Don't forget about stored IE and Firefox passwords as well as browser cache/cookies.
On Tue, Feb 2, 2010 at 6:03 PM, Carlos Perez <[email protected]>wrote: > sure thing bro, I will be flying tomorrow afternoon. > On Feb 2, 2010, at 7:47 PM, Robin Wood wrote: > > > On 2 February 2010 23:42, Carlos Perez <[email protected]> > wrote: > >> on client side %appdata% is the place to search for application files > there look for specific files from Mozilla products the sqlite db's are > gold, registry keys for putty, conf files for filezilla, pgp/gpg keys among > some. Do be careful downloading office files and pdf's depending on the > scope and clients things can go weird fast specially if it is a hospital and > all of the sudden you have client data on your machine, same thing for > downloading employee personal data and the policies in the client are lax > and other information that might not be good to have in your machine so > ROE's are the limiting factor when it comes to document folders. PST's can > be a PITA depending their size so it would be good to list them and then > decide if to download them or not. In meterpreter to know if a file exists > there are only 2 ways of doing it: > >> > >> - File stat and if it returns error then the file is not there (I do not > recommend) > >> - list folder content and look if the file exists (better approach, do a > list and save in an array that can be searched) > >> > >> I recommend you take a look at my Pidgin script part of the framework > and my browser enum script in my site for when you have system privs how to > enumerate the accounst and path to appdata depending on the OS since it > changes depending of the version of windows. Hope it helps. > >> > >> Cheers, > >> Carlos > > > > I think we need to have a chat at Shmoocon! > > > > Robin > > > > > >> > >> > >> On Feb 2, 2010, at 5:48 PM, Robin Wood wrote: > >> > >>> I'm sure everyone has a set of files they look for when they get > >>> access to a box. For example, I like to look through all the "My > >>> Documents" and Desktop directories to see if there is anything useful > >>> in there, I would also look for .pst files. > >>> > >>> I'm thinking of creating a Metasploit module, similar to winenum, > >>> which will search the compromised machine for these files or check the > >>> specified directories so having a good base list to start with would > >>> be useful. > >>> > >>> Any suggestions? > >>> > >>> Robin > >>> _______________________________________________ > >>> Pauldotcom mailing list > >>> [email protected] > >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > >>> Main Web Site: http://pauldotcom.com > >> > >> _______________________________________________ > >> Pauldotcom mailing list > >> [email protected] > >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > >> Main Web Site: http://pauldotcom.com > >> > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
