
Automated post-compromise information gathering


RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Aug 10, 2009 1:24 pm

Automated post-compromise information gathering

Hi All,

I'm looking for a method to automatically gather system/user information post compromise. I've used DarkOperator's winenum meterpreter script, but I don't fancy having to stare intently at a box waiting for compromised systems to connect back to my server to initiate info gathering.

More information would always be better, but initially a minimum would be system and username of the compromised account for client-side/user awareness stuff. Not too concerned at this point if it is via a (free) framework (metasploit etc) or a standalone solution. I know Assagai is in the pipeline, which sounds like it should handle my requirements, but I haven't seen any release date information yet.

Don't think for a second I'm dealing with anything innovative or unique so I'm wondering how others deal with the same scenario.

Thanks in advance,
Andrew

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Aug 10, 2009 2:23 pm

Re: Automated post-compromise information gathering

Andrew, do you mean something like the MIRROR incident response toolset?

http://mirror.codeplex.com/
~~~~~~~~~~~~~~
Ketchup

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Aug 10, 2009 3:07 pm

Re: Automated post-compromise information gathering

Hmm... I thought Assagai was a phishing framework, I'll have to re-look into that project.

Depending on your scope you could just cmd.exe > batch script something, couldn't you?

I mean that's all MIRROR is, but with Sysinternals tools built in...

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Aug 11, 2009 12:16 am

Re: Automated post-compromise information gathering

If I remember correctly, I too think that Assagai was some kind of Phishing Framework.

MIRROR should be able to do what you want.

If you don't care and have some time to spend, maybe you could write such a program in Python, which shouldn't be too hard.

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Aug 11, 2009 4:33 am

Re: Automated post-compromise information gathering

Hi guys,

Thanks for the responses. You're right, Assagai is supposedly going to be a phishing framework, but from the little I've read about it, it should have some decent tracking and metric capabilities built in.

To expand a little on what I'm toying with I'm looking at a way to track and record which users clicked the link, or opened the attachment, or did 'other bad stuffs'.

Batch scripting cmd.exe shells was the first thing that sprung to mind, but I didn't want to re-invent the wheel if it had already been done. I don't have any real world experience with MIRROR, didn't think it would be that simple to tie into the client's connection back. Looks like I'll need to re-evaluate and give it a closer look.

Andrew

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Aug 11, 2009 3:18 pm

Re: Automated post-compromise information gathering

I've been playing with this some more after getting home from work.

Decided to go down the automated cmd route, which turned out to be simpler than I had expected. For testing purposes I've used metasploit's msfpayload to generate a Windows executable returning a reverse cmd shell. On the listening side I've simply got a netcat listener, feeding in a text file containing commands to run once the connection is established:

# nc -vnlp 4444 < commands.txt

I still need to decide exactly which commands I want to run to gather which data, and how I want to distribute my shellcode to unsuspecting guinea pigs.

Thanks for the assistance and suggestions.

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Aug 11, 2009 5:00 pm

Re: Automated post-compromise information gathering

Sounds like you've got it covered Andrew, you might want to take a look at http://trac.metasploit.com/wiki/AutomatingMeterpreter

Happy Hunting.
Dale

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Aug 12, 2009 10:23 am

Re: Automated post-compromise information gathering

Sounds like just the thing, cheers Dale, much appreciated :D

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Aug 12, 2009 2:12 pm

Re: Automated post-compromise information gathering

While that script is awesome, it could use the systeminfo command, which returns a plethora of information that is useful.

Example:

C:\Documents and Settings\Ender>systeminfo

Host Name:                 DESKTOP
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Jason
Registered Organization:
Product ID:                
Original Install Date:     6/13/2010, 12:00:44 AM
System Up Time:            0 Days, 4 Hours, 19 Minutes, 37 Seconds
System Manufacturer:       GBT___
System Model:              NVDAACPI
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                          [01]: x86 Family 15 Model 75 Stepping 2 AuthenticAMD ~2211 Mhz
BIOS Version:              GBT    - 42302e31
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     3,327 MB
Available Physical Memory: 2,409 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 1,997 MB
Virtual Memory: In Use:    51 MB
Page File Location(s):     D:\pagefile.sys
Domain:                    SHARE
Logon Server:              \\DESKTOP
Hotfix(s):                 115 Hotfix(s) Installed.
NetWork Card(s):           5 NIC(s) Installed.
                          [01]: 1394 Net Adapter
                                Connection Name: 1394 Connection
                          [02]: NVIDIA nForce Networking Controller
                                Connection Name: Local Area Connection
                                DHCP Enabled:    Yes
                                DHCP Server:     192.168.1.1
                                IP address(es)
                                [01]: 192.168.1.56
                          [03]: VMware Virtual Ethernet Adapter for VMnet1
                                Connection Name: VMware Network Adapter VMnet1
                          [04]: VMware Virtual Ethernet Adapter for VMnet8
                                Connection Name: VMware Network Adapter VMnet8
                          [05]: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
                                Connection Name: Cisco AnyConnect VPN Client Connection

C:\Documents and Settings\Ender>
Last edited by Jhaddix on Thu Aug 13, 2009 2:57 pm, edited 1 time in total.
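A parser for the systeminfo output shown above, added here as an example and not code from the thread: it turns the "Key: value" lines and the indented [nn] lists into a dict, so the few fields the original post asked for (host, OS, domain, patch level) can be pulled out of a captured transcript programmatically. The sample input is constructed and trimmed from the output above; the function names are my own.

```python
import re

# Constructed sample (trimmed from the output above) with both multi-line shapes.
SAMPLE = r"""Host Name:                 DESKTOP
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
Domain:                    SHARE
Logon Server:              \\DESKTOP
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB958644 - Update
                           [02]: KB960803 - Update
                           [03]: KB973869 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: NVIDIA nForce Networking Controller
                                 Connection Name: Local Area Connection
                                 IP address(es)
                                 [01]: 192.168.1.56
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")   # "Key:   value" at column 0 (first colon splits)
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(.*)$")  # indented "[nn]: item" continuation line

def parse_systeminfo(text):
    """Field -> value; fields with [nn] items become lists, deeper-indented detail
    lines (NIC details, nested IP entries) are folded into the last item."""
    fields, current, item_indent = {}, None, None
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                                  # start of a new field
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1).strip()
                fields[current] = m.group(2).strip()
                item_indent = None                       # first [nn] line fixes the item indent
        elif current is not None:
            m = ITEM_RE.match(line)
            if m and indent == (item_indent or indent):  # top-level [nn] item of this field
                item_indent = indent
                if not isinstance(fields[current], list):
                    fields[current] = []                 # "N ... Installed." header is dropped
                fields[current].append(m.group(1).strip())
            elif isinstance(fields[current], list) and fields[current]:
                fields[current][-1] += " | " + line.strip()
    return fields

def installed_kbs(fields):
    """KB numbers from the Hotfix(s) list, i.e. the patch-level column of the report."""
    items = fields.get("Hotfix(s)", [])
    return sorted(h.split()[0] for h in items if h.startswith("KB")) if isinstance(items, list) else []
```

Keys such as "Virtual Memory: Max Size:" contain a colon themselves and split at the first one, so check the resulting key names before relying on them.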

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Aug 13, 2009 4:08 am

Re: Automated post-compromise information gathering

Thanks Jason,

I'll be adding that to my toolbox. Looks like it grabs most of what I'm looking for in one simple command :)

LSOChris

Post Sat Sep 05, 2009 8:35 am

Re: Automated post-compromise information gathering

If you are going to use metasploit you might as well just write your own meterpreter script to do it, even if it's as simple as pushing up your batch script and running it... even though writing to disk should be avoided.
