On this crazy ball flying through space that we call home, there are few things as exciting as seeing that meterpreter session pop up after firing off an exploit. Sometimes, your compromise has yielded you a domain administrator and you can pretty much do anything you want; you can probably just log in to other systems on the domain to gather yourself a handful of compromised computers and grab the loot you find on them. However, the more likely scenario is that you just successfully pulled off an exploit on one of only a few machines that are actually visible from your position in the network due to firewalling and segmentation—you've established a foothold. The word foothold is borrowed from rock climbing terminology: it's a spot in the rock face where you can place your feet for security as you prepare to progress further. Getting a foothold in a pen test means you've found a hole in the rock of your client's defense that you can use to launch yourself up, but the climbing lies before you.

In this chapter, we're going to review concepts and methods for leveraging the foothold position to progress deeper into a target. We'll start with an introduction to enumeration from our foothold position as a means of gathering the data necessary to find deeper points of compromise. We'll understand the concept of pivoting through the network and leveraging pilfered credentials to compromise systems deeper in our target's network.