Maintaining access is one of the step when attacker want to exploit the application of the victim. It saves a lot of time when the attacker wants to go inside the application again, since once you got in the admin, and put a backdoor there, its easy to get in and out of the admin page without having to redo the hacking process again and again. That is why, this is one of the important step when hacking.

However, for a certified penetration tester, maintaining access or putting a backdoor on the system of their client is not ethical. It is not ethical because a certified penetration tester are supposed to report their findings and vulnerabilities, maintaining a backdoors that are not reported to their client.

There are several methods to create a backdoor:
– Tunneling
– Creating OS Backdoor
– Web Based Backdoor

One of the tools in OS backdoor is called cymothoa, it is for injecting a shellcode backdoor into an existing process. Other tools are intersect and Metasploit>
Tunneling is to bypass the protection that exist in the target’s network. There are several tools for this, such as, NC, socat, dns2tcp, etc.
Web based is when the target is a web application, after gaining the admin access, file containing backdoor file can be inserted.