Logs
Because documentation is so important during a penetration test, the Intersect framework implements a logging system that works both on your local system and on the target system when executing custom scripts.
Private information, such as passwords and private keys, is not saved to any log file whatsoever. Even so, it is still a good idea to encrypt any data you transmit from the target system back to your local machine.
When you build an Intersect script using the Create application, the information you enter is gathered in the ‘build_log’ file located in the Logs directory. The information gathered includes which modules you added to your script, the global variables you set (port numbers, listener IP addresses, etc.) and the name you saved your script as.
These log files help you keep track of which settings and modules you chose for each script and which host each script was built for, and they also record any errors you encountered during the Create process.
Down the line, the framework will include a Reports application that reads and parses both local Create logs and Intersect script logs to generate an HTML report file. The HTML report will contain information on which modules were executed against which target hosts, what information was gathered, and so on.
Below is a sample ‘build_log’ file.
[ New Build Process Started ]
4-9-2012 @ 23:57 archive added to queue
4-9-2012 @ 23:57 creds added to queue
4-9-2012 @ 23:57 extras added to queue
4-9-2012 @ 23:57 network added to queue
4-9-2012 @ 23:57 scrub added to queue
4-9-2012 @ 23:57 egressbuster added to queue
4-9-2012 @ 23:57 persistent added to queue
4-9-2012 @ 23:57 [Error] User selected invalid script name.
4-9-2012 @ 23:57 User renamed script as: /home/ohdae/Git/Intersect-2.5/Scripts/Logtest.py
4-9-2012 @ 23:57 Task logging ENABLED
4-9-2012 @ 23:57 PORT: 4444
4-9-2012 @ 23:57 RHOST: 192.168.1.4
4-9-2012 @ 23:57 RPORT: 4444
4-9-2012 @ 23:57 PPORT: 8080
4-9-2012 @ 23:57 Building Script with:
['archive', 'creds', 'extras', 'network', 'scrub', 'egressbuster', 'persistent']
4-9-2012 @ 23:57 Script saved to: /home/ohdae/Git/Intersect-2.5/Scripts/Logtest.py
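To show how a build_log like the one above can be consumed by a reporting tool (the kind of parsing the planned Reports application would do), here is an added Python parser. It is not part of Intersect; it assumes only the entry layout visible in the sample, treats the date as month-day-year, and embeds a constructed copy of the sample as its input.

```python
import ast
import re
from datetime import datetime

# Constructed sample, taken from the build_log excerpt on this page (embedded so it runs offline).
SAMPLE_BUILD_LOG = """[ New Build Process Started ]
4-9-2012 @ 23:57 archive added to queue
4-9-2012 @ 23:57 creds added to queue
4-9-2012 @ 23:57 [Error] User selected invalid script name.
4-9-2012 @ 23:57 PORT: 4444
4-9-2012 @ 23:57 RHOST: 192.168.1.4
4-9-2012 @ 23:57 Building Script with:
['archive', 'creds']
4-9-2012 @ 23:57 Script saved to: /home/ohdae/Git/Intersect-2.5/Scripts/Logtest.py
"""
# Entries look like "M-D-YYYY @ H:MM message" (month-day-year is an assumption); the module
# list after "Building Script with:" is a Python list literal on its own line, with no timestamp.
ENTRY_RE = re.compile(r"^(\d{1,2}-\d{1,2}-\d{4} @ \d{1,2}:\d{2}) (.*)$")
SETTING_RE = re.compile(r"^([A-Z]+): (\S+)$")

def parse_build_log(text):
    """Return one dict per '[ New Build Process Started ]' block found in a build_log."""
    builds, cur, expect_modules = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "[ New Build Process Started ]":
            cur = {"started": None, "queued": [], "settings": {}, "errors": [], "built_with": [], "saved_to": None}
            builds.append(cur)
        elif cur is None or not line:
            continue
        elif expect_modules:  # the list literal that follows "Building Script with:"
            cur["built_with"], expect_modules = ast.literal_eval(line), False
        elif (m := ENTRY_RE.match(line)):
            stamp, msg = m.groups()
            cur["started"] = cur["started"] or datetime.strptime(stamp, "%m-%d-%Y @ %H:%M")
            if msg.endswith(" added to queue"):
                cur["queued"].append(msg[: -len(" added to queue")])
            elif msg.startswith("[Error] "):
                cur["errors"].append(msg[len("[Error] "):])
            elif msg == "Building Script with:":
                expect_modules = True
            elif msg.startswith("Script saved to: "):
                cur["saved_to"] = msg[len("Script saved to: "):]
            elif (s := SETTING_RE.match(msg)):
                cur["settings"][s.group(1)] = s.group(2)
    return builds

def queue_mismatch(build):
    """Modules queued but missing from the final build list, or vice versa (empty when consistent)."""
    return sorted(set(build["queued"]) ^ set(build["built_with"]))
```

Running `queue_mismatch` over each parsed build is a quick consistency check that every module you queued actually made it into the saved script.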
When Intersect’s session directory is created, a file called ‘ActivityLog’ is placed in the directory. ActivityLog records which modules are executed and what tasks those modules perform. If no tasks or modules are executed, the session directory and the ActivityLog file are both removed. ActivityLog has a separate sub-section for each module you run through your Intersect script. Again, no passwords, clear-text or otherwise, are saved to the log file; it records which files were collected and where they were copied, not their contents.
This log file can be very useful when you write a report, document which actions your Intersect script performed, analyze the gathered data or locate any problems that occurred while running Intersect scripts.
Below is a sample of an ‘ActivityLog’ file.
Intersect Framework
Custom script activity log
Start Time: 4-10-2012 @ 1:42
[ Network Module ]
Temporary directory [ network ] created
nstat.txt contents added to: Connections.txt
lsof.txt contents added to: Connections.txt
IPTables information saved.
IPAddresses.txt contents added to: NetworkInfo.txt
hostname.txt contents added to: NetworkInfo.txt
ifconfig.txt contents added to: NetworkInfo.txt
/etc/hosts.deny copied to: /root/collect/network
/etc/hosts.allow copied to: /root/collect/network
/etc/host.conf copied to: /root/collect/network
/etc/resolv.conf copied to: /root/collect/network
[ Credentials Module ]
Temporary directory [ credentials ] created
User list required for module
passwd, shadow, lastlog and mail aliases collected.
ssh_locations.txt contents added to: SSH_Locations.txt
ssh_contents.txt contents added to: SSH_Locations.txt
/etc/sudoers copied to: /root/collect/credentials
/etc/ssh/sshd_config copied to: /root/collect/credentials
/root/.ssh/id_rsa copied to: /root/collect/credentials
/root/.ssh/id_rsa.pub copied to: /root/collect/credentials
/root/.ssh/known_hosts copied to: /root/collect/credentials
/etc/gshadow copied to: /root/collect/credentials
/etc/ca-certificates.conf copied to: /root/collect/credentials
/etc/passwd copied to: /root/collect/credentials