Sifting Through The Sands
In the last post, we looked at how to find file shares where data we may want to steal lives. We used both Python based and PowerShell based approaches to this. Now we’re going to take the next step and find actual files of interest. Even the smallest organization can have many thousands of files. The bad guys would drown in all that data if they didn’t have ways to narrow down what they’re looking for.
Let’s start by seeing what PowerSploit has to offer on the PowerShell side. The companion to Invoke-ShareFinder, which we used last time, is Invoke-FileFinder. In the simplest case, you run it and write its output to a CSV file (as pictured in Figure 1). It takes plenty of options, of course. You can narrow the search to files with interesting names (e.g. “password”), or you can feed it the output of Invoke-ShareFinder as input to limit which shares it will probe for files. The advantage of that is fewer attempts to touch files, and every touch is another chance to trip an audit log and get caught along the way.
Once you’ve got that CSV, you have the advantage of being able to look at precisely what you may want to target at your own pace, without touching the shares again until you are ready.
This means you can come back and use the access those credentials give you to grab files in an extremely targeted manner. Here in Figure 2, I’ve limited the list to files with a non-zero length (files that aren’t empty), and I can see two files that look interesting right near the top. All I need to do now is go back, copy the files to a staging area, and then find a means to transport them out of the network. A free trial Dropbox account will do fine. If your network blocks access to Dropbox, I’m sure I can find at least one cloud storage, FTP, or other file transfer means your admins forgot.
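The triage step in Figure 2, as an added example that is not part of the original post: it reads CSV output of the kind Invoke-FileFinder produces, drops empty files, and floats files whose names contain interesting terms to the top, most recently written first. The sample CSV is constructed, and its column names (FullName, Owner, LastAccessTime, LastWriteTime, CreationTime, Length) and timestamp format are assumptions; adjust them to match the file you actually exported.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an Invoke-FileFinder CSV export.
# Column names and the timestamp format are assumptions for this example.
SAMPLE_CSV = r"""FullName,Owner,LastAccessTime,LastWriteTime,CreationTime,Length
\\FS01\Finance\passwords.xlsx,CORP\alice,2017-08-01 09:12:00,2017-07-30 17:44:00,2016-01-12 10:00:00,18432
\\FS01\Finance\empty.txt,CORP\bob,2017-08-01 09:12:00,2017-08-01 09:12:00,2017-08-01 09:12:00,0
\\FS01\IT\runbook.txt,CORP\svc_backup,2017-09-01 08:00:00,2017-06-15 13:20:00,2015-03-03 11:11:00,4096
\\FS01\IT\t8.shakespeare.txt,CORP\bob,2017-09-01 08:00:00,2014-02-02 02:02:00,2014-02-02 02:02:00,5458199
\\FS01\HR\quarterly_report.docx,CORP\carol,2017-09-10 12:00:00,2017-09-09 16:05:00,2017-09-09 16:05:00,220000
"""

# Name fragments worth a second look. Extend to taste (e.g. backup, vpn, id_rsa).
INTERESTING_TERMS = ("pass", "pwd", "cred", "secret", "key", "config", "runbook")


def triage(csv_text, terms=INTERESTING_TERMS, min_length=1):
    """Return the non-empty files from the CSV, most interesting first.

    A file counts as interesting when its name contains one of `terms`.
    Within each group the most recently written file comes first, since a
    recently edited file is more likely to hold a credential that still works.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        length = int(row["Length"])
        if length < min_length:
            continue  # the Figure 2 filter: skip empty files
        name = row["FullName"].rsplit("\\", 1)[-1].lower()
        hits = [t for t in terms if t in name]
        rows.append({
            "path": row["FullName"],
            "owner": row["Owner"],
            "length": length,
            "hits": hits,
            "written": datetime.strptime(row["LastWriteTime"], "%Y-%m-%d %H:%M:%S"),
        })
    # Two stable sorts: newest first, then files with name hits ahead of the rest.
    rows.sort(key=lambda r: r["written"], reverse=True)
    rows.sort(key=lambda r: not r["hits"])
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_CSV):
        flag = ",".join(r["hits"]) or "-"
        print(f"{flag:10} {r['length']:>9} {r['written']:%Y-%m-%d} {r['path']}")
```

Feed it the real export with `triage(open("files.csv").read())`; the two files the post spots near the top of Figure 2 are exactly the kind that land first here, and nothing is touched on the share until you decide to go back for a specific path.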
Turning to smbmap on the Python side, we find again that it provides a bit more fine-grained detail and control.
Once again, I can pass the hash, so I can scan as any user whose NTLM hash I hold, whether or not I ever learned the plaintext password. And now I can search not just file names but also file contents. In Figure 3, you can see I chose to search for the regular expression ‘[Pp]assword’, since we had already spotted those interesting files in the CSV.
Sure enough, scanning the contents of those files shows there are plaintext passwords for some accounts stored there. But there are also passwords hiding out in some other, not so obvious places. The ‘runbook.txt’ file seems like a logical place to find a password, since it is a step-by-step instruction that includes what to enter at the password prompt. We also find one in the ‘t8.shakespeare.txt’ file. (As an aside, that password was there when I grabbed the file. I went looking online for text versions of Shakespeare to use as file contents so the index numbers would look good, with lots of lines in the files. My intention was to slip some passwords into the text. The very first hit was an MIT file that already had passwords in it! They were passwords to download that same file from FTP, but it goes to show how many secrets may be hiding in unexpected places.)
Finding passwords for service, application, and other accounts is one thing you may look for, but I could just as easily have used a regular expression to find phone numbers, social security numbers, or other PII. A quick Google search will yield a ton of ready-made regexes for any of that; expect the simpler ones to produce false positives, so treat the hits as leads to confirm rather than as results.
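The content search behind Figure 3, as an added example that is not part of the original post and not smbmap's own code: it walks a directory tree (a mounted share, for instance) and runs a set of regular expressions over each readable text file, the first of them being the exact ‘[Pp]assword’ expression used above, plus assumed patterns for a password assignment, a US social security number and a US phone number. It skips binaries and oversized files, since every byte of a content search is pulled across SMB, and it redacts what it records so the report itself does not become another file full of secrets. The same scan, run on a schedule against your own shares, is the regular content inspection recommended under "How to Protect Yourself" below. The sample files it builds are constructed for the example.

```python
import os
import re
import tempfile

# Regexes are illustrative assumptions, not smbmap's own. The first is the
# expression used against the share in Figure 3; the rest are deliberately
# simple and will need tuning for real data.
PATTERNS = {
    "password_mention": re.compile(r"[Pp]assword"),
    "password_value": re.compile(r"(?:[Pp]ass(?:word|wd)|[Pp]wd)\s*[:=]\s*['\"]?(\S+)"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "us_phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s*|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
}
MAX_BYTES = 5 * 1024 * 1024  # per-file cap: content search drags every byte over the wire


def redact(match_text):
    """Keep enough of a hit to triage it without copying the secret into the report."""
    if len(match_text) <= 8:
        return match_text
    return match_text[:4] + "..." + match_text[-2:]


def scan_file(path, patterns=PATTERNS, max_bytes=MAX_BYTES):
    """Return [(line_no, pattern_name, redacted_match), ...] for one file."""
    hits = []
    try:
        if os.path.getsize(path) > max_bytes:
            return hits
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return hits  # no access, locked, or gone: move on quietly
    if b"\x00" in data[:8192]:
        return hits  # crude binary check; Office/PDF need their own extractors
    text = data.decode("utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in patterns.items():
            m = rx.search(line)
            if m:
                hits.append((line_no, name, redact(m.group(0))))
    return hits


def scan_tree(root, patterns=PATTERNS):
    """Walk `root` and map relative path -> hits for every file that matched."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            hits = scan_file(p, patterns)
            if hits:
                results[os.path.relpath(p, root)] = hits
    return results


def build_sample_share():
    """Constructed stand-in for a share: a runbook, a text file with an FTP
    password buried in it, an HR export, an empty file and a binary."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "IT/runbook.txt": "Step 3: when prompted, enter Password: Summer2017!\n",
        "IT/t8.shakespeare.txt": "ACT I\nSCENE I.\n(ftp login: user anonymous, password guest)\n",
        "HR/contacts.csv": "name,ssn,phone\nJ. Doe,123-45-6789,(555) 123-4567\n",
        "Finance/empty.txt": "",
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(root, "IT", "tool.exe"), "wb") as fh:
        fh.write(b"MZ\x00\x00Password=notreal\x00")  # skipped by the binary check
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, hits in sorted(scan_tree(share).items()):
        for line_no, name, snippet in hits:
            print(f"{rel}:{line_no}: {name}: {snippet}")
```

Point `scan_tree` at a share mounted on your local system (or the staging copy from the previous step) and it reports file, line and pattern, so that the follow-up is a handful of targeted reads rather than another full sweep.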
How to Protect Yourself
Once the bad guy has a good list of files, all that remains is to grab them. We’ve seen the bad guys use stolen credentials to find where data lives and to pick out the most interesting files in that data; getting the data out is the easiest part. What can you do about this?
We have several recommendations for things you can do.
- To prevent passwords from being stolen from files, you need to both rotate passwords and inspect file content regularly to ensure no one is putting you at risk this way. Password rotation, especially for the type of service and application account whose passwords often end up in files like this, is a very large challenge. Without it, though, you are ensuring that files with ancient versions of these credentials can expose you to risk today. You also can’t assume that a policy stating not to put passwords in files will hold. So you should be scanning file contents looking for these regularly.
- For files containing your most critical data, consider implementing tagging, classification, and file protection through encryption. Tagging and classification can work in conjunction with DLP to ensure that files with your most critical data get the heightened attention they need. File-level encryption comes in many forms, and any of them will ensure that a simple content search like the one above cannot read what the files hold, and will make it much more difficult for the bad guys to take anything useful away.
- Watch for first time access activity. If a user has had access to a share for years and never touched it, the first time they do may be suspicious. It’s possible they finally got around to the project that was the reason they were given the access to start with. Or it may be that their credentials have been hijacked and now someone is using the methods above to scan for access to data they may want to steal.
- Look for installations of the tools of the trade. Did Python suddenly appear on one of your servers? Has someone put the PowerSploit module onto a system? This may be your security team trying to probe and lock down vulnerable configurations, but it may also be a sign the bad guys are at work.
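The third recommendation, watching for first-time access, as an added example that is not part of the original post: it builds a baseline of which account has historically touched which share, then flags a new (account, share) pair the first time it appears, and separately flags an account that touches several distinct shares within a short window, which is what a share and file sweep looks like from the file server's side. The events are constructed in a simplified shape of Windows share-access auditing (the fields event 5145 carries: time, account and share); the field names, thresholds and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events. Baseline: what normal looked like over the past weeks.
# alice lives in Finance, bob in IT, carol in HR.
BASELINE = [
    {"time": ts("2017-08-01 09:00:00"), "user": "CORP\\alice", "share": r"\\FS01\Finance"},
    {"time": ts("2017-08-15 14:30:00"), "user": "CORP\\alice", "share": r"\\FS01\Finance"},
    {"time": ts("2017-08-02 10:00:00"), "user": "CORP\\bob", "share": r"\\FS01\IT"},
    {"time": ts("2017-08-20 11:00:00"), "user": "CORP\\carol", "share": r"\\FS01\HR"},
]

# Constructed events for today: bob's account suddenly walks four shares in two minutes.
RECENT = [
    {"time": ts("2017-09-20 09:00:00"), "user": "CORP\\alice", "share": r"\\FS01\Finance"},
    {"time": ts("2017-09-20 09:10:00"), "user": "CORP\\bob", "share": r"\\FS01\IT"},
    {"time": ts("2017-09-20 09:11:00"), "user": "CORP\\bob", "share": r"\\FS01\Finance"},
    {"time": ts("2017-09-20 09:11:30"), "user": "CORP\\bob", "share": r"\\FS01\HR"},
    {"time": ts("2017-09-20 09:12:00"), "user": "CORP\\bob", "share": r"\\FS01\Legal"},
    {"time": ts("2017-09-20 10:00:00"), "user": "CORP\\carol", "share": r"\\FS01\HR"},
]


def build_baseline(events):
    """Set of (user, share) pairs seen during the baseline period."""
    return {(e["user"], e["share"]) for e in events}


def detect(events, baseline, burst_n=3, window=timedelta(minutes=5)):
    """Return alerts for first-time share access and for share sweeps.

    first_access: the (user, share) pair was never seen in the baseline.
    share_sweep:  the user touched `burst_n` distinct shares inside `window`;
                  raised once, when the count first reaches the threshold.
    """
    alerts = []
    seen = set(baseline)
    recent_by_user = defaultdict(list)  # user -> [(time, share)] inside the window
    for e in sorted(events, key=lambda e: e["time"]):
        user, share, when = e["user"], e["share"], e["time"]
        if (user, share) not in seen:
            alerts.append({"kind": "first_access", "user": user, "share": share, "time": when})
            seen.add((user, share))  # alert once per new pair, not on every later touch
        recent = [(t, s) for t, s in recent_by_user[user] if when - t <= window]
        recent.append((when, share))
        recent_by_user[user] = recent
        distinct = {s for _, s in recent}
        if len(distinct) == burst_n:
            alerts.append({"kind": "share_sweep", "user": user,
                           "shares": sorted(distinct), "time": when})
    return alerts


if __name__ == "__main__":
    for a in detect(RECENT, build_baseline(BASELINE)):
        print(a["time"], a["kind"], a["user"], a.get("share") or a["shares"])
```

Alice and carol, who keep doing what they always did, produce nothing; bob's account produces three first-access alerts and one sweep alert. Whether that is bob finally starting the project he was given access for, or someone using his credentials with the tools above, is the question the alert exists to make you ask.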
Post #1: File System Attacks
To receive a notification of the next blog in the File System Attack Series, please subscribe here: http://go.stealthbits.com/l/71852/2017-09-20/713kzd