what files do you go for when you compromise a machine?

[netevil at hackers.it (NetEvil)]

...this hurts a lot to me :(
damn! :) I would love to be there with gurus like you..
..hope you'll share your chat results after shmoocon! ;D


> sure thing bro, I will be flying tomorrow afternoon.
> On Feb 2, 2010, at 7:47 PM, Robin Wood wrote:
>
> > On 2 February 2010 23:42, Carlos Perez  
> > <carlos_perez at darkoperator.com> wrote:
> > > on client side %appdata% is the place to search for application  
> > > files there look for specific files from Mozilla products the  
> > > sqlite db's are gold, registry keys for putty, conf files for  
> > > filezilla, pgp/gpg keys among some. Do be careful downloading  
> > > office files and pdf's depending on the scope and clients things  
> > > can go weird fast specially if it is a hospital and all of the  
> > > sudden you have client data on your machine, same thing for  
> > > downloading employee personal data and the policies in the client  
> > > are lax and other information that might not be good to have in  
> > > your machine so ROE's are the limiting factor when it comes to  
> > > document folders. PST's can be a PITA depending their size so it  
> > > would be good to list them and then decide if to download them or  
> > > not. In meterpreter to know if a file exists there are only 2 ways  
> > > of doing it:
> > >
> > > - File stat and if it returns error then the file is not there (I  
> > > do not recommend)
> > > - list folder content and look if the file exists (better  
> > > approach, do a list and save in an array that can be searched)
> > >
> > > I recommend you take a look at my Pidgin script part of the  
> > > framework and my browser enum script in my site for when you have  
> > > system privs how to enumerate the accounst and path to appdata  
> > > depending on the OS since it changes depending of the version of  
> > > windows. Hope it helps.
> > >
> > > Cheers,
> > > Carlos
> >
> > I think we need to have a chat at Shmoocon!
> >
> > Robin
> >
> >
> > > On Feb 2, 2010, at 5:48 PM, Robin Wood wrote:
> > >
> > > > I'm sure everyone has a set of files they look for when they get
> > > > access to a box. For example, I like to look through all the "My
> > > > Documents" and Desktop directories to see if there is anything  
> > > > useful
> > > > in there, I would also look for .pst files.
> > > >
> > > > I'm thinking of creating a Metasploit module, similar to winenum,
> > > > which will search the compromised machine for these files or  
> > > > check the
> > > > specified directories so having a good base list to start with  
> > > > would
> > > > be useful.
> > > >
> > > > Any suggestions?
> > > >
> > > > Robin
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com