I like to look for the passwords.txt/passwords.xls/passwords.doc in addition to other configuration files. Finding and reviewing these can be a bit tedious on the command line.
The script is based on the enum_files post module and it will let you pick the extensions you are interested in as well as which drive to search. Instead of just downloading all those files it creates two output files per file type (in loot). One file that is easy to read and a second that is easy to cut in paste into your meterpreter console to download any files you find interesting.
msf use post/windows/gather/gold_digger
msf post(gold_digger) > info
Name: Windows Gather Generic File Collection
Module: post/windows/gather/gold_digger
Platform: Windows
Arch:
Rank: Normal
Provided by:
3vi1john
RageLtMan
CG
Description:
This module looks for all office files, creates a list and the path
to those files to download later if you want (check your loot
folder). Based on enum_files.rb. Creates two output files in loot.
one with the raw path and second that is more readable. Notes: Does
not decend into Users\$user\AppData by default (not sure why). You
have to force that directory with the SEARCH_FROM option.
msf post(gold_digger) > show options
Module options (post/windows/gather/gold_digger):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE_GLOBS *.doc*,*.xls*,*.ppt*,*.pdf yes The file pattern to search for in a filename
SEARCH_FROM no Search from a specific location. Ex. C:\
SESSION yes The session to run this module on.In action:
[*] Searching C:\Users\ for *.doc* through windows user profile structure
[*] Found C:\Users\user\Documents\Derbycon3.docx adding to the list
[*] Found C:\Users\user\Documents\Speaker Attachments.docx adding to the list
[*] Found C:\Users\user\Desktop\runroute.doc adding to the list
...
[*] Searching C:\Users\ for *.xls* through windows user profile structure[*] Found C:\Users\user\Documents\servers.xlsx adding to the list
...
[*] Searching C:\Users\ for *.pdf* through windows user profile structure[*] Found C:\Users\user\Desktop\scan.pdf adding to the list
...
[*] Done!
[*] Post module execution completed
Of course you can also give it full drives like C:\\ or X:\\ or change extensions you are looking for.
You can get it here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/post/windows/gather/gold_digger.rb
2 comments:
Maybe the access to the directory must be accepted only with privileges for the current user manipulation of the files.
i assume you mean the appdata folder. if you manually set it, i think it will index if for you, just doesnt descend into it.
Post a Comment