Wednesday, June 8, 2011

Metasploit Linux Post Exploitation

 Via digininja's Twitter account, I have found this blog post that describes a set of Metasploit Linux Post Exploitation modules.


I think the list of executed commands is more or less complete, but I would also add the following :

# currently logged users and server uptime.
w

# all opened connections (TCP,UDP and Unix sockets) and the respective PID/UID
netstat -pan

# same as before but only TCP and UDP
lsof -nn | egrep "TCP|UDP"

# the mount command only displays the currently mounted devices. We may find a commented line or a device that is not automatically mounted
 /etc/fstab

#  Is the server exporing NFS volumes?
cat /etc/exports

# tree view of all the processes
ps faxu

# last users that logged to the system. The -a flag puts the complete remote hostname on the last column
last -a

# similar to the previous one
lastlog

#  quick view of the log policy in the computer. The default is 4 weeks worth of logs.
ls -lat /var/log

# Are they sending logs to a centralized system?
cat /etc/syslog.conf

No comments:

Post a Comment