Re: Content filesystem scan

From: Peter Parker (peterparker@fastmail.fm)
Date: Mon Feb 19 2007 - 11:20:30 EST


Hi,

Dont know what would be a better solution on a TB filesystem.. but few
pointers that you may consider.

1. Get the filesystem listing dumped using # find / -type f -perm -x
-size -xxxxxc -ls > fslist.txt (this should be very quick and fast)
2. Parse the file so that you have only the file pathname
3. Then you may consider something like
 # for var in `cat fslist.txt`
    do
        grep -l -f patterns.txt $var >> patternfound.txt
    done

hth,

On Thu, 15 Feb 2007 12:33:27 -0500, dfullerton@mantor.org said:
> Hi guys,
>
> I'm about to begin a penetration test on a pretty big distributed file
> system (Terabytes) and would like to known if any of you have some advice
> on how to scan for script variable named "pass, password, passwd, key,
> passphrase" or like. A lot of scripts reside on the file system so I
> guess will be able to find some of them with open ACL'™s and sensible
> information like user/password.
>
> Presently I'm using this command to generate a listing of all accessible
> file with a brief content description: "find /bigfs -type f -size
> -100000c -exec /pathto/file -m /pathto/magic {} \; 2> /dev/null >
> ~/scan_bigfs.list". From there I've populated a database (~460K entries)
> to filter out stuff like trusted image, bin, lib, doc, include, conf.
> Then, I guess manipulating different type of file with different handler
> would be the way to go.
>
> type:ASCII = grep;
> type:Unicode = strings, grep;
> type:bin = strings, grep;
> type:tar/gz/other = untar/gunzip,scan again.
>
> Any comments will be appreciated.
>
> Thanks,
>
> Danny Fullerton
> ---------------
> IT Security Specialist, GCIH GHTQ
> http://www.mantor.org/~northox
> Mantor Organization
>
> ___________________________________
> NOCC, http://nocc.sourceforge.net
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>

-- 
  peter
  peterparker@fastmail.fm
-- 
http://www.fastmail.fm - Does exactly what it says on the tin
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:35 EDT