Thread: What would you grab?

  1. #1
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default What would you grab?

    Here's a hypothetical scenario:

    There is a box with Windows XP (SP2/SP3) recently installed. All you have is a printout of the directory structure/file list, but no actual content of the files. If you SSH in and grab a handful of files from this box, what files (or types of files) would you grab?
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    All the files with Microsoft-type extensions are usually a safe bet, like .xml, .ppt or .doc. Or the other thing to do is see what software is listed in Program Files and then figure out the file extension for it. For example, if you could see QuickBooks was installed, then you would look for files of that type to gain financial data. A QuickBooks data file name always ends with .qbw and a QuickBooks backup file name always ends with .qbb. Just an example. Here is a file extension site I use: http://filext.com/index.php

  3. #3
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    First grab the complete "Documents and Settings", since 99% of anything of note will be in the users' subdirectories. Then I'd take a quick look around for any unusual-sounding directory names at the C:\ root level. Depending on the permissions of the box, the users' permissions and how much they know about "folders", some users are smart enough to actually place files in non-standard directories. Sometimes they even know and understand hidden directories, although in my experience it's pretty rare.

    Also, make sure that your settings are such that you can see hidden directories and files. You'll need that if you want to see and grab things like a given user's .PST file.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote: Originally posted by theprez98
    Here's a hypothetical scenario:

    There is a box with Windows XP (SP2/SP3) recently installed. All you have is a printout of the directory structure/file list, but no actual content of the files. If you SSH in and grab a handful of files from this box, what files (or types of files) would you grab?
    The files I've been given permission by the owner to take, naturally.

    Assuming I had the owner's permission to take any files I want, and assuming I am doing pentesting on behalf of the owner, I'd take the files that comprise the system registry. I'd also take whatever files contain login passwords and wireless keys.

  5. #5
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote: Originally posted by Virchanza
    The files I've been given permission by the owner to take, naturally.

    Assuming I had the owner's permission to take any files I want, and assuming I am doing pentesting on behalf of the owner, I'd take the files that comprise the system registry. I'd also take whatever files contain login passwords and wireless keys.
    For the sake of this scenario, permission is granted to take anything.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  6. #6
    Developer balding_parrot's Avatar
    Join Date
    May 2007
    Posts
    3,399

    Default

    Anything on the desktop; this is somewhere people often put files as they have easy access to them there. Also, it could give clues to other software on the computer. Favorites folder. Start menu folder. As well as obvious things like registry SAM etc.

  7. #7
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote: Originally posted by theprez98
    For the sake of this scenario, permission is granted to take anything.
    Virchanza brings up an interesting point. My assumption, since it is "a box", is that this is closer to a forensic or investigative probe. Virchanza's view is somewhat broader, in that by collecting things like login passwords and wireless keys, it would imply that he sees you looking beyond this particular box.

    So the answer's somewhat dependent on the scope of the probe. Is it merely this particular box, or could it extend beyond it?
    Thorn
    Stop the TSA now! Boycott the airlines.

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    This really depends upon what you're attempting to prove. If you want to prove the box is insecure, any personal file would do.

    If you really want to embarrass the person, look for their saved webcam feeds.

    I heard rumors that years ago, when some of the first P2P file sharing programs were out, it was rather easy to do an SMB scan of certain cable segments and find those programs and then actively browse entire hard drives, and webcam saved folders were of particular interest. Of course, ICQ chats were of interest as well.

    Of course, this is all rumor.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote: Originally posted by Thorn
    So the answer's somewhat dependent on the scope of the probe. Is it merely this particular box, or could it extend beyond it?
    Quote: Originally posted by streaker69
    This really depends upon what you're attempting to prove. If you want to prove the box is insecure, any personal file would do.
    For the sake of this scenario, it's more like a black box test, no knowledge beyond what is already presented. There may be more beyond this box, or there may not be. So I guess in a narrow sense, finding as much useful data on this box is good, but also in a broader sense, finding if this box has information useful beyond itself is also good.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  10. #10
    Just burned his ISO
    Join Date
    Aug 2007
    Posts
    14

    Default

    I will first look in "Documents and Settings" to have an idea of what kind of files are there. Next I will look into Program Files, just to have a peek at what is installed. Checking the root directory will be another.
    I wonder if you can get hold of IE browsing history?
