Scavenger: Post-Exploitation Tool for Collecting Vital Data

‘Scavenger’ - definition [noun]: a person who searches for and collects discarded items.

In the context of cybersecurity, I have developed Scavenger, a multi-threaded post-exploitation scanning tool for mapping systems and finding "interesting" and most frequently used files and folders. Once credentials have been obtained, it scans remote systems (*nix, Windows and macOS) over SMB and SSH, scrapes each system for interesting content, and caches the results.

Problem Definition:
Scavenger addresses a problem penetration testing consultants typically face during internal penetration tests: having too much access to too many systems, and too few days in which to make use of it.

During internal penetration tests, the consultant will often obtain Domain Administrator (DA) level access to the Windows Active Directory domain. In a nutshell, these are the "keys to the kingdom": full control of every system joined to that domain. The penetration tester has seemingly achieved ultimate success, equating to full access to all systems; however, the job is far from complete (we at SpiderLabs are very thorough) and, depending on the length of the engagement, it has most likely just begun.

Say, for example, an engagement runs for a week, Monday to Friday, and the penetration tester obtains privileged access on the first day. He or she would start searching for and categorizing sensitive information almost immediately. Even with a solid four days left in the engagement, you can imagine how massive this undertaking is when the access covers every Windows workstation and server in that Active Directory domain. The scope can easily total hundreds or even thousands of systems, which makes wading through mountains of files to find useful pieces of information extremely difficult.

This is where Scavenger can make a tremendous difference to both the speed and the efficiency of the penetration test. Sensitive information takes many forms depending on what is being sought, but for a penetration tester it usually comes down to usernames and passwords for other systems, or even for other Windows domains. Scavenger proactively seeks out and scrapes this type of information.

Password files can be found in many places, but in most cases the penetration tester cannot tell how relevant they are or, in the case of old files, whether they are relevant at all.

Scavenger helps with this problem: in a post-exploitation scenario it retrieves the most recently accessed, modified and created files and folders on each system and keeps (caches) these results in a database ordered by those timestamps.

While collecting potentially useful files and folders, Scavenger also checks each filename for interesting phrases such as "password" or "secret". Any file whose name matches is downloaded to the local system.

Trustwave SpiderLabs conducts numerous PCI DSS and other compliance-driven penetration tests; in the PCI scenario the penetration tester is most likely trying to find cardholder data. Scavenger is set up to proactively search for cardholder data in every folder it finds, and it automatically extracts and downloads the matching files, which speeds up the entire process significantly.

In addition, Scavenger can compare the cached list of files and folders from an earlier scan with a fresh list acquired any time later (hours or days). Returning to our example, where Domain Admin access was obtained on the first day of the penetration test, the tester can wait several days, re-scan with Scavenger, and compare the earlier list of "new" files with the latest one.

This lets the penetration tester quickly determine what changed in that period: whether new files were created and whether old files were accessed or modified. For example, if an administrator is seen accessing a particular password store or card database file frequently, its contents are very likely to be valuable and can be leveraged for further testing.
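
The caching, filename flagging and re-scan comparison described in the last few paragraphs are shown together below as an added example; it is not Scavenger's code. Scavenger does this over SMB and SSH against remote hosts; here the "host" is a local directory with constructed timestamps so the example runs offline. The SQLite schema, the keyword list and the sample tree are assumptions made for the example.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Filename keywords worth flagging (assumed list for this example, not the tool's own).
INTERESTING = re.compile(r"pass(word|wd)?|secret|credential|\.kdbx$|id_rsa$|\.pem$|\.ppk$", re.I)

# One row per (snapshot, path). ctime is inode-change time on *nix, creation time on Windows.
SCHEMA = """CREATE TABLE IF NOT EXISTS files (
    snapshot TEXT, path TEXT, size INTEGER, atime REAL, mtime REAL, ctime REAL,
    flagged INTEGER, PRIMARY KEY (snapshot, path))"""


def open_db(path=":memory:"):
    """Open (or create) the cache database; in-memory by default for the demo."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def snapshot(conn, root, label):
    """Walk root and cache one row per file under the given snapshot label."""
    root = Path(root)
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            try:
                st = p.stat()
            except OSError:
                continue  # vanished or unreadable; a real scan would log this
            rows.append((label, p.relative_to(root).as_posix(), st.st_size,
                         st.st_atime, st.st_mtime, st.st_ctime,
                         int(bool(INTERESTING.search(name)))))
    conn.executemany("INSERT OR REPLACE INTO files VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def latest(conn, label, n=5):
    """The n most recently modified files in a snapshot, newest first."""
    cur = conn.execute("SELECT path FROM files WHERE snapshot=? ORDER BY mtime DESC LIMIT ?",
                       (label, n))
    return [row[0] for row in cur]


def flagged(conn, label):
    """Files in a snapshot whose names matched INTERESTING."""
    cur = conn.execute("SELECT path FROM files WHERE snapshot=? AND flagged=1 ORDER BY path",
                       (label,))
    return [row[0] for row in cur]


def diff(conn, old, new):
    """Compare two snapshots: created, removed, modified (mtime moved), accessed (only atime moved)."""
    def load(label):
        cur = conn.execute("SELECT path, mtime, atime FROM files WHERE snapshot=?", (label,))
        return {path: (mtime, atime) for path, mtime, atime in cur}
    before, after = load(old), load(new)
    result = {"created": sorted(set(after) - set(before)),
              "removed": sorted(set(before) - set(after)),
              "modified": [], "accessed": []}
    for path in sorted(set(before) & set(after)):
        (m0, a0), (m1, a1) = before[path], after[path]
        if m1 > m0:
            result["modified"].append(path)
        elif a1 > a0:  # read but not written; weaker evidence, see note below
            result["accessed"].append(path)
    return result


def demo():
    """Constructed file share, two snapshots a 'day' apart, and the comparison between them."""
    base = 1_700_000_000  # fixed epoch so ordering is deterministic
    with tempfile.TemporaryDirectory() as root:
        # constructed files with their age in days before 'base'
        tree = {"IT/passwords.xlsx": 1, "Finance/budget.docx": 2,
                "Finance/cards.csv": 3, "notes.txt": 0}
        for rel, age in tree.items():
            f = Path(root, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("x")
            os.utime(f, (base - age * 86400, base - age * 86400))
        conn = open_db()
        snapshot(conn, root, "day1")
        # Simulated activity between scans: the admin edits the password list,
        # only opens the card export, and drops a new file.
        os.utime(Path(root, "IT/passwords.xlsx"), (base + 86400, base + 86400))
        os.utime(Path(root, "Finance/cards.csv"), (base + 86400, base - 3 * 86400))
        Path(root, "IT/new_secret.txt").write_text("y")
        snapshot(conn, root, "day2")
        return {"latest_day1": latest(conn, "day1", 2),
                "flagged_day1": flagged(conn, "day1"),
                "diff": diff(conn, "day1", "day2")}


if __name__ == "__main__":
    print(demo())
```

Modification time is the dependable signal in the comparison. Access time is weaker: the scanner's own downloads of flagged files update it on the target, and many systems mount with noatime or relatime, so treat an "accessed" hit as a lead to confirm rather than proof that an administrator opened the file.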

Scavenger can also extract password hashes from the local SAM database or from the Active Directory database (ntds.dit); dumping the latter requires privileged access to a domain controller, which the Domain Admin scenario above provides. Once obtained, the hashes can be cracked offline with dictionary or brute-force attacks.

Furthermore, Scavenger detects passwords saved by certain applications, for example those stored by Chrome and by WinSCP.

Future work:
Future versions of Scavenger will add support for services such as NFS, FTP and database connections, as well as more ways of retrieving passwords from remote Linux and Windows systems without touching the remote system's disk. Scavenger will also handle SSH services on non-standard TCP ports, with the user supplying the port number alongside each address in the IP address list. In addition, Scavenger will apply more post-exploitation techniques to remote Windows and Linux systems.

You can find more information and download Scavenger on the Trustwave SpiderLabs GitHub page at https://github.com/SpiderLabs/scavenger.
