Post-exploitation is the phase where you establish persistent access and avoid relying on a single entry point. The aim is to be able to access the environment whenever you want for a longer time period. It’s important to note that this phase happens after the initial exploitation of the target machine. In this phase, attackers install backdoors, get higher privileges, move within the environment, and plant rootkits in the targeted environment.

As we focus on maintaining access, in this chapter, we will be covering the following main topics:

• Privilege escalation
• Lateral movement
• Backdoors and Trojan horses
• Rootkits
• Maintaining access in a cloud environment
• Maintaining access exercises and best practices

In order to follow along with this chapter, you will need the following:

• Kali Linux 2022.1 or later
• Metasploitable 2
• unix-privsec-check
• Netcat
• TightVNC
• chkrootkit
• rkhunter

The initial access to the target environment, in most cases, is with a low privileged user. This means the access includes no or a very limited set of permissions. The immediate objective then is to expand the access from the normal user account to an account with more permissions or administrative access. The process to move from normal to administrative access (or access with more permissions) is called privilege escalation.

There are multiple ways or methods to elevate privileges, such as the following:

• Rootkits (these will be explained in more detail in the Rootkits section later in this chapter)
• Unpatched vulnerabilities
• Zero days
• Misconfigurations

Regarding unpatched vulnerabilities, you will find a lot of tools utilizing these to automate privilege escalation. One common tool is the Metasploit Framework (https://docs.metasploit.com/), which is installed by default in Kali Linux. In addition, administrators or system admins tend...

Lateral movement is the process where you try to pivot from a compromised system into other systems within the same or different subnets within the environment. It is an important step in maintaining access as it enables you to move around the environment, obtaining additional credentials, thus making it difficult for system admins or remediation teams to remove your access completely without proper scoping. The following is a diagram of lateral movement after initial exploitation.

Figure 7.3 – Lateral movement (Source: https://www.microsoft.com/en-us/security/blog/2020/06/10/the-science-behind-microsoft-threat-protection-attack-modeling-for-finding-and-stopping-evasive-ransomware/)

Now let’s look at a lateral movement tool, evil-winrim, next.

Evil-WinRM

Evil-WinRM (https://github.com/Hackplayers/evil-winrm) is an open source tool that can help with connecting to remote systems using Windows Remote Management (WinRM...

Backdoors and Trojan horses are two very common malware types used to maintain access to the environment. One of the first tasks once access to the environment is established is to ensure the access is kept, and backdoors and Trojan horses are used most of the time to achieve this.

A backdoor is a program or a service that will allow bypassing security controls implemented in the environment – for example, not providing a username or password to get access to a system. On the other hand, Trojan horses are a program or service that looks legitimate and has useful functionality within the system but has hidden functionality. It is named for the historical wooden horse that was used in the Trojan War by the Greeks to enter the city of Troy.

In the previous paragraphs, we talked about backdoors and Trojan horses as separate methods to maintain access. However, both techniques can be used together. When used together, it is called a Trojan horse...

Rootkits have been available since the 90s and are widely used. Rootkits are tools that have the following capabilities:

• Have a backdoor into the target system
• Keep it hidden that the target system is compromised or infected

The main use of rootkits is to infect the operating system itself, and thus they are one of the most effective backdoors as they hide everything from end users or system admins.

The name refers to root and kit as the first variants of these tools targetted Linux/Unix systems to get root (superuser) access. However, the first known variant that targeted Windows was in 1999, and macOS in 2009.

Some rootkits allow you to gather information about the target system and even through the local network. In recent years, rootkits have included spyware and bots in their packages.

There are multiple common modes for these rootkits:

• User mode: In this mode, the rootkit modifies legitimate system files and processes to hide its presence...

The tools and examples covered in this chapter are still applicable to the cloud environment, specifically if Infrastructure as a Service (IaaS) is used. Similarly, some Platform as a Service (PaaS) services may rely on vulnerable dependencies that can be used to maintain access.

Other methods commonly used in cloud environments include some of the following:

• Default weak configuration or protocols that can help maintain access:
  • For example, in a few cases when default legacy protocols are enabled, it can be used as a way to access the cloud environment by bypassing any MFA controls
  • Another example is the use of a default account for running virtual machines on the cloud as a way to ensure maintaining access
• Creating new accounts that look similar to existing accounts as a means to have access.
• Capturing many valid accounts and only using a few during any movement within the environments. This allows you to return to the...

As you work through this exercise, please keep in mind that this stage is where you maintain access within the environment after gaining the initial access. Information gathered during previous phases can be helpful in making it easier for persistence in this phase. In addition, you might start another round of reconnaissance and scanning but this time from within the environment. During this phase, you expand your footprints within the environment to maintain access and persistence.

The following activities aim to give you a feel for using the tools. Please remember to stay within the ethical boundaries and don’t conduct these activities on any organization systems that would be deemed illegal.

Privilege escalation and lateral movement

Let’s begin with privilege escalation activities using the following:

1. Use unix-privsec-check to find the weakness in the local compromised system to discover whether there is any path to escalate...

This chapter focused on how an ethical hacker can maintain access to the system. It explained how to pivot, escalate privileges, and utilize various backdoors so that the system can be returned to. In addition, it showed how to leverage various tools for the preceding skills.

Congratulations on completing this book on ethical hacking! You have now learned how to think like a hacker and how to exploit security vulnerabilities. This knowledge can be used to protect yourself and your organization from cyberattacks.

Ethical hacking is a complex and ever-evolving field, but it is an essential skill for anyone who wants to work in cybersecurity. With the increasing number of cyberattacks, there is a high demand for ethical hackers who can help organizations protect their data and systems.

If you are interested in a career in ethical hacking, there are many resources available to you. There are online courses, bootcamps, and degree programs that can teach you the skills you...