The term pillaging (sometimes known as pilfering) is a holdover from the days when hackers who had successfully compromised a system saw themselves as pirates, racing to their target to steal or damage as much data as possible. These terms have survived as a reference to the much more careful practice of stealing or modifying proprietary or financial data when the objective of the exploit has been achieved.
The attacker can then focus on the secondary target—system files that will provide information to support additional attacks. The choice of the secondary files will depend on the operating system of the target. For example, if the compromised system is Unix, then the attacker will also target the following:
- The system and configuration files (usually in the /etc directory, but depending on the implementation, they may be in /usr/local/etc or other locations)
- The password files (/etc/password and /etc/shadow)
- The configuration files and public/private keys in the .ssh directory
- The public and private key rings that may be contained in the .gnupg directory
- The email and data files
In a Windows system, the attacker will target the following:
- The system memory, which can be used to extract passwords, encryption keys, and so on
- The system registry files
- The Security Accounts Manager (SAM) database, which contains hashed versions of the password, or alternative versions of the SAM database, which may be found in %SYSTEMROOT% epairSAM and %SYSTEMROOT%System32configRegBackSAM
- Any other password or seed files that are used for encryption
- The email and data files
As stated previously, the system memory contains a significant amount of information for any attacker. Therefore, it is usually a priority file that you need to obtain. The system memory can be downloaded as a single image file from several sources, as follows:
- By uploading a tool to the compromised system and then directly copying the memory (these tools include Belkasoft RAM capturer, Mandiant Memoryze, and MonsolsDumpIt).
- By copying the Windows hibernation file, hiberfil.sys, and then using Volatility to decrypt and analyze the file. Volatility, which can be found on Kali in the Forensics menu, is a framework that was written to analyze memory dumps from the system RAM and other files containing system memory. It relies on plugins written in Python to analyze the memory and extract data such as encryption keys, passwords, registry information, processes, and connectivity information.
- By copying a virtual machine and converting the VMEM file to a memory file.
To avoid this, use Metasploit Framework to run the executable completely in the target's memory using the following command:
meterpreter> execute -H -m -d calc.exe -f <memory executable + parameters>
The previous command executes calc.exe as a dummy executable, but uploads the memory acquisition executable to run in its process space instead.
The executable doesn't show up in process lists, such as Task Manager, and detection using data forensic techniques is much harder because it's not written to disk. Furthermore, it will avoid the system's antivirus software, which generally does not scan the memory space in search of malware.
Once the physical memory has been downloaded, it can be analyzed using the Volatility framework, which is a collection of Python scripts that are designed to forensically analyze memory. If the operating system is supported, Volatility will scan the memory file and extract the following:
- The image information and system data that is sufficient for tying the image to its source system.
- The running processes, loaded DLLs, threads, sockets, connections, and modules.
- The open network sockets and connections, and recently opened network connections.
- The memory address, including physical and virtual memory mapping.
- The LM/NTLM hashes and LSA secrets. LanMan (LM) password hashes are Microsoft's original attempt at protecting passwords. Over the years, it has become simple to break them and convert the hashes back into an actual password. NT LanMan (NTLM) hashes are more recent and resilient to attack. However, they are usually stored with the NTLM versions for the purpose of backward compatibility. Local Security Authority (LSA) stores secrets that are local passwords: remote access (wired or wireless), VPN, autologon passwords, and so on. Any passwords that are stored on the system are vulnerable, especially if the user reuses passwords.
- Specific regular expressions or strings stored in memory.