Robin, glad you brought this up! I've been meaning to chat with Carlos about 
data mining options through meterpreter, both at the filesystem and network 
layer. JCran made a good point that many real-world attacks/bots have been 
automating this type of thing for years (think regex-ing for e-mail addresses), 
so we should too!

Examples:

:: Search local profiles & user shares for documents containing passwords, 
e-mail addresses, IPs, SSNs, & CC numbers (ROE permitting!)
:: Dump "interesting" strings from live network interfaces: passwords, email 
contents, URLs (HTTP GETs/POSTs), SSNs and CC numbers
:: Save all transferred HTTP/SMTP attachments to local dir (file carving)

My favorite regexes for these are on my blog (http://grep8000.blogspot.com), but 
the variety of tools and methods has made this difficult to automate. A 
"data_miner" meterpreter script would be glorious... just not sure how to 
integrate ngrep, pcregrep, etc. without dropping a local toolkit first. Another 
option for network-layer queries would be to extend the meterpreter sniffer, 
but that's a bit out of my current expertise...

I'll be at shmoo this weekend and would love to discuss further!

grep8000.
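The regex-based mining described above is the same technique a blue team runs over its own file shares as a data-discovery (DLP) check: find exposed e-mail addresses, IPs, SSNs, card numbers and plaintext passwords before anyone else does. The following is an added example, not code from the thread or from grep8000's blog; the patterns, the sample document and the Luhn filter are constructed for illustration. The Luhn check is what keeps a long digit run such as an order number from being reported as a card number, and the report masks sensitive values so the scan output is not itself a leak.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Patterns constructed for this example (not the author's published regexes).
PATTERNS: Dict[str, Pattern] = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # SSN in dashed form; the lookaheads drop area/group/serial values that are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits with optional space/dash separators; confirmed with Luhn below.
    "cc": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # "password = value" style assignments; group 1 is the value.
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

# Finding kinds whose raw value must never appear in the report.
SENSITIVE = {"ssn", "cc", "password"}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    value: str  # masked for kinds in SENSITIVE


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Redact all but the trailing characters so the report is not a data leak."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return findings with sensitive values masked."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                raw = m.group(1) if kind == "password" else m.group(0)
                if kind == "cc":
                    digits = re.sub(r"[ -]", "", raw)
                    # A digit run that fails Luhn is an order id, phone number, etc.
                    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                        continue
                    raw = digits
                value = mask(raw) if kind in SENSITIVE else raw
                findings.append(Finding(kind, lineno, value))
    return findings


# Constructed sample document; none of these values are real.
SAMPLE_DOC = """\
Customer export - CONSTRUCTED SAMPLE, not real data
contact: alice.example@example.com from 192.168.10.25
card: 4111 1111 1111 1111 (test number, passes Luhn)
bogus: 4111 1111 1111 1112 (fails Luhn, should be dropped)
ssn: 123-45-6789
order id: 1234567890123 (13 digits, fails Luhn)
password = Hunter2!
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DOC):
        print(f"line {f.line}: {f.kind:<8} {f.value}")
```

Running it against a real share means feeding each file's text through `scan_text` and triaging the findings by kind and location; the card and SSN patterns still produce false positives on arbitrary numeric data, so the Luhn filter and the issued-range lookaheads are the minimum needed before anyone acts on a hit.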


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Robin Wood
Sent: Tuesday, February 02, 2010 4:49 PM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] what files do you go for when you compromise a machine?

I'm sure everyone has a set of files they look for when they get access to a 
box. For example, I like to look through all the "My Documents" and Desktop 
directories to see if there is anything useful in there; I would also look for 
.pst files.

I'm thinking of creating a Metasploit module, similar to winenum, which will 
search the compromised machine for these files or check the specified 
directories, so having a good base list to start with would be useful.

Any suggestions?

Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
