Part 5: Post-Exploitation and Advanced Techniques

"Getting a shell is not the end of the engagement. It is the beginning of the interesting part."
You have a foothold. Maybe it is a Meterpreter session on a clinical workstation at MedSecure. Maybe it is a web shell on ShopStack's staging server that you uploaded through a file upload vulnerability. Maybe it is SSH access to a Linux box with a low-privilege account. Whatever the vector, you are in.

Now what?

This is the question that separates junior testers from senior ones, and it is the question that Part 5 answers comprehensively. Because getting initial access -- as hard as it sometimes is -- is only the first step in demonstrating real impact. Your client does not care that you got a shell on one workstation. They care whether an attacker could reach the patient records database, exfiltrate credit card data, compromise the domain, or hold the entire organization hostage with ransomware. Proving that potential requires everything this part teaches: persistence, pivoting, lateral movement, data exfiltration, wireless attacks, social engineering execution, evasion techniques, and the cryptographic knowledge to understand (and break) the protocols that are supposed to protect everything.

Part 5 is also where we venture into territory that demands the highest level of ethical awareness. The techniques in these chapters -- maintaining persistent access, evading security controls, manipulating people through social engineering -- are powerful and potentially harmful. Every technique we teach here is presented in the context of authorized testing with proper scope, rules of engagement, and client communication. We will remind you of this throughout, not because we doubt your intentions, but because the power of these techniques demands constant mindfulness.

What You Will Learn

Five chapters cover the advanced techniques that extend your initial access into full operational capability.

Chapter 24: Post-Exploitation and Pivoting is the operational core of this part. Once you have a foothold, you need to establish persistence (surviving reboots and password changes), exfiltrate data (proving impact to the client), pivot into otherwise unreachable network segments, and move laterally to additional targets. You will learn persistence mechanisms on both Linux and Windows, data exfiltration techniques ranging from simple file transfers to covert channels, and pivoting tools like SSH tunnels, Chisel, and Ligolo that let you route your attacks through compromised hosts to reach internal networks. We also cover the ethical obligation of cleaning up after yourself -- removing your persistence mechanisms, your tools, and your artifacts when the engagement concludes. In our MedSecure scenario, we demonstrate pivoting from a compromised DMZ web server through to the internal clinical network, reaching systems that were never intended to be internet-accessible.

Chapter 25: Wireless Network Attacks adds an entirely new attack vector. Wireless networks are everywhere in enterprise environments, and they are frequently the weakest link. We cover the evolution of wireless security protocols from WEP through WPA3, wireless reconnaissance in monitor mode, WPA/WPA2 cracking through four-way handshake capture and PMKID attacks, evil twin and rogue access point attacks, the newer Dragonblood attacks against WPA3's SAE handshake, and Bluetooth and BLE exploitation. MedSecure's guest wireless network, which shares a VLAN with certain medical devices, becomes a realistic and concerning attack path. We also cover wireless intrusion detection so you understand the defensive perspective.

Chapter 26: Social Engineering Attacks moves from the reconnaissance we covered in Chapter 9 to active exploitation of human psychology. You will learn to design and execute phishing campaigns, craft targeted spear phishing and whaling attacks, conduct vishing (voice phishing) and smishing (SMS phishing) campaigns, and execute physical social engineering including tailgating, USB drops, and badge cloning. We cover deepfakes and AI-powered social engineering as an emerging threat vector, and we introduce frameworks like the Social Engineering Toolkit and GoPhish for professional campaign management. The ethical guardrails here are critical -- social engineering testing can cause real psychological distress if handled poorly, and we discuss how to design campaigns that test security without causing harm to individuals.

Chapter 27: Evasion and Anti-Detection Techniques addresses the reality that modern environments are not undefended. Endpoint Detection and Response solutions, antivirus, intrusion detection systems, web application firewalls, and security operations centers all stand between you and your objectives. This chapter teaches you to understand and bypass those defenses. We cover AV and EDR evasion fundamentals, payload obfuscation and encoding, Living Off the Land techniques that abuse legitimate system binaries and scripts (LOLBins, as catalogued by the LOLBAS project), network evasion through fragmentation, tunneling, and encryption, and WAF bypass techniques. We also introduce Command and Control frameworks -- Cobalt Strike, Sliver, and Mythic -- that provide the infrastructure for sustained, stealthy operations. Understanding evasion makes you a better penetration tester and, critically, helps your clients understand the limitations of their defensive tools.

Chapter 28: Cryptography for Hackers provides the theoretical and practical knowledge to attack cryptographic implementations. We cover the primitives -- hashing, symmetric encryption, asymmetric encryption -- then dive into TLS/SSL, how it works, and the historical attacks that have broken older versions and weak configurations of it: POODLE, BEAST, DROWN, ROBOT, and others. Certificate attacks and PKI weaknesses, cryptographic implementation flaws (like padding oracle attacks and timing side channels), and practical encryption breaking round out the chapter. We close with modern cryptography and post-quantum considerations, because the field is shifting and testers need to understand where it is heading. When we demonstrate downgrading a TLS connection on MedSecure's patient portal to intercept credentials, the practical importance of cryptographic configuration becomes immediately clear.
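The padding oracle mentioned above is worth seeing end to end before Chapter 28, because it shows why an "implementation flaw" can be fatal even when the cipher itself is sound. The script below is an added example, not code from the book or from any MedSecure system: the block cipher is a constructed stand-in (a four-round Feistel network keyed with HMAC-SHA256) so it runs with the Python standard library alone, the VulnerableServer class and the sample plaintext are constructed for the demo, and the attack never looks inside the cipher. It needs only CBC chaining and a server that reveals whether PKCS#7 padding validated after decryption.

```python
"""CBC padding-oracle attack (added example; not code from the book).
The block cipher is a constructed stand-in (4-round Feistel keyed with
HMAC-SHA256), NOT a real cipher. The attack only needs CBC chaining plus
a server that leaks whether PKCS#7 padding was valid after decryption."""
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- stand-in block cipher: illustrative only, NOT secure ---
def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

# --- PKCS#7 padding and CBC mode (standard definitions) ---
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # this distinguishable error IS the oracle
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, p = b"", iv, pad(plaintext)
    for i in range(0, len(p), BLOCK):
        prev = encrypt_block(key, xor(p[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

class VulnerableServer:
    """Constructed target: holds the key, leaks one bit per query (padding ok?)."""
    def __init__(self):
        self.key = os.urandom(32)
        self.queries = 0

    def padding_ok(self, iv: bytes, ct: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self.key, iv, ct)
            return True
        except ValueError:
            return False

def attack(oracle: VulnerableServer, iv: bytes, ct: bytes) -> bytes:
    """Recover the plaintext using only oracle.padding_ok(); the key is never seen."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for b in range(1, len(blocks)):
        prev, target = blocks[b - 1], blocks[b]
        inter = bytearray(BLOCK)            # D_k(target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos            # padding value we force at this position
            for guess in range(256):
                forged = bytearray(BLOCK)   # attacker-controlled "previous block"
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padval   # known tail bytes decrypt to padval
                if not oracle.padding_ok(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:        # 0x01 is not the only valid last byte (0x02 0x02...)
                    forged[pos - 1] ^= 0xFF  # perturb the neighbour; only a true 0x01 survives
                    if not oracle.padding_ok(bytes(forged), target):
                        continue
                inter[pos] = guess ^ padval
                break
        recovered += xor(inter, prev)       # P_i = D_k(C_i) XOR C_(i-1)
    return unpad(recovered)

def demo(secret: bytes = b"patient_id=4471;role=admin"):
    """Encrypt a constructed secret, then recover it through the oracle alone."""
    server = VulnerableServer()
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(server.key, iv, secret)
    return attack(server, iv, ct), server.queries
```

Running `demo()` returns the recovered plaintext together with the number of oracle queries it took, which is on the order of 256 per byte rather than 2^128 per block. The fix is not a stronger cipher but removing the oracle: authenticate the ciphertext (AES-GCM, or encrypt-then-MAC) and reject forgeries before any padding is inspected, with a single indistinguishable error and constant-time handling.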

Key Themes

Impact over access. Initial access is necessary but not sufficient. Clients need to understand what an attacker could actually do with that access. Post-exploitation is where you demonstrate business impact -- data exfiltration, domain compromise, regulatory violations, operational disruption. Your report's executive summary is written from the findings in this part.

Stealth is a skill, not a trick. Evasion is not about being sneaky for its own sake. Understanding detection and evasion makes you a more effective tester (you reach objectives that a noisy tester would not), a more valuable consultant (you can assess the effectiveness of your client's detection capabilities), and a more realistic simulation of advanced threat actors.

The human element is the hardest to patch. Firewalls can be configured. Software can be patched. But human psychology -- the desire to be helpful, the tendency to comply with authority, the cognitive shortcuts we all take -- is a permanent vulnerability. Social engineering testing is uncomfortable precisely because it is so effective.

Defense informs offense. Throughout this part, we discuss defensive controls not just as obstacles to bypass, but as systems to understand. Knowing how EDR works makes you better at evading it. Knowing how TLS works makes you better at attacking it. This bidirectional understanding is what makes senior penetration testers so effective.

How This Part Connects

Parts 3 and 4 taught you to gain access -- to systems, to networks, to web applications. Part 5 teaches you what to do with that access to maximize impact and demonstrate real risk. The techniques here chain directly with everything you learned before: you exploit a web application vulnerability from Part 4 to get a foothold, then use Part 5 techniques to pivot, persist, escalate, and exfiltrate.

Part 6 takes your offensive skills into specialized domains -- cloud environments, mobile applications, IoT devices, containers, and AI systems. The post-exploitation and evasion skills from this part remain relevant in every one of those domains. Pivoting through a cloud environment, evading cloud-native detection, and maintaining persistence in containerized infrastructure all build on the concepts you learn here.

You have the keys. Let us see what doors they open.

Chapters in This Part