
Links between forensics and pen tests

http://pauldotcom.com/2010/02/last-year-on-the-show.html

Figure 1: strings output of a Linux VM's memory image. The highlighted "forensics" happens to be the root password.

Let's say you're a penetration tester (or an Amortized Perennial Threat as Shawn Moyer says he is) and you're working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).

What is the best way to locate these documents? You could manually walk the usual directories where people keep documents, read the listings and copy down whatever looks interesting. But that is labor-intensive, and you will miss things if the user has tucked important files away in odd locations.

If only there were a place on the file system that recorded which files had been opened on the system and mapped each one back to its original location, even when the file lived on a network share or removable media. Fortunately for us there is, and in fact there are two well-known ones.

Windows shortcut files, the .lnk or "link" files, are created automatically by Windows to drive the "Recent" documents feature of modern Windows versions. Each one stores the target's full path (a drive-letter path for local and removable volumes, a UNC path for network shares) along with the target's size and timestamps, and the shortcut stays behind even after the target is deleted or moved. For Windows XP the default location is Documents and Settings\<username>\Recent, with Microsoft Office keeping its own list in Documents and Settings\<username>\Application Data\Microsoft\Office\Recent\. Vista and later moved these to Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and Users\<username>\AppData\Roaming\Microsoft\Office\Recent\. Other applications may keep similar lists in locations of their own.
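To make that mapping concrete, here is an added example in Python. It is not the dumplinks script from the post and not any other tool's code: a minimal parser for the MS-SHLLINK .lnk format that recovers the target path from the LinkInfo structure (local-volume and network-share forms), pulls the target's size and timestamps from the header, reads the StringData fields, and walks the Recent folders named above under one user profile. The sample .lnk files, the server and file names and the timestamp are constructed in the code as test data; nothing here was recovered from a real system.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a walker for the per-user 'Recent' folders.
Added example, not the post's dumplinks script. Sample links are constructed inline."""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)            # FILETIME epoch, 100 ns units
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    0x1, 0x2, 0x4, 0x8, 0x10, 0x20, 0x40, 0x80)                  # header LinkFlags
LI_LOCAL, LI_NETWORK = 0x1, 0x2                                  # LinkInfoFlags
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
RECENT_DIRS = (("Recent",), ("Application Data", "Microsoft", "Office", "Recent"),          # XP
               ("AppData", "Roaming", "Microsoft", "Windows", "Recent"),                  # Vista+
               ("AppData", "Roaming", "Microsoft", "Office", "Recent"))


def filetime_to_dt(ft):
    return FT_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10


def _cstr(buf, off):  # NUL-terminated single-byte string at offset
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return the target path, the target's size/timestamps and the StringData of one .lnk."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    pos = 76
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte size then ItemIDs; not decoded here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINKINFO:  # offsets inside LinkInfo are relative to its start
        li_size, _hdr, li_flags, _vol, base_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        suffix = _cstr(data, pos + suffix_off)
        if li_flags & LI_LOCAL:      # local volume: LocalBasePath + CommonPathSuffix
            target = _cstr(data, pos + base_off) + suffix
        elif li_flags & LI_NETWORK:  # share: CommonNetworkRelativeLink.NetName + "\" + CommonPathSuffix
            cnrl = pos + cnrl_off
            target = _cstr(data, cnrl + struct.unpack_from("<I", data, cnrl + 8)[0]) + "\\" + suffix
        pos += li_size
    info = {"target": target, "size": fsize, "attributes": attrs, "created": filetime_to_dt(ctime),
            "accessed": filetime_to_dt(atime), "modified": filetime_to_dt(wtime)}
    for bit, key in STRING_FIELDS:  # StringData: 2-byte char count, then chars (UTF-16LE if IsUnicode)
        if flags & bit:
            n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return info


def build_lnk(target, modified, size):
    """Constructed test data only: a .lnk pointing at a local path or a \\\\server\\share\\... path."""
    ft = dt_to_filetime(modified)
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LNK_CLSID, HAS_LINKINFO | HAS_RELPATH | IS_UNICODE,
                         0x20, ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    if target.startswith("\\\\"):  # \\server\share\dir\file -> NetName \\server\share, suffix dir\file
        parts = target[2:].split("\\", 2)
        net = ("\\\\" + parts[0] + "\\" + parts[1]).encode("cp1252") + b"\x00"
        suffix = (parts[2] if len(parts) > 2 else "").encode("cp1252") + b"\x00"
        body = struct.pack("<5I", 20 + len(net), 0, 20, 0, 0x20000) + net  # NetNameOffset = 0x14
        li_flags, vol_off, base_off, cnrl_off = LI_NETWORK, 0, 0, 28
    else:
        vol = struct.pack("<4I", 17, 3, 0xDEADBEEF, 16) + b"\x00"  # VolumeID: fixed drive, empty label
        body, suffix = vol + target.encode("cp1252") + b"\x00", b"\x00"
        li_flags, vol_off, base_off, cnrl_off = LI_LOCAL, 28, 28 + len(vol), 0
    link_info = struct.pack("<7I", 28 + len(body) + len(suffix), 28, li_flags, vol_off, base_off,
                            cnrl_off, 28 + len(body)) + body + suffix
    rel = os.path.basename(target.replace("\\", "/")).encode("utf-16-le")  # simplified RELATIVE_PATH
    return header + link_info + struct.pack("<H", len(rel) // 2) + rel


def dump_links(profile_dir):
    """Parse every .lnk in the Recent folders under one user profile; returns [(relative name, info)]."""
    found = []
    for parts in RECENT_DIRS:
        d = os.path.join(profile_dir, *parts)
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else ():
            if name.lower().endswith(".lnk"):
                with open(os.path.join(d, name), "rb") as fh:
                    try:
                        found.append((os.path.join(*parts, name), parse_lnk(fh.read())))
                    except ValueError:
                        pass  # not a shell link; skip it
    return found


SAMPLE_MTIME = datetime(2010, 2, 14, 9, 30, tzinfo=timezone.utc)
SAMPLES = {  # constructed: hypothetical share, paths and sizes
    ("AppData", "Roaming", "Microsoft", "Office", "Recent", "bid-contract.docx.LNK"):
        ("\\\\fileserver\\finance\\bids\\bid-contract.docx", 48213),
    ("AppData", "Roaming", "Microsoft", "Windows", "Recent", "remediation.xlsx.lnk"):
        ("E:\\tracking\\remediation.xlsx", 19044),
}


def demo():
    """Write the constructed samples into a throwaway profile tree and dump them."""
    with tempfile.TemporaryDirectory() as profile:
        for parts, (target, size) in SAMPLES.items():
            path = os.path.join(profile, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(build_lnk(target, SAMPLE_MTIME, size))
        return dump_links(profile)


if __name__ == "__main__":
    for name, info in demo():
        print(f"{name}\n  -> {info['target']}  ({info['size']} bytes, modified {info['modified']:%Y-%m-%d %H:%M})")
```

The target path is assembled exactly as the format defines it: LocalBasePath plus CommonPathSuffix for a local volume, NetName plus a backslash plus CommonPathSuffix for a share, which is why a link to a document on a file server or a USB stick still hands you the original location. The header also carries the target's size and creation/access/write times as of the last time the shortcut was written, and the shortcut outlives the target, so a Recent folder will happily point you at a file that has since been deleted or moved. The LinkTargetIDList (which can hold a second copy of the path) and the ExtraData blocks are skipped here; a full tool such as dumplinks decodes those too.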

Enough drivel, here are a couple of screenshots:

Figure 2: dumplinks help screen

And one of the script in action, dumping to the console:

Figure 3: dumplinks sending everything to the console

Of course there are other tools and techniques that cross-over from forensics to penetration testing. I will be back with another, as soon as I can find the time. For now, enjoy the dumplinks.
