Re: File Share Vacuum

[John_Simons () MCKINSEY COM (John Simons)]

Look for backups of the registry file.  Files with the .reg extension that
are larger than 100kb.

How about offering this product as a commercial security tool to scan for
workstation vulnerabilities?  $$ Cha-Ching!

> Jonas Denily wrote:
> > I recently decided to create a program for Windows users to scan their
> > network for open file shares.  When a share is detected, you can map a
> > drive
> > or you may brute force crack the share if protected.  The vacuum part is
> > the
> > ability to scan the remote HD for files that may contain important
> > information.  I have set up a great many such as FTP sitelists, ICQ dat
> > files, various ISP ins files, *.pwl, etc.

> Also look for *.id files (Lotus Notes), and preferences.js and prefs.js.
> Bookmark.htm, and the history file, too.
>
> > I was wondering how I would go
> > about searching the registry remotely or I would be greatly appreciative
if
> > someone could send me a list of file names, default directory, and
> > program/version they belong too. I am currently compiling a large list
of
> > these and the user has the ability to choose which ones to vacuum and
also
> > add custom files.  If you know of any of these such files, please email
me.
> Ideally, you'll need registry access.  Citrix/MS Terminal Server client
> store some passwords there, for example.
>
> By default, NT machines allow remote access to the registry if you
> connects as a user with sufficient privs (well, by default, everyone
> can read and write WAY too much of the registry.)  For Win9x, it's not
> so automatic:
>
>
> http://msdn.microsoft.com/library/winresource/dnwin95/S647C.htm
>
> Basically, you'd be looking for the ADMIN$ share.  If that's not there,
> you'll have to figure out a way to push code onto the box.
>
> Sounds like a fun project in general, though.  I'd often thought that
> it would be worthwhile to have a good list of things that are interesting
> to steal off a Windows box.

+-------------------------------------------------------------+
| This message may contain confidential and/or privileged     |
| information.  If you are not the addressee or authorized to |
| receive this for the addressee, you must not use, copy,     |
| disclose or take any action based on this message or any    |
| information herein.  If you have received this message in   |
| error, please advise the sender immediately by reply e-mail |
| and delete this message.  Thank you for your cooperation.   |
+-------------------------------------------------------------+