1
00:00:01,060 --> 00:00:07,060
So up to now, we learned the exploitation concept and how to exploit systems using an exploitation

2
00:00:07,060 --> 00:00:08,740
framework, Metasploit.

3
00:00:09,650 --> 00:00:14,190
Now it's time to compromise the exploited systems and gather as much as we can.

4
00:00:14,990 --> 00:00:18,140
So welcome to the post-exploitation phase.

5
00:00:20,020 --> 00:00:26,740
As I mentioned before, putting the reporting and the cleaning steps aside, a penetration test briefly

6
00:00:26,740 --> 00:00:28,180
consists of four phases.

7
00:00:28,930 --> 00:00:32,380
Reconnaissance is the act of gathering data on your target.

8
00:00:33,100 --> 00:00:38,230
Scanning is to find out more about the target's gaps, vulnerabilities, weaknesses, et cetera.

9
00:00:39,040 --> 00:00:43,240
Exploitation is to take control of the network devices.

10
00:00:44,260 --> 00:00:50,320
And the purpose of the post-exploitation phase is to determine the value of the machine compromised

11
00:00:51,040 --> 00:00:56,980
and to maintain control of the machine for later use. The value of the machine is determined by the

12
00:00:56,980 --> 00:01:02,500
sensitivity of the data stored on it and the machine's usefulness in further compromising the network.

13
00:01:03,890 --> 00:01:09,440
As you can imagine, by the definition of the post-exploitation phase, the phases of a penetration

14
00:01:09,440 --> 00:01:10,640
test are iterative.

15
00:01:11,330 --> 00:01:17,600
You gather more in the post-exploitation phase and you use the gathered information to find more systems

16
00:01:17,600 --> 00:01:19,550
and to exploit other systems.

17
00:01:20,180 --> 00:01:26,930
When you exploit other systems, you gather more in those systems' exploitation phases and use that

18
00:01:26,930 --> 00:01:30,940
information to hack more systems, et cetera, et cetera.

19
00:01:32,930 --> 00:01:36,300
So we have now successfully compromised the target system.

20
00:01:36,800 --> 00:01:44,210
Now what? As I mentioned before, exploitation and post-exploitation phases are the phases that separate

21
00:01:44,210 --> 00:01:47,900
the penetration test from the ordinary vulnerability assessments.

22
00:01:48,840 --> 00:01:54,240
The actions you can take in the post-exploitation phase are limited to the contract you signed with the

23
00:01:54,240 --> 00:01:56,620
customer before the penetration test.

24
00:01:57,180 --> 00:02:00,600
So here are just a few examples of what you can do in this phase.

25
00:02:01,640 --> 00:02:08,000
As you may remember, I mentioned before that all the sessions we create between the victim and us via

26
00:02:08,000 --> 00:02:13,730
the Metasploit framework run in memory. That means the session dies when the victim's system is shut

27
00:02:13,730 --> 00:02:14,930
down or restarted.

28
00:02:15,560 --> 00:02:18,310
Well, you can exploit the same vulnerability again.

29
00:02:18,710 --> 00:02:24,500
But what if the vulnerabilities are patched, or what if the signature of your payload is defined in the

30
00:02:24,500 --> 00:02:26,000
security measures database?

31
00:02:27,080 --> 00:02:32,570
So what I want to say is we'd better have persistent access to the victim machine.

32
00:02:33,640 --> 00:02:39,460
Now, one of the very first things when we hack a system is collecting usernames and passwords or password

33
00:02:39,460 --> 00:02:40,650
hashes from the system.

34
00:02:41,650 --> 00:02:47,830
Crack the password to see how sufficient the institute's password policy is, and of course, you're

35
00:02:47,830 --> 00:02:53,290
able to use that password for other accounts you encounter throughout the test because of the human

36
00:02:53,290 --> 00:02:53,590
element.

37
00:02:55,070 --> 00:03:01,220
Collecting sensitive data from the computer and the network is another critical point of post-exploitation.

38
00:03:02,990 --> 00:03:05,690
Really, you won't believe what you've gathered.

39
00:03:06,890 --> 00:03:12,530
It's another common case to find some backups inside the computers, and these backups are, well,

40
00:03:12,530 --> 00:03:15,700
they're sometimes accessible without an authentication step.

41
00:03:16,280 --> 00:03:19,520
You think I'm kidding, but you learn and you will find.

42
00:03:20,670 --> 00:03:25,710
So at the end of the post-exploitation phase, you will probably have a lot of data and credentials

43
00:03:25,860 --> 00:03:28,230
that you are not authorized to have.

