Skip to content

Linux Post Exploitation Command List

Jump to bottom Edit New page
drak edited this page Aug 29, 2013 · 5 revisions
Table of Contents
## Collecting Information ### Blind Files things to pull when all you can do is blindly read like in LFI/dir traversal (Don’t forget %00!)
File Contents and Reason
/etc/resolv.conf Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd
/etc/motd Message of the Day
/etc/issue current version of distro
/etc/passwd List of local users
/etc/shadow List of users’ passwords’ hashes (requires root)
/home/xxx/.bash_history Will give you some directory context
### System
Command Description and/or Reason
uname -a Prints the kernel version, arch, sometimes distro
ps aux List all running processes
top -n 1 -d Print process, 1 is a number of lines
id Your current username, groups
arch, uname -m Kernel processor architecture
w who is connected, uptime and load avg
who -a uptime, runlevel, tty, proceses etc.
gcc -v Returns the version of GCC.
mysql --version Returns the version of MySQL.
perl -v Returns the version of Perl.
ruby -v Returns the version of Ruby.
python --version Returns the version of Python.
df -k mounted fs, size, % use, dev and mount point
mount mounted fs
last -a Last users logged on
lastcomm
lastlog
lastlogin (BSD)
getenforce Get the status of SELinux (Enforcing, Permissive or Disabled)
dmesg Informations from the last system boot
lspci prints all PCI buses and devices
lsusb prints all USB buses and devices
lscpu prints CPU information
lshw list hardware information
ex
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 / note: can cause heavy disk i/o
which nmap locate a command (ie nmap or nc)
locate bin/nmap
locate bin/nc
jps -l
java -version Returns the version of Java.
### Networking
Command Description and/or Reason
hostname -f
ip addr show
ip ro show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n -v
iptables -t nat -L -n -v
ip6tables -L -n -v
iptables-save
netstat -anop
netstat -r
netstat -nltupw root with raw sockets
arp -a
lsof -nPi
cat /proc/net/* more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff
### User Accounts
Command Description and/or Reason
cat /etc/passwd local accounts
cat /etc/shadow password hashes on Linux
/etc/security/passwd password hashes on AIX
cat /etc/group groups (or /etc/gshadow)
getent passwd should dump all local, LDAP, NIS, whatever the system is using
getent group same for groups
pdbedit -L -w Samba’s own database
pdbedit -L -v
cat /etc/aliases mail aliases
find /etc -name aliases
getent aliases
ypcat passwd displays NIS password file
### Credentials
File/Folder Description and/or Reason
/home//.ssh/id SSH keys, often passwordless
/tmp/krb5cc_* Kerberos tickets
/tmp/krb5.keytab Kerberos tickets
/home/*/.gnupg/secring.gpgs PGP keys
### Configs
  • ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte
  • cat /etc/issue{,.net}
  • cat /etc/master.passwd
  • cat /etc/group
  • cat /etc/hosts
  • cat /etc/crontab
  • cat /etc/sysctl.conf
  • for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
  • cat /etc/resolv.conf
  • cat /etc/syslog.conf
  • cat /etc/chttp.conf
  • cat /etc/lighttpd.conf
  • cat /etc/cups/cupsd.confcda
  • cat /etc/inetd.conf
  • cat /opt/lampp/etc/httpd.conf
  • cat /etc/samba/smb.conf
  • cat /etc/openldap/ldap.conf
  • cat /etc/ldap/ldap.conf
  • cat /etc/exports
  • cat /etc/auto.master
  • cat /etc/auto_master
  • cat /etc/fstab
  • find /etc/sysconfig/ -type f -exec cat {} ;
### Determine Distro
File Description and/or Reason
uname -a often hints at it pretty well
lsb_release -d Generic command for all LSB distros
/etc/os-release Generic for distros using “systemd”
/etc/issue Generic but often modified
cat /etc/*release
/etc/SUSE-release Novell SUSE
/etc/redhat-release, /etc/redhat_version Red Hat
/etc/fedora-release Fedora
/etc/slackware-release, /etc/slackware-version Slackware
/etc/debian_release, /etc/debian_version Debian
/etc/mandrake-release Mandrake
/etc/sun-release Sun JDS
/etc/release Solaris/Sparc
/etc/gentoo-release Gentoo
/etc/arch-release Arch Linux (file will be empty)
arch OpenBSD; sample: “OpenBSD.amd64”
### Installed Packages
  • rpm -qa --last | head
  • yum list | grep installed
  • Debian
    • dpkg -l
    • dpkg -l | grep -i “linux-image”
    • dpkg --get-selections
  • {Free,Net}BSD: pkg_info
  • Solaris: pkginfo
  • Gentoo: cd /var/db/pkg/ && ls -d / # always works
  • Arch Linux: pacman -Q
### Package Sources
  • cat /etc/apt/sources.list
  • ls -l /etc/yum.repos.d/
  • cat /etc/yum.conf
### Finding Important Files
  • ls -dlR */
  • ls -alR | grep ^d
  • find /var -type d
  • ls -dl `find /var -type d`
  • ls -dl `find /var -type d` | grep -v root
  • find /var ! -user root -type d -ls
  • find /var/log -type f -exec ls -la {} ;
  • find / -perm -4000 (find all suid files)
  • ls -alhtr /mnt
  • ls -alhtr /media
  • ls -alhtr /tmp
  • ls -alhtr /home
  • cd /home/; treels /home//.ssh/
  • find /home -type f -iname '.*history'
  • ls -lart /etc/rc.d/
  • locate tar | grep [.]tar$ # Remember to updatedb before running locate
  • locate tgz | grep [.]tgz$
  • locate sql | grep [.]sql$
  • locate settings | grep [.]php$
  • locate config.inc | grep [.]php$
  • ls /home//id
  • .properties | grep [.]properties # java config files
  • locate .xml | grep [.]xml # java/.net config files
  • find /sbin /usr/sbin /opt /lib `echo $PATH | ‘sed s/:/ /g’` -perm /6000 -ls # find suids
  • locate rhosts
Add a custom footer

Resources

Clone this wiki locally