OSCP Playbook

Linux Post Exploitation Command List

Collection Information

Blind Files

Files worth pulling when all you can do is blindly read, e.g. via LFI or directory traversal (don't forget %00!)

| File | Contents and Reason |
| --- | --- |
| /etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
| /etc/motd | Message of the Day |
| /etc/issue | Current version of the distro |
| /etc/passwd | List of local users |
| /etc/shadow | List of users' password hashes (requires root) |
| /home/xxx/.bash_history | Will give you some directory context |

System

| Command | Description and/or Reason |
| --- | --- |
| uname -a | Prints the kernel version, arch, sometimes distro |
| ps aux | List all running processes |
| top -b -n 1 | Print the process list once (batch mode); -n 1 is the number of iterations |
| id | Your current username, groups |
| arch, uname -m | Kernel processor architecture |
| w | Who is connected, uptime and load avg |
| who -a | Uptime, runlevel, tty, processes etc. |
| gcc -v | Returns the version of GCC. |
| mysql --version | Returns the version of MySQL. |
| perl -v | Returns the version of Perl. |
| ruby -v | Returns the version of Ruby. |
| python --version | Returns the version of Python. |
| df -k | Mounted fs, size, % use, dev and mount point |
| mount | Mounted fs |
| last -a | Last users logged on |
| lastcomm | Previously executed commands (needs process accounting) |
| lastlog | Most recent login of every user |
| lastlogin | (BSD) |
| getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
| dmesg | Information from the last system boot |
| lspci | Prints all PCI buses and devices |
| lsusb | Prints all USB buses and devices |
| lscpu | Prints CPU information |
| lshw | List hardware information |
| cat /proc/cpuinfo, cat /proc/meminfo | e.g. the same CPU and memory details read straight from /proc |
| du -h --max-depth=1 / | Note: can cause heavy disk I/O |
| which nmap | Locate a command (i.e. nmap or nc) |
| locate bin/nmap, locate bin/nc | |
| jps -l | Lists running Java processes (JDK tool) |
| java -version | Returns the version of Java. |

Networking

| Command | Description and/or Reason |
| --- | --- |
| hostname -f | |
| ip addr show | |
| ip ro show | |
| ifconfig -a | |
| route -n | |
| cat /etc/network/interfaces | |
| iptables -L -n -v | |
| iptables -t nat -L -n -v | |
| ip6tables -L -n -v | |
| iptables-save | |
| netstat -anop | |
| netstat -r | |
| netstat -nltupw | Root with raw sockets |
| arp -a | |
| lsof -nPi | |
| cat /proc/net/* | More discreet: all the information given by the above commands can be found by reading the files under /proc/net, and this approach is less likely to trigger monitoring |
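The /proc/net files are terse: addresses are hex, little-endian on x86/arm64, and the socket state is a hex code. The following parser is an added example (not part of the original playbook) that turns /proc/net/tcp text into readable lines, the same way netstat does; the sample table is constructed, the function names are my own, and the little-endian byte order is an assumption that holds on common Linux hosts.

```shell
#!/bin/sh
# Parse /proc/net/tcp-style text into readable "STATE LOCAL -> REMOTE uid inode" lines.

# Constructed sample in the kernel's /proc/net/tcp layout (hex little-endian IPv4:port).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 6401A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1'

# hex_ip 0100007F -> 127.0.0.1 (assumption: little-endian host, so bytes are read right to left)
hex_ip() {
    h=$1
    printf '%d.%d.%d.%d' "0x$(echo "$h" | cut -c7-8)" "0x$(echo "$h" | cut -c5-6)" \
                          "0x$(echo "$h" | cut -c3-4)" "0x$(echo "$h" | cut -c1-2)"
}

# hex_port 0016 -> 22
hex_port() { printf '%d' "0x$1"; }

# tcp_state: map the kernel's hex state code to the name netstat prints
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
    esac
}

# parse_proc_net_tcp: read /proc/net/tcp text on stdin, print one readable line per socket.
# Columns used: 2=local_address 3=rem_address 4=st 8=uid 10=inode (header line skipped).
parse_proc_net_tcp() {
    tail -n +2 | awk '{print $2, $3, $4, $8, $10}' | while read -r laddr raddr st uid inode; do
        lip=$(hex_ip "${laddr%%:*}"); lport=$(hex_port "${laddr##*:}")
        rip=$(hex_ip "${raddr%%:*}"); rport=$(hex_port "${raddr##*:}")
        printf '%-12s %s:%s -> %s:%s uid=%s inode=%s\n' \
            "$(tcp_state "$st")" "$lip" "$lport" "$rip" "$rport" "$uid" "$inode"
    done
}

# listening_sockets: only the LISTEN entries, as "ip:port" (what `netstat -nlt` would show)
listening_sockets() { parse_proc_net_tcp | awk '$1 == "LISTEN" {print $2}'; }

# Stand-alone run: parse the live table if present, otherwise the constructed sample
if [ -r /proc/net/tcp ]; then
    parse_proc_net_tcp </proc/net/tcp
else
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" | parse_proc_net_tcp
fi
```

The inode column is what links a socket back to a process: a defender can match it against the `socket:[inode]` targets in /proc/<pid>/fd without ever calling netstat or lsof. Feed /proc/net/tcp6 through the same pipeline by adapting hex_ip to 32-hex-digit addresses.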

User Accounts

| Command | Description and/or Reason |
| --- | --- |
| cat /etc/passwd | Local accounts |
| cat /etc/shadow | Password hashes on Linux |
| /etc/security/passwd | Password hashes on AIX |
| cat /etc/group | Groups (or /etc/gshadow) |
| getent passwd | Should dump all local, LDAP, NIS, whatever the system is using |
| getent group | Same for groups |
| pdbedit -L -w | Samba's own database |
| pdbedit -L -v | |
| cat /etc/aliases | Mail aliases |
| find /etc -name aliases | |
| getent aliases | |
| ypcat passwd | Displays NIS password file |

Obtain user's information

ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist* # you can learn a lot from this
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history
sudo -p (allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts)

Credentials

| File/Folder | Description and/or Reason |
| --- | --- |
| /home/*/.ssh/id* | SSH keys, often passwordless |
| /tmp/krb5cc_* | Kerberos tickets |
| /tmp/krb5.keytab | Kerberos tickets |
| /home/*/.gnupg/secring.gpg | PGP keys |

Configs

ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' | grep -v lrwx # world-writable entries under /etc
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done # lists every user's crontab
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;

Determine Distro

| File | Description and/or Reason |
| --- | --- |
| uname -a | Often hints at it pretty well |
| lsb_release -d | Generic command for all LSB distros |
| /etc/os-release | Generic for distros using systemd |
| /etc/issue | Generic but often modified |
| cat /etc/*release | |
| /etc/SUSE-release | Novell SUSE |
| /etc/redhat-release, /etc/redhat_version | Red Hat |
| /etc/fedora-release | Fedora |
| /etc/slackware-release, /etc/slackware-version | Slackware |
| /etc/debian_release, /etc/debian_version | Debian |
| /etc/mandrake-release | Mandrake |
| /etc/sun-release | Sun JDS |
| /etc/release | Solaris/Sparc |
| /etc/gentoo-release | Gentoo |
| /etc/arch-release | Arch Linux (file will be empty) |
| arch | OpenBSD; sample: "OpenBSD.amd64" |
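/etc/os-release is written in shell syntax, and the tempting shortcut is `. /etc/os-release`; on a box you do not trust (which, during incident response, is every box) that executes whatever the file contains. The reader below is an added example, not part of the original playbook, that extracts fields without sourcing the file. The sample content is constructed and the function names are my own.

```shell
#!/bin/sh
# Read fields from os-release text WITHOUT sourcing it.

# Constructed sample in /etc/os-release syntax (assumption: a Debian-like host).
SAMPLE_OS_RELEASE='PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
ID=debian
HOME_URL="https://www.debian.org/"'

# os_release_get KEY : print KEY's value from os-release text on stdin, surrounding quotes stripped.
# Anchoring on ^KEY= keeps VERSION_ID from matching a lookup for ID.
os_release_get() {
    key=$1
    sed -n "s/^${key}=//p" | sed -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'\$//" | head -n 1
}

distro_id()      { os_release_get ID; }
distro_version() { os_release_get VERSION_ID; }

# describe_distro [FILE] : "id version" from a real file (default /etc/os-release), or "unknown"
describe_distro() {
    f=${1:-/etc/os-release}
    if [ -r "$f" ]; then
        printf '%s %s\n' "$(distro_id <"$f")" "$(distro_version <"$f")"
    else
        echo unknown
    fi
}

# Stand-alone run: the live file if present, then the constructed sample
describe_distro
printf '%s\n' "$SAMPLE_OS_RELEASE" | describe_distro /dev/stdin
```

describe_distro prints "unknown" for systems without os-release (older releases, the BSDs), which is the cue to fall back to the distro-specific files in the table above.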

Installed Packages

rpm -qa --last | head
yum list | grep installed
Debian
* dpkg -l
* dpkg -l | grep -i "linux-image"
* dpkg --get-selections
{Free,Net}BSD: pkg_info
Solaris: pkginfo
Gentoo: cd /var/db/pkg/ && ls -d */* # always works
Arch Linux: pacman -Q

Package Sources

cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf

Finding Important Files

ls -dlR */
ls -alR | grep ^d
find /var -type d
ls -dl $(find /var -type d)
ls -dl $(find /var -type d) | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000 -type f 2>/dev/null # find all suid files
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep '\.tar$' # Remember to updatedb before running locate
locate tgz | grep '\.tgz$'
locate sql | grep '\.sql$'
locate settings | grep '\.php$'
locate config.inc | grep '\.php$'
ls /home/*/id*
locate .properties | grep '\.properties$' # java config files
locate .xml | grep '\.xml$' # java/.net config files
find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm /6000 -ls # find suids/sgids
locate rhosts

What jobs are scheduled? (Cronjobs)

crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null

The following command lists the processes running as root, the permissions of their binaries, and the NFS exports.

echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
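The one-liner above and the `find ... -perm /6000` line in "Finding Important Files" answer two questions a defender should be asking on every host: can a non-root user modify a binary that root executes, and has a setuid/setgid file appeared that was not there at install time? The script below is an added example, not part of the original playbook, that turns both into repeatable checks. Function names are my own; the baseline file format (one sorted path per line) is an assumption.

```shell
#!/bin/sh
# Audit helpers: tamperable root-process binaries, and setuid/setgid files not in a known-good baseline.

# writable_by_others PATH : succeed if the group or other write bit is set (find's /022 = any of those bits)
writable_by_others() {
    [ -n "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

# root_process_binaries : resolved /proc/<pid>/exe for every process whose real uid is 0.
# Unreadable entries (other users' processes, kernel threads) are skipped silently.
root_process_binaries() {
    for p in /proc/[0-9]*; do
        uid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null) || continue
        [ "$uid" = "0" ] || continue
        readlink "$p/exe" 2>/dev/null || true
    done | sed 's/ (deleted)$//' | sort -u
}

# check_binaries : read paths on stdin; print the ones a non-root user could overwrite or replace.
# A world-writable parent directory without the sticky bit lets the file be swapped even if the
# file itself is read-only, so the directory is checked too.
check_binaries() {
    while read -r f; do
        [ -e "$f" ] || continue
        if writable_by_others "$f"; then printf 'WRITABLE %s\n' "$f"; fi
        d=$(dirname "$f")
        if writable_by_others "$d" && [ ! -k "$d" ]; then printf 'WRITABLE-DIR %s\n' "$d"; fi
    done | sort -u
}

# suid_list DIR... : sorted list of setuid/setgid regular files under DIR (same filesystem only)
suid_list() {
    find "$@" -xdev -type f -perm /6000 -print 2>/dev/null | sort
}

# suid_new BASELINE DIR... : setuid/setgid files present now but absent from BASELINE.
# BASELINE is a sorted file of one path per line, e.g. produced by suid_list at install time.
suid_new() {
    base=$1; shift
    suid_list "$@" | comm -13 "$base" -
}

# Stand-alone run: report tamperable root-process binaries, then (if a baseline file was
# passed as $1) any setuid/setgid files that are not in it.
root_process_binaries | check_binaries
if [ -n "${1:-}" ]; then
    suid_new "$1" /usr /bin /sbin /opt
fi
```

Running `suid_list / > /var/lib/suid.baseline` on a freshly built host and `suid_new /var/lib/suid.baseline /` on a schedule is a cheap way to notice a new setuid binary; an empty result is the expected state.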