On the client side, %appdata% is the place to search for application files. There,
look for specific files from Mozilla products (the SQLite DBs are gold),
registry keys for PuTTY, conf files for FileZilla, and PGP/GPG keys, among others. Do
be careful downloading Office files and PDFs: depending on the scope and
client, things can go weird fast, especially if it is a hospital and all of a
sudden you have client data on your machine. The same goes for downloading
employee personal data if the policies at the client are lax, and for other
information that might not be good to have on your machine, so ROEs are the
limiting factor when it comes to document folders. PSTs can be a PITA
depending on their size, so it would be good to list them and then decide whether to
download them or not. In meterpreter, to know if a file exists there are only 2
ways of doing it:

- File stat, and if it returns an error then the file is not there (I do not
recommend)
- List the folder content and look if the file exists (better approach, do a list
and save it in an array that can be searched)

I recommend you take a look at my Pidgin script, part of the framework, and my
browser enum script on my site, for how to enumerate the accounts and the path
to appdata when you have system privs, depending on the OS, since it changes
depending on the version of Windows. Hope it helps.

Cheers,
Carlos


On Feb 2, 2010, at 5:48 PM, Robin Wood wrote:

> I'm sure everyone has a set of files they look for when they get
> access to a box. For example, I like to look through all the "My
> Documents" and Desktop directories to see if there is anything useful
> in there, I would also look for .pst files.
> 
> I'm thinking of creating a Metasploit module, similar to winenum,
> which will search the compromised machine for these files or check the
> specified directories so having a good base list to start with would
> be useful.
> 
> Any suggestions?
> 
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
