PaulDotCom mailing list archives

what files do you go for when you compromise a machine?


From: dninja at gmail.com (Robin Wood)
Date: Wed, 3 Feb 2010 19:25:10 +0000

On 3 February 2010 17:48, Andrew Ellis <only.samurai at gmail.com> wrote:
I'd take a look for any SVN checkouts, repos, etc. The same for git and CVS.

I'm only really familiar with SVN, so this list is only for SVN, but
should find repos and checkouts:

.svn/entries
db/revs
svn-commit.tmp

Nabbing custom code can be a pretty good find, especially if it's for
a customer whose business revolves around that code.

Good suggestion, I'll add MS SourceSafe, or whatever they are calling
it now; I haven't used it for years.

Robin


On Wed, Feb 3, 2010 at 1:54 AM, Robin Wood <dninja at gmail.com> wrote:
On 3 February 2010 00:28, Nicholas B. <nberthaume at gmail.com> wrote:
I have a project on deck for after, to catalog as many of these files
as is possible, as well as those on *nix platforms. I hope to make
some sort of submission DB for them so all of the credential stores
people come across for both OSes and applications are well documented.
How can we know what needs to be protected if we don't have this sort
of info when doing so?

If you get the db going maybe the two can be tied together somehow.
Users could ask my script for just files with credentials which would
then hit your database to find the list.


On 2/2/10, Carlos Perez <carlos_perez at darkoperator.com> wrote:
sure thing bro, I will be flying tomorrow afternoon.
On Feb 2, 2010, at 7:47 PM, Robin Wood wrote:

On 2 February 2010 23:42, Carlos Perez <carlos_perez at darkoperator.com>
wrote:
On the client side, %appdata% is the place to search for application files;
there, look for specific files from Mozilla products (the sqlite DBs are
gold), registry keys for PuTTY, conf files for FileZilla, PGP/GPG keys,
among others. Do be careful downloading Office files and PDFs: depending on
the scope and the client, things can go weird fast, especially if it is a
hospital and all of a sudden you have client data on your machine; the same
thing goes for downloading employee personal data when the policies at the
client are lax, and other information that might not be good to have on
your machine, so ROEs are the limiting factor when it comes to document
folders. PSTs can be a PITA depending on their size, so it would be good to
list them and then decide whether to download them or not. In meterpreter,
to know if a file exists there are only 2 ways of doing it:

- File stat, and if it returns an error then the file is not there (I do not
recommend)
- List the folder content and look if the file exists (better approach: do a
list and save it in an array that can be searched)

I recommend you take a look at my Pidgin script, part of the framework, and
my browser enum script on my site for how, when you have system privs, to
enumerate the accounts and the path to appdata depending on the OS, since it
changes depending on the version of Windows. Hope it helps.

Cheers,
Carlos

I think we need to have a chat at Shmoocon!

Robin




On Feb 2, 2010, at 5:48 PM, Robin Wood wrote:

I'm sure everyone has a set of files they look for when they get
access to a box. For example, I like to look through all the "My
Documents" and Desktop directories to see if there is anything useful
in there, I would also look for .pst files.

I'm thinking of creating a Metasploit module, similar to winenum,
which will search the compromised machine for these files or check the
specified directories so having a good base list to start with would
be useful.

Any suggestions?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


--
Sent from my mobile device

--
Andrew Ellis
http://blog.psych0tik.net
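As an added illustration of the approach Carlos and Andrew describe (example code written for this archive page, not code from the thread, from Metasploit, or from Carlos's scripts): a Ruby script, since Metasploit modules are Ruby, that lists each directory once, caches the listing, and answers every existence check from the cached array instead of stat-ing each candidate file, then reports paths and sizes so the operator can decide what to pull. It runs against a constructed temporary profile on the local machine rather than a meterpreter session. The Vista-and-later profile layout (AppData\Roaming) and the per-product file names (signons.sqlite, key3.db, sitemanager.xml, secring.gpg) are my assumptions; the thread only names the products.

```ruby
# Added example (not from the thread or Metasploit): one-listing-per-directory
# existence checks over the files named in this thread. Assumed: a Vista+
# profile layout (AppData\Roaming) and my own guesses for per-product file names.
require 'tmpdir'
require 'fileutils'

# Candidate paths relative to a user profile; a '*' segment matches one
# directory level (Firefox profile folders have randomised names).
CANDIDATES = {
  'mozilla'   => ['AppData/Roaming/Mozilla/Firefox/Profiles/*/signons.sqlite',
                  'AppData/Roaming/Mozilla/Firefox/Profiles/*/key3.db'],
  'filezilla' => ['AppData/Roaming/FileZilla/sitemanager.xml'],
  'gpg'       => ['AppData/Roaming/gnupg/secring.gpg'],
}

# SVN checkout/repository markers from Andrew's list: a .svn directory, a
# leftover svn-commit.tmp, or a db/revs directory inside a repository.
SVN_MARKER = lambda do |parent, name|
  name == '.svn' || name == 'svn-commit.tmp' ||
    (name == 'revs' && File.basename(parent) == 'db')
end

# Directory listings fetched once per directory and cached. Existence is
# always decided from a listing, never from a stat that errors on a missing
# file (the approach Carlos says not to use).
class ListingCache
  def initialize; @cache = {}; end
  def listings; @cache.size; end
  def entries(dir)
    @cache[dir] ||= begin
      Dir.entries(dir).reject { |e| e == '.' || e == '..' }
    rescue SystemCallError # missing, not a directory, or no permission
      []
    end
  end
end

# Resolve one relative pattern under dir, one path segment per listing,
# returning the absolute path of every match.
def resolve(cache, dir, segments)
  return [dir] if segments.empty?
  seg, rest = segments[0], segments[1..-1]
  cache.entries(dir).flat_map do |name|
    next [] unless File.fnmatch(seg, name)
    path = File.join(dir, name)
    if rest.empty?              then [path]
    elsif File.directory?(path) then resolve(cache, path, rest)
    else []
    end
  end
end

# Walk a tree with one listing per directory; the block picks what to report.
# Depth is capped so the inventory does not turn into a crawl of the disk.
def walk(cache, dir, max_depth = 6, &pick)
  return [] if max_depth < 0
  cache.entries(dir).flat_map do |name|
    path = File.join(dir, name)
    hits = pick.call(dir, name) ? [path] : []
    hits + (File.directory?(path) ? walk(cache, path, max_depth - 1, &pick) : [])
  end
end

# Inventory only: report paths and sizes; downloading is a separate decision
# for the operator and the rules of engagement.
def inventory(profile_root)
  cache = ListingCache.new
  found = {}
  CANDIDATES.each do |group, patterns|
    hits = patterns.flat_map { |p| resolve(cache, profile_root, p.split('/')) }
    found[group] = hits unless hits.empty?
  end
  pst = walk(cache, profile_root) { |_, n| File.extname(n).casecmp('.pst').zero? }
  found['mail'] = pst unless pst.empty?
  svn = walk(cache, profile_root, &SVN_MARKER)
  found['svn'] = svn unless svn.empty?
  sized = found.transform_values { |ps| ps.map { |p| [p, File.directory?(p) ? :dir : File.size(p)] } }
  [sized, cache.listings]
end

# Constructed sample profile for a dry run; each file is 64 bytes of filler.
def build_sample_profile(root)
  %w[AppData/Roaming/Mozilla/Firefox/Profiles/x7q2k1ab.default/signons.sqlite
     AppData/Roaming/Mozilla/Firefox/Profiles/x7q2k1ab.default/key3.db
     AppData/Roaming/FileZilla/sitemanager.xml
     Documents/Outlook/archive.pst
     Desktop/project/.svn/entries
     Desktop/project/svn-commit.tmp].each do |rel|
    FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
    File.write(File.join(root, rel), 'x' * 64)
  end
end

# Returns [found, number_of_directories_listed] for the constructed profile.
def demo
  Dir.mktmpdir('profile') { |root| build_sample_profile(root); inventory(root) }
end
```

Call demo for the dry run, or pass a real profile root to inventory. On Windows XP the application data lives under the profile's "Application Data" folder rather than AppData\Roaming, which is the version difference Carlos refers to, so the candidate prefixes have to change with the OS. Nothing here downloads a file: the output is a list with sizes, which is the point about PSTs and the ROE.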
