Windows artifacts module
Stephen Haywood
sinn3r
parent
02bd1f3407
commit
6ad2eda24c
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
|
@ -9,7 +5,6 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'digest/md5'
|
||||
require 'rex'
|
||||
require 'msf/core'
|
||||
require 'msf/core/post/file'
|
||||
|
|
@ -24,100 +19,88 @@ class Metasploit3 < Msf::Post
|
|||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows File and Registry Artifacts Enumeration',
|
||||
'Description' => %q{ This module will check the file system and registry for particular artifacts. The
|
||||
list of artifacts is read from data/post/artifacts or a user specified file. Any
|
||||
matches are written to the loot. },
|
||||
'Description' => %q{
|
||||
This module will check the file system and registry for particular artifacts. The
|
||||
list of artifacts is read from data/post/artifacts or a user specified file. Any
|
||||
matches are written to the loot. },
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'averagesecurityguy <stephen[at]averagesecurityguy.info>' ],
|
||||
'Version' => '$Revision$',
|
||||
'Platform' => [ 'windows' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPath.new('ARTIFACTS', [false, 'Full path to artifacts file.', nil]),
|
||||
OptPath.new( 'ARTIFACTS',
|
||||
[
|
||||
true,
|
||||
'Full path to artifacts file.',
|
||||
::File.join(Msf::Config.data_directory, 'post', 'enum_artifacts_list.txt')
|
||||
])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
# Store any found artifacts so they can be written to loot
|
||||
found = Array.new
|
||||
files_found = []
|
||||
reg_found = []
|
||||
|
||||
if datastore['ARTIFACTS']
|
||||
filename = datastore['ARTIFACTS']
|
||||
else
|
||||
filename = ::File.join(Msf::Config.data_directory, 'post', 'artifacts')
|
||||
print_line(filename)
|
||||
# Check artifacts file path
|
||||
filename = datastore['ARTIFACTS']
|
||||
if not ::File.exists?(filename)
|
||||
print_error("Artifacts file does not exist!")
|
||||
return
|
||||
end
|
||||
|
||||
if ::File.exists?(filename)
|
||||
print_status("Processing artifacts file...")
|
||||
|
||||
file = ::File.open(filename, "r")
|
||||
file.each_line do |line|
|
||||
line.strip!
|
||||
next if line.length < 1
|
||||
next if line[0,1] == "#"
|
||||
|
||||
if line =~ /^reg/
|
||||
type, reg_key, val, data = line.split("|")
|
||||
reg_data = registry_getvaldata(reg_key, val)
|
||||
if reg_data.to_s == data
|
||||
found << "Matching registry entry: #{reg_key}\\#{val}"
|
||||
end
|
||||
end
|
||||
|
||||
if line =~ /^file/
|
||||
type, file, hash = line.split("|")
|
||||
digest = file_remote_digestmd5(file)
|
||||
if digest == hash then found << "Matching file entry: #{file}" end
|
||||
|
||||
# Start enumerating
|
||||
print_status("Processing artifacts file...")
|
||||
file = ::File.open(filename, "r")
|
||||
file.each_line do |line|
|
||||
line.strip!
|
||||
next if line.length < 1
|
||||
next if line[0,1] == "#"
|
||||
|
||||
# Check registry
|
||||
if line =~ /^reg/
|
||||
type, reg_key, val, data = line.split("|")
|
||||
reg_data = registry_getvaldata(reg_key, val)
|
||||
if reg_data.to_s == data
|
||||
reg_found << "#{reg_key}\\#{val}"
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Artifacts file processed successfully.")
|
||||
else
|
||||
print_error("Artifacts file does not exist!")
|
||||
# Check file
|
||||
if line =~ /^file/
|
||||
type, file, hash = line.split("|")
|
||||
digest = file_remote_digestmd5(file)
|
||||
if digest == hash
|
||||
files_found << file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if found.length > 0
|
||||
print_status("Artifacts found, saving to loot")
|
||||
|
||||
# Store artifacts in the loot.
|
||||
loot_file = store_loot( 'enumerated.artifacts',
|
||||
'text/plain',
|
||||
session,
|
||||
found.join("\n"),
|
||||
nil,
|
||||
'Enumerated Artifacts')
|
||||
|
||||
print_status("Enumerated artifacts stored in #{loot_file}")
|
||||
|
||||
# Reporting. In case the user wants to separte artifact types (file vs registry),
|
||||
# we've already done it at this point.
|
||||
if files_found.empty?
|
||||
print_status("No file artifacts found")
|
||||
else
|
||||
print_status("No artifacts found.")
|
||||
save(files_found, "Enumerated File Artifacts")
|
||||
end
|
||||
|
||||
if reg_found.empty?
|
||||
print_status("No registry artifacts found")
|
||||
else
|
||||
save(reg_found, "Enumerated Registry Artifacts")
|
||||
end
|
||||
end
|
||||
|
||||
def get_base(str)
|
||||
case str
|
||||
when "HKEY_CLASSES_ROOT"
|
||||
return HKEY_CLASSES_ROOT
|
||||
when "HKEY_CURRENT_USER"
|
||||
return HKEY_CURRENT_USER
|
||||
when "HKEY_LOCAL_MACHINE"
|
||||
return HKEY_LOCAL_MACHINE
|
||||
when "HKEY_USERS"
|
||||
return HKEY_USERS
|
||||
when "HKEY_PERFORMANCE_DATA"
|
||||
return HKEY_PERFORMANCE_DATA
|
||||
when "HKEY_CURRENT_CONFIG"
|
||||
return HKEY_CURRENT_CONFIG
|
||||
when "HKEY_DYN_DATA"
|
||||
return HKEY_DYN_DATA
|
||||
else
|
||||
print_error "Unrecognized base key #{str}"
|
||||
return nil
|
||||
end
|
||||
end
|
||||
def save(data, name)
|
||||
f = store_loot('enumerated.artifacts', 'text/plain', session, data.join("\n"), name)
|
||||
print_status("#{name} stored in: #{f}")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
=begin
|
||||
To-do: Use CSV or yaml format to store enum_artifacts_list.txt
|
||||
=end
|
||||
Loading…
Reference in New Issue