Post exploitation is an important process in a penetration test as it allows the attacker to gather information from the system that he has exploited. A lot of penetration testers use the Metasploit Framework modules for system exploitation. However, Metasploit also provides modules for post exploitation activities for a variety of systems. In this article we will examine how we can use Metasploit to perform post exploitation on a Linux system.

We will assume that we have already exploited the system, so we will put the session in the background with Ctrl+Z.

Putting the session in the background


It is necessary to know the session ID for the post exploitation modules that we are going to use. This can be obtained with the command sessions.

Obtain the Session ID


As we can see, the ID is 1. One of the first modules that we are going to try is hashdump, which will try to collect the password hashes of the system. The only setting that we need to insert is the session ID, which is already known from before.

Configuring the hashdump module


Collecting Password Hashes


Another useful module is checkvm, which will try to discover if the system is a virtual machine. From the image below it seems that our system is a VMware virtual machine.

Virtual machine discovery


Another very interesting post exploitation module of Metasploit is enum_configs, which will obtain all the important configuration files and store them on our system. In the next image we can see the command that we have used for this module and a sample of the configuration files that it has obtained from the remote system.

Sample of Configuration files obtained


Now, if we want to check these .txt files, we can open another console and type, for example: nano /root/.msf4/loot/20130104144725_default_172.16.212.133_linux.enum.conf_373751.txt

Opening the conf files


We can also enumerate the network configurations with the enum_network module.

Enumerating network information


If we want to discover what kind of installations exist on the remote system, like IDS, antivirus, firewalls etc., then we can use the following module:

Enumerating Protections


We can also enumerate the entire system by obtaining information regarding the user accounts, the installed packages, the services, the hard disk, the Linux version etc.

Enumerating the system


Essential information can also be discovered from the user history. Of course there is a Metasploit module for this as well, which will store this kind of information on our local system.

Gathering User History Information


Last Logs
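
The modules above read the password hashes, configuration files and user history from one session in quick succession, which is visible to file-access auditing on the target. The following is an added example, not part of the original article or of Metasploit: it correlates auditd SYSCALL and PATH records and flags a session that reads /etc/shadow together with several other watched files inside a short window. It assumes audit watch rules already exist for these paths; the watched-path list, the thresholds and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the paths worth watching; align this with your own audit rules.
WATCHED = re.compile(r"^/etc/(shadow|passwd|sudoers|ssh/sshd_config|.+\.conf)$"
                     r"|/\.\w+_history$")
EVENT = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: abbreviated auditd SYSCALL/PATH record pairs.
def _pair(ts, eid, ses, path):
    head = f"msg=audit({ts}.000:{eid}):"
    return [f'type=SYSCALL {head} syscall=2 success=yes pid=4112 ses={ses} comm="cat"',
            f'type=PATH {head} item=0 name="{path}" nametype=NORMAL']

SAMPLE = sum([
    _pair(1357310845, 901, 7, "/etc/shadow"),
    _pair(1357310846, 902, 7, "/etc/passwd"),
    _pair(1357310851, 903, 7, "/etc/ssh/sshd_config"),
    _pair(1357310852, 904, 7, "/etc/resolv.conf"),
    _pair(1357310860, 905, 7, "/root/.bash_history"),
    _pair(1357310900, 906, 3, "/etc/ssh/sshd_config"),  # lone admin check
    _pair(1357310910, 907, 5, "/etc/passwd"),           # routine lookup
], [])

def parse(lines):
    """Merge SYSCALL and PATH records that share an audit event id."""
    events = defaultdict(dict)
    for line in lines:
        m = EVENT.search(line)
        if m:
            ev = events[m.group(2)]
            ev["ts"] = int(m.group(1))
            ev.update((k, v.strip('"')) for k, v in FIELD.findall(line)
                      if k in ("ses", "name", "success"))
    return list(events.values())

def detect(lines, window=60, min_files=4):
    """Sessions that read /etc/shadow plus >= min_files watched files in `window` s."""
    reads = defaultdict(list)
    for ev in parse(lines):
        if ev.get("success") == "yes" and WATCHED.search(ev.get("name", "")):
            reads[ev.get("ses", "?")].append((ev["ts"], ev["name"]))
    alerts = {}
    for ses, items in reads.items():
        for start, _ in sorted(items):
            files = {n for t, n in items if 0 <= t - start <= window}
            if "/etc/shadow" in files and len(files) >= min_files:
                alerts[ses] = sorted(files)
                break
    return alerts
```

Running detect(SAMPLE) flags only session 7; the single sshd_config read in session 3 and the /etc/passwd lookup in session 5 stay below the threshold.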


Conclusion

In this article we examined the post exploitation modules of the Metasploit Framework that can be used against a Linux system and what kind of information they can obtain. From the information that we have gathered we can of course conduct further attacks on this system and we can even find alternate ways of exploitation. Additionally, during our post exploitation activities we can discover usernames and even plain text passwords, and these credentials can be re-used later on other systems on the network.
