metasploit-framework/modules/post/windows/gather/enum_artifacts.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'rex'
require 'msf/core'
require 'msf/core/post/file'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Post

	include Msf::Auxiliary::Report
	include Msf::Post::File
	include Msf::Post::Windows::Registry

	def initialize(info={})
		super( update_info( info,
			'Name'          => 'Windows File and Registry Artifacts Enumeration',
			'Description'   => %q{
				This module will check the file system and registry for particular artifacts. The
				list of artifacts is read from data/post/artifacts or a user specified file. Any
				matches are written to the loot. },
			'License'       => MSF_LICENSE,
			'Author'        => [ 'averagesecurityguy <stephen[at]averagesecurityguy.info>' ],
			'Platform'      => [ 'windows' ],
			'SessionTypes'  => [ 'meterpreter' ]
		))

		register_options(
			[
				OptPath.new( 'ARTIFACTS',
					[
						true,
						'Full path to artifacts file.',
						::File.join(Msf::Config.data_directory, 'post', 'enum_artifacts_list.txt')
					])
			], self.class)
	end

	def run
		# Store any found artifacts so they can be written to loot
		files_found = []
		reg_found   = []

		# Check artifacts file path
		filename = datastore['ARTIFACTS']
		if not ::File.exists?(filename)
			print_error("Artifacts file does not exist!")
			return
		end

		# Start enumerating
		print_status("Processing artifacts file...")
		file = ::File.open(filename, "rb")
		file.each_line do |line|
			line.strip!
			next if line.length < 1
			next if line[0,1] == "#"

			# Check registry
			if line =~ /^reg/
				type, reg_key, val, data = line.split("|")
				reg_data = registry_getvaldata(reg_key, val)
				if reg_data.to_s == data
					reg_found << "#{reg_key}\\#{val}"
				end
			end

			# Check file
			if line =~ /^file/
				type, file, hash = line.split("|")
				digest = file_remote_digestmd5(file)
				if digest == hash
					files_found << file
				end
			end
		end

		# Reporting.  In case the user wants to separte artifact types (file vs registry),
		# we've already done it at this point.
		if files_found.empty?
			print_status("No file artifacts found")
		else
			save(files_found, "Enumerated File Artifacts")
		end

		if reg_found.empty?
			print_status("No registry artifacts found")
		else
			save(reg_found, "Enumerated Registry Artifacts")
		end
	end

	def save(data, name)
		f = store_loot('enumerated.artifacts', 'text/plain', session, data.join("\n"), name)
		print_status("#{name} stored in: #{f}")
	end

end

=begin
To-do: Use CSV or yaml format to store enum_artifacts_list.txt
=end
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'rex'`
Used msf library for digest, fixed name. 2012-01-12 17:49:50 +00:00			`require 'msf/core'`
			`require 'msf/core/post/file'`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`require 'msf/core/post/windows/registry'`

			`class Metasploit3 < Msf::Post`

			`include Msf::Auxiliary::Report`
Used msf library for digest, fixed name. 2012-01-12 17:49:50 +00:00			`include Msf::Post::File`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`include Msf::Post::Windows::Registry`
MSFTidy fixes. 2012-01-18 21:01:00 +00:00
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`def initialize(info={})`
			`super( update_info( info,`
Used msf library for digest, fixed name. 2012-01-12 17:49:50 +00:00			`'Name' => 'Windows File and Registry Artifacts Enumeration',`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`'Description' => %q{`
MSFTidy fixes. 2012-01-18 21:01:00 +00:00			`This module will check the file system and registry for particular artifacts. The`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`list of artifacts is read from data/post/artifacts or a user specified file. Any`
			`matches are written to the loot. },`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`'License' => MSF_LICENSE,`
			`'Author' => [ 'averagesecurityguy <stephen[at]averagesecurityguy.info>' ],`
			`'Platform' => [ 'windows' ],`
			`'SessionTypes' => [ 'meterpreter' ]`
			`))`
Windows artifacts module 2012-01-12 23:26:35 +00:00
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`register_options(`
			`[`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`OptPath.new( 'ARTIFACTS',`
			`[`
			`true,`
			`'Full path to artifacts file.',`
			`::File.join(Msf::Config.data_directory, 'post', 'enum_artifacts_list.txt')`
			`])`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`], self.class)`
			`end`

			`def run`
			`# Store any found artifacts so they can be written to loot`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`files_found = []`
			`reg_found = []`
Added enum_artifacts 2012-01-06 22:43:50 +00:00
Windows artifacts module 2012-01-12 23:26:35 +00:00			`# Check artifacts file path`
			`filename = datastore['ARTIFACTS']`
			`if not ::File.exists?(filename)`
			`print_error("Artifacts file does not exist!")`
			`return`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`end`
Windows artifacts module 2012-01-12 23:26:35 +00:00
			`# Start enumerating`
			`print_status("Processing artifacts file...")`
MSFTidy fixes. 2012-01-18 21:01:00 +00:00			`file = ::File.open(filename, "rb")`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`file.each_line do \|line\|`
			`line.strip!`
			`next if line.length < 1`
			`next if line[0,1] == "#"`

			`# Check registry`
			`if line =~ /^reg/`
			`type, reg_key, val, data = line.split("\|")`
			`reg_data = registry_getvaldata(reg_key, val)`
			`if reg_data.to_s == data`
			`reg_found << "#{reg_key}\\#{val}"`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`end`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`end`

			`# Check file`
			`if line =~ /^file/`
			`type, file, hash = line.split("\|")`
			`digest = file_remote_digestmd5(file)`
			`if digest == hash`
			`files_found << file`
Used msf library for digest, fixed name. 2012-01-12 17:49:50 +00:00			`end`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`end`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`end`
Added enum_artifacts 2012-01-06 22:43:50 +00:00
Windows artifacts module 2012-01-12 23:26:35 +00:00			`# Reporting. In case the user wants to separte artifact types (file vs registry),`
			`# we've already done it at this point.`
			`if files_found.empty?`
			`print_status("No file artifacts found")`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`else`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`save(files_found, "Enumerated File Artifacts")`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`end`

Windows artifacts module 2012-01-12 23:26:35 +00:00			`if reg_found.empty?`
			`print_status("No registry artifacts found")`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`else`
Windows artifacts module 2012-01-12 23:26:35 +00:00			`save(reg_found, "Enumerated Registry Artifacts")`
Added enum_artifacts 2012-01-06 22:43:50 +00:00			`end`
			`end`

Windows artifacts module 2012-01-12 23:26:35 +00:00			`def save(data, name)`
			`f = store_loot('enumerated.artifacts', 'text/plain', session, data.join("\n"), name)`
			`print_status("#{name} stored in: #{f}")`
			`end`

Added enum_artifacts 2012-01-06 22:43:50 +00:00			`end`

Windows artifacts module 2012-01-12 23:26:35 +00:00			`=begin`
			`To-do: Use CSV or yaml format to store enum_artifacts_list.txt`
MSFTidy fixes. 2012-01-18 21:01:00 +00:00			`=end`