Sure thing bro, I will be flying tomorrow afternoon.

On Feb 2, 2010, at 7:47 PM, Robin Wood wrote:
> On 2 February 2010 23:42, Carlos Perez <[email protected]> wrote:
>> On client side %appdata% is the place to search for application files there
>> look for specific files from Mozilla products the sqlite db's are gold,
>> registry keys for putty, conf files for filezilla, pgp/gpg keys among some.
>> Do be careful downloading office files and pdf's depending on the scope and
>> clients things can go weird fast especially if it is a hospital and all of
>> the sudden you have client data on your machine, same thing for downloading
>> employee personal data and the policies in the client are lax and other
>> information that might not be good to have in your machine so ROE's are the
>> limiting factor when it comes to document folders. PST's can be a PITA
>> depending their size so it would be good to list them and then decide if to
>> download them or not. In meterpreter to know if a file exists there are only
>> 2 ways of doing it:
>>
>> - File stat and if it returns error then the file is not there (I do not
>>   recommend)
>> - list folder content and look if the file exists (better approach, do a
>>   list and save in an array that can be searched)
>>
>> I recommend you take a look at my Pidgin script part of the framework and my
>> browser enum script in my site for when you have system privs how to
>> enumerate the accounts and path to appdata depending on the OS since it
>> changes depending of the version of windows. Hope it helps.
>>
>> Cheers,
>> Carlos
>
> I think we need to have a chat at Shmoocon!
>
> Robin
>
>> On Feb 2, 2010, at 5:48 PM, Robin Wood wrote:
>>
>>> I'm sure everyone has a set of files they look for when they get
>>> access to a box. For example, I like to look through all the "My
>>> Documents" and Desktop directories to see if there is anything useful
>>> in there, I would also look for .pst files.
>>>
>>> I'm thinking of creating a Metasploit module, similar to winenum,
>>> which will search the compromised machine for these files or check the
>>> specified directories so having a good base list to start with would
>>> be useful.
>>>
>>> Any suggestions?
>>>
>>> Robin
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
