
Okay, welcome back. Next up we welcome Ben Burkhart, who's going to give a talk called "A Guide to Discovering Plaintext Credentials in Enterprise Environments." Remember to please put any questions you have in the Q&A that you'll find at the bottom of the Zoom window. Take it away, Ben.

Oh, hello everyone. Give me a second while I find my screen share button on Zoom; it always moves on me, I swear. I would have uploaded a cool photo, but I can't turn my camera on, but that's okay, y'all don't need to see me.

Yeah, we noticed there's an issue with the video for some reason.

That's okay, my room's a mess anyway. Awesome, y'all should be able to see my screen.

Sorry, yes, as we were muted.

Oh cool, awesome, well I'll go ahead and get started. Hi, hello everyone, my name is Ben Burkhart. This is a rough beginner's overview, enthusiast intro guide to ways to try and find and discover plaintext credentials in enterprise environments. I would say if that's not the talk that you're here for, you're in the wrong room, but I think there's only one track today, so you must be here for me, so thank you.

So first off, here's a rough kind of agenda of what I'm gonna try and go over today. This is only a half hour talk so it's a little bit abbreviated, but obviously feel
free at any point to hit me up with questions, either afterwards or in the Q&A box or on Discord. I'll do my best to answer what I can here and there. So: a little bit of intro about me; just kind of a quick overview of what we are and aren't going to be talking about today; a brief overview of network file shares and the things that they could contain; a brief overview of Active Directory metadata and some cool stuff that can be found in that information; we'll talk a little bit about internal and external CI/CD services, things like Bitbucket, Git, things like that, where we can find credentials and other secrets; a brief warning about canaries, because they do exist, they are easy to deploy, and prevalently used in clients with relatively mature security programs and practices, so we'll talk about those briefly; we'll talk about some last resorts, some buzzer-beater full-court shots if you run out of everything that you think you could do on a test to try and get somewhere; and then we'll kind of move into ways that we can audit some of the things that we talked about during this talk from a blue team or defensive perspective. A couple of takeaways, some time for questions if you have them, or afterwards if we don't have time today, and then I've got a link dump for all of the things that I've referenced in the talk, so if you can't copy the stuff down or Google search it while we're talking or reviewing it later, there'll be clickable links in the slide deck at some point, which I'm sure will get shared through the usual channels.

So first and foremost, just a little bit about me. My name is Ben, I mentioned that already. I'm on Twitter and on Mastodon, although I don't really post a whole lot of stuff, but if you're interested in finding me on those platforms and connecting, feel free. I'm based in Chicago, Illinois. I've been
in the city about 15 years now or so. I like it here, nice and cold, but that's where I'm at. I'm currently working as a pentester at Black Hills Information Security. I've been here for about a year, a year and a few months probably now, but I've been pentesting for about six years or so. Here's a list of some interesting things that I've worked on, some of which are less interesting than others. One thing I do want to call out that I've given a couple of other talks about is bartending and soft skills. I was a bartender for probably 10 or 11 years before I transitioned into infosec, so if you're interested in looking at some talks on that you can search me on YouTube and find those out there. If you want a list of things that I enjoy, which is relatively generic except for Louise, which is my adopted retired racing greyhound who ran for about eight races and came in last in all of them and now gets to live on the couch living her best life.

So real quickly, just what we're going to talk about, what this talk isn't. So this isn't a talk about coercion methods; my coworker Gabriel just did a really great talk on that, which you can find on the internet if you're interested.
This isn't a talk on ADCS. The Windows attack surface and research landscape has had a lot of really tremendous breakthroughs in the last two years or so, specifically around ADCS and all the different forms of coercion and PetitPotam and all these different ways that you can elevate privileges from a standard user to domain admin through these incredibly complex attack chains, so I'm not going to talk about any of those. This isn't a talk about AWS or cloud attacks. Some of the stuff that we talk about is applicable to those services, but there are people who are much more well versed in that type of environment, and there are much better things that you could spend your time watching or reading than listening to me talk about AWS or cloud stuff. This is not a talk about password cracking, although I do love cracking passwords. I think that one of the most insightful things you can learn about an organization is what their end users use for their passwords; I think that's always kind of a funny insight to figure out if you get to that point where you're cracking everything in an organization. And once again, this isn't bleeding edge, cutting edge, insane research. I'm not a developer; like I said, I came from bars before this, so this is
not highly technical in nature, I would say.

So now we'll talk about what this is. I think one of the things that interests me most about passwords is it's almost like a non-breach breach, if that makes sense, right? We're not really exploiting vulnerabilities that are present on systems, we're not necessarily taking advantage of configuration issues, right? We're finding credentials and we're using those and we're pretending to be another user, and that's honestly what a lot of users do all the time, especially administrators. One of the things that I think we as attackers want to keep in mind is that often the best attackers look like standard administrators of an environment, right? So I think there's something interesting and something to be said about that. Some of the stuff I'm going to go over in this talk is more ways of thinking and approaches and ideas that I thought were interesting when it comes to trying to find passwords in environments. I've got some tools and some ways to use them, but what I generally want to try and convey during the course of this is a methodology and a mentality when it comes to looking for passwords. The screenshot on the right is the alleged hacker who broke into Uber a few months ago, or the summer, whenever that was, so we can see here that they claimed to have found a PowerShell script with admin creds in a network file share. I mean, these are real-world implications that have as much impact as any other vulnerability within an environment, if not more, I would probably say.

And then another quick aside: I threw a screenshot in here of this country magazine. I grew up visiting my grandma on a farm in southeast Ohio, and she had a subscription to this country magazine, and one of the things that they did (and I almost thought this was like a fever dream, it just kind of returned to me a couple of weeks ago) was they hid this really tiny image of a needle, one of them in every issue of the magazine, and as a kid I would just remember spending hours and hours poring over the pages of this magazine trying to find this tiny needle. You didn't get any prizes or anything, nothing came of it, but it was just kind of a fun little Easter egg, and I think that kind of approach is one of the reasons that I really enjoy looking for passwords in environments: just this idea of trying to find useful, tiny, hidden bits of information amongst a potential haystack.

So the first thing I want to talk
about is network file shares, NFS shares. I think this is where more often than not you see the most creep when it comes to potentially sensitive data. I think creds from network file shares have gotten me DA on more tests than probably any other configuration issue or attack path, just because it's easy. It's easy to impersonate other users, it's easy to use tools like runas and spawn PowerShell sessions as other users, it's easy to initiate RDP connections to other hosts as other users, right? A lot of those things aren't necessarily noisy or suspicious activities, especially if you're an administrator; those are things that administrators do all the time. There's also not a whole lot of really great tooling when it comes to battling network file share creep. There are things like Varonis, which I've looked into and I've heard clients use before, but that costs money, and it does a lot of other things, and I'm not entirely sure how it works because I've never used it. So it does exist, but there aren't a lot of really quick, easy wins to battling this, and this stuff is super pervasive, especially in older organizations, organizations that grow over time, right? This stuff just happens to build and build and build and build, and if you're not taking an active, intentional time and energy and effort to claw that back, then it definitely gets to a critical mass of just stuff everywhere. Another reason this is interesting is that the ACLs and access controls for some of these shares are often not what clients expect them to be, right? I've been on tests where I found SQL database administrator passwords, I've elevated that to the client, and the client's like, "Oh well, those are on a special share, so we're not worried about it," and I was like, "Well, I found them, so that means everyone else can too," right? So I think those are some of the reasons why network file shares are just such a rich potential attack path for finding credentials.

So let's talk about some of the tools that we can use to search for network file shares and try and find things on them. My secret sauce is Snaffler. When I first found this tool I thought it was the coolest thing in the world; I thought no one else knew about it. As I've used it more and more, I think a lot of people do use it, so it's probably not that secret anymore. Snaffler is a binary that you can build that will
automatically query Active Directory for every share in the environment, every computer and every share within the environment. What it then does is it checks to see if your user can access those shares, and then if your user can access those shares, it'll do some light grepping, if it can, of file contents for potentially sensitive strings, as well as file names and extensions, so things like .pem, .rdp, or just grepping for the word "password." One thing to note about Snaffler: it's super noisy, right? This is doing a ton of queries, it's reaching out to every system that it can within the environment, so if there's any sort of network-based detections within your testing environment that are tuned to look for things like SharpHound or other sorts of SMB traffic that exceed a certain threshold, this is probably going to get caught. There's a ton of output and it's not the most wieldy output, so I think it does take a little bit of grepping and cutting to find actionable data out of it. It can also take a really long time, right? I've been in huge enterprise environments where I've started this on a Thursday and come back to check on it again the following Tuesday and it's still running, because there's just so much data on these network file shares. So Snaffler is cool. This is my kind of standard usage down here, just to search the domain; the -s pipes it to standard out and the -o pipes it out to a log file as well. Like I said, it's a lot of data, it's definitely noisy, it could get you caught if you're trying to be sneaky, but we're not always trying to be sneaky, right?

Another interesting thing that I just started doing within the last couple of months is running this locally, running this locally just against a C drive. By default this is going to look out to Active Directory to try and find shares, but you can also point it at a local file system and scrape that file system for potentially sensitive information. This is often really useful if you're on a VDI or some sort of environment where there are provisioning scripts or things like that that are getting auto-executed at start that might have sensitive information in them, so definitely run that against any system you get on. I would consider this a rinse-and-repeat tool: when you get onto a box, enumerate whatever privilege escalation opportunities might exist and also enumerate whatever sensitive files might be on that box. I know there are tools like Seatbelt that give you a bigger, more holistic picture of situational awareness when it comes to being on a machine, but I think Seatbelt is probably a little bit more signatured against than running Snaffler locally, at least in my experience. I also have a funny note down here at the bottom: if you want to really be sneaky, you can look for all of these things in network file shares with File Explorer, which is kind of the ultimate LOLBin if you really think about it.

So some of the places that are worth manual investigation on NFS shares and things like that,
things that Snaffler doesn't always find, or things that I think are worth investigating a little bit more intentionally. I would say recently terminated employee folders. These are a really great place: someone gets let go or someone quits, and the first thing that some admin does somewhere is to just dump everything off of that person's workstation and put it on a network file share. Someone is going to get to that somewhere, someone is going to clean it up at some point; hopefully someone is going to keep the pertinent information from that folder and delete what's not pertinent and then apply the proper access control lists. But I've been on a lot of engagements where you can find these recently terminated employee folders and none of that data has gotten scraped through, right? This is kind of a process failure where, unless someone is on top of taking care of that task and seeing it through to completion, there's a lot of gaps that can exist in those processes where you might be able to find interesting or actionable data. Another thing that Snaffler doesn't always pick up on are PDFs. I don't think it does a really great job of scraping PDFs, so sometimes if you can find scan upload folders, where there's some sort of device in an office where everything that gets scanned gets sent to that network file share, you can look through those PDFs and try and find sensitive data. And OneNote backups. I don't think Snaffler does a great job at searching out OneNote backups, but these things, if you can find them, are trivially easy to export and load locally. I think there's a little bit of inherent trust in the fact that you're using a Microsoft product (I say that jokingly), but people have a tendency to consider what they would put in a OneNote notebook on their machine maybe slightly more secure than a flat text file on disk, so there's a potential for more interesting stuff in one of those. Looking at SYSVOL, I think this is domain privilege escalation 101, right? But you often find things in SYSVOL that have hard-coded creds or other deployment scripts or things like that that are worth checking out. Excuse me. So you can use tools like findstr as well, if you don't want to use things like Snaffler, just to look for quick files or certain things like that. PowerView also contains a lot of this functionality if you've got a PowerShell environment; I think there's Find-InterestingFile or the share enumeration functions, there are a couple of different functions built into PowerView that give you some of this network file share situational awareness, which is pretty great too.

So just a quick example. I had some heavily redacted screenshots from engagements that I've been on in the past, but I realized that was probably not a great idea to share in a presentation, so what I did is I went ahead and just Google searched for things that were close. So you'll see this is a recipe for pancakes, but just imagine that this was a network file share with a OneNote notebook backup that had sensitive credentials in it that we have
found.

So another thing that is worth checking out that's kind of like network file shares but different is SharePoint. There's a tool that was released not too long ago called SnaffPoint, which claims to be just like Snaffler but for SharePoint. I mention this tool with a caveat in that I haven't actively used it myself too often; it just came out a couple of months ago, or maybe even more recently, and I haven't been on an engagement with a SharePoint or Office 365 environment, so I haven't had a chance to use this. But I will say that SharePoint also has a really great search function that just lets you type in whatever you want to search for, so you don't even really need tools to look for sensitive data within SharePoint if you can just type in "password" and see what comes up. Also, as someone who has managed Office 365 environments in the past, I know that access control lists for SharePoint can be just as hard to maintain and manage, if not harder than, network file share ACLs, so this is another opportunity where process failures often abound and users have access to things that they shouldn't necessarily have access to. And the last interesting thing that I want to call out specifically about SnaffPoint is, because this is accessing cloud resources, there are a variety of different ways where you can obtain authentication to those cloud resources, right? So you don't necessarily have to be on an endpoint within a client environment to be able to use this tool; if you can create a token and use that as the bearer token for the tool, you could theoretically be searching that SharePoint from anywhere if you get access to Office 365 credentials. I think the attack paths leading up to that are obviously very different; there are tools like MFASweep and other tools that can check for conditional access policies and things like that that you could take
advantage of when attacking Microsoft cloud services, but just something to note.

So another really great place to find creds, which is something that I recently discovered when I started working at Black Hills about a year ago, is Active Directory metadata. And you say to yourself, "Ben, there is no way, no way anyone in their right mind would store the password to a domain account in the information field of an AD object. No one would do that. No way." And I will tell you: they do. They do, often, and a lot. AD Explorer is a great tool for interacting with this data. If you haven't used AD Explorer, Sally has some really great blog posts on interacting with client environments with AD Explorer. Another really great thing you can do with AD Explorer is export snapshots of an Active Directory environment, which are for the most part generally much more sneaky and stealthy than using BloodHound to collect that data. You can then convert that data into something that BloodHound can read and ingest it, and boom, you've got BloodHound data. I've got some quick strings here for looking for passwords in Active Directory objects; this uses the ADSI searcher functionality, so that's one way to look for these strings. You can also use AD Explorer, you can also use BloodHound if you do get BloodHound data, a different way; there are some Cypher queries that you can build to scrape these different attributes to look for potentially sensitive information.

Another place where obviously we see a lot of creds and secrets get stored is CI/CD services. If you can get access to these, it's really easy, much like SharePoint, to just search in the search bar for whatever you're interested in. One annoying thing: I was on an engagement where I had access to Bitbucket, and Bitbucket uses Elastic, I believe, for its search functionality, so it's not going to interpret characters. So I tried to search for something like "@domain.com" and it didn't interpret the at or the dots, so it's a little bit harder to search for interesting, specific data that way. But there are tools like TruffleHog which are great for automatically scraping GitHub, S3, all sorts of different services for potentially sensitive data. TruffleHog is also really great to use from an auditing perspective: if you have access to these you can run that yourself, see what comes back, and go from there. Another note: there are also much better talks out there in the world about start-to-finish attack chains, from open source intelligence gathering, recon, enumerating buckets and things like that, to getting to attack these from an unprivileged internet perspective, than
I will get into today. So I had another screenshot here of a previous engagement where I compromised credentials for a Bitbucket user. Those Bitbucket creds were found in a config file on a C drive on the starting host, because that starting host was provisioned for a developer. Once you had those creds for Bitbucket, you just search for the word "password," and I found even more domain credentials. Obviously this is not real data, but just an example that that stuff does exist and is pretty easy to find.

So with all of that in mind, one thing to make note of is canaries, right? Canaries do exist. If something seems too good to be true, there is the possibility that it might be. Have I found Excel docs called password.xls on tests that are legitimately full of passwords? Yes, absolutely. Have there been other times where I found those same Excel docs and gotten a warning from the client after I opened it that I triggered a canary token? Also yes. Just a reminder: everyone is in charge of their own threat model; you get to choose your own adventure when it comes to OPSEC. If you want to be super slow, there are probably really great ways to try and figure out whether or not these files are legitimate or real, maybe looking at what the containing folder is, what else is in that containing folder, what the timestamps are on these if you find multiple ones together. Obviously in an ideal world everyone would have six months to perform an engagement and we could move as slow as we wanted the entire time, but the reality of pen testing is sometimes you have five to ten days to do the work, and we want to try and maximize impact and provide as much value to the client as possible. Part of that might be opening a document that you have a suspicion might be a canary token, but you've got to find out anyway. So one time I did find one that was a canary token; I had a great screenshot of the alert that the client had sent me, so I scrubbed that and pulled one from Google. So this is a sample of what a canary token alert looks like when it gets generated when you open whatever the file might be.

So another interesting thing that I found, which is kind of funny and I just wanted to make a joke about, was files that have passwords in the name of the file. I feel like I've seen this often when testing financial institutions, where there might be some sort of compliance driver that says, "Hey, these documents, because they
contain sensitive financial data, need to be encrypted or password protected." So to get around that, because these documents need to get shared around heavily internally, clients will put the password to the document in the file name. I have seen that a lot; it's quite funny. The last time I found that, there was a CFO's social security number in one of the documents, so clearly not super effective.

Just want to talk about some kind of last resorts, AKA shots in the dark. So this has worked for me a handful of times in my career, but if you really can't find anything anywhere, sometimes I'll run tshark and just run a network traffic capture for as long as I can without that file size getting too aggressive. And there's this really great tool called PCredz, written by (I'm gonna butcher this person's name) Laurent Gaffié, who's the person that created Responder, and you can either have this tool listening while tshark is running and scraping for credentials, or you can point it at a pcap or any other kind of network traffic file type, and it will attempt to scrape all that data for potentially interesting NTLM, NTLMv2, Kerberos, HTTP basic auth, things like that. Excuse me. So there have been times where I've used this and gotten HTTP plaintext creds for certain services that are automated within an environment that you can use, so that's kind of a fun and interesting way to try and do things.

So with all that in mind, what are some of the ways that we as defenders can help solve this, right? So there's a really great tool from NetSPI called PowerHuntShares. This is a relatively recent tool that came out. What it does is it kind of does what Snaffler does, except instead of pulling interesting file names and all of that, it's just doing a little bit more in-depth enumeration of access controls: who can get to what, what computers have the
most excessive share permissions and privileges, and things like that. It's really great for defenders and auditors, not necessarily super actionable for attackers, but it is free and open source (maybe not open source, but it is free), so if you're interested you can pull that from GitHub and do some auditing and create some nice actionable reports. If you want to do it yourself, you can use Snaffler. Snaffler is one of those things that I recommend clients use regularly themselves internally, along with SharpHound, just to get an idea of what exists and doesn't in the environment. So here's kind of my cheat sheet for that: you can grep for [File], which will give you all of the files that Snaffler found, and then pipe that to wc -l, and you can also do that with TreeWalker, which is the text that Snaffler will create when it finds a share. You can compare those over time just to see how the number of accessible files and shares is changing; you can also obviously use that data to go check out what those files and shares are and clean those up on your own. But that's just kind of a free and open source way to do it as well that I would recommend.

And some last takeaways. First and foremost, fixing these things is incredibly hard, right? Security is always that balance between what's usable and what's secure, because if we wanted to make things absolutely secure we would go bury our laptops in our backyards and never get on them whatsoever, right? Or my mom, who has all of her passwords written down on notepad pieces in her home: if she loses those notepad pieces because someone breaks into her house, clearly I have bigger concerns than whether or not they can get on her Facebook. But finding that balance between usability and security is the ultimate goal. And a lot of the ways that these creds end up being in accessible places is because of process
failures, right? So it's not necessarily a patch that you can just push that's going to fix these problems. These are things that need to be part of the culture, need to be ingrained within an organization, and it has to be an active effort to keep these things secure. There's no point in having LastPass for your organization if a developer is still just going to save passwords to a database in a text file on their workstation, right? So there has to be buy-in from the people using these tools to make them effective. And honestly, people are lazy, and spoiler alert, that's me, I'm the lazy person. I think we're all guilty of doing this one time or another, right? We're just going to copy-paste a password into this text file just so we can get on a VM and copy and paste it easier, etc., etc., and you know what happens in an enterprise organization when those things accidentally get saved and not deleted and are found two years later by a pentester, right? So I fully admit that this is not an easy problem to fix, and it does require, I think, intentionality and effort and being aware of what the potential ramifications and implications of finding these creds are. And even then: so we've got a screenshot here, we all saw the news over the last couple of days about LastPass announcing further impact from their breach that happened over the summer. So regardless of how you store passwords and where, there is always the potential for those passwords to be recovered, which is another gentle reminder that defense in depth is your friend. We're not trying to make it impossible for attackers to get into your organization, but we're just trying to make it harder and take longer, and for them to be slower, and hopefully for detections to be able to catch up to those activities and respond accordingly.

And lastly, I have a slide just called "Questions plus link dump." If anything comes up, I'm on Twitter, Mastodon,
I said that, you can hit me up on there. I'm also on Discord so we can talk on there. But here are all of the links to things that I referenced during the course of this talk, which will be clickable once the slide deck ends up in your hands. I'm going to go ahead and stop sharing; we've got about four minutes left. Let me see if I can find the Q&A box. Here it is.

Thanks for your excellent talk, Ben. We've noticed that there are some questions waiting for you over in your Discord channel, but I think the most burning question is: what was your favorite drink to mix when you were a bartender?

Oh, my favorite drinks to make. I think a lot of bartenders like making tiki drinks, right? They're just a little bit obnoxious: you're using a ton of ingredients, you're using high-proof ingredients, you're using fun syrups and lighting things on fire and stuff like that. So my favorite drink to make and to drink is a Jungle Bird. It's kind of a dark rum tiki drink with pineapple and Campari, so it's got a little bit of bitterness to balance out the sweetness that you would ordinarily find, I think, in a lot of tiki drinks, just a little bit of bitter to make things a little bit more palatable overall.

Intriguing. I'll have to look for that recipe and try it soon; that's a good one. We don't have any other open questions here on Zoom, though, so thank you again for your excellent presentation. We appreciate you speaking, and everyone, Ben will be over in Discord to talk about this further and answer your questions, so head over there, and we will take the quick transition break that you've become accustomed to and be back at the top of the hour. Thank you.

Thanks for listening, y'all. Happy Friday.
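The defensive cheat sheet in the talk (grep Snaffler's log for [File] and share lines, pipe to wc -l, compare the counts over time) can be taken one step further so that an auditor sees not just whether the numbers moved but which shares and which flagged files appeared or were cleaned up between runs. The script below is an added example written for this page; it is not the speaker's cheat sheet and not Snaffler project code. It assumes a simplified line layout of "date time [Share|File] {Colour}<rule fields>(\\server\share\path)" as an approximation of Snaffler's log format (adjust LINE_RE if your version logs differently), and the two sample runs, rule names and paths are constructed, not real data.

```python
"""
Added example: audit two Snaffler runs and report what changed.
Not the speaker's script and not Snaffler project code.

ASSUMPTION: each log line is approximated as
    <date> <time> [Share|File] {Colour}<rule fields>(\\server\share\path)
Adjust LINE_RE if your Snaffler version logs differently.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\S+ \S+ \[(?P<kind>Share|File)\] \{(?P<colour>\w+)\}"
    r"<(?P<rule>[^>]*)>\((?P<path>[^)]*)\)"
)

# Constructed baseline run (not real data).
BASELINE_LOG = r"""
2023-01-05 09:00:01 [Share] {Green}<>(\\FS01\Public)
2023-01-05 09:00:02 [Share] {Green}<>(\\FS01\HR)
2023-01-05 09:01:10 [File] {Red}<KeepPassOrKeyInCode|R|password=|1.2kB|2022-11-20>(\\FS01\Public\scripts\deploy.ps1)
2023-01-05 09:01:12 [File] {Yellow}<KeepExtExactYellow|R|.rdp|0.4kB|2022-10-01>(\\FS01\Public\admin.rdp)
"""

# Constructed follow-up run a month later: admin.rdp was cleaned up, but a
# new "Terminated" share appeared carrying a departed user's files.
FOLLOWUP_LOG = r"""
2023-02-05 09:00:01 [Share] {Green}<>(\\FS01\Public)
2023-02-05 09:00:02 [Share] {Green}<>(\\FS01\HR)
2023-02-05 09:00:03 [Share] {Green}<>(\\FS02\Terminated)
2023-02-05 09:01:10 [File] {Red}<KeepPassOrKeyInCode|R|password=|1.2kB|2022-11-20>(\\FS01\Public\scripts\deploy.ps1)
2023-02-05 09:01:15 [File] {Red}<KeepExtExactRed|R|.kdbx|3.1kB|2023-01-30>(\\FS02\Terminated\jdoe\passwords.kdbx)
2023-02-05 09:01:16 [File] {Black}<KeepExtExactBlack|R|.pem|2.0kB|2023-01-28>(\\FS02\Terminated\jdoe\id_rsa.pem)
"""


def parse_snaffler_log(text):
    """Return (shares, files): the set of reachable share UNC paths and a
    dict mapping each flagged file path to its triage colour."""
    shares, files = set(), {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # progress messages and anything we don't recognise
        if m["kind"] == "Share":
            shares.add(m["path"])
        else:
            files[m["path"]] = m["colour"]
    return shares, files


def summarise(text):
    """The wc -l style numbers from the talk, plus a breakdown by colour."""
    shares, files = parse_snaffler_log(text)
    return {
        "shares": len(shares),
        "files": len(files),
        "by_colour": dict(Counter(files.values())),
    }


def compare_runs(old_text, new_text):
    """Diff two runs so an auditor sees what appeared and what was cleaned up."""
    old_shares, old_files = parse_snaffler_log(old_text)
    new_shares, new_files = parse_snaffler_log(new_text)
    return {
        "new_shares": sorted(new_shares - old_shares),
        "removed_shares": sorted(old_shares - new_shares),
        "new_files": sorted(set(new_files) - set(old_files)),
        "cleaned_files": sorted(set(old_files) - set(new_files)),
        "share_delta": len(new_shares) - len(old_shares),
        "file_delta": len(new_files) - len(old_files),
    }


if __name__ == "__main__":
    print("baseline :", summarise(BASELINE_LOG))
    print("follow-up:", summarise(FOLLOWUP_LOG))
    for key, value in compare_runs(BASELINE_LOG, FOLLOWUP_LOG).items():
        print(f"{key:>14}: {value}")
```

In practice you would feed the two `-o` log files from scheduled Snaffler runs into `compare_runs`; the `new_files` and `new_shares` lists are the items to chase down (here the constructed terminated-employee share is exactly the kind of folder the talk calls out), while `cleaned_files` confirms that earlier findings were actually remediated rather than just re-counted.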