Post-exploitation scanning tool scavenges for useful information

Philip Pieterse, Principal Consultant for Trustwave’s SpiderLabs, has demonstrated at Black Hat Arsenal Europe 2018 a new tool for penetration testers called Scavenger.

About Scavenger

Scavenger is a multi-threaded post-exploitation scanning tool that helps penetration testers pinpoint files and folders that may provide the most “interesting” or useful information.

“Scavenger confronts a challenging issue typically faced by penetration testing consultants during internal penetration tests: the issue of having too much access to too many systems with limited days for testing,” Pieterse explained.

After access to a Domain Administrative (DA) level access to the Windows Active Directory domain has been achieved, the tool can scan that and other remote systems via SMB and SSH services to:

• Make a list of the “latest” accessed/modified/created files and folders and keep these results in an ordered database
• Compare older versions of these lists to newly acquired ones to determine changes and identify new or most recently accessed and modified files
• Scan these filenames for words like “password” or “secret.”
• Seek out and and scrape passwords and usernames to other systems or even different Windows domains
• Seek out card holder data
• Extract password hashes from the local SAM file or the Active Directory database (to be cracked later)
• Extract saved passwords from certain applications (e.g., Chrome, apps usually used by sysadmins, etc.).

Pieterse’s future plans for the tool include the addition of services like NFS, FTP and database connections, more capabilities for retrieving passwords from remote Linux or Windows systems, more post-exploitation techniques on remote Windows and Linux systems, and the ability to handle SSH services running on a non-standard TCP port, with the user supplying the TCP port number of the services.