Linux Post Exploitation Command List
Collection Information
Blind Files
Things to pull when all you can do is read files blindly, as in LFI or directory traversal (don’t forget %00!)
File | Contents and Reason |
/etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
/etc/motd | Message of the Day |
/etc/issue | Current version of the distro |
/etc/passwd | List of local users |
/etc/shadow | List of users’ passwords’ hashes (requires root) |
/home/xxx/.bash_history | Will give you some directory context |
System
Command | Description and/or Reason |
uname -a | Prints the kernel version, arch, sometimes distro |
ps aux | List all running processes |
top -b -n 1 | Print the process list once in batch mode; 1 is the number of iterations |
id | Your current username, groups |
arch, uname -m | Kernel processor architecture |
w | Who is connected, uptime and load average |
who -a | Uptime, runlevel, tty, processes etc. |
gcc -v | Returns the version of GCC. |
mysql --version | Returns the version of MySQL. |
perl -v | Returns the version of Perl. |
ruby -v | Returns the version of Ruby. |
python --version | Returns the version of Python. |
df -k | mounted fs, size, % use, dev and mount point |
mount | mounted fs |
last -a | Last users logged on |
lastcomm | |
lastlog | |
lastlogin (BSD) | |
getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
dmesg | Information from the last system boot |
lspci | prints all PCI buses and devices |
lsusb | prints all USB buses and devices |
lscpu | prints CPU information |
lshw | list hardware information |
ex | |
cat /proc/cpuinfo | |
cat /proc/meminfo | |
du -h --max-depth=1 / | note: can cause heavy disk i/o |
which nmap | Locate a command (e.g. nmap or nc) |
locate bin/nmap | |
locate bin/nc | |
jps -l | |
java -version | Returns the version of Java. |
Networking
Command | Description and/or Reason |
hostname -f | |
ip addr show | |
ip ro show | |
ifconfig -a | |
route -n | |
cat /etc/network/interfaces | |
iptables -L -n -v | |
iptables -t nat -L -n -v | |
ip6tables -L -n -v | |
iptables-save | |
netstat -anop | |
netstat -r | |
netstat -nltupw | root with raw sockets |
arp -a | |
lsof -nPi | |
cat /proc/net/* | More discreet: all the information given by the above commands can be found in the files under /proc/net, and this approach is less likely to trigger monitoring |
User Accounts
Command | Description and/or Reason |
cat /etc/passwd | local accounts |
cat /etc/shadow | password hashes on Linux |
/etc/security/passwd | password hashes on AIX |
cat /etc/group | groups (or /etc/gshadow) |
getent passwd | should dump all local, LDAP, NIS, whatever the system is using |
getent group | same for groups |
pdbedit -L -w | Samba’s own database |
pdbedit -L -v | |
cat /etc/aliases | mail aliases |
find /etc -name aliases | |
getent aliases | |
ypcat passwd | displays NIS password file |
Obtain user's information
Credentials
File/Folder | Description and/or Reason |
/home/*/.ssh/id* | SSH keys, often passwordless |
/tmp/krb5cc_* | Kerberos tickets |
/tmp/krb5.keytab | Kerberos tickets |
/home/*/.gnupg/secring.gpg | PGP keys |
Configs
Determine Distro
File | Description and/or Reason |
uname -a | often hints at it pretty well |
lsb_release -d | Generic command for all LSB distros |
/etc/os-release | Generic for distros using “systemd” |
/etc/issue | Generic but often modified |
cat /etc/*release | |
/etc/SUSE-release | Novell SUSE |
/etc/redhat-release, /etc/redhat_version | Red Hat |
/etc/fedora-release | Fedora |
/etc/slackware-release, /etc/slackware-version | Slackware |
/etc/debian_release, /etc/debian_version | Debian |
/etc/mandrake-release | Mandrake |
/etc/sun-release | Sun JDS |
/etc/release | Solaris/Sparc |
/etc/gentoo-release | Gentoo |
/etc/arch-release | Arch Linux (file will be empty) |
arch | OpenBSD; sample: “OpenBSD.amd64” |
Installed Packages
Package Sources
Finding Important Files
What jobs are scheduled? (Cronjobs)
The following command will list processes running as root, permissions and NFS exports.