We’re going to make some assumptions at the start of this attack. We will assume we already have full access to any credentials we need. Why? Because we’ve already shown you how you can grab any credential you might need all the way up to the highest level of administrative rights. The question you now need to ask is this: what can you do with those rights?
Credentials are the means, but data is the ends. So the first thing you do with all these rights you’ve stolen is find the good data. Most times, organizations leave a ton of very good data sitting around in files and folders relatively unguarded. Naturally, attackers have developed mechanisms to crawl through that data to find the information they want. We will explore two platforms, built by penetration testers and other white hat hackers, which will give us a clear route to the best data.
For the first two steps of this process, we’ll take a “paper or plastic” approach, looking at both a Python-based and a PowerShell-based system. First, let’s have a look at smbmap. This is a freely available tool built in Python. You should set up a Python 2.7-based testbed, and you will need a few non-standard modules, including the impacket modules from the experts at CORE Security.
The smbmap utility has a ton of features, but we’ll start with the basics to simply find where we can access data. This is as simple as running the tool with some credentials and a list of hosts you want it to scan.
Figure 1 shows us this. The bit that’s blurred in the picture is a hash we’re passing as the secret for the thor account. True to its name, smbmap will find all the file shares on those hosts and determine what sort of access the user you ran it as has to those shares. You can easily limit this to non-default and non-admin shares (e.g. exclude C$), or supply more options to limit the selection of shares to other qualities you may be interested in. Since we are assuming unlimited rights, we can also run this with a user that has Domain Admin level access to note the difference.
Figure 2 shows that we certainly have access to a lot more. We also see we get an error about being unable to remove a directory in the SYSVOL share on DC02. We’ll leave it as a small challenge problem to the reader to figure out why this is happening. The hint we will give you is that to determine access, smbmap must be doing something to show it has write access to the share. There are only so many ways to do that, and, like any good reconnaissance tool, it does try to clean up after itself.
Next, we will look at a PowerShell-based method to find places where the data we want may live. For this, we turn to PowerSploit, a tool we’ve been using throughout our explorations into attacks on the credential side as well. PowerSploit, like smbmap, has a huge number of features. We will start with how to find shares we can target. That means using the Invoke-ShareFinder cmdlet. It will run with the rights you have.
Behind the scenes, Invoke-ShareFinder is doing most of the same things as smbmap. However, it doesn’t show you as much of the information. The assumption is you will use Invoke-ShareFinder in conjunction with other parts of PowerSploit’s framework to feed into activities like finding specific files and other angles of attack. We’ll see a bit of that in the next step of our attack.
What we have now is a survey of where the data we may want to steal lives. This will always be the first step to taking a treasure trove of information away from any infiltration. However, what we need now is to see what exact files we want to grab. That’s what we’ll zero in on in our next post.
Of course, all these steps did was gather information we could have gotten by popping open File Explorer and poking around. An attacker doesn’t have the time to do that again and again, so these are scripted methods that cut to the chase and are automation-friendly about it. As we saw with Empire, the real bad guys have used these methods as part of larger frameworks that look to quickly and efficiently strip your data out of the systems they’ve penetrated. But if this is just using the same methods to get the information as File Explorer, how can you protect yourself?
We have several recommendations for things you can do.
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Prior to that, Mr. Sander was a consultant at Platinum Technology focusing on security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.
© 2022 Stealthbits Technologies, Inc.