Once a system has been compromised, the attacker needs to gain critical information about that system, its network environment, users, and user accounts. Usually, they will enter a series of commands or a script that invokes these commands from the shell prompt.
If the compromised system is based on the Unix platform, typical local reconnaissance commands will include the following:
| Command | Description |
|---|---|
| `/etc/resolv.conf` | Use the copy command to access and review the system's current DNS settings. Because it is a global file with read privileges, accessing it will not trigger alarms. |
| `/etc/passwd` and `/etc/shadow` | System files that contain usernames and password hashes. They can be copied by a person with root-level access, and the password hashes can be cracked using a tool such as John the Ripper. |
| `whoami` and `who -a` | Identify the users on the local system. |
| `ifconfig -a`, `iptables -L -n`, and `netstat -r` | Provide networking information: `ifconfig -a` gives IP addressing details, `iptables -L -n` lists all of the rules held in the local firewall (if present), and `netstat -r` displays the routing information maintained by the kernel. |
| `uname -a` | Prints the kernel version. |
| `ps aux` | Prints the currently running services, their process IDs, and additional information. |
| `dpkg -l`, `yum list \| grep installed`, and `rpm -qa --last \| head` | Identify the installed software packages. |
This table gives only a brief synopsis of the options available for each command. Refer to the appropriate command's help file for complete information on how it can be used.
For a Windows system, the following commands are typically entered:
| Command | Description |
|---|---|
| `whoami /all` | Lists the current user, SID, user privileges, and groups. |
| `ipconfig /all` and `ipconfig /displaydns` | Display information regarding the network interfaces, connectivity protocols, and the local DNS cache. |
| `netstat -bnao` and `netstat -r` | Lists the ports and connections with the corresponding executables (`-b`), without name lookups (`-n`), including all connections (`-a`), and with the process IDs (`-o`). The `-r` option displays the routing table. These require administrator rights to run. |
| `net view` and `net view /domain` | Query NBNS/SMB to locate all of the hosts in the current workgroup or domain. All of the domains that are available to the host are given by `/domain`. |
| `net user /domain` | Lists all of the users in the defined domain. |
| `net user %username% /domain` | Obtains information on the current user if they are part of the queried domain (if you are a local user, then `/domain` is not required). It includes the login times, the last time that the password was changed, the logon scripts, and the group memberships. |
| `net accounts` | Prints the password policy for the local system. To print the password policy for the domain, use `net accounts /domain`. |
| `net localgroup administrators` | Prints the members of the local Administrators group. Use the `/domain` switch to obtain the administrators for the current domain. |
| `net group "Domain Controllers" /domain` | Prints a list of domain controllers for the current domain. |
| `net share` | Displays the current shared folders and the paths that they point to; these shares may not provide sufficient access controls for the data within them. |