OSCP Notes
Linux Post Exploitation Command List

Collection Information

Blind Files

Things to pull when all you can do is blindly read files, e.g. through an LFI or directory-traversal bug (don't forget %00, the URL-encoded null byte).

| File | Contents and Reason |
| --- | --- |
| `/etc/resolv.conf` | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
| `/etc/motd` | Message of the day |
| `/etc/issue` | Current version of the distro |
| `/etc/passwd` | List of local users |
| `/etc/shadow` | Users' password hashes (requires root) |
| `/home/xxx/.bash_history` | Gives some directory context |
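As an added illustration of the bug class this list is aimed at (it is not part of the original notes): the naive path construction that lets `../` and `%00` reach the files in the table above, next to a hardened resolver that a web application should use instead. The code is hypothetical Python; `BASE_DIR` is an assumed directory that does not need to exist, and all function names are mine.

```python
import os

# Hypothetical template root used by the example; it does not need to exist.
BASE_DIR = "/srv/example-app/templates"


def unsafe_template_path(name, base_dir=BASE_DIR):
    """The pattern blind-read bugs come from: user input glued into a path.
    '../' walks out of base_dir, and in runtimes that hand the string to a C
    path function a %00 (NUL byte) in the input truncates the appended suffix,
    so the ".tpl" restriction stops meaning anything."""
    return base_dir + "/" + name + ".tpl"


def safe_template_path(name, base_dir=BASE_DIR):
    """Resolve a user-supplied template name or raise ValueError.

    Checks, in order: no NUL byte, no absolute path, and the normalised result
    must still sit inside base_dir. realpath follows symlinks, so a link planted
    inside the template directory cannot point the lookup elsewhere either."""
    if "\x00" in name:
        raise ValueError("NUL byte in template name")
    if os.path.isabs(name):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".tpl"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("template name escapes the template directory")
    return candidate


def is_accepted(name, base_dir=BASE_DIR):
    """Convenience wrapper: True when safe_template_path accepts the name."""
    try:
        safe_template_path(name, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed probes: one legitimate name and three malformed ones.
    for probe in ("pages/about", "../../../../etc/passwd",
                  "../../etc/passwd\x00", "/etc/passwd"):
        print(repr(probe), "->", "accepted" if is_accepted(probe) else "rejected")
```

The order of the checks matters: rejecting the NUL byte first means the later `realpath` call never sees a string that a lower layer might silently truncate, and comparing against `commonpath` of the resolved paths (rather than a string prefix test) avoids the classic `/srv/app` vs `/srv/app-other` prefix mistake.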

System

| Command | Description and/or Reason |
| --- | --- |
| `uname -a` | Prints the kernel version, architecture and sometimes the distro |
| `ps aux` | List all running processes |
| `top -n 1 -d` | Print processes in batch style; `-n 1` limits the run to one iteration |
| `id` | Your current username and groups |
| `arch`, `uname -m` | Kernel processor architecture |
| `w` | Who is logged in, uptime and load average |
| `who -a` | Uptime, runlevel, tty, processes, etc. |
| `gcc -v` | Returns the version of GCC |
| `mysql --version` | Returns the version of MySQL |
| `perl -v` | Returns the version of Perl |
| `ruby -v` | Returns the version of Ruby |
| `python --version` | Returns the version of Python |
| `df -k` | Mounted filesystems, size, % used, device and mount point |
| `mount` | Mounted filesystems |
| `last -a` | Last users logged on |
| `lastcomm` | |
| `lastlog` | |
| `lastlogin` | (BSD) |
| `getenforce` | Get the status of SELinux (Enforcing, Permissive or Disabled) |
| `dmesg` | Messages from the last system boot |
| `lspci` | Prints all PCI buses and devices |
| `lsusb` | Prints all USB buses and devices |
| `lscpu` | Prints CPU information |
| `lshw` | Lists hardware information |
| `cat /proc/cpuinfo`, `cat /proc/meminfo` | Example of the same hardware information read straight from /proc |
| `du -h --max-depth=1 /` | Note: can cause heavy disk I/O |
| `which nmap` | Locate a command (e.g. nmap or nc) |
| `locate bin/nmap`, `locate bin/nc` | Same, via the locate database |
| `jps -l` | |
| `java -version` | Returns the version of Java |

Networking

| Command | Description and/or Reason |
| --- | --- |
| `hostname -f` | |
| `ip addr show` | |
| `ip ro show` | |
| `ifconfig -a` | |
| `route -n` | |
| `cat /etc/network/interfaces` | |
| `iptables -L -n -v` | |
| `iptables -t nat -L -n -v` | |
| `ip6tables -L -n -v` | |
| `iptables-save` | |
| `netstat -anop` | |
| `netstat -r` | |
| `netstat -nltupw` | Needs root for the raw-socket details |
| `arp -a` | |
| `lsof -nPi` | |
| `cat /proc/net/*` | More discreet: all the information given by the commands above can be found by reading the files under /proc/net, and this approach is less likely to trigger monitoring |
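An added example, not from the original notes, of why reading /proc/net works as a quieter substitute for netstat: the kernel exposes each socket table as a text file with hex-encoded addresses, and decoding it is exactly what a host-monitoring agent or forensic triage script does when it wants to list listening ports without spawning netstat (which is also why defenders should not rely on wrapping or auditing the netstat binary alone). The sample /proc/net/tcp content below is constructed (inodes and addresses are made up; 203.0.113.5 is a documentation address), and the decoding assumes a little-endian host, which is why the address octets appear reversed in the file.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp, not captured from a real host:
# a listener on 127.0.0.1:53, a listener on 0.0.0.0:22 and one established
# connection from 10.0.2.15 to 203.0.113.5:443 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:8E26 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

# Socket state codes as used by the kernel (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(hexaddr):
    """Turn 'XXXXXXXX:PPPP' into (dotted_ip, port).

    The kernel prints the 32-bit address as it sits in memory, so on a
    little-endian host 0100007F is 127.0.0.1; packing the integer back as a
    little-endian word restores network byte order for inet_ntoa."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        rows.append({
            "local": local,
            "remote": remote,
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),          # owner uid: who is running the service
            "inode": int(fields[9]),        # socket inode, matchable to /proc/<pid>/fd
        })
    return rows


def listening_sockets(text):
    """(ip, port, uid) for every socket in LISTEN state, in file order."""
    return [(r["local"][0], r["local"][1], r["uid"])
            for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN"]


if __name__ == "__main__":
    # On a Linux box read the real table; elsewhere fall back to the sample.
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = SAMPLE_PROC_NET_TCP
    for ip, port, uid in listening_sockets(text):
        print(f"LISTEN {ip}:{port} uid={uid}")
```

The inode column is the useful pivot for a responder: it is the same number that appears as `socket:[12345]` in `/proc/<pid>/fd`, which is how the owning process of a listener is found without `netstat -p` or `lsof`.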

User Accounts

| Command | Description and/or Reason |
| --- | --- |
| `cat /etc/passwd` | Local accounts |
| `cat /etc/shadow` | Password hashes on Linux |
| `/etc/security/passwd` | Password hashes on AIX |
| `cat /etc/group` | Groups (or /etc/gshadow) |
| `getent passwd` | Should dump all local, LDAP, NIS, whatever the system is using |
| `getent group` | Same for groups |
| `pdbedit -L -w` | Samba's own database |
| `pdbedit -L -v` | |
| `cat /etc/aliases` | Mail aliases |
| `find /etc -name aliases` | |
| `getent aliases` | |
| `ypcat passwd` | Displays the NIS password file |

Obtain user's information

```shell
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist* # you can learn a lot from this
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history
sudo -p # allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts
```

Credentials

| File/Folder | Description and/or Reason |
| --- | --- |
| `/home/*/.ssh/id*` | SSH keys, often passwordless |
| `/tmp/krb5cc_*` | Kerberos tickets |
| `/tmp/krb5.keytab` | Kerberos keytab |
| `/home/*/.gnupg/secring.gpg` | PGP secret keys |

Configs

```shell
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' | grep -v lrwx # world-writable entries under /etc, symlinks excluded
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # lists every user's crontab
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
```
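The first line of the Configs block is the world-writable-file check that a hardening audit runs for the same reason an attacker does. As an added example (not the notes' own tooling), the Python below performs the same walk with `os.lstat` instead of parsing `ls` output. The awk test `$1 ~ /w.$/` relies on `w` being the second-to-last character of the mode column, which silently breaks when `ls` appends `.` (SELinux context) or `+` (ACL entries) to the mode string; testing the others-write bit directly does not have that problem. The fixture tree is constructed in a temporary directory and is mine, not a real /etc. Note that sticky world-writable directories such as /tmp are flagged by both the one-liner and this scan; they are expected and need a human to judge.

```python
import os
import shutil
import stat
import tempfile


def world_writable(root):
    """Return paths under root (relative to root) whose mode grants write
    access to 'others', skipping symlinks (the grep -v lrwx in the one-liner).
    Unreadable entries are skipped instead of aborting the scan, which matters
    when auditing /etc as an unprivileged user."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:      # the 'w' in the others triplet
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_fixture():
    """Constructed test tree (not a real /etc): a world-writable script under
    a cron.d-style directory, a normal 0644 config file, a symlink to the
    script, and a sticky 1777 scratch directory like /tmp."""
    root = tempfile.mkdtemp(prefix="ww-audit-")
    os.mkdir(os.path.join(root, "cron.d"))
    script = os.path.join(root, "cron.d", "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(script, 0o777)                    # the finding we want to catch
    hosts = os.path.join(root, "hosts")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    os.chmod(hosts, 0o644)                     # normal config file, not flagged
    os.symlink(script, os.path.join(root, "link-to-backup"))  # skipped
    scratch = os.path.join(root, "scratch")
    os.mkdir(scratch)
    os.chmod(scratch, 0o1777)                  # chmod ignores umask, mkdir does not
    return root


def cleanup(root):
    """Remove the fixture tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_fixture()
    try:
        for hit in world_writable(root):
            print("world-writable:", hit)
    finally:
        cleanup(root)
```

A world-writable script referenced from a crontab is the classic finding here: whoever can edit it runs code as the cron owner, so the scan output is worth cross-checking against the `crontab -u $user -l` loop above.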

Determine Distro

| File | Description and/or Reason |
| --- | --- |
| `uname -a` | Often hints at it pretty well |
| `lsb_release -d` | Generic command for all LSB distros |
| `/etc/os-release` | Generic for distros using systemd |
| `/etc/issue` | Generic but often modified |
| `cat /etc/*release` | |
| `/etc/SUSE-release` | Novell SUSE |
| `/etc/redhat-release`, `/etc/redhat_version` | Red Hat |
| `/etc/fedora-release` | Fedora |
| `/etc/slackware-release`, `/etc/slackware-version` | Slackware |
| `/etc/debian_release`, `/etc/debian_version` | Debian |
| `/etc/mandrake-release` | Mandrake |
| `/etc/sun-release` | Sun JDS |
| `/etc/release` | Solaris/Sparc |
| `/etc/gentoo-release` | Gentoo |
| `/etc/arch-release` | Arch Linux (file will be empty) |
| `arch` | OpenBSD; sample: "OpenBSD.amd64" |

Installed Packages

```shell
rpm -qa --last | head
yum list | grep installed
# Debian
dpkg -l
dpkg -l | grep -i "linux-image"
dpkg --get-selections
# {Free,Net}BSD
pkg_info
# Solaris
pkginfo
# Gentoo
cd /var/db/pkg/ && ls -d */* # always works
# Arch Linux
pacman -Q
```

Package Sources

```shell
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
```

Finding Important Files

```shell
ls -dlR */
ls -alR | grep ^d
find /var -type d
ls -dl `find /var -type d`
ls -dl `find /var -type d` | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000 # find all suid files
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep .tar$ # Remember to updatedb before running locate
locate tgz | grep .tgz$
locate sql | grep .sql$
locate settings | grep .php$
locate config.inc | grep .php$
ls /home/*/id*
locate .properties | grep .properties # java config files
locate .xml | grep .xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | sed 's/:/ /g'` -perm /6000 -ls # find suid/sgid binaries
locate rhosts
```

What jobs are scheduled? (Cronjobs)

```shell
crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null
```

The following one-liner lists the processes running as root, the permissions of the binary behind every running process (deduplicated with `awk '!x[$0]++'`), and the NFS exports.

```shell
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
```