11 Post-engagement cleanup


This chapter covers

  • Killing active shell connections
  • Removing unnecessary user accounts
  • Deleting miscellaneous files
  • Reversing configuration changes
  • Closing backdoors

You’ve completed the first three phases of your internal network penetration test (INPT)! Before moving on to writing your deliverable, I want to cover some post-engagement cleanup etiquette. You’ve spent the last week or two bombarding your client’s network with attacks and compromising countless systems on their domain. This was not a stealthy red team engagement, so you’ve no doubt left lots of traces in your wake: user accounts, backdoors, binary files, and changes to system configurations. Leaving the network in this state may or may not be in breach of your contract with your client (that’s probably a topic for another book). But it would definitely be considered unprofessional (maybe even a bit immature), and it would leave your client with a less-than-pleasant feeling about the pentest if they discovered the files you carelessly left behind while you were attacking their network.

11.1 Killing active shell connections

11.2 Deactivating local user accounts

11.2.1 Removing entries from /etc/passwd

11.3 Removing leftover files from the filesystem

11.3.1 Removing Windows registry hive copies

11.3.2 Removing SSH key pairs

11.3.3 Removing ntds.dit copies

11.4 Reversing configuration changes

11.4.1 Disabling MSSQL stored procedures

11.4.2 Disabling anonymous file shares

11.4.3 Removing crontab entries
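Sections 11.2.1 and 11.4.3 describe the same kind of cleanup: find the exact line you added (an account in /etc/passwd, a persistence entry in a crontab), remove only that line, and then confirm nothing referencing the account is still on the host. The script below is an added example written for this chapter, not code from the book; the account name pentest, the callback path /tmp/.cache/meterp and the passwd and crontab contents it writes are constructed for the demo, and every path is passed in as an argument so the functions run against copies rather than the live files. Two checks a practitioner wants are built in: the passwd edit matches on the username field, so a legitimate account such as pentest2 is not deleted by a substring match, and a final pass reports any remaining whole-word references to the account. On a real host prefer userdel -r where it is available, since editing /etc/passwd by hand leaves the /etc/shadow and /etc/group entries and the home directory behind; the leftover check exists precisely to catch that.

```shell
#!/bin/sh
# Added example, not code from the book: remove an account we created during
# the engagement from a passwd-format file and a persistence entry from a
# crontab-format file, then verify nothing referencing the account remains.
# Every file path is an argument so the functions can be run against copies;
# the account "pentest" and the path /tmp/.cache/meterp are constructed.

# remove_passwd_entry USER FILE
# Deletes only the line whose first (username) field equals USER, so an
# account such as "pentest2" is left alone. Writes through a temp file and
# copies back with cat so the original's owner and mode are preserved.
remove_passwd_entry() {
    user=$1
    file=$2
    tmp=$(mktemp) || return 1
    awk -F: -v u="$user" '$1 != u' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# remove_crontab_entry PATTERN FILE
# Deletes every line containing the literal string PATTERN (typically the
# path of the callback binary we scheduled). awk's index() is a plain
# substring test, so nothing in PATTERN is interpreted as a regex.
remove_crontab_entry() {
    pattern=$1
    file=$2
    tmp=$(mktemp) || return 1
    awk -v p="$pattern" 'index($0, p) == 0' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# leftover_refs USER FILE...
# Prints every line that still mentions USER as a whole word; returns 1 if
# any were found, 0 if the files are clean. After the edits above, run it
# over /etc/passwd, /etc/shadow, /etc/group and the system and per-user
# crontabs: removing the passwd line alone leaves the rest behind.
leftover_refs() {
    user=$1
    shift
    found=0
    for f in "$@"; do
        if grep -n -E "(^|[^[:alnum:]_])$user([^[:alnum:]_]|\$)" "$f"; then
            found=1
        fi
    done
    return $found
}

# make_samples DIR
# Writes constructed copies of a passwd file and a crontab into DIR so the
# functions can be demonstrated without touching the real ones.
make_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pentest:x:1001:1001:engagement account:/home/pentest:/bin/bash
pentest2:x:1002:1002:legitimate admin:/home/pentest2:/bin/bash
svc_backup:x:1003:1003::/var/backups:/usr/sbin/nologin
EOF
    cat > "$dir/crontab" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.cache/meterp >/dev/null 2>&1
EOF
}

# line_count FILE -> number of lines, without wc's platform-dependent padding
line_count() {
    awk 'END { print NR }' "$1"
}

# Stand-alone demo against the constructed copies.
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    remove_passwd_entry pentest "$d/passwd"
    remove_crontab_entry /tmp/.cache/meterp "$d/crontab"
    if leftover_refs pentest "$d/passwd" "$d/crontab"; then
        echo "clean: no references to pentest remain"
    else
        echo "NOT clean: see the lines above" >&2
    fi
    rm -rf "$d"
}
demo
```

The same pattern carries over to the other cleanup items in this chapter: identify the artifact by an exact attribute you control (a username, a path you planted, a file hash), remove it through a reversible edit, and then search for anything that still references it rather than assuming the first edit was sufficient.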

11.5 Closing backdoors

11.5.1 Undeploying WAR files from Apache Tomcat

11.5.2 Closing the Sticky Keys backdoor

11.5.3 Uninstalling persistent Meterpreter callbacks