what files do you go for when you compromise a machine?

[dninja at gmail.com (Robin Wood)]

Some good suggestions.

If you ask at the PDC booth they may be able to point you in my
direction or if not see me after the Social Zombies talk at 11 on
Saturday.

Robin

On 3 February 2010 16:40, David Porcello <DPorcello at vermontmutual.com> wrote:
> Robin, glad you brought this up! I've been meaning to chat with Carlos about data mining options through meterpreter, 
> both at the filesystem and network layer. JCran made a good point that many real-world attacks/bots have been 
> automating this type of thing for years (think regex-ing for e-mail addresses), so we should too!
>
> Examples:
>
> :: Search local profiles & user shares for documents containing passwords, e-mail addresses, IPs, SSNs, & CC numbers 
> (ROE permitting!)
> :: Dump "interesting" strings from live network interfaces: passwords, email contents, URLs (HTTP GETs/POSTs), SSNs 
> and CC numbers
> :: Save all transferred HTTP/SMTP attachments to local dir (file carving)
>
> My favorite regexs for these are on my blog (http://grep8000.blogspot.com), but the variety of tools and methods has 
> made this difficult to automate. A "data_miner" meterpreter script would be glorious.. just not sure how to integrate 
> ngrep, pcregrep, etc. without dropping a local toolkit first. Another option for network-layer queries would be to 
> extend the meterpreter sniffer, but that's a bit out of my current expertise..
>
> I'll be at shmoo this weekend and would love to discuss further!
>
> grep8000.
>
>
> -----Original Message-----
> From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Robin 
> Wood
> Sent: Tuesday, February 02, 2010 4:49 PM
> To: PaulDotCom Mailing List
> Subject: [Pauldotcom] what files do you go for when you compromise a machine?
>
> I'm sure everyone has a set of files they look for when they get access to a box. For example, I like to look through 
> all the "My Documents" and Desktop directories to see if there is anything useful in there, I would also look for 
> .pst files.
>
> I'm thinking of creating a Metasploit module, similar to winenum, which will search the compromised machine for these 
> files or check the specified directories so having a good base list to start with would be useful.
>
> Any suggestions?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> NOTICE: The information contained in this e-mail and any attachments is intended solely for the recipient(s) named 
> above, and may be confidential and legally privileged. If you received this e-mail in error, please notify the sender 
> immediately by return e-mail and delete the original message and any copy of it from your computer system. If you are 
> not the intended recipient, you are hereby notified that any review, disclosure, retransmission, dissemination, 
> distribution, copying, or other use of this e-mail, or any of its contents, is strictly prohibited.
>
> Although this e-mail and any attachments are believed to be free of any virus or other defects, it is the 
> responsibility of the recipient to ensure that it is virus-free and no responsibility is accepted by the sender for 
> any loss or damage arising if such a virus or defect exists.
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com