Some common file types I like to look for, and quite often found in the directories you are searching:
*.rdp (often has saved credentials to another box; also shows you another machine on the network)
*.pcf (Cisco VPN client configuration file; also can have saved creds, plus you can extract the VPN group passwords from them instantly with Cain & Abel or some other tools. And this is assuming they are using secondary authentication at all! Seen many lazy administrators recycle a password from elsewhere on the network for the VPN Group password.)
*.bkf (ntbackup files; can find backups of data you can't always find elsewhere)
*.qbb, *.qbw (Quickbooks backup/Quickbooks data; just because it's financial data and good to show the customer you can get it)
 
Recursing through the Favorites folders of all the local user profiles on the machine is an excellent way to find company Intranet sites, web based applications, etc.
 
Those are off the top of my head, but it's an interesting discussion topic, 
where our users are keeping data they probably shouldn't be :-)
________________________________

From: [email protected] on behalf of Robin Wood
Sent: Tue 2/2/2010 3:48 PM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] what files do you go for when you compromise a machine?
I'm sure everyone has a set of files they look for when they get
access to a box. For example, I like to look through all the "My
Documents" and Desktop directories to see if there is anything useful
in there; I would also look for .pst files.

I'm thinking of creating a Metasploit module, similar to winenum,
which will search the compromised machine for these files or check the
specified directories so having a good base list to start with would
be useful.

Any suggestions?

Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com