Abstract. Pentesting is becoming an important activity even for smaller
companies. One of the most important economic pressures is the cost of
such tests. In order to automate pentests, tools such as Metasploit can be
used. Post-exploitation activities can, however, not be automated easily.
Our contribution is to extendMeterpreter-scripts so that post-exploitation
can be scripted. Moreover, using a multi-step approach (pivoting), we can
automatically exploit machines that are not directly routable: Once the
first machine is exploited, the script continues to then automatically launch
an attack on the next machine, etc.