In the last post, we looked at how to find file shares where data we may want to steal lives. We used both Python-based and PowerShell based approaches to this. Now we’re going to take the next step and find actual files of interest. Even the smallest organization can have many thousands of files. The bad guys would drown in all that data if they didn’t have ways to narrow down what they’re looking for.
Let’s start by seeing what PowerSploit has to offer on the PowerShell side. The companion to Invoke-ShareFinder, which we used last time, is Invoke-FileFinder. In the simplest case, you run it and throw
Its output into a CSV file (as pictured in Figure 1). You can give this lots of options, of course. You can narrow the search to only files with interesting names (e.g. “password”), or you can give it output from Invoke-ShareFinder as input to limit what shares it will probe for files. The advantage of that would be to limit the number of attempts to touch files and risk getting caught along the way.
Once you’ve got that CSV, you have the advantage of having a look at precisely what you may want to target at your own pace.
This means you can come back and use your rights to grab files in an extremely targeted manner. Here in Figure 2, I’ve limited the list to files that have a non-zero length (files that aren’t empty) and I can see two files that look interesting right near the top. All I need to do now is go back, copy the files to a staging area, and then find a means to transport them out of the network. A free trial Dropbox account will do fine. If your network blocks access to Dropbox, I’m sure I can find at least one cloud storage, FTP, or other file transfer means your admins forgot.
Turning to smbmap on the Python side, we find again that it provides a bit more fine grain detail and control.
Once again, I can pass the hash so that I may scan as any user for whom I have a credential. And now I can search not just for file names but also for file contents. In Figure 3, we can see I chose to search for the regular expression ‘[Pp]assword’ since we saw those interesting files in the CSV.
Sure enough, scanning the contents of those files shows there are plain text passwords for some accounts stored there. But there are also passwords hiding out in some other not so obvious places. The ‘runbook.txt’ file seems like a logical place you would find a password since it is a step-by-step instruction including what to enter for that password prompt. We also find one in the ‘t8.shakespeare.txt’ file. (As an aside, that password was there when I grabbed the file. I went looking online for text versions of Shakespeare to use as file contents so the index numbers would look good with lots lines in the files. My intention was to slip in some passwords to the text. The very first hit was an MIT file that already had passwords in it! They were passwords to download that same file from ftp, but it goes to show how many secrets may be hiding in unexpected places.)
Finding passwords for service, application, and other accounts are one thing you may look for, but I could just as easily used a regular expression to find phone numbers, social security numbers, or other PII. A quick google will yield a ton of regexes ready-made for any of that.
Once the bad guy has a good list of files, all that remains is to grab them. We’ve seen the bad guys use their stolen credentials to find where data lives, find the most interesting files in that data, and getting that data out is the easiest part. What can you do about this?
We have several recommendations for things you can do.
Post #1: File System Attacks
Learn about how STEALTHbits addresses file system security and governance with StealthAUDIT for File Systems.
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Previous to that, Mr. Sander was a consultant at Platinum Technology focusing on the security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more