Recall & Review
beginner
What is post-exploitation in cybersecurity?
Post-exploitation refers to the actions an attacker takes after gaining access to a system. It involves exploring the system, gathering information, maintaining access, and preparing for further attacks.
beginner
Define pivoting in the context of a cyber attack.
Pivoting is when an attacker uses a compromised system as a stepping stone to access other systems within the same network that were not directly accessible before.
intermediate
Why is maintaining access important during post-exploitation?
Maintaining access allows attackers to return to the compromised system later without repeating the initial breach, enabling long-term control and data extraction.
intermediate
Name two common techniques used for pivoting.
Two common pivoting techniques are: 1) VPN pivoting, where attackers route traffic through the compromised machine, and 2) SSH tunneling, which creates encrypted tunnels to access other systems.
intermediate
How does post-exploitation help in lateral movement within a network?
Post-exploitation provides attackers with information and tools to move laterally, meaning they can explore and compromise other machines on the network by exploiting trust relationships and credentials.
What is the main goal of post-exploitation?
A. To explore and control the compromised system
B. To scan for vulnerabilities
C. To install antivirus software
D. To disconnect the network
Post-exploitation focuses on exploring and controlling the system after initial access.
Pivoting allows attackers to:
A. Encrypt data on the compromised system
B. Access other systems through a compromised host
C. Prevent network traffic
D. Install firewalls
Pivoting uses a compromised system to reach other systems not directly accessible.
Which of the following is NOT a post-exploitation activity?
A. Initial vulnerability scanning
B. Maintaining access
C. Gathering system information
D. Credential harvesting
Initial vulnerability scanning happens before exploitation, not after.
SSH tunneling is used in pivoting to:
A. Delete system logs
B. Scan for open ports
C. Install malware
D. Create encrypted connections to other systems
SSH tunneling creates secure encrypted tunnels to access other machines.
Maintaining access during post-exploitation helps attackers to:
A. Disconnect the network
B. Immediately delete all files
C. Return to the system without re-exploiting
D. Notify system administrators
Maintaining access allows attackers to come back later without repeating the attack.
Explain what post-exploitation is and why it is important in a cyber attack.
Think about what an attacker does after breaking into a system.
Describe pivoting and how attackers use it to move within a network.
Consider how attackers reach systems they can't access directly.
Practice
1. What is the main purpose of post-exploitation in cybersecurity?
easy
A. To prevent unauthorized access to a network
B. To install antivirus software
C. To perform actions after gaining access to a system
D. To encrypt data before sending
Solution
Step 1: Understand post-exploitation context
Post-exploitation refers to activities done after an attacker has gained access to a system.
Step 2: Identify main goal
The main goal is to explore, gather information, and maintain control over the compromised system.
Final Answer:
To perform actions after gaining access to a system -> Option C
Quick Check:
Post-exploitation = actions after access [OK]
Hint: Post-exploitation happens after breaking in [OK]
Common Mistakes:
Confusing post-exploitation with prevention
Thinking it means installing security tools
Mixing it with data encryption
2. Which of the following commands is commonly used to create a pivot in a compromised network?
easy
A. ssh -L 8080:target:80 user@compromised
B. netstat -an
C. ping 192.168.1.1
D. tracert google.com
Solution
Step 1: Identify pivoting command
Pivoting often uses SSH tunneling to forward ports from a compromised system to reach other targets.
Step 2: Analyze options
ssh -L 8080:target:80 user@compromised uses SSH local port forwarding, which is a common pivot technique.
Final Answer:
ssh -L 8080:target:80 user@compromised -> Option A
Quick Check:
SSH tunneling = pivoting method [OK]
Hint: Pivoting uses SSH tunnels like ssh -L [OK]
Common Mistakes:
Choosing ping or tracert, which are just network connectivity tests
Confusing netstat with pivoting
Not recognizing SSH port forwarding syntax
3. After compromising a machine inside a network, which command sequence best demonstrates pivoting to access another internal host on port 3389?
medium
A. ssh -D 3389 user@compromised
B. ssh -L 3389:192.168.10.5:3389 user@compromised
C. ssh -R 3389:192.168.10.5:3389 user@compromised
D. ssh user@192.168.10.5 -p 3389
Solution
Step 1: Understand SSH port forwarding types
Local forwarding (-L) forwards a local port to a remote host:port, enabling pivoting.
Step 2: Match command to pivoting goal
ssh -L 3389:192.168.10.5:3389 user@compromised forwards local port 3389 to port 3389 on the internal host 192.168.10.5 via the compromised machine, enabling access.
Final Answer:
ssh -L 3389:192.168.10.5:3389 user@compromised -> Option B
Quick Check:
Local port forwarding = pivoting access [OK]
Hint: Use ssh -L for local port forwarding pivot [OK]
Common Mistakes:
Confusing -L (local) with -R (remote) forwarding
Using -D, which sets up a dynamic SOCKS proxy rather than a direct port forward
Trying direct ssh to internal host without pivot
4. You tried to pivot using ssh -R 9000:10.0.0.5:80 user@compromised but cannot access the service on port 9000 locally. What is the most likely issue?
medium
A. You need to use -L instead of -R for local access
B. The target IP 10.0.0.5 is unreachable from compromised machine
C. Port 9000 is blocked by firewall on compromised machine
D. The remote port forwarding (-R) does not expose ports on the local machine
Solution
Step 1: Understand difference between -L and -R
-L forwards a local port to a host reachable from the SSH server; -R forwards a port on the SSH server back to a host reachable from the local client.
Step 2: Identify access goal
If you want to access the service locally on port 9000, you need local forwarding (-L), not remote (-R).
Final Answer:
You need to use -L instead of -R for local access -> Option A
Quick Check:
Local access requires -L, not -R [OK]
Hint: Use -L for local, -R for remote port forwarding [OK]
Common Mistakes:
Mixing up -L and -R options
Assuming remote forwarding exposes local ports
Ignoring firewall or network reachability
5. During a penetration test, you have compromised a Linux server inside a network. You want to access a Windows machine on the internal network that only allows RDP on port 3389. Which sequence of actions best achieves pivoting to the Windows machine?
hard
A. Install antivirus on Linux server to monitor Windows traffic
B. Run a port scan from your machine directly on Windows IP to find open ports
C. Use remote desktop client to connect directly to Windows IP from your machine
D. Set up SSH local port forwarding from your machine to Windows RDP port via compromised Linux server
Solution
Step 1: Recognize network restrictions
Direct access to the Windows machine is blocked; it is only reachable via the compromised Linux server inside the network.
Step 2: Use SSH local port forwarding
Set up an SSH tunnel from your local machine that forwards a local port to the Windows machine's RDP port through the Linux server.
Step 3: Connect via forwarded port
Use an RDP client to connect to the local forwarded port, effectively pivoting through the Linux server.
Final Answer:
Set up SSH local port forwarding from your machine to Windows RDP port via compromised Linux server -> Option D
Quick Check:
Pivoting = SSH tunnel + local port forwarding [OK]
Hint: Pivot by tunneling RDP through compromised Linux server [OK]
Common Mistakes:
Trying direct connection ignoring network restrictions