Loot
Grab all the things
Passwords and hashes
First grab the passwd and shadow file.
Crack the password using john the ripper
like this:
Interesting files
Mail
Tcp-dump
Fast command:
First figure out what interfaces the machine is using: ifconfig
. Then you can just start tapping in on that and start to capture those packets.
Commands and flags
Let's start with the basics. tcpdump
- this command will output all network traffic straight to the terminal. Might be hard to understand if there is a lot of traffic.
-A
- stands for Ascii, and output it in ascii.
-w file.pcap
- the w-flag will save the output into the filename of your choice. The traffic is stored in pcap-format, which is the standard packet-analysis-format.
-i any
- will capture traffic for all interfaces.
-D
- show list of all interfaces
-q
- be less verbose. Be more quiet
-s
- The default size that tcpdump captures is only 96 bytes. If you want it to capture more you have to define it yourself -s0
gives you the whole packet.
-c
- count. Set how many packets you want to intercept. And then stop. Is useful if you have a non-interactive shell, this way to can capture packets without having to leave with ctr-c
.
port 22
- only see traffic on a specific port.
-vvv
- Verbose. Depending on how verbose you want the output.
Useful commands
Lots of good stuff here http://www.rationallyparanoid.com/articles/tcpdump.html
This will grep all GET from the wlan0 interface. This will not get any SSL-encrypted traffic.
Print the traffic in hex with ascii interpretation.
Only record tcp-traffic
Sniffing for passwords
Once we have dumped some of the traffic we can insert it into metasploit and run psnuffle
on it. It can sniff passwords and usernames from pop3, imap, ftp, and HTTP GET. This is a really easy way to find usernames and passwords from traffic that you have already dumped, or are in the process of dumping.
https://www.offensive-security.com/metasploit-unleashed/password-sniffing/
References
http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/
https://danielmiessler.com/study/tcpdump/
https://www.sans.org/reading-room/whitepapers/testing/post-exploitation-metasploit-pivot-port-33909
Last updated