Lesson Notes
Module 6: Maintaining Access & Pivoting — Comprehensive Theory Guide
Ethical Hacking Phases. Encrypted C2 channels (e.g. SSH tunneling).
After gaining initial access to a host, attackers (and authorized penetration testers) often need to maintain that access and move laterally to other systems. This lesson covers the concepts in detail: command-and-control (C2) channels—especially encrypted C2 over HTTPS or SSH tunnels—and pivoting, using one compromised host as a relay to reach other hosts that are not directly accessible from the internet. You will understand why encryption in C2 makes traffic difficult for defenders to inspect (they see encrypted flows, not plaintext commands) and how defenders rely on behavioral and flow analysis, network segmentation, and assume-breach thinking. Always clean up and document for reporting; only perform these activities in an authorized lab or engagement.
Command-and-Control (C2) and Why It Is Encrypted
C2 is the channel between the compromised host (the implant or agent) and the operator (attacker or pentester). The operator sends commands; the implant sends back output, files, or periodic beaconing traffic. If C2 is carried over HTTPS or another encrypted protocol, network defenders cannot decrypt the content with passive monitoring; they see only that the host is making TLS connections to certain IPs or domains, along with metadata such as timing and volume. Real malware and advanced pentesters often use TLS-wrapped C2 (e.g. HTTPS callbacks, DNS over HTTPS) or tunnel traffic through SSH. SSH dynamic port forwarding (-D) creates a SOCKS proxy on your machine: you configure your tools to use that proxy, and all of their traffic is sent over the SSH connection to the compromised host, which then originates the requests. Local forwarding (-L) and remote forwarding (-R) tunnel specific ports: -L exposes a local port that the SSH server connects onward to a destination reachable from its side, while -R exposes a port on the SSH server that is forwarded back to a destination reachable from your side. From the network perspective, only SSH (or HTTPS) traffic is visible; the actual C2 or pivoted traffic is inside the encrypted tunnel.
Pivoting: Using a Compromised Host as a Stepping Stone
Pivoting means using a host you have compromised as a relay to reach other hosts that are not directly routable from your machine (e.g. internal servers behind a firewall). From the compromised host you can run Nmap, exploit other internal services, or use it as a proxy (SSH -D or -L) so that your tools appear to come from that host. Traffic may be encrypted (e.g. SSH tunnel) or plain (e.g. internal RDP over the pivot). In a pentest, document every pivot: which host was used, what was accessed, and what the impact was. Pivoting demonstrates the risk of lateral movement and the need for network segmentation and monitoring.
Defender Perspective: Behavioral and Flow Analysis
Defenders cannot rely on decrypting C2 traffic (without lawful intercept or endpoint visibility). Instead they rely on flow data (who talked to whom, when, and how much), behavioral analysis (unusual outbound connections, regular beaconing, unexpected data exfiltration volume), and endpoint detection (suspicious processes, injected code). Assume breach: assume an attacker will get in, and focus on limiting lateral movement (segmentation), detecting post-compromise activity, and responding. Encrypted C2 is the norm; defense is about visibility, segmentation, and response.
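The flow and behavioral analysis described above, as an added example that is not part of the lesson: a small beacon detector that works only on connection metadata (timestamps, endpoints, bytes), never on decrypted content, and flags a host whose outbound TLS connections repeat at a near-constant interval. The flow records are constructed for the example.

```python
# Added example (not part of the lesson): flag beacon-like periodic
# outbound connections from flow records, using metadata only, so it
# works equally on HTTPS and SSH tunnels whose payload stays encrypted.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.10", 443, 512),   # check-in every ~60 s,
    (1060, "10.0.0.5", "203.0.113.10", 443, 520),   # small, similar payloads
    (1121, "10.0.0.5", "203.0.113.10", 443, 508),
    (1180, "10.0.0.5", "203.0.113.10", 443, 515),
    (1241, "10.0.0.5", "203.0.113.10", 443, 511),
    (1300, "10.0.0.5", "203.0.113.10", 443, 519),
    (1005, "10.0.0.7", "198.51.100.20", 443, 2048),   # ordinary browsing:
    (1090, "10.0.0.7", "198.51.100.20", 443, 30000),  # irregular timing and size
    (1500, "10.0.0.7", "198.51.100.20", 443, 900),
    (2900, "10.0.0.7", "198.51.100.20", 443, 4100),
    (1010, "10.0.0.9", "192.0.2.30", 22, 7000),       # single SSH session
]


def beacon_candidates(flows, min_flows=5, max_jitter=0.15):
    """Return (src, dst, port), mean interval, jitter and total bytes for
    pairs whose connections recur at a near-constant interval.
    Jitter is the coefficient of variation of the gaps between connections;
    low jitter across enough samples is the beaconing signal."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))
    hits = []
    for key, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            total = sum(b for _, b in recs)
            hits.append((key, round(avg, 1), round(jitter, 3), total))
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(FLOWS):
        print("beacon candidate:", hit)
```

In practice the same logic runs over NetFlow/IPFIX or proxy logs; tune the thresholds to the environment, since legitimate software (update checks, telemetry) also beacons and must be allow-listed rather than ignored.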
Cleanup and Reporting
In an authorized pentest, clean up when the engagement ends: remove shells, reverse connections, persistence mechanisms, and test accounts. Leave the environment as you found it (except for evidence you are authorized to retain for the report). Document every action related to maintaining access and pivoting so the report accurately reflects what was achieved and what the client should fix. Ethical practice requires staying in scope and not leaving backdoors. Next: incident response and forensics, including decrypting TLS in Wireshark when keys are available.
Key Takeaway for Lesson 23
Encrypted C2 (HTTPS, SSH tunnels) is common in real attacks and in pentests; defenders see encrypted flows and use behavioral and flow analysis. Pivoting uses a compromised host to reach other systems; document and clean up. Next: incident response and forensics (Wireshark TLS decryption).