RE: Content filesystem scan

From: Jeremiah Brott (jeremiah@access2networks.com)
Date: Sun Feb 18 2007 - 21:55:58 EST

• Next message: jezzzz .: "What protocol to choose for a new fuzzer?"
• Previous message: Sels, Roger: "Re: Expresscard/54 vs PCMCIA: WiFi"
• In reply to: dfullerton@mantor.org: "Content filesystem scan"
• Next in thread: Peter Parker: "Re: Content filesystem scan"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Danny,

Another great tool to use in this process would be foremost.
This tool will allow you to search for files based on the header,
footer & internal data structures. You can use this tool directly on
the file system, or work with images generated by dd, Encase & Safe Back.

Good Luck.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of dfullerton@mantor.org
Sent: Thursday, February 15, 2007 12:33 PM
To: pen-test@securityfocus.com
Subject: Content filesystem scan

Hi guys,

I'm about to begin a penetration test on a pretty big distributed file
system (Terabytes) and would like to known if any of you have some advice on
how to scan for script variable named "pass, password, passwd, key,
passphrase" or like. A lot of scripts reside on the file system so I guess
will be able to find some of them with open ACL'™s and sensible information
like user/password.

Presently I'm using this command to generate a listing of all accessible
file with a brief content description: "find /bigfs -type f -size -100000c
-exec /pathto/file -m /pathto/magic {} \; 2> /dev/null > ~/scan_bigfs.list".
>From there I've populated a database (~460K entries) to filter out stuff
like trusted image, bin, lib, doc, include, conf. Then, I guess manipulating
different type of file with different handler would be the way to go.

type:ASCII = grep;
type:Unicode = strings, grep;
type:bin = strings, grep;
type:tar/gz/other = untar/gunzip,scan again.

Any comments will be appreciated.

Thanks,

Danny Fullerton
---------------
IT Security Specialist, GCIH GHTQ
http://www.mantor.org/~northox
Mantor Organization

___________________________________
NOCC, http://nocc.sourceforge.net

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=70160000
0008bOW
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: jezzzz .: "What protocol to choose for a new fuzzer?"
• Previous message: Sels, Roger: "Re: Expresscard/54 vs PCMCIA: WiFi"
• In reply to: dfullerton@mantor.org: "Content filesystem scan"
• Next in thread: Peter Parker: "Re: Content filesystem scan"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:35 EDT