‘Scavenger’ - definition [noun]: a person who searches for and collects discarded items.
In the context of cybersecurity, I have developed Scavenger, a multi-threaded post-exploitation scanning tool for mapping systems and finding "interesting" and most frequently used files and folders. Once credentials are gained, it can scan remote systems (*nix, Windows, and OSX) via SMB and SSH services to scrape each system looking for interesting things and then cache the result.
Problem Definition:
Scavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.
During internal penetration tests, the penetration testing consultant will often obtain Domain Administrative (DA) level access to the Windows Active Directory domain. In a nutshell, this is the “keys to the kingdom” - full control of everything connected to that Windows Active Directory domain. The penetration tester has seemingly achieved ultimate success equating to full access to all systems, however, their job is far from complete (we at SpiderLabs are very thorough), and depending on the length of the engagement it most likely has just begun.
Let’s say for example, an engagement runs for a week starting Monday and ending Friday and the penetration tester obtains privileged access on the first day. This means he/she would start searching for and categorizing sensitive information almost immediately. Even with a solid four days left in the penetration test engagement, you can imagine how massive this undertaking will be having access to every Windows workstation and server that are part of that particular Windows Active Directory. The extent of access can easily total hundreds or even thousands of systems making the task of wading through mountains of files to find useful pieces information extremely difficult.
This is where Scavenger can make a tremendous impact to both the speed and efficiency of the penetration test. Sensitive information can take many forms depending on what is being sought – but in the case of a penetration tester, it usually resides around passwords and usernames to other systems or even different Windows domains. Scavenger proactively seeks out and and scrapes this type of information.
Password files can be found in various places, but in most cases, the penetration tester won’t know how relevant they are or in the case of old files relevant at all.
Scavenger can help with this problem, as it can in a post-exploitation scenario obtain a list of “latest” accessed/modified/created files and folders and keep (cache) these result in an ordered database.
While looking for potentially useful files and folders, Scavenger also scans these filenames for various interesting phrases for example "password" or "secret." Once detected Scavenger then downloads the flagged file to the local system.
Trustwave’s SpiderLabs conducts numerous PCI and other regulation-related penetration tests; thus, in the PCI scenario, the penetration testers are most likely trying to find Card Holder Data. Scavenger is set up to proactively search for Card Holder Data in all the folders it finds. Scavenger will then automatically extract and download these files expediting the entire process significantly.
In addition, Scavenger has the ability to compare and contrast the cached list of files and folders previously obtained with a newly scanned and acquired list after a non-determined duration of time (hours or days). Coming back to our example where we obtained Domain Admin level access on the initial day of the penetration test, the penetration tester can then wait several days and use Scavenger to re-scan and compare the previous “new” list of files found to the latest list of files.
This gives the penetration tester the ability to quickly determine what changed in that time period for instance whether new files have been created and/or if old files have been accessed or modified in any way. For example, if the penetration tester sees an administrator frequently accessing certain password or credit card database files, it’s a sure bet that what’s in those files are invaluable and can be leveraged for further penetration testing.
Scavenger can also extract password hashes from the local SAM file or the Active Directory database (ntds.dit). When password hashes are obtained, they can be cracked offline using a brute-force attack.
Furthermore, Scavenger also detects saved passwords in some applications for example passwords that are saved in Chrome, and also other applications like WinSCP.
Future work:
Future features of Scavenger will include the addition of services like NFS, FTP and database connections as well as adding more capabilities for retrieving passwords from remote Linux or Windows systems, without touching the disk of the remote system. Scavenger will also be able to handle SSH services running on a non-standard TCP port, with the user supplying the TCP port number of the services via an IP address list with TCP port numbers specified. In addition, Scavenger will be configured to use more post-exploitation techniques on remote Windows and Linux systems.
You can find more information and download Scavenger on the Trustwave SpiderLabs GitHub page at https://github.com/SpiderLabs/scavenger.