HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 30 guests and 1 member online
 
Advertisement

You are here: Home arrow Resourcesarrow Toolsarrow Automated post-compromise infomation gathering
EH-Net
May 24, 2013, 11:47:57 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Automated post-compromise infomation gathering  (Read 9237 times)
0 Members and 1 Guest are viewing this topic.
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« on: August 10, 2009, 01:24:12 PM »
Hi All,

I'm looking for a method to automatically gather system/user information post compromise. I've used DarkOperator's winenumn meterpreter script, but I don't fancy having to stare intently at a box waiting for compromised systems to connect back to by server to initiate info gathering.

More information would always be better, but initially a minimum would be system and username of compromised account for client-side/user awareness suffs. Not too concerned at this point if it is via a (free) framework (metasploit etc) or a standalone solution. I know Assagai is in the pipeline which sounds like it should handle my requirements needs but I haven't seen any release date information yet.

Don't think for a second I'm dealing with anything innovative or unique so I'm wondering how others deal with the same scenario.

Thanks in advance,
Andrew
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #1 on: August 10, 2009, 02:23:36 PM »
Andrew, do you mean something like the MIRROR incident response toolset?

http://mirror.codeplex.com/
Logged
~~~~~~~~~~~~~~
Ketchup
Jhaddix
Sr. Member
****
Offline Offline

Posts: 317



View Profile WWW
« Reply #2 on: August 10, 2009, 03:07:27 PM »
hmm... i thought assagai was a phishing framework, ill have to re look into that project.

Depending on your scope you could just cmd.exe > batch script something couldnt you?

i mean thats all MIRROR is but with sysinternals tools built in...
Logged
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester

http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
UNIX
Hero Member
*****
Offline Offline

Posts: 1235


View Profile
« Reply #3 on: August 11, 2009, 12:16:21 AM »
If I remember correctly, I too think that Assagai was some kind of Phishing Framework.

MIRROR should be able to do what you want.

If you don't care and have some time to spend maybe you could write such a program in Python, which shouldn't be too hard.
Logged
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #4 on: August 11, 2009, 04:33:29 AM »
Hi guys,

thanks for the responses. Your right, Assagai is supposedly going to be a phishing framework, but from the little I've read about it it should have some decent tracking and metric capabilities built in.

To expand a little on what I'm toying with I'm looking at a way to track and record which users clicked the link, or opened the attachment, or did 'other bad stuffs'.

Batch scripting cmd.exe shells was the first thing that sprung to mind, but I didn't want to re-invent the wheel if it had already been done. I don't have any real world experience with MIR-ROR, didn't think it would be that simple to tie into client's connection back. Looks like I'll need to re-evaluate and give it a closer look.

Andrew
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #5 on: August 11, 2009, 03:18:48 PM »
I've been playing with this some more after getting home from work.

Decided to go down the automated cmd route, which turned out to be simpler than I had expected. For testing purposes I've used metasploit's msfpayload to generate a windows executable returning a reverse cmd shell. On the listening side I've simply got a netcat listener, feeding in a textfile containing commands to run once the connection is established:
# nc -vnlp 4444 < commands.txt

I still need to decide exactly which commands I want to run to gather which data, how I want to distribute my shellcode to unsuspecting guinea pigs.

Thanks for the assistance and suggestions.
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
dalepearson
Sr. Member
****
Offline Offline

Posts: 357


View Profile WWW
« Reply #6 on: August 11, 2009, 05:00:10 PM »
Sounds like you got it covered Andrew, you might want to take a look at http://trac.metasploit.com/wiki/AutomatingMeterpreter

Happy Hunting.
Dale
Logged
:: Subliminal Hacking :: / :: Security Active Blog ::
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #7 on: August 12, 2009, 10:23:02 AM »
Sounds like just the thing, cheers Dale much appreciated Cheesy
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
Jhaddix
Sr. Member
****
Offline Offline

Posts: 317



View Profile WWW
« Reply #8 on: August 12, 2009, 02:12:58 PM »
while that script is awesome it could use the systeminfo command, it returns a plethora of information that is useful.

Example:

Quote
C:\Documents and Settings\Ender>systeminfo

Host Name:                 DESKTOP
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Jason
Registered Organization:
Product ID:                
Original Install Date:     6/13/2010, 12:00:44 AM
System Up Time:            0 Days, 4 Hours, 19 Minutes, 37 Seconds
System Manufacturer:       GBT___
System Model:              NVDAACPI
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 75 Stepping 2 AuthenticAMD
~2211 Mhz
BIOS Version:              GBT    - 42302e31
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     3,327 MB
Available Physical Memory: 2,409 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 1,997 MB
Virtual Memory: In Use:    51 MB
Page File Location(s):     D:\pagefile.sys
Domain:                    SHARE
Logon Server:              \\DESKTOP
Hotfix(s):                 115 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: File 1
                           [04]: File 1
                           [05]: File 1
                           [06]: File 1
                           [07]: File 1
                           [08]: File 1
                           [09]: File 1
                           [10]: File 1
                           [11]: File 1
                           [12]: File 1
                           [13]: File 1
                           [14]: File 1
                           [15]: File 1
                           [16]: File 1
                           [17]: File 1
                           [18]: File 1
                           [19]: File 1
                           [20]: File 1
                           [21]: File 1
                           [22]: File 1
                           [23]: File 1
                           [24]: File 1
                           [25]: File 1
                           [26]: File 1
                           [27]: File 1
                           [28]: File 1
                           [29]: File 1
                           [30]: File 1
                           [31]: File 1
                           [32]: File 1
                           [33]: File 1
                           [34]: File 1
                           [35]: File 1
                           [36]: File 1
                           [37]: File 1
                           [38]: File 1
                           [39]: File 1
                           [40]: File 1
                           [41]: File 1
                           [42]: File 1
                           [43]: File 1
                           [44]: File 1
                           [45]: File 1
                           [46]: File 1
                           [47]: File 1
                           [48]: File 1
                           [49]: File 1
                           [50]: File 1
                           [51]: File 1
                           [52]: Q147222
                           [53]: Q954430
                           [54]: IDNMitigationAPIs - Update
                           [55]: NLSDownlevelMapping - Update
                           [56]: KB929399
                           [57]: KB952069_WM9
                           [58]: KB973540_WM9
                           [59]: KB936782_WMP11
                           [60]: KB939683
                           [61]: KB954154_WM11
                           [62]: KB959772_WM11
                           [63]: KB941569
                           [64]: KB938127-v2-IE7 - Update
                           [65]: KB969897-IE7 - Update
                           [66]: KB972260-IE7 - Update
                           [67]: MSCompPackV1 - Update
                           [68]: KB898461 - Update
                           [69]: KB923561 - Update
                           [70]: KB938464-v2 - Update
                           [71]: KB946648 - Update
                           [72]: KB950760 - Update
                           [73]: KB950762 - Update
                           [74]: KB950974 - Update
                           [75]: KB951066 - Update
                           [76]: KB951376-v2 - Update
                           [77]: KB951748 - Update
                           [78]: KB951978 - Update
                           [79]: KB952004 - Update
                           [80]: KB952287 - Update
                           [81]: KB952954 - Update
                           [82]: KB954459 - Update
                           [83]: KB954550-v5 - Update
                           [84]: KB954600 - Update
                           [85]: KB955069 - Update
                           [86]: KB955839 - Update
                           [87]: KB956572 - Update
                           [88]: KB956744 - Update
                           [89]: KB956802 - Update
                           [90]: KB956803 - Update
                           [91]: KB957097 - Update
                           [92]: KB958644 - Update
                           [93]: KB958687 - Update
                           [94]: KB959426 - Update
                           [95]: KB960225 - Update
                           [96]: KB960803 - Update
                           [97]: KB960859 - Update
                           [98]: KB961118 - Update
                           [99]: KB961371 - Update
                           [100]: KB961373 - Update
                           [101]: KB961501 - Update
                           [102]: KB967715 - Update
                           [103]: KB968389 - Update
                           [104]: KB968537 - Update
                           [105]: KB969897 - Update
                           [106]: KB969898 - Update
                           [107]: KB970238 - Update
                           [108]: KB971557 - Update
                           [109]: KB971633 - Update
                           [110]: KB971657 - Update
                           [111]: KB973346 - Update
                           [112]: KB973354 - Update
                           [113]: KB973507 - Update
                           [114]: KB973815 - Update
                           [115]: KB973869 - Update
NetWork Card(s):           5 NIC(s) Installed.
                           [01]: 1394 Net Adapter
                                 Connection Name: 1394 Connection
                           [02]: NVIDIA nForce Networking Controller
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.56
                           [03]: VMware Virtual Ethernet Adapter for VMnet1
                                 Connection Name: VMware Network Adapter VMnet1
                           [04]: VMware Virtual Ethernet Adapter for VMnet8
                                 Connection Name: VMware Network Adapter VMnet8
                           [05]: Cisco AnyConnect VPN Virtual Miniport Adapter f
or Windows
                                 Connection Name: Cisco AnyConnect VPN Client Co
nnection

C:\Documents and Settings\Ender>
« Last Edit: August 13, 2009, 02:57:00 PM by Jhaddix » Logged
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester

http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #9 on: August 13, 2009, 04:08:34 AM »
Thanks Jason,

I'll be adding that to my toolbox. Looks like it grabs most of what I'm looking for in one simple command Smiley
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
LSOChris
Guest
« Reply #10 on: September 05, 2009, 08:35:53 AM »
if you are going to use metasploit you might as well just write your own meterpreter script to do it, even if its a simple as pushing up and your batch script and running in it...even though writing to disk should be avoided.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.079 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.