Post-exploitation scripting (Part 2)

Gathering Network Information

Read part 1 here: Post-exploitation scripting (Part 1)

  • Why Post-Exploitation Is Important
  • Windows Shell Commands
  • Gathering Network Information
  • Scripting Metasploit Meterpreter
  • Database Post-Exploitation



Adding users and groups

Now that we know how to list users, let's create new users. Creating accounts shows that we acquired administrative access to the machine, but it can also open the door for someone else to compromise the machine if we pick a weak password. We will use the net user and net localgroup commands to create our users and groups.

net user admin SecUr3P4Ssw0Rd! /add
net localgroup "System Admins" /add
net localgroup Administrators "System Admins" /add
net localgroup "System Admins" admin /add

Figure: Contents of c:\groups.txt

When adding new users to the system, we have to be careful to make sure we are not making it weaker by testing the system. Only use strong passwords. Our testing career will be short-lived if we facilitate other people getting into the systems we are testing!

We begin by adding a new user called admin with a password of SecUr3P4Ssw0Rd!. Using the user admin may reduce our chances of detection, as it sounds like a legitimate username. We create a new local group called System Admins and then add that group to the Administrators group. Now, any user inserted into the System Admins group will be an administrator due to inheritance, so we add our admin user to the System Admins group. We now have our own admin user on the system. If we wanted to do this within the domain, we would add a /DOMAIN flag to the user creation, and instead of localgroup we'd use the net group command. If our local admin user is created successfully, our output should appear similar to the figure.

Figure: Adding a Local Admin User in Windows

Once we gain access into a new host on a network, we want to find out as much as possible about the network where that host lives. We want to know what other hosts are there, what type of networks the host can access, and to whom the host is talking. To determine these things, it is helpful if we have some basic shell scripts handy to pull this information quickly.

Windows network information gathering

When looking at a Windows box, a number of things interest us. We want to know what interfaces a machine has, to determine what network the host is on and how large the network is. We want the routing table, to know more about the gateway and any special routing rules in place. We want to know about open connections and the processes managing them, so we can identify the system's function and with what other systems it is communicating.

ipconfig /all >> c:\network.txt
route print >> c:\network.txt
arp -a >> c:\network.txt
netstat -ano >> c:\network.txt
tasklist /V >> c:\network.txt

To gather information about all network interfaces on the system, including important details such as Domain Name System (DNS) servers, Dynamic Host Configuration Protocol (DHCP) servers, and DNS names, we use the ipconfig command. The /all flag tells ipconfig to give us all the information it has about the network interfaces, so that we aren't missing anything. We send the output into the network.txt file so that we can offload one file with all our data. The route command with the print argument displays all routing information for the system. From here we can determine the default gateway and see any special routing rules. This will be useful in determining what types of attacks will give us the best result for pivoting to the next resource. The arp command allows us to manipulate the system's Address Resolution Protocol (ARP) table, and the -a flag tells arp to print all the ARP entries it has cached. This tells us which other systems on the local network the host already knows about, without our having to send out additional traffic. The netstat command lists the open network connections and other network statistics. When using netstat, the -a option tells it to list all the connections, the -n option tells it to use numeric output only so that it does not attempt DNS resolution, and the -o option lists the process ID that owns each connection. While this tells us which connections are open, we only know which process ID is using them. When we merge this information with the output of the tasklist command, we can see which application is using each connection. The tasklist command lists all the processes running on the system, and with the verbose option, /V, we get the process name, the ID, and even the path to the binary. This is useful both when we're looking at system information on a target host and when we're troubleshooting malware.
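The merge step described above, matching the PID column of netstat -ano against tasklist so that each connection is shown with the image that owns it, is easier to see as code. The script below is an added example and is not part of the original post or the book it quotes. It is a POSIX shell/awk script intended for analysing captured output offline (for instance on an analyst's workstation when triaging a suspect host), and both captures are constructed sample text, not real data. It assumes the process list was collected with tasklist /FO CSV (a real tasklist switch that emits CSV, which is far simpler to parse than the default fixed-width table); the function name join_connections is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): join the PID column of
# "netstat -ano" output with the PID column of "tasklist /FO CSV" output,
# so each open connection is printed together with its owning image name.

# Constructed sample of "netstat -ano" output. The PID is always the last
# field; UDP rows carry no State column, so field counts differ per row.
NETSTAT_SAMPLE='
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED     4120
  UDP    0.0.0.0:123            *:*                                    1280
'

# Constructed sample of "tasklist /FO CSV" output (header row included).
TASKLIST_SAMPLE='"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","9,184 K"
"explorer.exe","4120","Console","1","61,020 K"
"w32tm.exe","1280","Services","0","4,100 K"'

# join_connections NETSTAT_TEXT TASKLIST_CSV
# Prints one line per connection: PROTO LOCAL REMOTE STATE PID IMAGE
# (STATE is "-" for UDP rows; IMAGE is "unknown" when the PID is absent
# from the task list, which itself is worth a second look).
join_connections() {
    printf '%s\n' "$1" | TASKLIST_CSV="$2" awk '
        BEGIN {
            # Build pid -> image map from the CSV passed via the environment.
            n = split(ENVIRON["TASKLIST_CSV"], rows, "\n")
            for (i = 2; i <= n; i++) {           # row 1 is the CSV header
                m = split(rows[i], f, "\",\"")   # split on the quote-comma-quote boundary
                if (m < 2) continue
                sub(/^"/, "", f[1])              # drop the leading quote of the first cell
                image[f[2]] = f[1]
            }
        }
        $1 == "TCP" || $1 == "UDP" {
            pid   = $NF
            state = (NF == 5) ? $4 : "-"
            name  = (pid in image) ? image[pid] : "unknown"
            print $1, $2, $3, state, pid, name
        }
    '
}

# Stand-alone demonstration over the constructed samples.
join_connections "$NETSTAT_SAMPLE" "$TASKLIST_SAMPLE"
```

Because the output is plain whitespace-separated text, it can be sorted by image name or grepped for ESTABLISHED rows to see, per process, which remote hosts a machine is actually talking to.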

Linux network information gathering

Many of the commands we used when gathering Windows information are going to be similar on Linux. We want to gather the IP addresses on the system, the route, the DNS information, and the network connections along with the processes that own them. In order to gather the information about which process owns each connection, we will need to be root on the system.
Let's build our script:

ip addr >> /tmp/net.txt
echo "-------------" >> /tmp/net.txt
cat /etc/resolv.conf >> /tmp/net.txt
echo "-------------" >> /tmp/net.txt
netstat -rn >> /tmp/net.txt
echo "-------------" >> /tmp/net.txt
netstat -anlp >> /tmp/net.txt

For each Linux command we run, we may not have a distinct header to indicate where a new command's output begins, so we add a line separator between commands to make each command's output easy to find. We begin with the ip command, which shows information about the IP stack; the addr option tells it to list each IP address on the system. To determine DNS information there isn't an easy command to run like there is on Windows; the easiest way is to look in the /etc/resolv.conf file. This is the configuration file for the system's DNS settings, and since the system tools consult this file, it should be good enough for us. To gather routing and other connection information, we can use the netstat command, just like on Windows. To gather the routing information, we use the -r option. By adding the -n option to any netstat command, we instruct it not to use DNS resolution, which would slow down our execution. Once the routing information is written to our file, we use netstat again to print all the connections along with the process that owns each one. The -a flag tells netstat to print all connections, the -l flag tells it to include listening sockets as well, and the -p flag tells it to print the process that owns each connection. We now know all we want to know about the networking on the host we have compromised. If we also wanted to know about the users on the system, we could grab the /etc/passwd file. This file contains most of the login information about each user on the system: the user ID, the home directory, the default shell, and frequently information such as name and office number. To learn more about the /etc/passwd file, we can use the man 5 passwd command, which explains what each field in the file holds.
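The paragraph above names the fields of /etc/passwd but does not show how to read them. The script below is an added example, not from the original post or the book it quotes. It is a POSIX shell/awk script over constructed sample entries (no real system file is read) that walks the seven colon-separated fields described in passwd(5) and reports the two things an account review most often looks for: which accounts can open an interactive shell, and whether any account other than root carries UID 0, a second root-equivalent account being a classic sign that someone has added their own administrator. The function names list_login_accounts and list_uid0_aliases are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): parse passwd(5) entries and
# summarise which accounts can actually log in. Fields, colon separated:
#   1 name  2 password-or-x  3 UID  4 GID  5 GECOS  6 home  7 shell

# Constructed sample entries; the GECOS field may itself contain commas.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,Room 101,555-0100:/home/alice:/bin/bash
backup:x:0:0:backup operator:/var/backups:/bin/sh'

# list_login_accounts PASSWD_TEXT
# Prints "user uid home shell" for every account whose shell is not a
# nologin/false shell, i.e. every account that can open an interactive session.
list_login_accounts() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 7 && $7 !~ /(nologin|false)$/ { print $1, $3, $6, $7 }
    '
}

# list_uid0_aliases PASSWD_TEXT
# Prints every account other than root whose UID is 0. Any hit here is a
# root-equivalent account that should be explained or removed.
list_uid0_aliases() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 7 && $3 == 0 && $1 != "root" { print $1 }
    '
}

# Stand-alone demonstration over the constructed sample.
echo "Accounts with an interactive shell:"
list_login_accounts "$PASSWD_SAMPLE"
echo "UID 0 accounts other than root:"
list_uid0_aliases "$PASSWD_SAMPLE"
```

On a live system the same functions can be fed the real file with list_login_accounts "$(cat /etc/passwd)"; the UID check is cheap enough to run from a periodic integrity job, and comparing its output against a known-good baseline surfaces exactly the kind of account creation the first section of this post walks through.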

The man command allows us to reference system documentation from within the system itself. To find information about a command, type man <commandname> or man -k <concept>, where <concept> can be anything from passwords to strings. The -k option searches the manual pages by keyword, so if we don't find what we're looking for using the command name, we can search for the concept we are looking for to find the answer.

Regards to the original author of the book!
