PaulDotCom mailing list archives

what files do you go for when you compromise a machine?


From: Russell.Butturini at Healthways.com (Butturini, Russell)
Date: Tue, 2 Feb 2010 17:35:26 -0600

Some common file types I like to look for, and quite often found in the directories you are searching:
*.rdp (often has saved credentials to another box, also shows you another machine on the network)
*.pcf (Cisco VPN client configuration file; also can have saved creds, plus you can extract the VPN group passwords from them instantly with Cain & Abel or some other tools, and this is assuming they are using secondary authentication at all!  Seen many lazy administrators recycle a password from elsewhere on the network for the VPN Group password).
*.bkf (ntbackup files, can find backups of data you can't always find elsewhere)
*.qbb, *.qbw (Quickbooks backup/Quickbooks data, just because it's financial data and good to show the customer you can get it)
 
Recursing through the Favorites folders of all the local user profiles on the machine is an excellent way to find company Intranet sites, web based applications, etc.
 
Those are off the top of my head, but it's an interesting discussion topic, where our users are keeping data they probably shouldn't be :-)
 
 
 

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com on behalf of Robin Wood
Sent: Tue 2/2/2010 3:48 PM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] what files do you go for when you compromise a machine?



I'm sure everyone has a set of files they look for when they get
access to a box. For example, I like to look through all the "My
Documents" and Desktop directories to see if there is anything useful
in there, I would also look for .pst files.

I'm thinking of creating a Metasploit module, similar to winenum,
which will search the compromised machine for these files or check the
specified directories so having a good base list to start with would
be useful.

Any suggestions?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




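As an added illustration (my own code, not part of the thread and not Robin's Metasploit module), here is the same search turned to the defender's side: a Python audit that walks user profiles for the file types named above and pulls the intranet URLs out of Favorites shortcuts, so data owners can find and clean up what an attacker would otherwise find first. The profile tree, hostnames and URLs it builds are constructed samples, not real data.

```python
import tempfile
from pathlib import Path

# Extensions the thread calls out, keyed to why a defender should care.
SENSITIVE_EXTENSIONS = {
    ".rdp": "saved RDP credentials / points to another host",
    ".pcf": "Cisco VPN profile, may embed the group password",
    ".bkf": "ntbackup archive",
    ".qbb": "QuickBooks backup",
    ".qbw": "QuickBooks data file",
    ".pst": "Outlook mailbox export",
}

def find_sensitive_files(root):
    """Walk every profile under `root`; return sorted (path, reason) pairs."""
    hits = []
    for path in Path(root).rglob("*"):
        reason = SENSITIVE_EXTENSIONS.get(path.suffix.lower())  # NTFS is case-insensitive
        if path.is_file() and reason:
            hits.append((str(path), reason))
    return sorted(hits)

def intranet_urls_from_favorites(root):
    """Return the URL= target of every .url shortcut below a Favorites folder."""
    root, urls = Path(root), set()
    for path in root.rglob("*"):
        parts = {p.lower() for p in path.relative_to(root).parts}
        if path.suffix.lower() != ".url" or "favorites" not in parts:
            continue  # only shortcuts somewhere under a user's Favorites tree count
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.lower().startswith("url="):
                urls.add(line[4:].strip())
    return sorted(urls)

def build_sample_profiles(base=None):
    """Constructed sample profile tree (fake hosts/URLs) so the audit runs offline."""
    base = Path(base or tempfile.mkdtemp())
    files = {
        "alice/Desktop/fileserver.rdp": "full address:s:fileserver.example.test\n",
        "alice/My Documents/office-vpn.PCF": "[main]\nHost=vpn.example.test\n",
        "alice/Favorites/Intranet/Timesheets.url": "[InternetShortcut]\nURL=http://intranet.example.test/timesheets\n",
        "bob/Favorites/HR Portal.url": "[InternetShortcut]\nURL=http://hr.example.test/\n",
        "bob/Desktop/notes.txt": "nothing sensitive here\n",
    }
    for rel, body in files.items():
        path = base.joinpath(*rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return str(base)
```

Run it against a mounted profile volume instead of the sample tree and the report is the list of files to move off the endpoint or protect.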