Some good suggestions. If you ask at the PDC booth they may be able to point you in my direction or if not see me after the Social Zombies talk at 11 on Saturday.
Robin

On 3 February 2010 16:40, David Porcello <[email protected]> wrote:

> Robin, glad you brought this up! I've been meaning to chat with Carlos about
> data mining options through meterpreter, both at the filesystem and network
> layer. JCran made a good point that many real-world attacks/bots have been
> automating this type of thing for years (think regex-ing for e-mail
> addresses), so we should too!
>
> Examples:
>
> :: Search local profiles & user shares for documents containing passwords,
> e-mail addresses, IPs, SSNs, & CC numbers (ROE permitting!)
> :: Dump "interesting" strings from live network interfaces: passwords, email
> contents, URLs (HTTP GETs/POSTs), SSNs and CC numbers
> :: Save all transferred HTTP/SMTP attachments to local dir (file carving)
>
> My favorite regexes for these are on my blog (http://grep8000.blogspot.com),
> but the variety of tools and methods has made this difficult to automate. A
> "data_miner" meterpreter script would be glorious... just not sure how to
> integrate ngrep, pcregrep, etc. without dropping a local toolkit first.
> Another option for network-layer queries would be to extend the meterpreter
> sniffer, but that's a bit out of my current expertise...
>
> I'll be at shmoo this weekend and would love to discuss further!
>
> grep8000.
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Robin Wood
> Sent: Tuesday, February 02, 2010 4:49 PM
> To: PaulDotCom Mailing List
> Subject: [Pauldotcom] what files do you go for when you compromise a machine?
>
> I'm sure everyone has a set of files they look for when they get access to a
> box. For example, I like to look through all the "My Documents" and Desktop
> directories to see if there is anything useful in there, I would also look
> for .pst files.
>
> I'm thinking of creating a Metasploit module, similar to winenum, which will
> search the compromised machine for these files or check the specified
> directories so having a good base list to start with would be useful.
>
> Any suggestions?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
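As an added example (not code from the thread, the blog, or any Metasploit module), here is a minimal Python scanner for the three data classes David lists, with a Luhn check so that serial numbers and similar digit runs are not reported as card numbers; the same logic is what a DLP sweep of your own file shares would run to find exposed PII before an engagement does. The sample document is constructed test data.

```python
import re

# Patterns for the three data classes the thread mentions. The card pattern
# deliberately over-matches (13-19 digits with optional separators); a Luhn
# check below filters out most false positives such as serial numbers.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Return {class: [matches]} for the sensitive-data classes found in text."""
    found = {"email": [], "ssn": [], "card": []}
    found["email"] = PATTERNS["email"].findall(text)
    found["ssn"] = PATTERNS["ssn"].findall(text)
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):          # keep only Luhn-valid candidates
            found["card"].append(digits)
    return found

# Constructed sample document; every value is test data, not a real person or card.
SAMPLE = """\
Contact: alice@example.com, backup bob.smith@corp.example.org
Employee SSN on file: 123-45-6789 (and an invalid one: 000-12-3456)
Corporate card: 4111 1111 1111 1111   exp 12/27
Serial number 1234 5678 9012 3456 is NOT a card (fails Luhn)
"""

if __name__ == "__main__":
    for cls, hits in scan_text(SAMPLE).items():
        print(f"{cls}: {hits}")
```

Point `scan_text` at the contents of each file under the directories Robin names (Desktop, My Documents, .pst exports) to get a per-file inventory of what an attacker's data_miner would find.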
