Chapter 24 Quiz: Post-Exploitation and Pivoting
Test your understanding of post-exploitation concepts, persistence mechanisms, pivoting techniques, lateral movement, and cleanup procedures.
Question 1: What is the primary difference between pivoting and lateral movement?
A) Pivoting is offensive; lateral movement is defensive
B) Pivoting establishes network connectivity through a compromised host; lateral movement involves authenticating to and controlling additional hosts
C) Pivoting requires credentials; lateral movement does not
D) There is no meaningful difference; the terms are interchangeable
Correct Answer: B
Explanation: Pivoting creates a network path through a compromised host to reach otherwise inaccessible network segments (using tools like SSH tunnels, Chisel, or Ligolo-ng). Lateral movement involves actually authenticating to and gaining control of additional systems (using techniques like Pass-the-Hash, PsExec, or WinRM). Pivoting enables the network path; lateral movement uses that path to compromise new hosts.
Question 2: Which SSH command creates a SOCKS5 proxy on local port 1080 through a pivot host?
A) ssh -L 1080:pivot-host:1080 user@pivot-host
B) ssh -R 1080 user@pivot-host
C) ssh -D 1080 user@pivot-host
D) ssh -S 1080 user@pivot-host
Correct Answer: C
Explanation: The -D flag creates a dynamic port forward, which acts as a SOCKS proxy. Traffic sent to local port 1080 is forwarded through the SSH connection to the pivot host, which then forwards it to the final destination. -L creates a local port forward to a specific host/port, -R creates a remote port forward, and -S is not a standard SSH option for this purpose.
Question 3: What advantage does Ligolo-ng offer over SOCKS-based pivoting tools?
A) It is easier to install
B) It supports only TCP traffic, making it lighter
C) It creates a TUN interface allowing all protocols (TCP, UDP, ICMP) without proxychains
D) It requires no agent on the compromised host
Correct Answer: C
Explanation: Ligolo-ng creates a virtual TUN network interface on the attacker's machine, allowing tools to interact with the target network as if directly connected. This supports all protocols (TCP, UDP, ICMP), unlike SOCKS proxies which are limited to TCP. Tools work natively without requiring proxychains configuration.
Question 4: In a Pass-the-Hash attack, what does the attacker use instead of a plaintext password?
A) A Kerberos ticket
B) The NTLM hash of the password
C) A digital certificate
D) A session token
Correct Answer: B
Explanation: Pass-the-Hash exploits the fact that Windows NTLM authentication accepts the NTLM hash directly for authentication, without requiring the plaintext password. If an attacker obtains NTLM hashes from memory (Mimikatz), the SAM database, or network capture, they can authenticate to other systems without knowing the actual password.
Question 5: Which of the following is NOT a common Linux persistence technique?
A) Adding an SSH key to authorized_keys
B) Creating a malicious cron job
C) Adding a Registry Run key
D) Creating a custom systemd service
Correct Answer: C
Explanation: Registry Run keys are a Windows-specific persistence mechanism. Linux persistence techniques include SSH key injection, cron jobs, systemd services, LD_PRELOAD hijacking, bashrc/profile modifications, and others.
Question 6: What is the purpose of Kerberoasting?
A) Brute-forcing Kerberos authentication
B) Requesting service tickets for accounts with SPNs and cracking them offline
C) Creating forged Kerberos tickets
D) Intercepting Kerberos traffic on the network
Correct Answer: B
Explanation: Kerberoasting targets Active Directory service accounts that have Service Principal Names (SPNs). Any authenticated domain user can request service tickets for these accounts. The tickets are encrypted with the service account's password hash, allowing offline cracking attempts without triggering account lockout.
Question 7: During a penetration test, you discover a database containing sensitive patient records. What is the appropriate action?
A) Download the database for inclusion in the report
B) Browse the records to assess data sensitivity
C) Document access evidence (table names, record counts, column headers) without viewing actual data content
D) Delete the database to demonstrate the risk
Correct Answer: C
Explanation: Professional ethical hackers never access, copy, or browse real sensitive data (PII, PHI, financial records). The goal is to demonstrate that access is possible, not to handle actual sensitive data. Documenting table structures, record counts, and column headers without viewing actual content provides sufficient evidence while maintaining ethical and legal boundaries.
Question 8: What is a Golden Ticket attack?
A) Compromising the Domain Controller's operating system
B) Forging a Kerberos TGT using the KRBTGT account's hash, enabling impersonation of any user
C) Using a stolen administrator password to access the domain
D) Creating a new domain administrator account
Correct Answer: B
Explanation: A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the KRBTGT account's password hash. This allows the attacker to impersonate any user in the domain, including domain administrators, and the ticket remains valid until the KRBTGT password is changed twice (to invalidate both the current and previous keys).
Question 9: Which data exfiltration channel is most likely to bypass network security controls?
A) FTP to an external server
B) SMTP with large attachments
C) DNS tunneling
D) Unencrypted HTTP to a suspicious domain
Correct Answer: C
Explanation: DNS tunneling is often the most reliable exfiltration channel because DNS traffic is rarely blocked entirely (organizations need DNS to function) and many security solutions do not deeply inspect DNS query content. Tools like dnscat2 and iodine encode data in DNS subdomain queries and responses, enabling exfiltration and even interactive shell access through DNS.
Question 10: What is the purpose of the proxychains tool in the context of pivoting?
A) To create encrypted tunnels
B) To route tool traffic through SOCKS or HTTP proxies
C) To scan for open proxy servers
D) To chain multiple VPN connections
Correct Answer: B
Explanation: Proxychains intercepts network connections from command-line tools and routes them through one or more SOCKS or HTTP proxies. In the context of pivoting, it allows tools like nmap, curl, and ssh to send their traffic through a SOCKS proxy created by an SSH tunnel or Chisel, enabling access to internal networks through a pivot host.
Question 11: Which Windows command creates a port forward using only built-in tools?
A) route add
B) netsh interface portproxy add v4tov4
C) iptables -t nat -A PREROUTING
D) ssh -L
Correct Answer: B
Explanation: The netsh interface portproxy command is a built-in Windows utility that creates port forwarding rules without requiring any additional software. iptables is a Linux tool, ssh requires an SSH client, and route add manages routing tables rather than port forwarding.
Question 12: What distinguishes C2 (Command and Control) frameworks from individual post-exploitation tools?
A) C2 frameworks are always more stealthy
B) C2 frameworks provide centralized management of multiple compromised hosts with structured communication
C) C2 frameworks only work on Windows
D) C2 frameworks do not require agents on compromised systems
Correct Answer: B
Explanation: C2 frameworks like Cobalt Strike, Sliver, and Mythic provide a centralized interface for managing multiple compromised hosts (implants/beacons), structured communication channels (HTTP, DNS, SMB), and organized post-exploitation modules. Individual tools (like standalone reverse shells or manual scripts) handle specific tasks but lack the centralized management that C2 frameworks provide.
Question 13: During cleanup after a penetration test, which of the following should you NOT do?
A) Remove all uploaded tools and binaries
B) Delete security logs that contain evidence of your testing activities
C) Remove all persistence mechanisms
D) Document all changes made to the environment
Correct Answer: B
Explanation: Penetration testers should never delete security logs. Deleting logs would itself be suspicious, might violate the engagement agreement, and deprives the client of valuable information about their detection capabilities. Instead, testers should document which log entries relate to testing activities so the client can distinguish test activity from potential real threats.
Question 14: What is Overpass-the-Hash?
A) Cracking an NTLM hash to recover the plaintext password
B) Converting an NTLM hash into a Kerberos ticket for authentication
C) Using multiple hashes simultaneously to authenticate
D) Bypassing NTLM authentication entirely
Correct Answer: B
Explanation: Overpass-the-Hash (also called Pass-the-Key) converts an NTLM hash into a Kerberos ticket. This combines the accessibility of Pass-the-Hash (only needing the hash, not the plaintext password) with Kerberos authentication, which may be required or preferred in environments that restrict NTLM.
Question 15: In cloud environments, which lateral movement technique exploits instance metadata to obtain credentials?
A) SAML token forging
B) IAM role assumption
C) Metadata service exploitation (IMDS)
D) Cross-account trust abuse
Correct Answer: C
Explanation: Cloud instances often have access to an Instance Metadata Service (IMDS) that provides temporary security credentials associated with the instance's IAM role. An attacker who compromises a cloud instance can query the metadata service (typically at 169.254.169.254) to obtain these credentials and use them to access other cloud resources.
Question 16: Which of the following describes the ADCS ESC1 attack?
A) Exploiting a misconfigured certificate template that allows the requester to specify an arbitrary Subject Alternative Name (SAN)
B) Cracking the CA's private key
C) Forging certificates without CA involvement
D) Exploiting a vulnerability in the Certificate Authority software
Correct Answer: A
Explanation: ESC1 (Escalation 1) in the ADCS attack framework involves misconfigured certificate templates that allow the requester to specify a Subject Alternative Name (SAN). An attacker can request a certificate with a SAN set to a domain administrator's UPN, then use that certificate to authenticate as the administrator. This is a configuration vulnerability, not a software vulnerability.
Question 17: What is the recommended approach when a penetration test engagement spans multiple days and requires maintaining access to a compromised system?
A) Re-exploit the vulnerability each day
B) Install persistence with unique authentication, document everything, and remove all persistence during cleanup
C) Share the credentials with the client so they can provide access each day
D) Leave the vulnerability unpatched to ensure consistent access
Correct Answer: B
Explanation: Professional testers install persistence mechanisms when authorized and practical, using unique authentication to prevent unauthorized access by third parties. Every persistence mechanism must be documented in real-time and removed during the cleanup phase. This approach is more efficient than daily re-exploitation and more secure than leaving vulnerabilities exposed.