Comment on page
Linux Post Exploitation Command List
things to pull when all you can do is blindly read like in LFI/dir traversal (Don’t forget %00!)
File | Contents and Reason |
/etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
/etc/motd | Message of the Day |
/etc/issue | current version of distro |
/etc/passwd | List of local users |
/etc/shadow | List of users’ passwords’ hashes (requires root) |
/home/xxx/.bash_history | Will give you some directory context |
Command | Description and/or Reason |
uname -a | Prints the kernel version, arch, sometimes distro |
ps aux | List all running processes |
top -n 1 -d | Print process, 1 is a number of lines |
id | Your current username, groups |
arch, uname -m | Kernel processor architecture |
w | who is connected, uptime and load avg |
who -a | uptime, runlevel, tty, proceses etc. |
gcc -v | Returns the version of GCC. |
mysql --version | Returns the version of MySQL. |
perl -v | Returns the version of Perl. |
ruby -v | Returns the version of Ruby. |
python --version | Returns the version of Python. |
df -k | mounted fs, size, % use, dev and mount point |
mount | mounted fs |
last -a | Last users logged on |
lastcomm | |
lastlog | |
lastlogin (BSD) | |
getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
dmesg | Informations from the last system boot |
lspci | prints all PCI buses and devices |
lsusb | prints all USB buses and devices |
lscpu | prints CPU information |
lshw | list hardware information |
ex | |
cat /proc/cpuinfo | |
cat /proc/meminfo | |
du -h --max-depth=1 / | note: can cause heavy disk i/o |
which nmap | locate a command (ie nmap or nc) |
locate bin/nmap | |
locate bin/nc | |
jps -l | |
java -version | Returns the version of Java. |
Command | Description and/or Reason |
hostname -f | |
ip addr show | |
ip ro show | |
ifconfig -a | |
route -n | |
cat /etc/network/interfaces | |
iptables -L -n -v | |
iptables -t nat -L -n -v | |
ip6tables -L -n -v | |
iptables-save | |
netstat -anop | |
netstat -r | |
netstat -nltupw | root with raw sockets |
arp -a | |
lsof -nPi | |
cat /proc/net/* | more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff |
Command | Description and/or Reason |
cat /etc/passwd | local accounts |
cat /etc/shadow | password hashes on Linux |
/etc/security/passwd | password hashes on AIX |
cat /etc/group | groups (or /etc/gshadow) |
getent passwd | should dump all local, LDAP, NIS, whatever the system is using |
getent group | same for groups |
pdbedit -L -w | Samba’s own database |
pdbedit -L -v | |
cat /etc/aliases | mail aliases |
find /etc -name aliases | |
getent aliases | |
ypcat passwd | displays NIS password file |
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/\*/.*hist* # you can learn a lot from this
find /home/\*/.vnc /home/\*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not. readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history
sudo -p (allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts)
File/Folder | Description and/or Reason |
/home/*/.ssh/id* | SSH keys, often passwordless |
/tmp/krb5cc_* | Kerberos tickets |
/tmp/krb5.keytab | Kerberos tickets |
/home/*/.gnupg/secring.gpgs | PGP keys |
ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.confcda
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
File | Description and/or Reason |
uname -a | often hints at it pretty well |
lsb_release -d | Generic command for all LSB distros |
/etc/os-release | Generic for distros using “systemd” |
/etc/issue | Generic but often modified |
cat /etc/*release | |
/etc/SUSE-release | Novell SUSE |
/etc/redhat-release, /etc/redhat_version | Red Hat |
/etc/fedora-release | Fedora |
/etc/slackware-release, /etc/slackware-version | Slackware |
/etc/debian_release, /etc/debian_version | Debian |
/etc/mandrake-release | Mandrake |
/etc/sun-release | Sun JDS |
/etc/release | Solaris/Sparc |
/etc/gentoo-release | Gentoo |
/etc/arch-release | Arch Linux (file will be empty) |
arch | OpenBSD; sample: “OpenBSD.amd64” |
rpm -qa --last | head
yum list | grep installed
Debian
* dpkg -l
* dpkg -l | grep -i “linux-image”
* dpkg --get-selections
{Free,Net}BSD: pkg_info
Solaris: pkginfo
Gentoo: cd /var/db/pkg/ && ls -d */* # always works
Arch Linux: pacman -Q
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
ls -dlR */
s -alR | grep ^d
find /var -type d
ls -dl \`find /var -type d\`
ls -dl \`find /var -type d\` | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000 (find all suid files)
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; treels /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep .tar$ # Remember to updatedb before running locate
locate tgz | grep .tgz$
locate sql | grep .sql$
locate settings | grep .php$
locate config.inc | grep .php$
ls /home/\*/id*
.properties | grep .properties # java config files
locate .xml | grep .xml # java/.net config files
find /sbin /usr/sbin /opt /lib \`echo $PATH | ‘sed s/:/ /g’\` -perm /6000 -ls # find suids
locate rhosts
crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null