Post Exploitation Recon

I frequently experience dead-ends on the more difficult CTF boxes. I’ve found that once I have acquired a reverse shell I need to do some extensive internal recon. Sometimes the service that will be vulnerable is hidden and you must find it. Here are some ideas…

Running nmap Through a SOCKS4 Proxy (SSH) with Proxychains

Connect to the remote host (server) over SSH and open a dynamic port forward with the -D option. SSH then listens on the given local port as a SOCKS proxy and tunnels every connection made to it through the remote host, so those connections originate from the server and see its internal network.

ssh -D 1080 root@192.168.0.20

Update your proxychains.conf (sudo vim /etc/proxychains.conf) so that the line below is the only enabled entry in the [ProxyList] section. Any other proxy left enabled there would be chained in as well, and we only want traffic to go through the local SSH proxy. (OpenSSH’s -D also speaks SOCKS5, so socks5 127.0.0.1 1080 works just as well.)

socks4 127.0.0.1 1080

By prepending proxychains we route the command’s TCP connections through the proxy, so the nmap probes are made from the remote server. Two caveats: SOCKS only carries TCP connect() requests, so nmap must use a full connect scan (-sT) and skip host discovery (-Pn); the default SYN scan, ICMP pings and UDP probes are sent raw from your own machine and bypass the tunnel entirely. And 127.0.0.1 here is the loopback interface of the remote server, which is exactly where services bound only to localhost hide.

proxychains nmap -n -sT -Pn 127.0.0.1

Scanning for Other Hosts

You can also sweep the server’s internal subnet for other hosts, again with -sT and -Pn. Keep the port list comma-separated with no spaces (nmap would otherwise treat “443,” and “22” as targets), and keep it short: every probe is a full SOCKS handshake through the tunnel, so proxied scans are slow.

proxychains nmap -n -sT -Pn -p 22,80,443 192.168.10.0/24
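To make the SOCKS caveat concrete, here is the handshake proxychains performs for every nmap -sT probe, as an added Python example that is not part of the original page or of proxychains. It builds a SOCKS4 CONNECT request, interprets the proxy’s 8-byte reply, and sweeps a port list through the proxy. The proxy address 127.0.0.1:1080 matches the ssh -D command above; the target and port list are assumptions.

```python
"""SOCKS4 TCP connect scan: the same handshake proxychains performs for each nmap -sT probe."""
import socket
import struct

# SOCKS4 reply codes from the SOCKS4 protocol description.
SOCKS4_GRANTED = 0x5A   # request granted: the proxy reached target_ip:port
SOCKS4_REJECTED = 0x5B  # request rejected or failed: treat the port as closed/filtered


def socks4_connect_request(target_ip, target_port, userid=""):
    """Build a SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.

    The proxy (here, the local end of `ssh -D`) opens the TCP connection itself.
    This is why only full connect() scans can be proxied: the protocol has no
    way to express a raw SYN probe, an ICMP echo or a UDP datagram.
    """
    return (struct.pack("!BBH", 4, 1, target_port)
            + socket.inet_aton(target_ip)
            + userid.encode("ascii") + b"\x00")


def parse_socks4_reply(reply):
    """Return True if the 8-byte reply (VN=0, CD, DSTPORT, DSTIP) says CONNECT was granted."""
    if len(reply) != 8:
        raise ValueError(f"short or malformed SOCKS4 reply: {reply!r}")
    vn, cd = reply[0], reply[1]
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    return cd == SOCKS4_GRANTED


def probe_port(proxy_host, proxy_port, target_ip, target_port, timeout=3.0):
    """Ask the proxy to connect to target_ip:target_port.

    True means the port is open *from the proxy's vantage point* (the SSH
    server's network), so 127.0.0.1 here is the remote host's loopback, not ours.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(socks4_connect_request(target_ip, target_port))
        reply = s.recv(8)
    return parse_socks4_reply(reply)


def connect_scan(proxy_host, proxy_port, target_ip, ports):
    """Return the ports the proxy could reach; a closed connection or bad reply counts as closed."""
    open_ports = []
    for port in ports:
        try:
            if probe_port(proxy_host, proxy_port, target_ip, port):
                open_ports.append(port)
        except (OSError, ValueError):
            pass
    return open_ports


if __name__ == "__main__":
    # Assumes `ssh -D 1080 root@192.168.0.20` is already listening locally, as on the page.
    # Target and port list are assumptions for illustration.
    print(connect_scan("127.0.0.1", 1080, "127.0.0.1", [22, 80, 443, 3306, 8080]))
```

Run it with the ssh -D session open and it reports the ports the remote server can reach on its own loopback. Proxychains does the same thing for each connect() nmap makes, which is the whole reason -sT is required.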

pspy

pspy is a statically linked Go binary (no Python, and no root needed) that watches procfs and uses inotify on the filesystem to log processes as they start, including short-lived ones launched by cron jobs whose crontabs you are not allowed to read. This is very useful for finding hidden services or scripts that run intermittently.

It comes in handy on the VulnHub box Symfonos 3.

GitHub: pspy (https://github.com/DominicBreuker/pspy)
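The core of what pspy does is simple enough to reproduce when you cannot drop a binary on the box. The Python below is an added example, not pspy’s own code: it snapshots /proc repeatedly and prints any PID that appeared since the last pass, with its UID and command line, which is how cron-launched scripts show up. It only polls, so unlike pspy (which also reacts to inotify events) it can miss processes that live shorter than the polling interval. The interval and duration are assumptions.

```python
"""Poll /proc for newly started processes, the way pspy surfaces hidden cron jobs."""
import os
import time


def snapshot_procs(proc_root="/proc"):
    """Map pid -> (uid, cmdline) for every process currently visible in procfs.

    Needs no privileges: /proc/<pid>/cmdline is world-readable unless procfs is
    mounted with hidepid, in which case other users' entries are simply absent.
    """
    procs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").strip().decode(errors="replace")
            uid = os.stat(f"{proc_root}/{name}").st_uid  # owner of the /proc entry = process uid
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited between listdir() and open(), or hidepid is in effect
        procs[int(name)] = (uid, cmdline)
    return procs


def new_processes(before, after):
    """Return [(pid, uid, cmdline)] for pids present in `after` but not in `before`."""
    return [(pid, *after[pid]) for pid in sorted(after.keys() - before.keys())]


def watch(interval=0.1, duration=60.0):
    """Print every process that appears during `duration` seconds (both values assumed)."""
    before = snapshot_procs()
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        after = snapshot_procs()
        for pid, uid, cmd in new_processes(before, after):
            print(f"{time.strftime('%H:%M:%S')} UID={uid:<5} PID={pid:<6} | {cmd}")
        before = after


if __name__ == "__main__":
    watch()
```

Leave it running for a couple of minutes: a root-owned /bin/sh -c /some/script.sh that appears once a minute is a cron job, and the script path is the next thing to inspect for writable files or missing binaries in its PATH.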

Packet Dumping

If you are on the host and tcpdump is available (capturing normally needs root or CAP_NET_RAW), you can record traffic and look for credentials or other sensitive data sent in cleartext: FTP, Telnet, HTTP Basic auth, SMTP/POP3/IMAP logins, database connections. List the interfaces tcpdump can capture on first, then write a capture to a file that you can pull back and open in Wireshark.

tcpdump -D
tcpdump -w dump.pcap -i eth0
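Once dump.pcap is back on your machine, Wireshark will do the job, but pulling credentials out of a capture is also a short script. The following is an added Python example, not code from the original page: it parses the classic libpcap format that tcpdump -w writes (Ethernet link type, IPv4, TCP only), walks each TCP payload, and reports FTP USER/PASS commands and decoded HTTP Basic Authorization headers. The embedded capture is constructed in the script itself so it runs offline; its addresses and secrets are invented.

```python
"""Extract cleartext credentials (FTP USER/PASS, HTTP Basic) from a libpcap file."""
import base64
import re
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}           # microsecond and nanosecond variants

FTP_LOGIN_RE = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.M)
HTTP_BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", re.I)


def tcp_payloads(pcap):
    """Yield ("src:port", "dst:port", payload) for every TCP segment carrying data.

    Handles classic pcap in either byte order, Ethernet link type, IPv4 only;
    anything else (ARP, IPv6, UDP, empty ACKs) is skipped.
    """
    if struct.unpack_from("<I", pcap, 0)[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack_from(">I", pcap, 0)[0] in PCAP_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng needs a different parser)")
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, off)[2]   # ts_sec, ts_usec, incl_len, orig_len
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < ETH_HDR_LEN + 20:
            continue
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[ETH_HDR_LEN:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]      # data offset is the high nibble of byte 12
        if payload:
            yield f"{src}:{sport}", f"{dst}:{dport}", payload


def find_credentials(pcap):
    """Return (src, dst, kind, secret) tuples for FTP logins and HTTP Basic headers."""
    found = []
    for src, dst, payload in tcp_payloads(pcap):
        for cmd, value in FTP_LOGIN_RE.findall(payload):
            found.append((src, dst, "ftp " + cmd.decode().lower(), value.decode(errors="replace")))
        for token in HTTP_BASIC_RE.findall(payload):
            try:
                creds = base64.b64decode(token, validate=True).decode(errors="replace")
            except ValueError:                    # not valid base64; ignore it
                continue
            found.append((src, dst, "http basic", creds))
    return found


def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame wrapped in a little-endian pcap record (checksums zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    pkt = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt


# Constructed sample capture (addresses and secrets are invented), standing in for dump.pcap.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, LINKTYPE_ETHERNET
    + _frame("192.168.10.7", "192.168.10.20", 51234, 21, b"USER anonymous\r\n")
    + _frame("192.168.10.20", "192.168.10.7", 21, 51234, b"331 Please specify the password.\r\n")
    + _frame("192.168.10.7", "192.168.10.20", 51234, 21, b"PASS hunter2\r\n")
    + _frame("192.168.10.7", "192.168.10.20", 51236, 80,
             b"GET /admin HTTP/1.1\r\nHost: 192.168.10.20\r\nAuthorization: Basic "
             + base64.b64encode(b"admin:s3cret") + b"\r\n\r\n")
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for src, dst, kind, secret in find_credentials(data):
        print(f"{src} -> {dst}  {kind}: {secret}")
```

Run it as python3 creds.py dump.pcap against a real capture (the filename is an assumption); with no argument it runs against the embedded sample. The parser reads the whole TCP payload of each segment, so a login split across segments would need reassembly, which Wireshark’s Follow TCP Stream gives you for free.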