When you are performing a penetration test, you need to learn how your target is working: What kind of technologies and tools are used, how internal usernames are generated, email addresses format, ... Grabbing for such information is called the reconnaissance phase. Once you collected enough details, you can prepare your different scenarios to attack the target.All pentesters have their personal toolbox that has been enhanced day after day. In many cases, there is no real magic: to abuse or get around a security control x, use the tool y. Butthere is also a question of chance...Lucky people can discover security issuesby chance. This also applies to bad guys.
A goldmine for the pentester are temporary directories. Almost all software use temporary files to perform their tasks. Users like to use them to exchange files with colleagues.Ill give you two real examples:
In a recent mission, I took control of a workstation connected to the Windows domain then I started to collectjuicy data bybrowsingall the fileshares. The customer implemented access controls and access to files was restricted at group level (Example: only the IT team was able to access the I: drive containing technical documentation about the infrastructure). However, some people exchanged IT related files via the T: share and they were still available during the pentest.
Another one?When pivoting from workstationto workstationon a LAN, I discovered a screenshot on a users desktop. This screenshot was a domain controller admin page which listed all the domain administrators. I just had to track them and, once a valid session found, to extract the users password with Mimikatz to get domain admin privileges.
On Linux systems, the /tmp directory is usually cleaned at boot time or via a cron (files older than x days are removed) but other places like /var/tmp, /usr/local/tmp are not cleaned by default! It is easy to schedule the following command at regular interval. It will delete files from /tmp that haven
On Ubuntu, files in /tmp are cleaned at book time via the variable TMPTIME=days in /etc/default/rcS. Be sure to check your Linux distribution to know how it takes care of /tmp.For Windows, its even worse, there is no automatic deletion of files stored in %TEMP%."> rd %TEMP% /s /q"> PS C:\ $days = (Get-Data).AddDays(-7)PS C:\ $path = T:\PC C:\">Some best practices:
- By definition, temporary files must have a very short life time.
- Do NOT share sensitive data via fileshares (database dumps, backups, passwords lists, ...)
- Once you finished to work with temporary files, dont forget to delete them.
- If you need to exchange files with colleagues via a shared folder, keep in mind thatoftenother people could read them.
- Change the permissions to restrict access to authorized users/groups only viachmod / chown on UNIX or icacls on Windows (or the GUI).
- Encrypt sensitive data (internally, a password protected zip file will be enough in most cases).
- On Unix, use umask to change the default permissions of created files.
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key