After exploiting a vulnerability and getting inside a network on an engagement, we often want to show what trophies we can collect as a way of demonstrating impact to the client. To tackle these post-exploitation efforts, we regularly leverage various tools to improve our efficiency.
Similar to previous blog posts – like our selected pen testing tools round-ups (2019 and 2020 editions) and red teaming tools list – we’ve compiled some post-exploitation tools below that we’ve found helpful on our security engagements. Let us know which you find useful and which don’t make your cut.
Its Use: With the powerful post-exploitation toolset GhostPack, you can do all kinds of things; you can attack KeePass 2.X databases, copy locked files, tamper with Active Directory certificates, and more.
Why We Like It: GhostPack is sort of a “one-stop shop” for your hacking needs. Among the 13 tools it contains are the enormously useful Rubeus, Seatbelt, and SharpUp. Rubeus is a C# toolset that interacts directly with the Kerberos protocol in Active Directory environments, allowing you to directly communicate with Kerberos attributes like tickets and general authentication that you can then leverage to move around a network. Seatbelt is a C# project you can use for security-oriented host “safety checks,” and SharpUp is a C# tool that identifies local privilege escalation paths. These tools are used by countless red teamers and network pen testers. If you’re not using them already, there’s no time like the present to start!
Its Use: Mimikatz can help you extract passwords and other credentials from Windows environments. It is an extremely popular pen testing tool, having existed for over a decade. But Mimikatz is regularly maintained and updated, ensuring that it remains a cutting-edge asset
Why We Like It: Think of Mimikatz as a Swiss Army knife for network pen testing. It comes with several built-in tools and is useful for Kerberoasting, password dumping, you name it, Mimikatz can probably do it. And Mimikatz isn’t just for the offensive security professionals out there – defensive security teams can benefit from it, too (which also bodes well if you find yourself in a purple team scenario).
Creator: The Metasploit Project (@metasploit), which is operated by Rapid7 as a collaboration with the open source community
Its Use: Metasploit is arguably the world’s leading penetration testing framework, created by H.D. Moore in 2003. Metasploit includes modules for just about every phase of a pen test, which helps with its popularity. It includes ~250 post-exploitation modules that can be used for capturing keystrokes, gathering information on your network, displaying operating system environment variables, and so on.
Why We Like It: Metasploit’s post-exploitation modules are vast, but one module sticks out above them all – the Meterpreter payload. Meterpreter allows you to explore the targeted system, and execute code, and since it works via in-memory DLL injection, you don’t risk leaving behind any evidence of your actions. Metasploit’s post-exploitation capabilities are also extremely versatile, with modules for Windows, Linux, and OS X.
Its Use: This post-exploitation tool is intended to help you bypass endpoint detection and application blocklisting.
Why We Like It: You can use PowerHub to transfer files without alerting any security protections in your testing environment, which will make your next pen test smoother and easier. Stay a step ahead of Windows Defender with this tool.
Its Use: LOLBAS is a dictionary for finding possible privilege escalation paths using binaries on Windows machines. LLOLBAS is the ingestor that works in conjunction with LOLBAS. The ingestor finds all the binaries on the LOLBAS list that are on the Windows machine so you’re not guessing or sorting through the list trying to find them (which can be tedious).
Why We Like It: The LOLBAS Project helps you to search for possible privilege escalation paths on your machine whereas LLOLBAS allows you to tailor those paths to the specific machine. With these two tools combined, you are (almost) unstoppable on an engagement. And as an added benefit, it’s convenient to have offline tools available if a situation arises that demands them.
Its Use: PHPSploit acts as a full-featured C2 framework, silently persisting on web servers via a single-line PHP backdoor.
Why We Like It: PHPSploit is a terrific asset to have on hand for your next offsec engagement – it’s efficient, it’s user-friendly, and it works quietly. As its GitHub description states, PHPSploit is designed “by paranoids, for paranoids.”
Its Use: You can use swap_digger for automating Linux swap analysis during post-exploitation or forensics.
Why We Like It: All kinds of good stuff can be found in Linux swap spaces – everything from passwords and email addresses to GPG private keys. Swap_digger can help you comb through these swap spaces and find high-impact trophies that will make your assessment more successful.
Creator: RedCode Labs
Its Use: Bashark is a post-exploitation toolkit that – as the name implies – is written in the programming language Bash. It’s a simple script that can yield big results.
Why We Like It: Bashark works quickly and stealthily, allows you to add new commands by creating Bash functions, and cleans up any traces that might be left behind after using the script in your target environment – so it’s like you were never there (insert creepy music).
Its Use: Use the BeRoot Project to find common misconfigurations that can be leveraged for privilege escalation in Windows, Linux, and OS X environments.
Why We Like It: Identifying common misconfigurations is one of the most surefire ways to get a foothold into the network, so the faster you can find these misconfigurations the better. And the BeRoot Project helps immensely on that front.
Hopefully, you’re walking away from this write-up with some additional post-exploitation tools to put to use during a future penetration testing engagement. On our Twitter as well as our subreddit and Discord server, we constantly share post-exploitation and other pen testing tools, so join us on those platforms to keep adding to your hacking toolset.
Now, we’d like to know: What are your thoughts? Did we miss your favorite post-exploitation tool? Tell us on one of our social channels – or drop a comment below!