Timely discussion considering advisory published last night http://isc.sans.org/diary.html?storyid=8152&rss
On Wed, Feb 3, 2010 at 2:27 PM, Robin Wood <[email protected]> wrote:
> Some good suggestions.
>
> If you ask at the PDC booth they may be able to point you in my
> direction or if not see me after the Social Zombies talk at 11 on
> Saturday.
>
> Robin
>
> On 3 February 2010 16:40, David Porcello <[email protected]> wrote:
>>
>> Robin, glad you brought this up! I've been meaning to chat with Carlos about
>> data mining options through meterpreter, both at the filesystem and network
>> layer. JCran made a good point that many real-world attacks/bots have been
>> automating this type of thing for years (think regex-ing for e-mail
>> addresses), so we should too!
>>
>> Examples:
>>
>> :: Search local profiles & user shares for documents containing passwords,
>> e-mail addresses, IPs, SSNs, & CC numbers (ROE permitting!)
>> :: Dump "interesting" strings from live network interfaces: passwords, email
>> contents, URLs (HTTP GETs/POSTs), SSNs and CC numbers
>> :: Save all transferred HTTP/SMTP attachments to local dir (file carving)
>>
>> My favorite regexes for these are on my blog (http://grep8000.blogspot.com),
>> but the variety of tools and methods has made this difficult to automate. A
>> "data_miner" meterpreter script would be glorious.. just not sure how to
>> integrate ngrep, pcregrep, etc. without dropping a local toolkit first.
>> Another option for network-layer queries would be to extend the meterpreter
>> sniffer, but that's a bit out of my current expertise..
>>
>> I'll be at shmoo this weekend and would love to discuss further!
>>
>> grep8000.
>>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Robin Wood
>> Sent: Tuesday, February 02, 2010 4:49 PM
>> To: PaulDotCom Mailing List
>> Subject: [Pauldotcom] what files do you go for when you compromise a machine?
>>
>> I'm sure everyone has a set of files they look for when they get access to a
>> box. For example, I like to look through all the "My Documents" and Desktop
>> directories to see if there is anything useful in there, I would also look
>> for .pst files.
>>
>> I'm thinking of creating a Metasploit module, similar to winenum, which will
>> search the compromised machine for these files or check the specified
>> directories so having a good base list to start with would be useful.
>>
>> Any suggestions?
>>
>> Robin
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
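As an added illustration (not code from the thread or from the grep8000 blog), here is the defender-side version of the regex sweep David describes: the same pattern classes (card numbers, SSNs, e-mail addresses) run over a directory of documents the way a DLP discovery scan would, so the data owner finds and cleans up the files before anyone else does. A Luhn check drops the false positives a bare card-number regex produces. Pattern choices, the sample text and the file extensions are my assumptions.

```python
import os
import re

# Pattern classes from the thread; a bare PAN regex is noisy, so card hits must also pass Luhn.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(number):
    """True if the digits in number (separators ignored) pass the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(reversed(digits)))
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, value) pairs for every confirmed hit in text."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "credit_card" and not luhn_ok(value):
                continue  # PAN-shaped but fails Luhn: almost certainly not a card
            hits.append((kind, value))
    return hits

def scan_tree(root, exts=(".txt", ".csv", ".log", ".eml")):
    """Yield (path, kind, value) for hits in text files under root: the
    'My Documents' sweep from the thread, run by the data owner first."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for kind, value in find_sensitive(fh.read()):
                        yield path, kind, value

# Constructed sample text (not real data); 4111... is the well-known Visa test PAN.
SAMPLE = """card on file: 4111 1111 1111 1111
order ref: 4111 1111 1111 1112 (PAN-shaped, fails Luhn)
employee ssn 078-05-1120, contact payroll@example.com"""

if __name__ == "__main__":
    for hit in find_sensitive(SAMPLE):
        print(hit)
```

scan_tree() only reads plain-text formats; the .pst files Robin mentions are a binary container and need a proper parser before the same patterns can be applied.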
