-
-
Notifications
You must be signed in to change notification settings - Fork 358
Linux Post Exploitation Command List
Michel Barbosa edited this page Aug 29, 2013
·
5 revisions
## Collecting Information
### Blind Files
things to pull when all you can do is blindly read like in LFI/dir traversal (Don’t forget %00!)
### System
### Networking
| File | Contents and Reason |
|---|---|
| /etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
| /etc/motd | Message of the Day |
| /etc/issue | current version of distro |
| /etc/passwd | List of local users |
| /etc/shadow | List of users’ passwords’ hashes (requires root) |
| /home/xxx/.bash_history | Will give you some directory context |
| Command | Description and/or Reason |
|---|---|
| uname -a | Prints the kernel version, arch, sometimes distro |
| ps aux | List all running processes |
| top -n 1 -d | Print process, 1 is a number of lines |
| id | Your current username, groups |
| arch, uname -m | Kernel processor architecture |
| w | who is connected, uptime and load avg |
| who -a | uptime, runlevel, tty, proceses etc. |
| gcc -v | Returns the version of GCC. |
| mysql --version | Returns the version of MySQL. |
| perl -v | Returns the version of Perl. |
| ruby -v | Returns the version of Ruby. |
| python --version | Returns the version of Python. |
| df -k | mounted fs, size, % use, dev and mount point |
| mount | mounted fs |
| last -a | Last users logged on |
| lastcomm | |
| lastlog | |
| lastlogin (BSD) | |
| getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
| dmesg | Informations from the last system boot |
| lspci | prints all PCI buses and devices |
| lsusb | prints all USB buses and devices |
| lscpu | prints CPU information |
| lshw | list hardware information |
| ex | |
| cat /proc/cpuinfo | |
| cat /proc/meminfo | |
| du -h --max-depth=1 / | note: can cause heavy disk i/o |
| which nmap | locate a command (ie nmap or nc) |
| locate bin/nmap | |
| locate bin/nc | |
| jps -l | |
| java -version | Returns the version of Java. |
| Command | Description and/or Reason |
|---|---|
| hostname -f | |
| ip addr show | |
| ip ro show | |
| ifconfig -a | |
| route -n | |
| cat /etc/network/interfaces | |
| iptables -L -n -v | |
| iptables -t nat -L -n -v | |
| ip6tables -L -n -v | |
| iptables-save | |
| netstat -anop | |
| netstat -r | |
| netstat -nltupw | root with raw sockets |
| arp -a | |
| lsof -nPi | |
| cat /proc/net/* | more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff |