PaulDotCom mailing list archives

what files do you go for when you compromise a machine?


From: gbugbear at gmail.com (Tim Mugherini)
Date: Thu, 4 Feb 2010 09:10:29 -0500

Timely discussion considering the advisory published last night

http://isc.sans.org/diary.html?storyid=8152&rss


On Wed, Feb 3, 2010 at 2:27 PM, Robin Wood <dninja at gmail.com> wrote:
Some good suggestions.

If you ask at the PDC booth they may be able to point you in my
direction or if not see me after the Social Zombies talk at 11 on
Saturday.

Robin

On 3 February 2010 16:40, David Porcello <DPorcello at vermontmutual.com> wrote:

Robin, glad you brought this up! I've been meaning to chat with Carlos about data mining options through 
meterpreter, both at the filesystem and network layer. JCran made a good point that many real-world attacks/bots 
have been automating this type of thing for years (think regex-ing for e-mail addresses), so we should too!

Examples:

:: Search local profiles & user shares for documents containing passwords, e-mail addresses, IPs, SSNs, & CC numbers 
(ROE permitting!)
:: Dump "interesting" strings from live network interfaces: passwords, email contents, URLs (HTTP GETs/POSTs), SSNs 
and CC numbers
:: Save all transferred HTTP/SMTP attachments to local dir (file carving)

My favorite regexes for these are on my blog (http://grep8000.blogspot.com), but the variety of tools and methods has 
made this difficult to automate. A "data_miner" meterpreter script would be glorious... just not sure how to 
integrate ngrep, pcregrep, etc. without dropping a local toolkit first. Another option for network-layer queries 
would be to extend the meterpreter sniffer, but that's a bit out of my current expertise...

I'll be at shmoo this weekend and would love to discuss further!

grep8000.


-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Robin Wood
Sent: Tuesday, February 02, 2010 4:49 PM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] what files do you go for when you compromise a machine?

I'm sure everyone has a set of files they look for when they get access to a box. For example, I like to look 
through all the "My Documents" and Desktop directories to see if there is anything useful in there; I would also 
look for .pst files.

I'm thinking of creating a Metasploit module, similar to winenum, which will search the compromised machine for 
these files or check the specified directories, so having a good base list to start with would be useful.

Any suggestions?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

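To make the two ideas in this thread concrete (Robin's walk of the profile directories for documents and .pst files, and David's regex pass over their contents for passwords, e-mail addresses, IPs, SSNs and card numbers), here is an added standalone Ruby sketch. It is not Robin's module, not grep8000's regexes and not Metasploit code. It builds a small throwaway directory tree of constructed sample data and runs the search-then-grep over it; the extension list, the regexes, the 5 MB read cap and the Luhn filter on card-number candidates are all assumptions for illustration. On a real target the same logic would sit behind meterpreter's file API rather than the local Find/File calls used here.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Extensions collected outright. Assumption: a starter list; only .pst is from
# the original post, the others are common document and mail-store types.
INTERESTING_EXTS = %w[.pst .ost .doc .docx .xls .xlsx .txt .csv .rtf .pdf].freeze

# Patterns grepped inside candidate files. The categories (passwords, e-mail
# addresses, IPs, SSNs, card numbers) are the ones named in the thread; the
# regexes themselves are assumptions for this example, not grep8000's.
PATTERNS = {
  password: /\bpass(?:word|wd|phrase)?\s*[:=]\s*\S+/i,
  email:    /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/,
  ipv4:     /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/,
  ssn:      /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/,
  # 13 to 16 digits, optionally separated by spaces or dashes; a digit run is
  # only reported if it also passes the Luhn check below.
  cc:       /\b(?:\d[ -]?){12,15}\d\b/
}.freeze

MAX_BYTES = 5 * 1024 * 1024 # assumption: read at most this much of each file

# Luhn mod-10 check, used to drop phone numbers, ticket IDs and other digit
# runs that merely look like card numbers.
def luhn_valid?(candidate)
  digits = candidate.delete(' -').chars.map(&:to_i)
  return false if digits.empty?
  sum = digits.reverse.each_with_index.sum do |d, i|
    next d if i.even?
    d * 2 > 9 ? d * 2 - 9 : d * 2
  end
  (sum % 10).zero?
end

# Walk a profile directory (Desktop, My Documents, a user share) and return
# every file whose extension is on the list, .pst included.
def find_candidate_files(root, exts = INTERESTING_EXTS)
  found = []
  Find.find(root) do |path|
    found << path if File.file?(path) && exts.include?(File.extname(path).downcase)
  end
  found.sort
end

# Grep one file for each pattern; returns { category => [unique matches] }.
# Binary content is tolerated: undecodable bytes become spaces.
def scan_file(path, patterns = PATTERNS)
  raw = File.binread(path, MAX_BYTES).to_s
  text = raw.encode('UTF-8', invalid: :replace, undef: :replace, replace: ' ')
  patterns.each_with_object({}) do |(name, re), hits|
    matches = text.scan(re).uniq
    matches.select! { |m| luhn_valid?(m) } if name == :cc
    hits[name] = matches unless matches.empty?
  end
end

# Tie the two steps together: list the interesting files, then grep them.
def mine(root)
  files = find_candidate_files(root)
  hits = files.each_with_object({}) do |path, acc|
    found = scan_file(path)
    acc[path] = found unless found.empty?
  end
  { files: files, hits: hits }
end

# Constructed sample data standing in for a user's profile on a target.
def build_sample_tree(root)
  desktop = File.join(root, 'Desktop')
  docs    = File.join(root, 'My Documents')
  FileUtils.mkdir_p([desktop, docs])
  File.write(File.join(desktop, 'notes.txt'), <<~TXT)
    vpn password: Winter2010!
    contact bob.smith@example.com from 10.0.0.5
    SSN 123-45-6789, card 4111 1111 1111 1111, not a card 4111111111111112
  TXT
  # .pst files are collected by name alone; "!BDN" is the PST header magic.
  File.binwrite(File.join(docs, 'archive.pst'), "!BDN" + ("\x00" * 64))
  File.write(File.join(root, 'setup.exe'), 'MZ not a document')
  root
end

if __FILE__ == $PROGRAM_NAME
  root = Dir.mktmpdir('datamine')
  begin
    build_sample_tree(root)
    report = mine(root)
    report[:files].each { |f| puts "candidate: #{f}" }
    report[:hits].each do |path, cats|
      cats.each { |cat, ms| puts "#{path}: #{cat} -> #{ms.join(', ')}" }
    end
  ensure
    FileUtils.rm_rf(root)
  end
end
```

Two points a practitioner would change before using anything like this on an engagement: the ROE caveat in David's list applies to the output as much as the search, so for the SSN and card categories it is usually better to log only the file path and the category (or a redacted match) than to copy the raw values into a report, and the Luhn filter is what keeps the card category from being mostly phone numbers and order IDs.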