Hello and welcome to another penetration testing execution Standard discussion. Today we're going to be looking at the purpose of the post exploitation section and phase of penetration testing.
Please keep in mind that pee test videos do cover tools and techniques that could be used for system hacking. Any tools discussed or demonstrated daring. Our videos should be researched and understood by the user. Police researcher laws and regulations in your given area regarding the use of such tools or techniques to ensure that you don't violate any laws.
Now the objectives for this particular discussion are somewhat short. We're going to discuss the purpose of the post exploitation phase and what we're doing,
and then we'll discuss what is not in post exploitation.
So the purpose of Pitt post exploitation is to determine the value of machines compromised and two main king control of the machines for later use. The value of a machine is determined by the sensitivity of the data stored on it and the machines usefulness and further compromise of the network.
The methods described in this phase are meant to help the test or identify and documents sensitive data
configuration settings, communication channels and relationships with other network devices that can be used to further infiltrate the network. Set up one or more methods of access the machine at a later time.
In cases where these methods differ from the agreed upon rules of engagement, the rules of engagement are what should be followed in lieu of
any conversations that you have with the client. So those were going to be numero uno. Even if they say you could do something, make sure that the rules of engagement or updated
now what should not be done in this particular phase, and we'll talk about this and protecting yourself and the client as well do not destroy data that would be a horrible thing to do to destroy data that is not backed up. Do not take systems off line unless the rules of engagement state otherwise,
do not remove E p. A child from the environment. This is particular to HIPPA in the U. S. And other areas as well.
Do not view or remove personal or protected information from the environment. Do not view or remove credit card or account number information from the environment. Establish a manner upfront in which the client will accept that you have access the data sets, such as a snippet of the directory review of permissions. And for some reason,
they want you to access that information and provide them with proof downs in the account numbers.
Then you need to make sure they're aware of the risks that that Carrie and it could be considered a violation in an exposure of that information against the law. So please take the time to check that out and ensure that you're covered.
So let's do a quick check on learning to row falls. The scope of work would determine what data you could remove from the environment, if any.
All right, if you need additional town, please pause the video and take a moment. So remember that the scope of work tells us what is in the scope within the scope, what we contest against, what environments we contest against. But it doesn't tell you particularly what the test
would be met with, like how you would go about doing the test. The rules of engagement
would really determine what data could be removed from the environment, if any. So this is a false statement.
we discussed the purpose of post exploitation, that being to see what systems we can get into, how sensitive data is and whether or not we can move further into the network. And we discussed what should not be done in post exploitation, such as the destruction of data, damaging of systems and things, that nature which we will get into a little bit deeper
in another discussion.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.