Pillaging Part 1

00:00

Hello and welcome to another penetration. Testing execution Standard discussion. Today we're going to be talking about part one of two in pillaging in our post exploitation section Now. Quick disclaimer.

00:16

The Pee test videos do cover tools and techniques that could be used for system hacking. So it is up to you to research and understand the tools and techniques that we're using and ensure that you understand the laws and regulations in your area regarding the use of such tools and techniques to ensure that you don't get into any trouble

00:36

with the loan.

00:37

Now our objective list is a little lengthy today, but don't worry, we're going to actually go through these pretty quickly. So we're going to look at what pillaging is review of these given areas, Installed programs, service's database service servers, directory servers, deployment service's virtual ization messaging

00:56

and monitoring and management. And just talk about some of the benefit of looking through and collecting data on these types of

01:03

areas. And service is

01:06

so what is pillaging while I think of pirates and Vikings when I think of pillaging so pillaging refers to obtaining information foul Kant containing personal information, credit card data passwords, etcetera from target hosts relevant to the goals defined in the pre assessment phase.

01:23

Now the information could be obtained for the purpose of satisfying goals or as part of the pivoting process, to gain further access into the network.

01:30

Remember any data sets that are typically protected by laws or regulations? We should understand what the consequences could be of taking that information off premise. And if our activities wouldn't be considered a compromise of that data set, I know that with HIPPA and things of that nature.

01:49

If I were to view a patient's medical record without permission or, you know, I wouldn't be a party treating that patient,

01:56

that would be a violation of that patient's rights under hip. So we need to understand how we're going to treat information when pillaging and what is essentially going to satisfy our client that that information was in fact compromised quote unquote based on our assessment.

02:13

Now let's jump right into installed programs when it comes to pillaging. So start up items are a great way

02:21

to see what applications are running an honest system. It start up or log on, and it helps us to provide information about the purpose of the system. Software and service is that it interacts with so the information could reveal potential countermeasures

02:34

that could be in place. That may hinder further exploitation of the Target network and its systems. And so this is things like kids and host intrusion prevention

02:42

application, white listing things of that nature and so started programs can also be beneficial, especially if they're vulnerable. Because I've seen where you can take

02:52

ANAP location and inject a payload into that application and then upon startup. Because it runs with system level privilege, you can then get root access so that could be beneficial. Security Service's are a great thing to look for is well, so that could be software designed to keep an attacker out

03:09

and keep data safe. So this is not limited to the following network firewalls host based bar walls ideas I ps,

03:16

ah, heads and hips, which are the host based version of intrusion detection and prevention systems and an empire. So

03:24

being able to see what's on that system and what version it maybe could help you to find ways that bypassing following printer shares, so servers often contained targeted data or provide an opportunity to further penetrate the target network and hosts.

03:38

So shares offered by file servers is great. Identify files of interest from the file server share Listening. A lot of Times

03:46

shares are named in a manner that, therefore departments like HR accounting billing accounts receivable are in the secret sauce. Whatever the case may be,

03:57

shares may be created in a way, enlisted in a way that you could easily glean whether or not they be sensitive. And then back ups are a great thing to find backup directories, images off systems. Things of that nature could definitely be beneficial in looking for data and during our pillaging process.

04:14

Now databases are great. They contain a wealth of information that may be targeted. And so the database itself

04:23

is a list of database names that the assessor can determine the purpose of the database type of data it may contain on an environment with many databases. You could then use that to prioritize your targets. If we could get table names and metadata like comments column names,

04:38

then we could better, you know, focus our efforts on those areas. Table content is great,

04:44

and then columns. If it's possible, and you could get all of the column names out of the table with a command.

04:49

There are usually ways that that can be done, depending on the syntax and the type of databases being used. But there are ways to easily get that information if you have access to the tables, and then that can help you to further determine how critical the databases and what your efforts should be focused on. As far as compromising critical systems

05:08

directory servers. And so

05:10

the main goal of a directory service is to provide information to Service's and host for the reference or an authentication off

05:20

those. So the compromise of this service would allow you to control the host that depend on the service, as well as provide information that could be used for further attack information that look foreign Directory service is our list of objects so usernames passwords, machines,

05:35

connections to systems, identification of protocols and security levels and so that could be

05:41

beneficial.

05:43

Deployment Service's are also great eso. With these, you can enumerate potentially unattended answer files. Permissions on files updates included applications and versions. And so if we've got

05:56

ah, fresh system, that's been installed recently, we would know at what patch level it is and what applications and versions of those on there that could be beneficial for

06:03

further attacking systems. This information, of course, can be used to allow you to get deeper into the network and potentially provide the ability to modify the depository on dhe. Then, you know, set up the installation of a back door or modification of service is to make them vulnerable to attack again.

06:23

If you're messing with golden images or deployment server, those air typically ah, full time job for some folks. And so make sure that that's within the rules of engagement in scope of service and that you're not making modifications that will do harm or that, you know, could be forgotten. Her that can't be reverted and then it causes more more damage.

06:40

Virtualization is great, And so when we're looking at virtualization platforms and software, we can enumerate virtual machines, potentially a numeric passwords and digital certificates for administrative systems, numerous virtualization software configuration and the configuration of hosts. I know a lot of times

06:57

out of the box. There are some default credentials that could be present on virtual machines and host system, so

07:02

those were definitely a good check to start. What to see if you can get further details

07:08

messaging. So identification of service is our client. Software for messaging provides the opportunity to identify directory service is get, you know, compromise of those credentials access to confidential information identification hosts on the network. So that could be great monitoring and management.

07:25

So identification of service is our client Software for the purposes of monitoring their management could provide identification of intentional service's and servers on the target network. So, um, something to look for S and m p sis. Long information could be beneficial and identifying systems

07:44

some management service is, and Software's looked at game credentials. Identify host and gain access to other service is

07:49

so you may be looking for things like sshh servers or clients. Tell meant servers or clients.

07:56

All of those things could be beneficial is well, with respect to, um, the way that an administrator would manage a network and how they could go about monitoring the network was something like S and M. P.

08:09

So let's do a quick check on learning

08:11

true or false copying backups off the network can be high risk and potentially exposed sensitive information.

08:20

All right, If you need additional time, please pause the video.

08:24

So overall, this is true. If we're copying backups off the network and we don't know everything that's on that system, we could be removing P on the e p h I credit card numbers, account information, Social Security numbers. And so this is potentially, ah, high risk. Move

08:41

on. And if you could do something to just validate that, this would be possible without moving everything off. Maybe then get a listing of what was on the server

08:50

and use that in the report that may be beneficial versus trying to move the entire systems file off network and potentially handing that data exposed and opening you up to risk.

09:01

No.

09:03

In summary,

09:05

we discussed what pillaging is. Okay, that's, you know, collecting additional information, looking for data sets and compromising additional systems with that data. And then we discussed installed programs, service's database servers, directory servers, deployment service's virtual ization, messaging

09:20

and monitoring and management with respect to things like S and M P and protocols that we could use to manage systems.