Extraction scripts for Linux & Windows footholds during penetration tests
Two lightweight scripts designed to rapidly collect sensitive artifacts, configuration leaks, and credentials from compromised DMZ hosts.
Perfect for penetration testing labs, AD environments, internal pivoting, and CTF-style workflows (CPTS, OSCP, HTB, ProLabs, etc.).
These scripts focus on gathering everything that can help you achieve the critical next step:
Turn a DMZ foothold into an internal network foothold.
dmz_loot.sh is a bash script that performs a deep but safe reconnaissance of a compromised Linux host:
- System & network fingerprinting
- User, group, sudoers, cron jobs
- SSH keys, user histories, known_hosts
- Running processes & active sockets
- Web roots + config sweeps (php, ini, xml, json, yaml, env, etc.)
- Database connection string discovery
- File-system search for password-like patterns
- Backup directories, app directories, operational scripts
- Automatic packaging into a compressed archive
```bash
chmod +x dmz_loot.sh
bash dmz_loot.sh
```
It outputs a tarball in /tmp/ containing all collected data.
dmz_loot_windows.ps1 is a PowerShell script for harvesting high-value artifacts from a Windows server/workstation foothold.
- Domain, system, and network enumeration (systeminfo, whoami /all, nltest, gpresult)
- Local users, groups, RDP/logged-on sessions
- Installed software inventory (registry parsing)
- Services, scheduled tasks, running processes
- Config file sweeps across key directories
- Credential-like keyword searches across app config files
- SSH keys, RDP files, KeePass databases, backups
- Credential Manager metadata
- Automatic ZIP packaging
```powershell
powershell -ExecutionPolicy Bypass -File .\dmz_loot_windows.ps1
```
It outputs a ZIP file in %TEMP%.
In real red team / pentest workflows, especially in exam environments, the single hardest jump is:
DMZ01 → first domain credential → internal foothold
Most of the time, the key isn't a zero-day.
It's:
- A password in a config file
- A reused service credential
- A DB connection string
- An SSH key referencing internal hosts
- A scheduled task invoking something with cleartext creds
- Browser/PowerShell history
- Backup scripts
- IIS/nginx/apache config leaks
These scripts automate harvesting all of that quickly and consistently, so you can focus on pivoting and lateral movement.
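Seen from the blue team's side, the same sweep has a recognisable shape: one login session reads SSH keys, shell histories, web and database configs and cron entries within a couple of minutes and then writes an archive under /tmp. The detector below is an added example (not part of this repository); it runs over a constructed, auditd-like record format with `ses=`, `op=` and `path=` fields and flags sessions that touch several artifact categories inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime
# Artifact categories the sweep above touches; one login session reading from
# several of them inside a short window is the behavioural signal.
SENSITIVE = {
    "ssh": re.compile(r"/\.ssh/(id_\w+|known_hosts|authorized_keys)$"),
    "history": re.compile(r"/\.(bash|zsh|mysql|psql)_history$"),
    "webcfg": re.compile(r"^/var/www/.*\.(php|ini|env|xml|json|ya?ml)$"),
    "dbcfg": re.compile(r"(my\.cnf|pg_hba\.conf|wp-config\.php|\.env)$"),
    "cron": re.compile(r"^/etc/cron|^/var/spool/cron"),
}
ARCHIVE = re.compile(r"^/tmp/.*\.(tar\.gz|tgz|zip)$")
# Constructed, auditd-like record format (not real auditd output).
LINE = re.compile(r"^(\S+) ses=(\d+) op=(read|write) path=(\S+)$")
def categorize(path):
    return {name for name, rx in SENSITIVE.items() if rx.search(path)}
def find_sweeps(lines, window_s=120, min_categories=3):
    """{session_id: alert} for sessions reading >= min_categories categories within window_s."""
    by_session = defaultdict(list)
    for m in filter(None, map(LINE.match, lines)):
        ts, ses, op, path = m.groups()
        by_session[int(ses)].append((datetime.fromisoformat(ts), op, path))
    alerts = {}
    for ses, recs in sorted(by_session.items()):
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):  # slide the window over each start point
            cats, archive = set(), None
            for t, op, path in recs[i:]:
                if (t - t0).total_seconds() > window_s:
                    break
                if op == "read":
                    cats |= categorize(path)
                elif ARCHIVE.match(path):  # loot packaged into /tmp in the same window
                    archive = path
            if len(cats) >= min_categories:
                alerts[ses] = {"categories": sorted(cats), "archive": archive}
                break
    return alerts
# Constructed sample: session 7 is a sweep, session 9 is routine admin work.
SAMPLE = """\
2024-05-01T10:00:01 ses=7 op=read path=/home/www/.ssh/id_rsa
2024-05-01T10:00:03 ses=7 op=read path=/home/www/.bash_history
2024-05-01T10:00:09 ses=7 op=read path=/var/www/html/wp-config.php
2024-05-01T10:00:15 ses=7 op=read path=/etc/crontab
2024-05-01T10:00:40 ses=7 op=write path=/tmp/dmz_loot_web01.tar.gz
2024-05-01T10:05:00 ses=9 op=read path=/var/www/html/config.php
2024-05-01T11:00:00 ses=9 op=read path=/home/dev/.ssh/known_hosts""".splitlines()
```

With real auditd this would sit behind `-w` watches on the paths above; the window and category threshold are tuning knobs, and an archive written in the same window raises the confidence of the alert.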
Linux output layout:
```
dmz_loot_HOST_YYYY-MM-DD_HH-MM-SS/
├── loot.log
├── system_network.txt
├── users_auth_cron.txt
├── processes_connections.txt
├── ssh/
├── history/
├── web_configs/
├── config_sweep/
├── db_configs/
└── archive.tar.gz
```
Windows output layout:
```
dmz_loot_HOST_YYYY-MM-DD_HH-MM-SS/
├── loot.log
├── system_network.txt
├── users_groups_sessions.txt
├── processes.txt
├── services.txt
├── scheduled_tasks.txt
├── registry/
├── filesystem/
├── user_profiles/
├── credential_manager.txt
└── loot.zip
```
These scripts are built for:
- Penetration testers
- Red team operators
- Cybersecurity students
- HTB / CPTS / OSCP preparation
- Researchers working in controlled environments
They do not perform exploitation or privilege escalation.
They simply collect, organize, and package potentially sensitive data already available on a compromised host.
These scripts are for authorized penetration testing and educational use only.
Do not use them on networks or systems without explicit written permission.
If you'd like a post-loot analysis checklist or automated parsing tools (turning outputs into credential lists, pivot targets, and AD enumeration suggestions), feel free to reach out or open an issue.