Incident Response, Penetration Testing

Links between forensics and pen tests

Last year on the show, Marcus J. Carey presented a tech segment about using memory analysis in penetration tests. Memory acquisition came into its own for incident responders a few years back. Even before tools like Volatility, Memoryze or HBGary’s Responder were available, many incident responders, including me, used the strings command to perform rudimentary searches and “analysis” of memory artifacts.
Linux_strings.pngFigure 1: strings output of a Linux VM’s memory image. The highlighted “forensics” happens to be the root password.
Shortly after Carey’s presentation, DarkOperator posted a Meterpreter script that would dump memory and save it offline for later analysis. Passwords are a high value memory artifact for penetration testers. As someone working in app sec and incident response, Carey got me thinking about other things that forensics practitioners may find commonplace, but that may be overlooked by penetration testers. Both disciplines inform each other.
Let’s say you’re a penetration tester (or an Amortized Perennial Threat as Shawn Moyer says he is) and you’re working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).
What is the best way to locate these documents? You could manually navigate the various common directories where people store documents, read the directory listings and copy down those files that look interesting. But this is a labor intensive process and you may miss something if the user has tucked important files in odd locations.
If only there were a place on the file system that held information about files, a place where we could look and see all of the files that had been opened on the system and that would map back to the location of those files, even if those files were on network shares or removable media. Fortunately for us, there is such a location, in fact, there are two well known ones.
Windows systems have a feature that creates shortcuts for common document types, including Office files when those files are opened by a user. The idea of using these shortcuts during a pen test is not new. In fact, it was mentioned before on Security Focus’ Pen-Test mailing list, but I don’t believe it’s been ahem, weaponized until now.
These shortcuts or link files are created by Windows to facilitate the “Recent” document features of modern Windows operating systems. For Windows XP the default location for link files is under Documents and Settings<username>Recent with Microsoft Office files having their own location in Documents and Settings<username>Application DataMicrosoftOfficeRecent. Vista and later versions of Windows have moved the recent link files to Users<username>AppDataRoamingMicrosoftWindowsRecent and Users<username>AppDataRoamingMicrosoftOfficeRecent. There may be other locations specific to other applications as well.
For the two common locations, I have created a Meterpreter script port of Harlan Carvey’s that is commonly used by forensics analysts to dump the contents of Windows’ .lnk files.
dumplinks.rb can be used with the Meterpreter to dump the contents of Windows’ .lnk files either to the Metasploit user’s local file system, or to the console. By default, dumplinks.rb, runs in a less verbose mode than Carvey’s, in that it only reports the time stamps for the .lnk files themselves, then prints the time stamps contained within the .lnk files that are time stamps for the target file and finally, the target file’s location is printed.
Enough drivel, here’s a couple of screen shots:
dumplinks.rb-help.pngFigure 2: dumplinks help screen
And one of the script in action, dumping to the console:
dumplinks.rb-e.pngFigure 3: dumplinks sending everything to the console
Of course there are other tools and techniques that cross-over from forensics to penetration testing. I will be back with another, as soon as I can find the time. For now, enjoy the dumplinks.
Dave Hull describes his working life as on the Venns between incident response, forensics and web applicaiton security. He will be teaching SANS Forensics 508: Computer Forensics Investigation and Incident Response in Boston, March 15 – 20

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.