Finding Where Interesting Information May Live
We’re going to make some assumptions at the start of this attack. We will assume we already have full access to any credentials we need. Why? Because we’ve already shown you how you can grab any credential you might need all the way up to the highest level of administrative rights. The question you now need to ask is this: what can you do with those rights?
Credentials are the means, but data is the ends. So the first thing you do with all these rights you’ve stolen is find the good data. Most times, organizations leave a ton of very good data sitting around in files and folders relatively unguarded. Naturally, attackers have developed mechanisms to crawl through that data to find the information they want. We will explore two platforms, built by penetration testers and other white hat hackers, which will give us a clear route to the best data.
Two Approaches to Getting Our Targets
For the first two steps of this process, we’ll take a “paper or plastic” approach, looking at both a Python-based and a PowerShell-based system. First, let’s have a look at smbmap. This is a freely available tool built in Python. You should set up a Python 2.7 based testbed, and you will need a few non-standard modules, including the impacket modules from the experts at CORE Security.
The smbmap utility has a ton of features, but we’ll start with the basics to simply find where we can access data. This is as simple as running the tool with some credentials and a list of hosts you want it to scan.
Figure 1 shows us this. The bit that’s blurred in the picture is a hash we’re passing as the secret for the thor account. True to its name, smbmap will find all the file shares on those hosts and determine what sort of access the user you used to run it has to those shares. You can easily limit this to non-default and admin shares (e.g. exclude C$), or supply more preferences to limit the selection of shares to other qualities you may be interested in. Since we have access to an infinite amount of rights, we can also see what happens when we run this with a user that has Domain Admin level access to note the difference.
Figure 2 shows that we certainly have access to a lot more. We also see we get an error about being unable to remove a directory in the SYSVOL share on DC02. We’ll leave it as a small challenge problem to the reader to figure out why this is happening. The hint we will give you is that to determine access smbmap must be doing something to show it has write access to the share. There are only so many ways to do it, and, like any good reconnaissance tool, it does try to clean up after itself.
Next we will look at a PowerShell-based method to find places where data we want may live. For this we turn to PowerSploit, a tool we’ve been using throughout our explorations into attacks on the credential side as well. PowerSploit, like smbmap, has a huge number of features. We will start with how to find shares that we can target. That means using the Invoke-ShareFinder cmdlet. It will run with the rights you have.
Behind the scenes, Invoke-ShareFinder is doing most of the same things as smbmap. However, it doesn’t show you as much of the information. The assumption is you will use Invoke-ShareFinder in conjunction with other parts of PowerSploit’s framework to feed into activities like finding specific files and other angles of attack. We’ll see a bit of that in the next step of our attack.
What we have now is a survey of where the data we may want to steal lives. This will always be the first step to taking a treasure trove of information away from any infiltration. However, what we need now is to see what exact files we want to grab. That’s what we’ll zero in on in our next post.
How to Protect Yourself
Of course, all these steps did was get information we could have gotten from popping open File Explorer and poking around. An attacker doesn’t have the time to do that again and again, so these are scripted methods to cut to the chase and be automation friendly about it. Like we saw with Empire, the real bad guys have used these methods as part of larger frameworks that look to quickly and efficiently strip your data out of systems they’ve penetrated. But if this is just using the same methods to get the info as File Explorer, how can you protect yourself?
We have several recommendations for things you can do.
- Remove open shares wherever possible. Some open shares are business needs (e.g. the HR share with forms everyone in the organization needs to use). Since the default permissions on a share are equivalent to open (even in SharePoint this is still true), many open shares are only open to everyone because no one changed the defaults. Cutting down on the number of shares everyone can see will shorten the lists above by a lot.
- Watch for first-time access activity. If a user has had access to a share for years and never touched it, the first time they do may be suspicious. It’s possible they finally got around to the project that was the reason they were given the access to start with. Or it may be that their credentials have been hijacked and now someone is using the methods above to scan for access to data they may want to steal.
- Look for installations of the tools of the trade. Did Python suddenly appear on one of your servers? Has someone put the PowerSploit module onto a system? This may be your security team trying to probe and lock down vulnerable configurations, but it may also be a sign the bad guys are at work.
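The second recommendation as detection logic, added here as an example and not taken from the original post or any product: it flags an account's first access to a share after a baseline date, and accounts that touch many distinct shares within a few minutes, which is the pattern a share survey leaves behind. The records are constructed and shaped like Windows Security event 5140 ("A network share object was accessed"); the account names, the FS hosts, the window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Windows Security event 5140
# ("A network share object was accessed"): time, account, host, share.
EVENTS = [
    ("2017-08-01T09:00:00", "jsmith", "FS01", "HR"),
    ("2017-08-14T10:30:00", "jsmith", "FS01", "HR"),
    ("2017-08-20T11:00:00", "akhan", "FS02", "Finance"),
    ("2017-09-20T02:14:05", "jsmith", "FS02", "Finance"),
    ("2017-09-20T02:14:07", "jsmith", "FS02", "Legal"),
    ("2017-09-20T02:14:09", "jsmith", "DC02", "SYSVOL"),
    ("2017-09-20T02:14:11", "jsmith", "FS03", "Backups"),
    ("2017-09-21T09:05:00", "akhan", "FS02", "Finance"),
]

def parse(events):
    """Turn raw tuples into (timestamp, account, UNC path), oldest first."""
    rows = [(datetime.fromisoformat(t), u, f"\\\\{h}\\{s}") for t, u, h, s in events]
    return sorted(rows)

def first_time_access(events, baseline_end):
    """Events after baseline_end where an account touches a share it never used before."""
    seen, alerts = set(), []
    for ts, user, share in parse(events):
        if (user, share) not in seen and ts > baseline_end:
            alerts.append((ts, user, share))
        seen.add((user, share))
    return alerts

def share_sweeps(events, window=timedelta(minutes=5), threshold=4):
    """Accounts that touch `threshold` or more distinct shares inside one window."""
    by_user = defaultdict(list)
    for ts, user, share in parse(events):
        by_user[user].append((ts, share))
    flagged = {}
    for user, rows in by_user.items():
        for i, (start, _) in enumerate(rows):
            shares = {s for t, s in rows[i:] if t - start <= window}
            if len(shares) >= threshold:
                flagged[user] = sorted(shares)
                break
    return flagged

if __name__ == "__main__":
    for ts, user, share in first_time_access(EVENTS, datetime(2017, 9, 1)):
        print(f"first access  {ts}  {user}  {share}")
    for user, shares in share_sweeps(EVENTS).items():
        print(f"share sweep   {user}  {len(shares)} shares: {', '.join(shares)}")
```

In practice the baseline would cover a long enough history of share access events that routine first touches, such as a new project, can be triaged rather than ignored.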
Post #1: File System Attacks