Pillaging / Data Harvesting
Last updated
Was this helpful?
Last updated
Was this helpful?
Once we have built our way into the victim machine, we can move on to the next phase: Data Harvesting / Pillaging.
Pillaging is the step in which you access sensitive data and intellectual property of the target organization.
Demonstrating the feasibility of an external hacker accessing this information might be the goal of the overall engagement, so this phase is critical.
However, according to the type of machine you have compromised, you may or may not find what you are looking for. This presents the need to further exploit and infiltrate the network.
Therefore in this step we will also harvest data and information necessary for this purpose.
This encompasses getting local information such as files, enumerating credentials, accounts, IM logs, and more, but also network information such as internal network blocks in use, domains, intranet servers, shared hard drives, printers, repositories, and so on.
Network information will also be used in the Mapping the internal network phase.
Important Since there is an infinite list of commands that we can run on the target machines, we will not list all of them here. Instead, we will see the most important and then we will give you some references at the end of this section.
The important thing to remember here is that we need to get as much [information][] as we can: system info, applications, services, networks, documents, messaging, and so on.
In the next sections we will see a list of scripts and commands related to data harvesting, that a penetration testers could use through a meterpreter session or shell.
Notice that we have already seen some of these scripts in previous phases, but for different purposes. We will still mention them here since they are very important for the success of this step.
Let us start harvesting basic information about the system.
sysinfo With sysinfo command we are able to get basic information about the remote system. Notice that the script works both on Windows and Linux OS.
getuid With getuid, we can check the user that we are running as on the target machine.
Starting from this information, we can already start making assumption about the role of the victim machine.
For example, if the previous command show us that the victim machine is a server, one of the most important things to check is which services are running on it.
In other words, we have to figure out the role of the machine in the remote network.
You should try to get answers to questions like:
Is this a workstation?
Which department is it from?
R&D?
Marketing?
...
Is this a server?
What server?
Mail server?
Web server?
RADIUS?
...
During the Pillaging step, we should be able to give an accurate answer to those questions according to the information we get on the system.
Let us start uncovering some of the commands we can run to collect more information.
Metasploit already implements some enumeration scripts that could be used for this purpose: - run /post/windows/gather/ Result: meterpreter > run post/windows/gather/ Display all 106 possibilites? (y or n) run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm - run /post/linux/gather/ Result: run post/windows/gather/arp_scanner run post/windows/gather/bitcoin_jacker run post/windows/gather/cachedump run post/windows/gather/checkvm
Although they are very useful and will save us a lot of time, we can use Windows or Unix commands from an interactive shell in order to get the same results. For example, let us first run the enum_services scripts and then check how we can get similar results from a shell. ``` [*] Listing Services Info for matching services, please wait... [+] New service credentials detected: AeLookupSvc is running as `` [+] New service credentials detected: ALG is running as 'NT AUTHORITY\LocalService' [+] New service credentials detected: aspnet_state is running as 'NT AUTHORITY\NetworkService' Services ========
Important It is important to know that many post exploitation scripts are implemented as modules and can be used outside the meterpreter session.
As we said before, post exploitation scripts and modules usually contain and execute a well-defined set of OS commands. In other words, we can get similar information by running the correct commands from a shell terminal on the target machine.
wmic In the previous case we can get services information with the wmic command. As we can see we get similar information. Example:
net start Another useful command that we can use to list services that are currently running is net start. Inspecting the results of these commands gives us a better idea of the machine role. Inspecting the results of these commands gives us a better idea of the machine role. For example, services like DNS or IIS tell us that the exploited machine have a server role.
service --status-all As you can imagine, these commands rely on the OS we are dealing with. For example if we want a list of services running on the exploited Linux machine, we will run service --status-all
Example:
ps In addition to services running on the machine, listing running process could also be very useful to understand the role of the machine. The easiest way to check them is by running the ps command on the meterpreter.
Some critical information to retrieve in a Windows networked environment, is if the compromised machine is part of a domain, or even, if it is a domain controller.
net view/domain To gather this information we can run the command net view/domain or run the script named enum_domains.
Here is an example of what we may get. In this case the machine is in the domain ELSLAB and we also know the name of the Domain Controller.
net group "Domain Controllers" /domain We can also print the list of Domain Controllers with the following command:
Let us now focus on which command we can use to get information about users.
net user (Windows) and cat /etc/passwd (Linux) With these commands we are able to list users on the system.
run post/windows/gather/enum_ad_users Notice that since the Windows machine is part of a domain, we can also use meterpreter scripts to enumerate accounts and other information in the default active domain:
net user /domain Similar information can be obtained with the net user /domain command. Remember that most of the scripts automate and organize information that can be gathered with shell commands.
net localgroup Moreover we can check which groups exist on the machine or which users are within a group with the net localgroup [group_name] command.
net share and enum_shares The last command we will see is useful to display all the resources shared on the victim.
We can use net share from the command prompt or enum_share from meterpreter.
The list of commands in this section is just a small fraction of the ones that are available in Meterpreter or in the OS shells.
For example we did not yet gather networking information such as IP addresses, ARP tables, DNS, current connections, and so on. In addition to this information, we also still need to check installed applications and local files.
as you have already seen, you have a number of different commands and methods to retrieve information, depending on the victim OS.
Showing all of them is merely impossible, but fellow pentesters have shared a few documents with us listing all potential commands for:
We strongly suggest you take a look at these documents in order to understand what type of commands and information you may need to gather from exploited machines.
Before seeing how to harvest files from the victim, it is useful to know that Metasploit implements scripts that automatically retrieve information from the system. The two main scripts that we can use against Windows machines are
scraper
harvests system info including network shares, registry hives, and password hashes
winenum
retrieves all kinds of information about the system including environment variables, network interfaces routing, user accounts, and much more.
If we inspect the code of these 2 scripts, we can see the list of commands that they will run on the remote machine (see img-218)
Notice that they will automatically save all information gathered into local files, so we can inspect them later. meterpreter > run winenum [*] Running Windows Local Enumeration Meterpreter Script [*] New session on 192.168.102.157:47451... [*] Saving general report to /root/.msf5/logs/scripts/winenum/ELS_20160303.5433/ELS_20160303.5433.txt [*] Checking if ELS is a Virtual Machine ........ [*] This is a VMware Workstation/Fusion Virtual Machine [*] UAC is Disabled [*] Running Command List ... [*] running command arp -a [*] running command cmd.exe /c set [*] running command ipconfig /all
Once we have information about the system, networks, users, groups, services, and so on, we can start getting not only actual files and documents, but also keystrokes. We will look for usernames, passwords, IM logs, private documents, and so on.
Metasploit offers some great scripts that could be used in this step. For example with screenshoot command we are able to get the screen of the victim. (see img-221)
Another way to get sensitive information from the target machine is by running a keylogger. Although there are many keylogger tools that we can use and install on the remote machine, Metasploit also offers a few scripts to do this: keyscan_start and keylogrecorder
Let us see how the 2 script works:
keyscan_start, keystart_dump, winlogon.exe The first script we are going to use is keystart_scan. Notice that we already migrated in explorer.exe
Once the sniffer is running we just have to wait for the user to type something on the keyboard.
Notice that the keystrokes will not be automatically printed on the screen. Instead we have to run keyscan_dump to see them.
As we can see, it seems the user typed bank of america and then some credentials. While the sniffer is running, we can dump the keystrokes by simply executing keyscan_dump. To stop the sniffer we just need to run keyscan_stop
Let's now migrate to winlogon.exe and try to dump the user login credentials.
keylogrecorder The next script we want to use is keylogrecorder:
As we can see, with the -c option we can instruct the script which type of key to capture (user or winlogon)
Different form previous script, keylogrecorder automatically migrates to the correct process, but it also stores all the keystrokes into a local file.
In order to see the keystrokes we just need to open the file stored in the Metasploit logs folder.
Now let's see a few commands that allows us to list files, create files, folders, move between directories, and so on. From the meterpreter help manual we can see the list of commands that are implemented. ``` Stdapi: File system Commands ============================
It does not matter the OS of the exploited machine. These commands work the same way. For example, with the commands pwd and getwd we are able to get the working directory and then we could list files.
Let's suppose we want to search for a specific file extension such as KeePass database file. We can do this with the following command: search -d C:\\Users\\els\\ -f *.kdbx Description: - -d is the path where to begin searching from - -f is the file pattern to search
Once we have located the file we need, we can download it to our machine with the command download. We can use this command to retrieve all the files we need. For example we can search for IM logs like Skype, Windows Live Messenger, software configuration files such as FTP clients, SVN clients, and so on, and then download the files locally in order to inspect them.
enum_application As you can imagine, knowing what software is installed on the machine is important. As you already know, we can list them with the enum_application script:
As you can imagine the task to perform, the commands, the tools, and the paths to check, strongly depends on the OS you are pentesting.
Moreover, the role of the victim machine on the remote network will suggest what to look for. (see vid-242) In the following video we will see how to use the previous commands in order to gather as much information as we can from the target machine.
In our case we will gather them from an employee workstation, so we will try to get system, user, network information, installed applications, account credentials, IM logs, and so on.
6.3.1. Exfiltration over DNS with Iodine (DNS Tunnelling)
Most of the time, with real world-attacks the objective of malicious actors is not only compromise systems for use of nefarious purposes, but it also often their objective to exfiltrate sensitive information, and a lot of the time, they do so over protocols that are not typically monitored.
This is a popular method due to the fact that many organizations are not logging or alerting on anomalous DNS traffic which makes it a go-to vector for exfiltrating data out of the target network, and over often under-monitored "channel".
In a typical scenario with DNS Tunneling, the attacker DNS tunnel client component initiates a connection to the attacker-controlled DNS tunnel server component through an organization's DNS server, and can be generalized with the diagram below (see img-248): Attacker-----------DNS Tunnel--------------Attacker-Controlled (DNS Tunnel Client Component) (DNS Tunnel Server Component) | ^ | | ----------> FooCorp DNS Server-------------------
Some pre-requisites for using Iodine to create a DNS tunnel for exfiltration are: 1. Control over a domain name that you own and its DNS configuration, and; 2. An IP address to act as the authoritative Name Server for your domain name for which you have SSH access to as well
Since DNS Tunneling requires a client/server model, you'll want those 2 pieces in place in order to experiment with this method.
In the video we'll show how we can configure a DNS tunneling implementation with Iodine using a domain name we have registered with GoDaddy, in addition to using IP address hosted on a VPS provider to act our exfiltration tunnel endpoint.
(see vid-253)
[Windows][]
[Linux][]
[OSX][]
[Metasploit][].
At the following [link][] you can find a few more links containing post-exploitation commands. You can also download them locally and access it from a web browser.
Notice that there are many other lists available online. [Here][] and [Here][] you can find a few more commands to run on Windows and Linux/Unix/BSD machine.
Once we have downloaded and analyzed files on the remote file system, we can move on with our investigation and start searching for credentials stored on the system. We can use Metasploit modules or use third party software ([Nirsoft][] has many of these tools for windows)
Instead of using meterpreter scripts, we could also use external tools. In our lab environment, we will use the tool to extract credentials saved in the web browser installed on the target machine.
One method that has been increasingly seen in the wild is the use of DNS for data exfiltration, also known as "".
One tool that can be used for this purpose is known as "".
Once the DNS tunnel is established, the client transmits all network traffic, encoded, and in the form of DNS queries, typically as [TXT][] records, through the tunnel, which is then decoded at the other end by the server component or attacker-controlled "DNS Server".