Finding and taking sensitive data – pillaging the target

The term pillaging (sometimes known as pilfering) is a holdover from the days when hackers who had successfully compromised a system saw themselves as pirates, racing to their target to steal or damage as much data as possible. These terms have survived as a reference to the much more careful practice of stealing or modifying proprietary or financial data when the objective of the exploit has been achieved.

The attacker can then focus on the secondary target—system files that will provide information to support additional attacks. The choice of the secondary files will depend on the operating system of the target. For example, if the compromised system is Unix, then the attacker will also target the following:

  • The system and configuration files (usually in the /etc directory, but depending on the implementation, they may be in /usr/local/etc or other locations)
  • The password files (/etc/password and /etc/shadow)
  • The configuration files and public/private keys in the .ssh directory
  • The public and private key rings that may be contained in the .gnupg directory
  • The email and data files

In a Windows system, the attacker will target the following:

  • The system memory, which can be used to extract passwords, encryption keys, and so on
  • The system registry files
  • The Security Accounts Manager (SAM) database, which contains hashed versions of the password, or alternative versions of the SAM database, which may be found in %SYSTEMROOT% epairSAM and %SYSTEMROOT%System32configRegBackSAM
  • Any other password or seed files that are used for encryption
  • The email and data files
Don't forget to review any folders that contain temporary items, such as attachments. For example, UserProfileAppDataLocalMicrosoftWindowsTemporary Internet Files may contain files, images, and cookies that may be of interest.

As stated previously, the system memory contains a significant amount of information for any attacker. Therefore, it is usually a priority file that you need to obtain. The system memory can be downloaded as a single image file from several sources, as follows:

  • By uploading a tool to the compromised system and then directly copying the memory (these tools include Belkasoft RAM capturer, Mandiant Memoryze, and MonsolsDumpIt).
  • By copying the Windows hibernation file, hiberfil.sys, and then using Volatility to decrypt and analyze the file. Volatility, which can be found on Kali in the Forensics menu, is a framework that was written to analyze memory dumps from the system RAM and other files containing system memory. It relies on plugins written in Python to analyze the memory and extract data such as encryption keys, passwords, registry information, processes, and connectivity information.
  • By copying a virtual machine and converting the VMEM file to a memory file.
If you upload a program that's designed to capture memory onto a compromised system, it is possible that this particular application will be identified as malicious software by antivirus software. Most antivirus software applications recognize the hash signature and behavior of memory acquisition software, and act to protect the sensitive contents of the physical memory by raising an alarm if it is at risk of disclosure. The acquisition software will be quarantined, and the target will receive a warning, alerting them of the attack.

To avoid this, use Metasploit Framework to run the executable completely in the target's memory using the following command:
meterpreter> execute -H -m -d calc.exe -f <memory executable + parameters>
The previous command executes calc.exe as a dummy executable, but uploads the memory acquisition executable to run in its process space instead.

The executable doesn't show up in process lists, such as Task Manager, and detection using data forensic techniques is much harder because it's not written to disk. Furthermore, it will avoid the system's antivirus software, which generally does not scan the memory space in search of malware.

Once the physical memory has been downloaded, it can be analyzed using the Volatility framework, which is a collection of Python scripts that are designed to forensically analyze memory. If the operating system is supported, Volatility will scan the memory file and extract the following:

  • The image information and system data that is sufficient for tying the image to its source system.
  • The running processes, loaded DLLs, threads, sockets, connections, and modules.
  • The open network sockets and connections, and recently opened network connections.
  • The memory address, including physical and virtual memory mapping.
  • The LM/NTLM hashes and LSA secrets. LanMan (LM) password hashes are Microsoft's original attempt at protecting passwords. Over the years, it has become simple to break them and convert the hashes back into an actual password. NT LanMan (NTLM) hashes are more recent and resilient to attack. However, they are usually stored with the NTLM versions for the purpose of backward compatibility. Local Security Authority (LSA) stores secrets that are local passwords: remote access (wired or wireless), VPN, autologon passwords, and so on. Any passwords that are stored on the system are vulnerable, especially if the user reuses passwords.
  • Specific regular expressions or strings stored in memory.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.236.145.110