I have a project on deck for afterwards: to catalog as many of these files as is possible, as well as those on *nix platforms. I hope to make some sort of submission db for them so all of the credential stores people come across, for both O/S and applications, are well documented. How can we know what needs to be protected if we don't have this sort of info when doing so?
On 2/2/10, Carlos Perez <[email protected]> wrote:
> sure thing bro, I will be flying tomorrow afternoon.
>
> On Feb 2, 2010, at 7:47 PM, Robin Wood wrote:
>
>> On 2 February 2010 23:42, Carlos Perez <[email protected]> wrote:
>>
>>> on client side %appdata% is the place to search for application files; there look for specific files from Mozilla products (the sqlite db's are gold), registry keys for putty, conf files for filezilla, pgp/gpg keys among some. Do be careful downloading office files and pdf's; depending on the scope and clients things can go weird fast, especially if it is a hospital and all of a sudden you have client data on your machine, same thing for downloading employee personal data and the policies in the client are lax, and other information that might not be good to have on your machine, so ROE's are the limiting factor when it comes to document folders. PST's can be a PITA depending on their size so it would be good to list them and then decide whether to download them or not. In meterpreter, to know if a file exists there are only 2 ways of doing it:
>>>
>>> - File stat and if it returns error then the file is not there (I do not recommend)
>>> - list folder content and look if the file exists (better approach, do a list and save in an array that can be searched)
>>>
>>> I recommend you take a look at my Pidgin script, part of the framework, and my browser enum script on my site for how, when you have system privs, to enumerate the accounts and path to appdata depending on the OS since it changes depending on the version of windows. Hope it helps.
>>>
>>> Cheers,
>>> Carlos
>>
>> I think we need to have a chat at Shmoocon!
>>
>> Robin
>>
>>> On Feb 2, 2010, at 5:48 PM, Robin Wood wrote:
>>>
>>>> I'm sure everyone has a set of files they look for when they get access to a box. For example, I like to look through all the "My Documents" and Desktop directories to see if there is anything useful in there, I would also look for .pst files.
>>>>
>>>> I'm thinking of creating a Metasploit module, similar to winenum, which will search the compromised machine for these files or check the specified directories so having a good base list to start with would be useful.
>>>>
>>>> Any suggestions?
>>>>
>>>> Robin
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com

--
Sent from my mobile device
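The two file-existence checks Carlos contrasts (stat-and-catch-the-error versus list-once-and-search-an-array), shown as an added example that is not code from this thread, from Metasploit or from meterpreter. It runs in plain Ruby against a local directory so it can be tried offline, and it is framed the way the top post wants the catalogue used: as an inventory of which credential stores exist under a profile root so an administrator knows what needs protecting. The candidate paths are constructed, illustrative stand-ins for the kinds of stores named in the thread (Mozilla profile data, FileZilla config, GPG keys, PST archives), not a verified list of real application paths.

```ruby
require 'set'
require 'tmpdir'
require 'fileutils'

# Constructed, illustrative credential-store paths relative to a user profile
# root. These are assumed stand-ins for the store types named in the thread,
# not a catalogue of real application paths.
CANDIDATE_STORES = [
  'Mozilla/Firefox/profiles.ini',
  'FileZilla/sitemanager.xml',
  '.gnupg/secring.gpg',
  'Outlook/archive.pst',
].freeze

# Approach 1: stat each candidate and treat any error as "absent".
# One filesystem call per candidate, with exceptions used as control flow,
# which is why the thread does not recommend it.
def present_by_stat(root, candidates)
  candidates.select do |rel|
    begin
      File.stat(File.join(root, rel))
      true
    rescue Errno::ENOENT, Errno::EACCES, Errno::ENOTDIR
      false
    end
  end
end

# Approach 2: walk the root once, keep every relative path in a Set, and
# answer each candidate with an in-memory lookup (no per-candidate I/O).
def present_by_listing(root, candidates)
  listing = Set.new(Dir.glob('**/*', File::FNM_DOTMATCH, base: root))
  candidates.select { |rel| listing.include?(rel) }
end

# Build a constructed profile in a temporary directory containing two of the
# candidates, run both approaches over it and return both results so they
# can be compared. The directory is removed when the block exits.
def audit_constructed_profile
  Dir.mktmpdir('profile') do |root|
    ['Mozilla/Firefox/profiles.ini', '.gnupg/secring.gpg'].each do |rel|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "constructed sample content\n")
    end
    {
      by_stat: present_by_stat(root, CANDIDATE_STORES),
      by_listing: present_by_listing(root, CANDIDATE_STORES),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = audit_constructed_profile
  puts "present (stat):    #{result[:by_stat].inspect}"
  puts "present (listing): #{result[:by_listing].inspect}"
end
```

Both approaches return the same two present stores here; the difference is cost and robustness. The listing approach touches the filesystem once and then answers any number of candidates from memory, and it cannot be thrown off by a transient error on one path being misread as "file absent", which is the weakness of relying on stat failures.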
