
Scavenger: Post-Exploitation Tool for Collecting Vital Data

‘Scavenger’ - definition [noun]: a person who searches for and collects discarded items.

In the context of cybersecurity, I have developed Scavenger, a multi-threaded post-exploitation scanning tool for mapping systems and finding "interesting" and most frequently used files and folders. Once credentials are gained, it can scan remote systems (*nix, Windows, and OSX) via SMB and SSH services to scrape each system looking for interesting things and then cache the result.


Problem Definition:
Scavenger addresses a problem that penetration testing consultants typically face during internal penetration tests: having too much access to too many systems with limited days for testing.

During internal penetration tests, the penetration testing consultant will often obtain Domain Administrative (DA) level access to the Windows Active Directory domain. In a nutshell, this is the “keys to the kingdom”: full control of everything connected to that Windows Active Directory domain. The penetration tester has seemingly achieved ultimate success, equating to full access to all systems. However, their job is far from complete (we at SpiderLabs are very thorough), and depending on the length of the engagement, it has most likely just begun.

Let’s say, for example, an engagement runs for a week, starting Monday and ending Friday, and the penetration tester obtains privileged access on the first day. This means he/she would start searching for and categorizing sensitive information almost immediately. Even with a solid four days left in the engagement, you can imagine how massive this undertaking is with access to every Windows workstation and server that is part of that particular Windows Active Directory. The extent of access can easily total hundreds or even thousands of systems, making the task of wading through mountains of files to find useful pieces of information extremely difficult.

This is where Scavenger can make a tremendous impact on both the speed and efficiency of the penetration test. Sensitive information can take many forms depending on what is being sought, but in the case of a penetration tester, it usually revolves around passwords and usernames for other systems or even different Windows domains. Scavenger proactively seeks out and scrapes this type of information.


Password files can be found in various places, but in most cases the penetration tester won’t know how relevant they are or, in the case of old files, whether they are relevant at all.

Scavenger can help with this problem: in a post-exploitation scenario, it can obtain a list of the “latest” accessed/modified/created files and folders and keep (cache) these results in an ordered database.



While looking for potentially useful files and folders, Scavenger also scans the filenames for various interesting phrases, for example "password" or "secret." Once such a phrase is detected, Scavenger downloads the flagged file to the local system.


Trustwave’s SpiderLabs conducts numerous PCI and other regulation-related penetration tests; thus, in the PCI scenario, the penetration testers are most likely trying to find Card Holder Data. Scavenger is set up to proactively search for Card Holder Data in all the folders it finds. Scavenger will then automatically extract and download these files, expediting the entire process significantly.
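The filename and Card Holder Data checks described above are just as useful when a defender runs them over their own shares ahead of a test. The following is an added example, not Scavenger's code: a local-only Python audit that flags the article's two keywords in filenames and Luhn-valid card numbers in file content. The function names, the regex and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Phrases named in the article; extend for your own environment.
NAME_KEYWORDS = ("password", "secret")
# 13-19 digits, each optionally followed by one space or hyphen.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Return one finding per file with a risky name or PAN-like content."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = [f"name:{k}" for k in NAME_KEYWORDS if k in name.lower()]
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                data = b""  # unreadable: still report a name match
            for m in PAN_RE.finditer(data):
                digits = re.sub(rb"\D", b"", m.group()).decode()
                if luhn_ok(digits):  # masked: never log a full PAN
                    reasons.append(f"pan:{digits[:6]}******{digits[-4:]}")
            if reasons:
                findings.append({"path": os.path.relpath(path, root), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])

def demo() -> list:
    """Constructed sample tree; 4111111111111111 is a widely used test number."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"passwords_old.txt": b"n/a", "notes.txt": b"ticket 1234567890123456",
                   "orders.csv": b"id,card\n1,4111 1111 1111 1111\n"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The 16-digit ticket number in `notes.txt` is ignored because it fails the Luhn check, which is what keeps a digit-pattern search from drowning in false positives.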


In addition, Scavenger has the ability to compare and contrast the cached list of files and folders previously obtained with a newly scanned list acquired after an arbitrary period of time (hours or days). Coming back to our example where we obtained Domain Admin level access on the initial day of the penetration test, the penetration tester can then wait several days and use Scavenger to re-scan and compare the previous “new” list of files found to the latest list of files.

This gives the penetration tester the ability to quickly determine what changed in that time period, for instance whether new files have been created and/or old files have been accessed or modified in any way. For example, if the penetration tester sees an administrator frequently accessing certain password or credit card database files, it’s a sure bet that what’s in those files is invaluable and can be leveraged for further penetration testing.
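The cache-and-compare idea above also works as a defender's check on which sensitive files are being created, rewritten or read between two points in time. The following is an added example, not Scavenger's code: a local Python script that stores two scans in SQLite and classifies each file as created, deleted, modified or only accessed. The table layout, function names and sample files are assumptions constructed for illustration.

```python
import os
import sqlite3
import tempfile

def snapshot(db, root, scan_id):
    """Cache path, size and timestamps of every file under root."""
    db.execute("CREATE TABLE IF NOT EXISTS files(scan, path, size, mtime, atime)")
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            row = (scan_id, os.path.relpath(full, root), st.st_size, st.st_mtime_ns, st.st_atime_ns)
            db.execute("INSERT INTO files VALUES (?,?,?,?,?)", row)

def compare(db, old, new):
    """Classify paths between two scans; 'accessed' means only atime moved."""
    def rows(scan):
        cur = db.execute("SELECT path, size, mtime, atime FROM files WHERE scan=?", (scan,))
        return {path: (size, mtime, atime) for path, size, mtime, atime in cur}
    before, after = rows(old), rows(new)
    both = before.keys() & after.keys()
    changed = {p for p in both if before[p][:2] != after[p][:2]}  # size or mtime differs
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(changed),
        "accessed": sorted(p for p in both - changed if before[p][2] != after[p][2]),
    }

def demo():
    """Constructed files with pinned timestamps, scanned twice."""
    def put(root, name, body, atime, mtime):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (atime, mtime))  # pin times so the result is deterministic
    db = sqlite3.connect(":memory:")
    with tempfile.TemporaryDirectory() as root:
        for name in ("creds.txt", "cards.db", "old.log"):
            put(root, name, "v1", 1_000, 1_000)
        snapshot(db, root, 1)
        put(root, "creds.txt", "v2-longer", 2_000, 2_000)         # rewritten
        os.utime(os.path.join(root, "cards.db"), (2_000, 1_000))  # read, not written
        os.remove(os.path.join(root, "old.log"))
        put(root, "new.txt", "v1", 2_000, 2_000)
        snapshot(db, root, 2)
    return compare(db, 1, 2)

if __name__ == "__main__":
    print(demo())
```

Access times are only as reliable as the filesystem settings: on volumes mounted with `noatime` or `relatime`, or with last-access updates disabled on NTFS, a read may not move atime, so an empty "accessed" list is not proof that nothing was read.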



Scavenger can also extract password hashes from the local SAM file or the Active Directory database (ntds.dit). When password hashes are obtained, they can be cracked offline using a brute-force attack.


Furthermore, Scavenger also detects saved passwords in some applications, for example passwords that are saved in Chrome and in other applications like WinSCP.


Future work:
Future features of Scavenger will include the addition of services like NFS, FTP and database connections, as well as more capabilities for retrieving passwords from remote Linux or Windows systems without touching the disk of the remote system. Scavenger will also be able to handle SSH services running on a non-standard TCP port, with the user supplying the TCP port number of each service in the IP address list. In addition, Scavenger will be configured to use more post-exploitation techniques on remote Windows and Linux systems.

You can find more information and download Scavenger on the Trustwave SpiderLabs GitHub page at



