I apologize to those in my talk (and throughout the rest of the cons last week) that asked about availability of the tools I describe in my talk. I stated that they should’ve been in the Metasploit trunk on the day of my Black Hat USA talk this past Wednesday, backed by assurances from Rapid7 that it would be there. Apparently I was talking to someone at Rapid7 that was unable to make those assurances, so it looks like I’ll be starting over the process of getting it available in the main distribution today. Edit: It’s in now. If you svn update metasploit, enum_drives and imager will be in “modules/post/windows/gather” and nbd_server will be in “modules/post/windows/manage”.
In the meantime, you can drop the following files into your own copy of Metasploit to use the tools introduced in my talk today:
- enum_drives.rb – Enumerates physical disks and logical volumes for use in the other two modules
- imager.rb – Images physical/logical drives over a meterpreter shell. Options are similar to those that forensics folk use in dd
- nbd_server.rb – Maps a remote physical/logical drive to a local network block device server. You can then mount and/or use any forensics tools you’d like on it.
Also, here are the final slides as I presented them, and the whitepaper that I originally submitted with my talk proposal:
Video of both the Black Hat USA and DefCon versions of the talk will be available at some point.
Great ! Now this calls for some serious lab-time !
After svn update in bt5, executing “run modules/post/windows/gather/enum_drives.rb” on meterpreter does not show any output. Anybody successfully tested this?
I’ll give this a shot on my test VMs when I get back home today, or earlier if I get the time to set it up here today.
the path for the enum_drives module is post/windows/gather/forensics/enum_drives
executing “run modules/post/windows/gather/enum_drives.rb(imager, listdevices)” on meterpreter does not show any output why?..syntax error…..