
Post Exploitation - Local File Pilfering | Lucideus


When penetration testers compromise one machine in a target organization, they should carefully analyze that machine to determine if it contains any information that can be used to further the goals of the penetration test, demonstrating the risk to the target organization and possibly leading to compromise of other systems on the target network. Before grabbing files from a target system, however, testers must make sure that such local file and information pilfering is allowed in the Rules of Engagement for the project by checking with target system personnel.

What to Grab?

1. Password Representations
  • UNIX/Linux: /etc/passwd and /etc/shadow (or variants)
  • Windows: SAM database and cached credentials, e.g. via Meterpreter's hashdump

2. Crypto Keys
  • SSH keys for ssh clients and sshd: public and private keys
  • PGP and GnuPG keys: public and secret keyrings

The pentester may access stored SSH public and private keys for clients and servers. Similarly, the public and secret keyrings of a Pretty Good Privacy (PGP) or Gnu Privacy Guard (GnuPG) installation may prove useful. Of course, the attacker would need the victim's passphrase associated with such keys to use them. However, because many users manually synchronize the passwords for their crypto keys with their operating system password, the tester may have already determined the associated password.
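The passphrase caveat above has a defensive counterpart: an administrator can audit a host's stored SSH private keys and flag the ones that carry no passphrase at all, since those are the keys whose loss is immediately usable. The following Python is an added example, not code from the Lucideus post. It reads the new-format OpenSSH header (magic string, then cipher name; "none" means unencrypted) and the legacy PEM markers; the key texts are constructed header-only blobs, not real keys, and the file names and helper names are assumptions.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def openssh_key_cipher(key_text):
    """Return the cipher name from a new-format OpenSSH private key.

    The base64 body starts with the magic string, followed by the cipher
    name and KDF name as SSH strings; a cipher of "none" means the key is
    stored without passphrase protection.
    """
    body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def is_passphrase_protected(key_text):
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        return openssh_key_cipher(key_text) != "none"
    if "BEGIN ENCRYPTED PRIVATE KEY" in key_text:  # PKCS#8, always encrypted
        return True
    # Legacy PEM (RSA/DSA/EC) keys mark encryption with a Proc-Type header.
    return "Proc-Type: 4,ENCRYPTED" in key_text


def audit_keys(keys):
    """Map key name -> 'protected' / 'unprotected' for remediation tracking."""
    return {name: ("protected" if is_passphrase_protected(text) else "unprotected")
            for name, text in keys.items()}


def _sample_openssh_key(cipher):
    # Constructed header-only blob (not a usable key): magic, cipher, kdf, kdfoptions.
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf) + _ssh_string(b"")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode("ascii")
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples; the legacy bodies are placeholder base64, not key material.
SAMPLE_KEYS = {
    "id_ed25519_nopass": _sample_openssh_key("none"),
    "id_ed25519_pass": _sample_openssh_key("aes256-ctr"),
    "legacy_rsa_pass": ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "QUJD\n-----END RSA PRIVATE KEY-----\n"),
    "legacy_rsa_nopass": "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, status in audit_keys(SAMPLE_KEYS).items():
        print(f"{name}: {status}")
```

In practice the dictionary would be filled from each user's ~/.ssh directory and the sshd host key directory; an "unprotected" result for a user key is the finding to act on (add a passphrase or move to an agent-backed or hardware-backed key), while host keys are expected to be unprotected and should be filtered out before reporting.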

3. Windows credentials cached in Microsoft Credential Manager
  • The creddump tool from http://www.oxid.it/creddump.html can gather these

4. Windows service account passwords stored in clear text in LSA secrets section of the Registry
  • HKLM\Security\Policy\Secrets: not directly readable or parsable from an admin account;
    instead, gather this information with the free LSASecretsDump from http://www.nirsoft.net/utils
  • RSA SecurID Authentication Manager server seed files ( .asc or .xml)
  • With these files, Cain can calculate tokens' display at arbitrary points in the future

5. Additional items to snag:
  • Source code
    - Especially interesting for web servers; locally, we can analyze it for vulnerabilities
    - Look through admin or other scripts for hard-coded passwords
  • Users' left-behind password.txt files in desktop directories
  • Wireless client profiles, including pre-shared keys

More Stuff to Pilfer

1. Machines with which the compromised system has recently communicated

- Windows:
C:\> netstat -na
C:\> arp -a
C:\> ipconfig /displaydns

- Linux and UNIX:
# netstat -natu
# arp -a

2. Routing tables to find other networks that may be in scope
Linux, UNIX, and Windows:
netstat -nr

3. Clear-text passwords
  • C:\unattend.txt
  • C:\sysprep.ini [clear text]
  • C:\sysprep\sysprep.xml [Base64]
  • findstr /si password *.txt *.xml *.ini
  • reg query HKLM /s | findstr /i password > temp.txt
  • reg query HKCU /s | findstr /i password > temp.txt
  • reg query HKLM /f password /t REG_SZ /s
  • reg query HKCU /f password /t REG_SZ /s
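The same locations are worth auditing from the other side: before an image ships or after a deployment, an administrator can sweep a host for the leftover installation files and scripts listed above. The Python below is an added example, not code from the Lucideus post. It reproduces the per-line "password" search that findstr /si password performs, and in addition parses sysprep/unattend XML so that values stored as Base64 (encoding, not protection) are recovered and reported; the AutoLogon value in the sample shows a case the line search alone would miss. The sample files are constructed, the decode rule (password concatenated with the element name, UTF-16LE, Base64) is Microsoft's documented unattend scheme, and the paths and helper names are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Mirrors the page's `findstr /si password` check: one hit per matching line.
PASSWORD_RE = re.compile(r"password", re.IGNORECASE)


def find_cleartext_lines(text):
    """Return (line_number, line) for every line mentioning 'password'."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if PASSWORD_RE.search(line)]


def decode_unattend_value(b64_value, element_name):
    """Recover the password from a non-PlainText unattend <Value>.

    Assumption (Microsoft's documented unattend encoding): the value is
    base64(UTF-16LE(password + element_name)), where element_name is
    'AdministratorPassword' or 'Password'.
    """
    raw = base64.b64decode(b64_value).decode("utf-16-le")
    return raw[:-len(element_name)] if raw.endswith(element_name) else raw


def _local(tag):
    # Strip the XML namespace so matching works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def audit_unattend_xml(xml_text):
    """Return (element, recovered_password, encoding) for each password element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name not in ("AdministratorPassword", "Password"):
            continue
        value, plain = None, False
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plain = (child.text or "").strip().lower() == "true"
        if value is None:
            continue
        if plain:
            findings.append((name, value, "plaintext"))
        else:
            findings.append((name, decode_unattend_value(value, name), "base64"))
    return findings


def audit_files(files):
    """Map each path to its findings; paths with nothing to report are omitted."""
    report = {}
    for path, content in files.items():
        hits = (audit_unattend_xml(content) if path.lower().endswith(".xml")
                else find_cleartext_lines(content))
        if hits:
            report[path] = hits
    return report


# Constructed sample files (no real host data). The Base64 value is built here
# with the encoding rule above so the sample is internally consistent.
SAMPLE_B64 = base64.b64encode(
    "Winter2023!AdministratorPassword".encode("utf-16-le")).decode("ascii")

SAMPLE_FILES = {
    r"C:\sysprep.ini": "[GuiUnattended]\nAdminPassword=Winter2023!\nAutoLogon=Yes\n",
    r"C:\sysprep\sysprep.xml": (
        '<unattend xmlns="urn:schemas-microsoft-com:unattend">'
        '<settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">'
        "<UserAccounts><AdministratorPassword>"
        f"<Value>{SAMPLE_B64}</Value><PlainText>false</PlainText>"
        "</AdministratorPassword></UserAccounts>"
        "<AutoLogon><Password><Value>Hunter2</Value><PlainText>true</PlainText>"
        "</Password><Enabled>true</Enabled><Username>Administrator</Username>"
        "</AutoLogon></component></settings></unattend>"
    ),
    r"C:\admin\backup.ps1": "$server = 'fs01'\n$password = 'Backup#1'\n"
                            "net use \\\\fs01\\share /user:svc_backup $password\n",
    r"C:\admin\README.txt": "Rotate service account credentials quarterly.\n",
}

if __name__ == "__main__":
    for path, hits in audit_files(SAMPLE_FILES).items():
        print(path)
        for hit in hits:
            print("   ", hit)
```

The remediation for each finding is the same: delete the installation leftovers (Windows setup does not need unattend or sysprep answer files after the image is finalized), rotate the exposed credential, and move script credentials into a managed store.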


4. Additional system-specific information
  • DNS servers: Zone files
  • Web servers: Document root, especially local scripts
  • Mail servers: E-mail address inventory, address aliases, a sample of e-mail that tester sent to it
  • Clients: inventory of software: C:\> dir /s "C:\Program Files"
  • Many more possibilities here

On Windows, the tester could run the netstat -na command to see current TCP and UDP port usage, indicating which machines have an established TCP connection or have recently communicated with the box. The arp -a command dumps the system's ARP cache, showing the machines on the same subnet that the system has sent packets to in the last 10 minutes or so. Finally, the Windows ipconfig /displaydns command dumps the Windows DNS cache, showing recently resolved names, with a display including the remaining DNS Time-To-Live value, which gives the tester an estimate of how recently the record was resolved. On Linux and UNIX, the tester can run netstat -natu to see all TCP and UDP port usage, as well as arp -a to dump the ARP cache. Linux machines typically do not maintain an operating-system-wide DNS cache.

It also can be worthwhile to grab the routing table of a compromised target because it could reveal additional networks that we could focus on if they are in scope. On Windows, Linux, and most UNIXes, this information is available by running netstat -nr.

Additional information items that a pen tester may want to consider grabbing include the zone files of a DNS server, which include information about names, IP addresses, and other tidbits. In a web server, the tester may want to grab all files and directories under the document root. On mail servers, the tester may consider grabbing files that contain an inventory of e-mail addresses and aliases. The tester could even get a copy of an e-mail the tester sends to an example account on the server to demonstrate successful compromise of the mail server.
