2012-01-06 22:43:50 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-01-06 22:43:50 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'rex'
|
2012-01-12 17:49:50 +00:00
|
|
|
require 'msf/core'
|
2012-01-27 00:35:39 +00:00
|
|
|
require 'yaml'
|
2012-10-23 18:24:05 +00:00
|
|
|
require 'msf/core/auxiliary/report'
|
2012-01-06 22:43:50 +00:00
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2012-01-06 22:43:50 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather File and Registry Artifacts Enumeration',
|
|
|
|
'Description' => %q{
|
|
|
|
This module will check the file system and registry for particular artifacts. The
|
|
|
|
list of artifacts is read from data/post/enum_artifacts_list.txt or a user specified file. Any
|
|
|
|
matches are written to the loot. },
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'averagesecurityguy <stephen[at]averagesecurityguy.info>' ],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptPath.new( 'ARTIFACTS',
|
|
|
|
[
|
|
|
|
true,
|
|
|
|
'Full path to artifacts file.',
|
|
|
|
::File.join(Msf::Config.data_directory, 'post', 'enum_artifacts_list.txt')
|
|
|
|
])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
# Store any found artifacts so they can be written to loot
|
|
|
|
evidence = {}
|
|
|
|
|
|
|
|
# Load artifacts from yaml file. Artifacts are organized by what they
|
|
|
|
# are evidence of.
|
|
|
|
yaml = YAML::load_file(datastore['ARTIFACTS'])
|
|
|
|
yaml.each_key do |key|
|
|
|
|
print_status("Searching for artifacts of #{key}")
|
|
|
|
files = yaml[key]['files']
|
|
|
|
regs = yaml[key]['reg_entries']
|
|
|
|
found = []
|
|
|
|
|
|
|
|
# Process file entries
|
|
|
|
vprint_status("Processing #{files.length.to_s} file entries for #{key}.")
|
|
|
|
|
|
|
|
files.each do |file|
|
|
|
|
digest = file_remote_digestmd5(file['name'])
|
|
|
|
# if the file doesn't exist then digest will be nil
|
|
|
|
next if digest == nil
|
|
|
|
if digest == file['csum'] then found << file['name'] end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Process registry entries
|
|
|
|
vprint_status("Processing #{regs.length.to_s} registry entries for #{key}.")
|
|
|
|
|
|
|
|
regs.each do |reg|
|
|
|
|
rdata = registry_getvaldata(reg['key'], reg['val'])
|
|
|
|
if rdata.to_s == reg['data']
|
|
|
|
found << reg['key'] + '\\' + reg['val']
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Did we find anything? If so store it in the evidence hash to be
|
|
|
|
# saved in the loot.
|
|
|
|
if found.empty?
|
|
|
|
print_status("No artifacts of #{key} found.")
|
|
|
|
else
|
|
|
|
print_status("Artifacts of #{key} found.")
|
|
|
|
evidence[key] = found
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
save(evidence, "Enumerated Artifacts")
|
|
|
|
end
|
|
|
|
|
|
|
|
def save(data, name)
|
|
|
|
str = ""
|
|
|
|
data.each_pair do |key, val|
|
|
|
|
str << "Evidence of #{key} found.\n"
|
|
|
|
val.each do |v|
|
|
|
|
str << "\t" + v + "\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
f = store_loot('enumerated.artifacts', 'text/plain', session, str, name)
|
|
|
|
print_status("#{name} stored in: #{f}")
|
|
|
|
end
|
2012-01-12 23:26:35 +00:00
|
|
|
|
2012-01-06 22:43:50 +00:00
|
|
|
end
|