Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Recall module for dumping all users Microsoft Recall DBs & screenshots #335

Open
wants to merge 20 commits into
base: main
Choose a base branch
from

Conversation

Marshall-Hallenbeck
Copy link
Collaborator

@Marshall-Hallenbeck Marshall-Hallenbeck commented Jun 6, 2024

  • Gets all users Recall folders and dumps them, then renames screenshots to include .jpg (unnecessary but helpful).
  • Parses the DB files and saves the window names and content, and then another file with window name and content separated by a comma, so you can see which application name the content was saved from.
  • Parses out the App names and paths and saves them to a file
  • Parses out the Web URIs and saves them to a file
  • You can specify to only dump specific users via USERS option
  • Can silence the spammy file download information by setting the SILENT option

I cherry-picked the download_folder functionality from #320 and then improved it due to STATUS_SHARING_VIOLATION which occurs when a file has a handle by another process open with READ|WRITE (by default we attempt to get the file with only READ).

Screenshots:
Silent run:
image
Loud run:
successful_run
Showing downloaded screenshots:
screenshots_downloaded

@Marshall-Hallenbeck Marshall-Hallenbeck added enhancement New feature or request new module labels Jun 6, 2024
@Marshall-Hallenbeck Marshall-Hallenbeck self-assigned this Jun 6, 2024
@Marshall-Hallenbeck Marshall-Hallenbeck marked this pull request as ready for review June 7, 2024 00:17
@julianwieg
Copy link

Nice one 👍

@oatzs
Copy link

oatzs commented Jun 7, 2024

kek

@bsmartt13
Copy link

bsmartt13 commented Jun 10, 2024

Pardon my ignorance, what are you showing in the screenshot exactly? Is that a DomainAdmin account (Recall) authenticating to a box on the network he runs collecting the recall databases of users on that system? Assuming I’ve understood this correctly this feels very misleading as domain admin has full control if your domain admin is spying on you (there’s better ways to do it) instead of pushing out GPO disabling recall, you’ve got bigger problems.

Edit: @Marshall-Hallenbeck just want to be clear, netexec is a clutch util that I love. Maybe a recall feature is apt here. I’ve just been skeptical about the risks posed by recall which led me to your screenshots being passed around on twitter with some ridiculous claims attached. That’s why I ask.

@Marshall-Hallenbeck
Copy link
Collaborator Author

@bsmartt13 In this instance it's just a standalone VM in Azure, so no domain. It's a local admin to the box, but being an admin isn't even necessary apparently, since you can icacls the folder and have access (see TotalRecall code for that).

This may be irrelevant now that Microsoft has announced some new updates, but we'll have to see how it works in practice.

Signed-off-by: Marshall Hallenbeck <[email protected]>
@HumzAhme
Copy link

@Marshall-Hallenbeck netexec is a clutch util and a recall feature

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants