Linux/Unix/BSD Post Exploitation Command List.
If for any reason you cannot access/edit these files in the future, please contact [email protected]
You can download these files using Google Doc’s File->Download As method.
If you are viewing this on anything other than Google Docs then you can get access to the latest links to
the Linux/Unix/BSD, OSX, and Windows docs here: https://bitly.com/nuc0N0
DISCLAIMER: Anyone can edit these docs, and all that entails and infers
Table of Contents
Linux/Unix/BSD Post-Exploitation Command List.
Blind Files
System
Networking
Configs
Determine Distro:
Installed Packages
Package Sources
Finding Important Files
Covering Your Tracks
Actions Per User
Priv (sudo’d or as root)
Reverse Shell
Fun if Win
Blind Files
(things to pull when all you can do is blindly read) LFI/dir traversal (Don’t forget %00!)
File Contents and Reason
System
● ps aux
● top -n 1 -b
● id
● arch
● who -a
● gcc -v
● mysql --version
● perl -v
● ruby -v
● python --version
● df -k
● mount
● last -a
● lastlog
● lastlogin (*bsd)
● getenforce
● dmesg
● lspci
● lsusb
● lshw
● free -m
● cat /proc/cpuinfo
● cat /proc/meminfo
● du -h --max-depth=1 /
● which nmap (see if it’s already installed)
● locate bin/nmap
● which nc (see if it’s already installed)
● locate bin/<whatever you want>
● whoami
● jps -l
● java -version
Networking
● hostname -f
● ip addr show
● ifconfig -a
● route -n
● cat /etc/network/interfaces
● iptables -L -n
● iptables-save
● netstat -anop
● netstat -r
● netstat -nltupw (root with raw sockets)
● arp -a
● lsof -nPi
Configs
● ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' | grep -v lrwx
● cat /etc/issue{,.net}
● cat /etc/passwd
● cat /etc/shadow (gotta try..)
● cat /etc/shadow~ # (sometimes there when edited with gedit)
● cat /etc/master.passwd
● cat /etc/group
● cat /etc/hosts
● cat /etc/crontab
● cat /etc/sysctl.conf
● for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done # (Lists all crons)
● cat /etc/resolv.conf
● cat /etc/syslog.conf
● cat /etc/chttp.conf
● cat /etc/lighttpd.conf
● cat /etc/cups/cupsd.conf
● cat /etc/inetd.conf
● cat /opt/lampp/etc/httpd.conf
● cat /etc/samba/smb.conf
● cat /etc/openldap/ldap.conf
● cat /etc/ldap/ldap.conf
● pdbedit -L -w
● pdbedit -L -v
● cat /etc/exports
● cat /etc/auto.master
● cat /etc/auto_master
● cat /etc/fstab
● find /etc/sysconfig/ -type f -exec cat {} \;
● cat /etc/sudoers
Determine Distro:
● lsb_release -d # Generic for all LSB distros
● cat /etc/*release
● /etc/SUSE-release # Novell SUSE
● /etc/redhat-release, /etc/redhat_version # Red Hat
● /etc/fedora-release # Fedora
● /etc/slackware-release, /etc/slackware-version # Slackware
● /etc/debian_release, /etc/debian_version # Debian
● /etc/mandrake-release # Mandrake
● /etc/sun-release # Sun JDS
● /etc/release # Solaris/Sparc
● /etc/gentoo-release # Gentoo
● /etc/lsb-release # Ubuntu
● /etc/rc.conf # Arch Linux
● arch # on OpenBSD sample: OpenBSD.amd64
● uname -a (often hints at it pretty well)
Package Sources
● cat /etc/apt/sources.list
● ls -l /etc/yum.repos.d/
● cat /etc/yum.conf
Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Fun if Win
If tux is installed as a parallel OS alongside Windows and the logged-in user's access level includes those
Windows partitions, an attacker can mount them and do much deeper information gathering, credential
theft and rooting.
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
-=SYSTEM=-