Forum Thread: How Would I Download Files from a Compromised Windows System

So I've compromised a Windows 7 system (system priv and all) and would like to download files directly from his computer to mine. Is it possible to write a script that would search his computer for any files titled sales and download them? I couldn't find anything in the ultimate list of meterpreter scripts. Google searches have led me to find veil-pillage's Remote Desktop tool as a possible option, but there has to be a more discreet way. Thanks in advance.

10 Responses

You could script netcat, but downloading multiple files would be complicated.
SSH is not a reliable way in this case.
I searched for some meterpreter scripting.
http://www.offensive-security.com/metasploit-unleashed/Custom_Scripting

Basically you could write a Ruby script to locate all the "sales" files and then download them with meterpreter.

Searching deeper I found another solution:
You can download files with meterpreter with the syntax:
meterpreter> download WINDOWSPATH LINUXPATH (in case you are using Kali)
But there's more!
You can create a list of files to download.

NOTE: I've never done this before, so I don't know if it actually works; people with more knowledge may confirm, thank you.

If you know the extension of the sales files, this will be easier.
To create the list, run the file collector script with this syntax (once you have the meterpreter shell):

Where -d means directory, use -r if you want to search in sub-folders, use -f if you want to search for specific extensions (-r -f anyfile.txt -o etc...); that fits perfectly if you know the file type and if it is different from common ones.

Where WDP is the path of the directory, so if you know where the sales files are, just write down the complete path; if you don't, generally go with "C:\\".

Where LDP (for example /root/filelist.txt) is the path you want the file list to be written to (-o) on your Linux machine (in case you are using Kali).

Now that you have a list of files, you can start downloading them:

So if you want to search for files that have "sales" in the name, I guess you could make the WDP something like this; however, I'm not 100% sure this will work, waiting for confirmation:

If you want more on meterpreter scripting, there's "Metasploit Unleashed", a free online "course" on Metasploit.
But before trying this, you should wait for confirmation; however, there's documentation online.

EDIT: found this article that explains it more easily, I hope this is not spam: http://www.vidsploit.com/meterpreter/search-for-interesting-files/

Q: Is there a way to write the "anything symbol" in these posts?

To answer your question, any special formatting characters can simply be typed twice if you want them to show up in your comments. So if you want to type an asterisk (*), just type it twice in a row ("**") and it will appear as a single asterisk once you submit your comment. The same goes for underscores and square brackets.

@Bryan: That's great, any way to get code (box) formatting in the text editor? I would love to make more technical guides on exploits, plus it would look cooler.

@CIUFFY: I like that detail.

@Alex: You can search SourceForge for pillage modules for MSF if you have to. Good luck. Got System?

In this case I had SYSTEM because I had admin rights, but what do you do if you have a Meterpreter shell with user rights on a patched system? I'm attacking a Windows 7 SP1 machine, so I used KiTrap0D and schelevator, but they aren't working. Are there any ways to get the hashes as user, or are there modern exploits I'm missing? I found a tutorial on fuzzysecurity.com that explains priv escalation and am wondering if there are any easier ways than going through all those steps.

Another question: why would non-server Windows systems ever be unpatched? Don't all Windows systems update without asking you whenever Microsoft rolls out an update? I'd understand if people torrented Windows on a large scale, but most have legitimate copies of it, and as far as I know you can't opt out of updates.

Greetings, let me answer in reverse.

  • "I know you can't opt-out of updates." Yes you can.
  • "I'd understand if people torrented windows on a large scale but most have legitimate copies of it" I don't know anyone with a legit copy of windows anything ever. No wait , I got windows 95 free on disc with a 4 GB HDD I bought back in the day..
  • "Don't all windows systems update without asking you whenever Microsoft rolls out an update?" No. They don't --> \Windows Update\Change settings >Important updates> "Check for updates BUT let me choose whether to download and install them"
  • "Why would non-server windows systems ever be unpatched?" That could a few different things. Could be most likely the above answer. Could be they need the updated windows update user agent. Could also be a honeypot. Could be a VM.. You did have msf check for VM. Yes?
  • Privesc Has no easy road for the weary. You need to go through the steps. I have not read that guide but I am pretty sure it probably says how to dump hashes when pilfering the system. But if you have admin you can dump hashes now?!. You need a better back door than what you are thinking anyway.
  • When I asked "Got System?" We meant "NT AUTHORITY\SYSTEM" Not Admin.

exit

I got NT AUTHORITY\SYSTEM earlier, but I can only do it from admin privilege; I get stuck unable to get SYSTEM when I start with user. The question you're responding to doesn't have much to do with the original one; they were just additional questions I had that I felt didn't warrant a new thread.

Could be a VM.. You did have msf check for VM. Yes?

I'm targeting a laptop right beside me. Sorry for not mentioning that. I didn't know just how many people torrented Windows, though. Thanks for the info.

Alex:

Just a comment about updating. Many commercial entities disable updating on their production systems because they don't want the system offline. In addition, updates will often "break" a system, and many firms delay updates until they can test them in an offline environment. As a result, MANY systems don't get updated.

OTW

*Thank you!*

@CyberHitchHiker: Yeah I do. I'll be sure to check around for good pillage modules, as I assumed any good modules came with MSF.

@CIUFFY: Thanks a lot! I'll be sure to report back the results when I get back to my computer.

Alex:

Meterpreter has an upload and download function for moving files. In addition, consider FTP and TFTP, as well as netcat and hping, for moving files.

OTW
