Linux Post Exploitation Command List


When gathering information for privilege escalation after access to a host has been obtained, the information we collect falls into several subcategories:

  • System
  • Network Information
  • Environment Variables
  • User Information
  • Finding Important Files
  • Services
  • Cronjobs
  • Installed Software Version Information
  • Cleartext Credentials

System

Hostname

hostname

Kernel Version

uname -a
uname -mrs
dmesg | grep Linux
ls /boot | grep vmlinuz-

Operating System

cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

Running Processes

ps auxw

Last logged-on users

last -a

Network Information

IP address

ifconfig

Network Routes

route -n

Network configuration settings: what can you find out about this network (DHCP server, DNS server, gateway)?

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

Arp Cache

arp -a

Current Network Connections

netstat -auntp

Which users and hosts are communicating with the system

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn

Environment Variables

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

User Information

Files owned by the current user (substitute the account name for `username`)

find / -user username

UID and GID Information for all users

for user in $(cut -d: -f1 /etc/passwd); do id "$user"; done

Root accounts (every entry with UID 0, not only those whose UID:GID pair is literally 0:0)

awk -F: '$3 == 0 {print $1}' /etc/passwd

Samba’s own database

pdbedit -L -w

Finding Important Files

find /var -type d
ls -dl $(find /var -type d)
ls -dl $(find /var -type d) | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
find /home -type f -iname '.*history'
locate tar | grep '\.tar$'
locate tgz | grep '\.tgz$'
locate sql | grep '\.sql$'
locate settings | grep '\.php$'
locate config.inc | grep '\.php$'
locate .xml | grep '\.xml'
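The `find / -perm -4000` line above is also the basis of a simple defensive control. The following is an added example (not from the original page): it records the setuid/setgid files once on a known-good system and later reports anything that has appeared since. The baseline path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added defender-side example, not from the original page: turns the page's
# setuid search (find / -perm -4000) into a baseline check. Record the
# setuid/setgid files once on a known-good system, then report anything
# that has appeared since; a new setuid file outside the package set is
# worth an alert. The baseline file path in the usage comment is assumed.

# List setuid (4000) and setgid (2000) regular files under $1, one per line,
# sorted so the result can be compared with comm(1).
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Write the baseline for directory $1 to file $2.
record_setid_baseline() {
    list_setid_files "$1" > "$2"
}

# Print files under $1 that are setuid/setgid now but absent from the
# baseline file $2. Returns 0 when nothing new was found, 1 otherwise.
report_new_setid_files() {
    new=$(list_setid_files "$1" | comm -13 "$2" -)
    if [ -z "$new" ]; then
        return 0
    fi
    printf '%s\n' "$new" | sed 's/^/NEW_SETID /'
    return 1
}

# Usage: record_setid_baseline / /var/lib/setid.baseline   (once, as root)
#        report_new_setid_files / /var/lib/setid.baseline  (from a daily job)
```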

Sensitive data

Sensitive files that may be readable

cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

Private-key information

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

Log files

cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp

Services

Which services are configured on the system, and which ports are they opening?

netstat -auntp

Which service configuration files are readable or modifiable by our current user?

find /etc/init.d/ ! -uid 0 -type f 2>/dev/null |xargs ls -la

Do the configuration files contain any information we can use to our advantage?

cat /etc/mysql/my.cnf

Can we stop or start the service as our current user?

service <service_name> start|stop

Cronjobs

Which tasks is the system configured to run, and at which times?

crontab -l 2>/dev/null
ls -alh /var/spool/cron 2>/dev/null
ls -al /etc/ | grep cron 2>/dev/null
ls -al /etc/cron* 2>/dev/null
cat /etc/cron* 2>/dev/null
cat /etc/at.allow 2>/dev/null
cat /etc/at.deny 2>/dev/null
cat /etc/cron.allow 2>/dev/null
cat /etc/cron.deny 2>/dev/null
cat /etc/crontab 2>/dev/null
cat /etc/anacrontab 2>/dev/null
cat /var/spool/cron/crontabs/root 2>/dev/null

Are any custom jobs or tasks configured to run as root world-writable?

find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
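The two checks above (init scripts not owned by root, and world-writable root cron jobs) are the same conditions a defender should audit routinely, since a file that a privileged scheduler executes but an unprivileged user can edit is a direct root-escalation path. The following is an added example, not code from the original page: it wraps the page's two `find` predicates into a reusable audit function that labels each finding and returns a status suitable for a monitoring job. Directory names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added defender-side example, not from the original page. It reuses the two
# predicates from the page's one-liners (-perm -0002, the octal form of
# -perm -o+w, for world-writable; ! -user root for files not owned by root)
# to audit a directory that a privileged scheduler reads, such as /etc/cron.d
# or /etc/init.d, and reports files an unprivileged user could alter.

# Print each regular file under $1 that is world-writable, one per line.
find_world_writable() {
    find "$1" -type f -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} \; 2>/dev/null
}

# Print each regular file under $1 that is not owned by root.
find_non_root_owned() {
    find "$1" -type f ! -user root -exec printf 'NOT_ROOT_OWNED %s\n' {} \; 2>/dev/null
}

# Number of world-writable files under $1 (independent of the uid the audit
# runs as, unlike the ownership check, so it is usable as a self-test).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Run both checks on a directory and print the findings.
# Returns 0 when the directory is clean, 1 when anything was found and
# 2 when the directory does not exist, so it can gate a scheduled check.
audit_scheduler_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_scheduler_dir: no such directory: $dir" >&2
        return 2
    fi
    findings=$( { find_world_writable "$dir"; find_non_root_owned "$dir"; } | sort -u )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage (assumed paths): audit_scheduler_dir /etc/cron.d || echo "cron files need attention"
```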

Installed Software Version Information

Which software packages are installed on the system?

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l

Cleartext Credentials

There are a number of additional useful one-liners and commands we can use to help us gather information from Linux systems. Search configuration files for the string "password":

grep -r password /etc/*.conf 2> /dev/null

Find dotfiles with "history" in their names (e.g. .bash_history); the pattern is quoted so the shell does not expand it before find sees it

find / -name '*.*history*' -print 2>/dev/null

Grep the Apache access.log file for "user" and "pass" strings

grep -E "^user|^pass" /var/log/apache/access.log

Dump cleartext Pre-Shared Wireless Keys from Network Manager

cat /etc/NetworkManager/system-connections/* |grep -E "^id|^psk"