Via digininja's Twitter account I found this blog post, which describes a set of Metasploit Linux Post Exploitation modules.
I think the list of executed commands is more or less complete, but I would also add the following:
# currently logged-in users and the server uptime
w
# all open sockets (TCP, UDP and Unix) including listening ones, with the owning PID/program name. Run it as root, otherwise only your own processes are resolved; on newer systems netstat may be gone and ss -pan gives the same view
netstat -pan
# same as before but only network (TCP and UDP) files; -n and -P keep hosts and ports numeric so nothing waits on DNS
lsof -nP -i
# the mount command only displays the currently mounted devices. fstab may also contain a commented-out line or a device marked noauto that is never mounted automatically
cat /etc/fstab
# Is the server exporting NFS volumes? And to whom (*, no_root_squash)?
cat /etc/exports
# tree view of all the processes
ps faxu
# last users who logged in to the system, read from wtmp. The -a flag puts the complete remote hostname in the last column
last -a
# similar to the previous one, but one line per account in /etc/passwd with its last login, including accounts that have never logged in
lastlog
# quick view of the log retention policy on the machine: how many rotated files are kept and how far back they go. The logrotate default is 4 weeks' worth of logs
ls -lat /var/log
# Are they sending logs to a centralized system? Look for @host (UDP) or @@host (TCP) actions. On rsyslog-based systems the configuration lives in /etc/rsyslog.conf and /etc/rsyslog.d/ instead
cat /etc/syslog.conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null
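Reading those three files by hand gets slow on a box with a long fstab or a big rsyslog configuration, so here is a small set of shell helpers that pull out only the lines that matter for the questions above: devices that mount would not show, NFS exports open to anyone or weakened with no_root_squash, and the hosts that receive a copy of the logs. This is an added example and not code from the original post or from the Metasploit modules it links to; the three sample files it builds in a temporary directory are constructed for the demonstration, and the hostnames and addresses in them are made up. Point the functions at /etc/fstab, /etc/exports and /etc/rsyslog.conf (or /etc/syslog.conf) to use them on a real target.

```sh
#!/bin/sh
# Added example (not from the original post): triage helpers for the three files
# the list above tells you to cat. Each function takes a path, so it works on a
# live host or on the constructed samples written below.

# fstab entries that `mount` will not show: commented-out device lines
# (device, UUID=, LABEL= or host:/path followed by a mount point) and noauto mounts.
fstab_hidden_entries() {
    grep -E '^[[:space:]]*#[[:space:]]*(/|UUID=|LABEL=|[^[:space:]#]+:/)[^[:space:]]*[[:space:]]+/|^[^#].*[[:space:],]noauto' "$1"
}

# NFS exports granted to any client (*) or weakened with no_root_squash / insecure.
nfs_risky_exports() {
    grep -E '^[^#].*([[:space:]]\*([[:space:](]|$)|no_root_squash|insecure)' "$1"
}

# Hosts that receive a copy of the logs: @host (UDP) or @@host (TCP) as the action
# in the classic selector syntax, plus target="host" in rsyslog RainerScript actions.
remote_log_targets() {
    awk '!/^[ \t]*#/ && $NF ~ /^@@?[^@]/ { sub(/^@@?/, "", $NF); print $NF }' "$1"
    sed -n 's/.*target="\([^"]*\)".*/\1/p' "$1"
}

# Constructed sample files (hostnames and addresses are made up for the example).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_FSTAB="$WORK/fstab"
SAMPLE_EXPORTS="$WORK/exports"
SAMPLE_SYSLOG="$WORK/rsyslog.conf"

cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab: static file system information (constructed sample)
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-2222 / ext4 errors=remount-ro 0 1
/dev/sdb1 /mnt/backup ext4 defaults,noauto 0 2
#nas01:/export/home /home/nfs nfs defaults 0 0
EOF

cat > "$SAMPLE_EXPORTS" <<'EOF'
# /etc/exports (constructed sample)
/export/home 10.0.0.0/24(rw,sync,root_squash)
/export/public *(ro,sync)
/srv/backup backup01(rw,no_root_squash)
EOF

cat > "$SAMPLE_SYSLOG" <<'EOF'
# /etc/rsyslog.conf (constructed sample)
$ModLoad imuxsock
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
*.* @@siem.corp.example:514
auth,authpriv.* @10.0.0.5
action(type="omfwd" target="collector.corp.example" port="6514" protocol="tcp")
EOF

# On a live host: triage /etc/fstab /etc/exports /etc/rsyslog.conf
triage() {
    echo "== fstab entries that mount will not show =="
    fstab_hidden_entries "$1" || echo "(none)"
    echo "== NFS exports open to everyone or without root squashing =="
    nfs_risky_exports "$2" || echo "(none)"
    echo "== remote log destinations =="
    remote_log_targets "$3"
}

triage "$SAMPLE_FSTAB" "$SAMPLE_EXPORTS" "$SAMPLE_SYSLOG"
```

The grep patterns are deliberately narrow: a commented fstab line only counts if it still looks like a device plus a mount point, so the usual header comments are skipped, and an export is only flagged for the client part or the two options that matter, not for every rw. The log check finds UDP and TCP forwarding in both syntaxes; a target that is a hostname rather than an address is worth resolving from the box itself, since it tells you where the SOC is looking.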