Back to CompTIA PenTest+ (PenTest+)

Post-Exploitation and Lateral Movement

Maintain persistence, perform lateral movement, and document findings to support remediation efforts (14% of exam).

Covers post-exploitation activities including establishing persistence mechanisms, performing lateral movement across networks, and properly cleaning up artifacts after testing. Emphasizes documentation including creating attack narratives that clearly describe the attack path and providing actionable remediation recommendations for identified vulnerabilities.
5 minutes 5 Questions

In the context of CompTIA PenTest+, Post-Exploitation and Lateral Movement are critical phases that occur immediately after initial system compromise. While Post-Exploitation focuses on the local machine, Lateral Movement focuses on the network. Post-Exploitation aims to stabilize the foothold and…

Concepts covered: Maintaining access and persistence, Persistence mechanisms, Registry persistence, Scheduled task persistence, Service creation for persistence, Startup folder persistence, Web shell deployment, Backdoor installation, Lateral movement techniques, PsExec and remote execution, WMI for lateral movement, PowerShell remoting, SSH pivoting, RDP hijacking, Pass-the-credential attacks, Internal network pivoting, Tunneling and port forwarding, Proxychains usage, Chisel and tunneling tools, Data exfiltration techniques, Covert channels, DNS exfiltration, HTTPS exfiltration, Artifact cleanup procedures, Log manipulation and clearing, Covering tracks, Tool removal and cleanup, Attack narrative creation, Timeline documentation, Screenshot and evidence capture, Remediation recommendation writing, Post-engagement debriefing, Lessons learned documentation

Test mode:
Start practice test
PenTest+ - Post-Exploitation and Lateral Movement Example Questions

Test your knowledge of Post-Exploitation and Lateral Movement

Question 1

What is the primary purpose of the Linux cron daemon when utilized as a persistence mechanism during a penetration test?

Correct Answer: Executing scheduled commands or scripts at specified time intervals to maintain access

The primary purpose of the Linux cron daemon as a persistence mechanism is to execute scheduled commands or scripts at specified time intervals to maintain access.

Cron is a time-based job scheduler in Linux that allows attackers to schedule malicious scripts or commands to run at regular intervals (hourly, daily, weekly, etc.). This makes it an ideal persistence mechanism because:

  1. It operates automatically without user interaction
  2. It runs continuously in the background as a system service
  3. It can execute commands at predictable intervals to re-establish connections or maintain backdoors
  4. It survives system reboots and continues operating

During a penetration test, testers might add entries to crontab files to simulate an attacker maintaining persistent access through scheduled reverse shells, beacon callbacks, or other automated tasks that reconnect to the tester's command and control infrastructure.

The other options are incorrect because:

System boot initialization describes init scripts or systemd services, not cron's primary function. While cron does start at boot, its purpose is ongoing scheduled execution, not one-time boot tasks.

Sudo elevation is unrelated to cron's scheduling function. Cron runs commands with the privileges of the user whose crontab contains the entry, but it doesn't inherently involve sudo or privilege escalation mechanisms.

System backup operations, while a legitimate use of cron, are not its primary purpose as a persistence mechanism in penetration testing contexts. This describes administrative use rather than adversarial persistence techniques.

Question 2

Which PowerShell cmdlet is used to establish an interactive one-to-one remote session with a target system through WinRM?

Correct Answer: Enter-PSSession

The correct answer is Enter-PSSession.

Enter-PSSession is the PowerShell cmdlet specifically designed to establish an interactive one-to-one remote session with a target system through Windows Remote Management (WinRM). When you use this cmdlet, it creates an interactive session where your PowerShell prompt changes to reflect the remote computer name, and all subsequent commands you type are executed on the remote system. This is the equivalent of an interactive SSH session in the Windows environment.

Why the other options are incorrect:

Connect-PSSession is used to reconnect to previously created sessions that were disconnected, not to establish a new interactive session. It's useful for resuming work on a session that was temporarily disconnected.

New-PSSession creates a persistent PowerShell session (PSSession) on a remote computer, but it does not make it interactive. Instead, it returns a session object that you can use with other cmdlets like Invoke-Command to run commands. The session remains in the background and doesn't provide an interactive prompt.

Invoke-PSSession is not a valid PowerShell cmdlet. The correct cmdlet for running commands in a session is Invoke-Command, which executes commands on local or remote computers but doesn't provide an interactive shell experience.

Question 3

Which tool's native functionality would be MOST suitable for exfiltrating data through ICMP echo request packets when you need to extract 75MB of configuration files from a hardened Linux server that has all TCP/UDP ports blocked except for essential services, but ICMP is permitted for network diagnostics?

Correct Answer: ptunnel can establish a tunnel over ICMP echo request and reply packets, allowing arbitrary data transmission through this protocol while appearing as standard network diagnostic traffic

For exfiltrating 75MB of configuration files through ICMP when TCP/UDP ports are blocked, the tool that creates a proper tunnel over ICMP echo request and reply packets is the most suitable solution.

This tool specifically establishes a bidirectional tunnel that encapsulates data within ICMP packets, making it appear as legitimate network diagnostic traffic. It handles the complexity of reliably transmitting large amounts of data by managing packet sequencing, error handling, and data integrity across the ICMP protocol. This is essential when dealing with 75MB of data that needs to be systematically extracted.

The key advantage is that it was purpose-built for creating tunnels over ICMP, providing a reliable transport layer on top of what is normally just a diagnostic protocol. This makes it ideal for sustained data exfiltration operations through restrictive network environments.

Why the other options are less suitable:

The option mentioning ncat with an ICMP flag is incorrect because ncat (netcat) does not have native ICMP functionality. Ncat operates over TCP and UDP protocols and does not support creating ICMP-based connections. This is a fictional capability.

While hping3 is a legitimate tool that can craft custom ICMP packets with payloads, it is primarily a packet crafting and testing tool rather than a data exfiltration solution. It would require significant manual scripting to handle 75MB of data transmission, manage packet sequencing, handle reliability, and reassemble data on the receiving end. It's not designed as a file transfer mechanism.

The tool mentioned in the fourth option does provide ICMP-based communication, but it was primarily designed for establishing remote shell access rather than efficient file transfer. While it can technically move data, it's optimized for interactive command execution rather than bulk data exfiltration. For a 75MB transfer, a tool specifically designed for tunneling would be more efficient and reliable.

More Post-Exploitation and Lateral Movement questions
987 questions (total)
Start 100 question test