Post Exploitation
After we have obtained access to a target, we can start looking for valuable information, which includes, but is not limited to:
- Accounts & passwords
- Pivoting attacks
- Private networks
- Banking / highly sensitive information
- Password hashes
Linux Post Exploitation Command List
- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
- Useful commands
route -n
netstat -anop
netstat -r
arp -a
cat /etc/passwd
cat /etc/shadow
Look for the command history
cat ~/.bash_history
Look for old passwords
cat /etc/shadow | head -n 5
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
adm:*:14513:0:99999:7:::
lp:*:14513:0:99999:7:::
cat /etc/passwd | head -n 10
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
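As an added example (not part of the original notes), a small Python audit script that joins the /etc/passwd and /etc/shadow fields shown above and reports which login-capable accounts still rely on a weak or empty hash; the $1$ prefix on root's entry identifies md5crypt. The sample input reuses the excerpts above and adds two constructed accounts (deploy, backup) with made-up hash values.

```python
import re

# Constructed sample input modelled on the /etc/passwd and /etc/shadow
# excerpts above; the deploy/backup accounts and their hashes are made up.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
backup:x:1002:1002::/var/backups:/bin/sh
"""
SHADOW = """\
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
deploy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:14513:0:99999:7:::
backup::14513:0:99999:7:::
"""

# crypt(3) id prefixes; DES and MD5 based schemes are treated as weak.
HASH_ALGOS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}
NOLOGIN_SHELLS = {"", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def classify_hash(field: str) -> str:
    """Map a shadow password field to its hashing scheme (or lock state)."""
    if field == "":
        return "empty"                      # no password required at all
    if field[0] in "*!":
        return "locked"                     # password login disabled
    m = re.match(r"\$([^$]+)\$", field)
    if m:
        return HASH_ALGOS.get(m.group(1), "unknown")
    return "descrypt"                       # legacy 13-character DES crypt

def audit(passwd: str, shadow: str) -> list[dict]:
    """Join passwd login shells with shadow hashes; one record per shadow entry."""
    shells = {}
    for line in filter(None, passwd.splitlines()):
        f = line.split(":")
        shells[f[0]] = f[6] if len(f) > 6 else ""
    records = []
    for line in filter(None, shadow.splitlines()):
        user, pw = line.split(":")[:2]
        shell = shells.get(user, "")
        records.append({"user": user, "shell": shell, "algo": classify_hash(pw),
                        "interactive": shell not in NOLOGIN_SHELLS})
    return records

def flagged(records: list[dict]) -> list[str]:
    """Accounts that can log in and still carry a weak or missing hash."""
    return [r["user"] for r in records if r["interactive"] and r["algo"] in WEAK]

if __name__ == "__main__":
    for r in audit(PASSWD, SHADOW):
        print(f'{r["user"]:8} {r["shell"]:18} {r["algo"]:12} interactive={r["interactive"]}')
    print("needs attention:", flagged(audit(PASSWD, SHADOW)))
```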
Look for pivoting opportunities
locate route
/sbin/route
/sbin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.56.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.56.100 0.0.0.0 UG 0 0 0 eth0
locate netstat
netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 1 0 192.168.56.103:139 192.168.56.101:32811 CLOSE_WAIT keepalive (6990.88/0/0)
tcp 0 0 192.168.56.103:32773 192.168.56.101:4444 ESTABLISHED off (0.00/0/0)
udp 0 0 0.0.0.0:32768 0.0.0.0:* off (0.00/0/0)
udp 0 0 127.0.0.1:32769 0.0.0.0:* off (0.00/0/0)
udp 0 0 192.168.56.103:137 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:137 0.0.0.0:* off (0.00/0/0)
udp 0 0 192.168.56.103:138 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:138 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:820 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:111 0.0.0.0:* off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 9 [ ] DGRAM 899 /dev/log
unix 2 [ ACC ] STREAM LISTENING 1233 /dev/gpmctl
unix 2 [ ] DGRAM 1276
unix 2 [ ] DGRAM 1251
unix 2 [ ] DGRAM 1214
unix 2 [ ] DGRAM 1148
unix 2 [ ] DGRAM 1072
unix 2 [ ] DGRAM 962
unix 2 [ ] DGRAM 908
unix 2 [ ] STREAM CONNECTED 567
locate arp
...
/lib/modules/2.4.7-10/modules.parportmap
/sbin/arp
/sbin/arping
/sbin/arp
...
/sbin/arp
Address HWtype HWaddress Flags Mask Iface
192.168.56.100 ether 08:00:27:5E:55:C8 C eth0
192.168.56.101 ether 08:00:27:B9:41:99 C eth0