maps the relationships and trust between Active Directory objects. It can identify attack paths, privilege escalation opportunities, and domain vulnerabilities.
PowerSploit: A PowerShell post-exploitation framework consisting of various modules and scripts that help penetration testers and hackers perform different tasks on compromised machines.
SharpSploit: A .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favorite of its author. It has modules for credentials, enumeration, evasion, execution, lateral movement, persistence, and pivoting.