
Ransack Post Exploitation Tool


sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 03, 2012 1:12 pm

Ransack Post Exploitation Tool

Ransack Post Exploitation Tool v 0.1 - Ransack is a post exploitation tool to be used by penetration testers. It is more of a proof of concept and its purpose is to grab any information deemed relevant on a system, post root compromise. This information may include config files, ssh keys, ssl keys, or any other information deemed valuable.

After seeing a lot of posts here on finding information for the OSCP exam, I figured I would try to give people something to 1) think about and 2) put to use while performing authorized work. As I am a stickler for going against the grain, it's a simple shell script. It could have been written in Perl, Python, Ruby or another language but as usual I chose not to. The reasoning for this is logical and simple: there is never a guarantee that a specific programming language will be installed on a machine. If it is not, that would mean I would have to either install it on my own (which raises the detection rate) or re-program it to match the system I am on (which again raises the ratio of detection).

Once on a system, there is no guarantee that 1) you will know what to look for or 2) will NOT miss something important because you are scrambling to figure out what the system is, what it does and so forth. The goal was to ransack the system for files that are usually valuable. Those files are copied over and tar'd in order to extract and dissect the data on another machine.

Data extracted includes SSL certificates, SSH keys, config files, and so forth. It will also determine who is in a "juicy" (privileged) group and ransack their directories as well. This will include a user who may be in a group such as wheel, mysql and so forth.

Since it's simply a shell script, anyone can modify it to look for just about anything and "ransack" that information as well. Most information can aid a pentester since password reuse is rampant, many configuration files will yield other networks and IP addresses and so forth.

Lastly, lest anyone complain about the tool, the tool was released to aid penetration testers, not to assist malicious individuals. The reality of life dictates people will likely use the tool for nefarious purposes. Much like a handgun: a police officer may use his weapon to put down someone deemed a threat (life saving) while someone else may use a handgun to rob a bank. Don't shoot the messenger; there is a valid and legitimate purpose for Ransack.

http://www.infiltrated.net/scripts/ransack.sh
sh ransack.sh

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu May 03, 2012 1:21 pm

Re: Ransack Post Exploitation Tool

Not to be confused with Agent Ransack

http://www.mythicsoft.com/page.aspx?typ ... &page=home

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu May 03, 2012 6:23 pm

Re: Ransack Post Exploitation Tool

Looks nice, why don't you use "netstat -antupe" instead though?
It lists everything listening on TCP and UDP interfaces along with process information, ports, etc. Just a suggestion, not really important  :)
I'm an InterN0T'er

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri May 04, 2012 7:27 am

Re: Ransack Post Exploitation Tool

The overall goal was to keep it symmetric and working across the differing platforms:

  Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# netstat -t
netstat: illegal option -- t


-t never works on any BSD nor Solaris and in HPUX it wouldn't work either. I thought about doing if [ uname == $THIS ] then ... But I was lazy and it meant more lines of code. Aside from comments, the entire thing can be streamed into under 25 lines so you can copy it right on a term without raising a bandwidth flag if someone is doing SIEM.
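Editor's note on the defensive side of this thread: the behaviour sil describes (one process, running as root, reading SSH keys, SSL private keys and config files belonging to several different users in quick succession, then tarring them up) is also a very distinctive pattern to alert on. The script below is an added example, not part of ransack.sh or anything posted in the thread. It assumes a normalized per-access feed in the form "epoch uid pid comm path" (the kind of record an auditd watch on ~/.ssh and /etc/ssl/private yields after ausearch and some post-processing); the sample lines, the sensitive-path regex, the owner threshold and the time window are all constructed assumptions, and it stays in plain POSIX sh plus awk for the same portability reasons given above.

```shell
#!/bin/sh
# Added example (not from the thread or from ransack.sh): flag any single
# process that reads credential material owned by several different
# principals inside one short time window. Thresholds are assumptions.

# Paths treated as credential material (assumption; extend for your estate).
# Written with [.] rather than \. so the regex survives awk's -v escape handling.
SENSITIVE_RE='/[.]ssh/|/etc/ssl/private/|/etc/shadow|/[.]gnupg/|/[.]aws/credentials'
MIN_OWNERS=3   # distinct credential owners one pid may touch before alerting
WINDOW=120     # seconds; accesses are bucketed into fixed windows of this size

# Constructed sample feed (not a real capture): "epoch uid pid comm path".
SAMPLE_LOG='1336058000 0 4242 cat /home/alice/.ssh/id_rsa
1336058001 0 4242 cat /home/bob/.ssh/id_rsa
1336058002 0 4242 cat /etc/ssl/private/server.key
1336058003 0 4242 cat /home/carol/.ssh/authorized_keys
1336058010 0 4250 tar /tmp/.x/loot.tar
1336058200 1000 5100 vim /home/alice/.ssh/config
1336058300 1001 5200 ssh /home/bob/.ssh/id_rsa'

# detect_harvest: read records on stdin, print one ALERT line per
# (pid, window) that touched credentials of >= MIN_OWNERS distinct owners.
detect_harvest() {
    awk -v re="$SENSITIVE_RE" -v min="$MIN_OWNERS" -v win="$WINDOW" '
    $5 ~ re {
        # Credential owner: the home-directory user, or "system" for /etc material.
        owner = "system"
        if ($5 ~ /^\/home\/[^\/]+\//) {
            owner = $5
            sub(/^\/home\//, "", owner)
            sub(/\/.*/, "", owner)
        }
        # Group accesses by pid and by fixed WINDOW-second bucket.
        key = $3 "/" int($1 / win)
        if (!((key, owner) in seen)) {
            seen[key, owner] = 1
            owners[key]++
            uid[key] = $2
            comm[key] = $4
        }
    }
    END {
        for (k in owners) {
            if (owners[k] >= min) {
                split(k, p, "/")
                printf "ALERT pid=%s uid=%s comm=%s read credentials of %d distinct owners within %ds\n",
                       p[1], uid[k], comm[k], owners[k], win
            }
        }
    }'
}

# Run against the constructed sample: only pid 4242 crosses the threshold
# (alice, bob, system, carol); the single-owner reads by vim and ssh do not.
printf '%s\n' "$SAMPLE_LOG" | detect_harvest
```

The point of bucketing by pid rather than by uid is that, post root compromise, everything runs as uid 0 anyway; what separates a harvesting script from normal root activity is one process sweeping across many owners' key material, which ordinary services never do. A real deployment would feed this from an auditd file watch (or equivalent on BSD/Solaris) and pair it with the tar/scp step sil mentions as a second signal.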
