ISC Snapshot: Search with SauronEye
SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
If you’ve ever conducted a penetration test or a red/purples team engagement, you’ve been there. You’re staring at the target agency’s SharePoints and file shares and have recognized the bloody gold mine of pwnzorship it represents. Yet, as well we know, the search features in these scenarios are less than optimal. Maybe you’ve written scripts to help with this and batched up something useful, or cranked it out in PowerShell. @_vivami’s SauronEye is here to help. SauronEye is a “search tool to find specific files containing specific words, i.e. files containing passwords.”
SauronEye features, as cited from it’s GitHub page, include search of:
- multiple (network) drives
- contents of files
- contents of Microsoft Office files (.doc, .docx, .xls, .xlsx)
- multiple drives multi-threaded for increased performance
…and support for regular expressions in search keywords. Note too that SauronEye does not search %WINDIR%
and %APPDATA%
. Use the -SystemDirs
flag to search the contents of Program Files*
. SauronEye relies on multi-threading libraries only available from .NET 4.0 and later. SauronEye is a source package, you’ll need to roll your own here. I’ll assume you already have Visual Studio Community, here’s a quick build walkthrough. I work out of my C:\coding directory. In Visual Studio Community, click Clone or check out code, and give it you local path and the .git URL for SauronEye (Figure 1).
Figure 1: Clone SauronEye source
In Solution Explorer navigate to SauronEye.sln and open it.
In Solution Configuratons, switch from Debug to Release.
Click Build and select Build Solution.
Figure 2: Build SauronEye
That’s it, the resulting binary will be found in C:\coding\SauronEye\src\SauronEye\bin\Release.
The working scenario/user case here is again one that should be very familiar to red teamers and adversaries alike. I have NEVER assessed an organization where I didn’t find information and data stored on SharePoint or file shares that enabled either the compromise of individuals or systems, or both. Password files, sensitive PII, private keys, configuration strings, you name it, you’ll find it. It is here where SauronEye shines.
To validate SauronEye’s efficacy I planted a few files throughout my file directory. These included a SQL connection string in Documents\Cache, 500 really bad passwords in a text file on my Desktop, a PII file with SSNs in Documents, and 1000 test credit card numbers in Downloads. I ran SauronEye as follows:
C:\coding\SauronEye\src\SauronEye\bin\Release>SauronEye.exe -Dirs C:\Users\rmcree\ -Keywords password, connection, ssn, card* -Filetypes txt, .xls, .xlsx, .conf -Contents > results.txt
SauronEye immediately landed relevant file paths, then moved on to content:
=== SauronEye ===
Directories to search: c:\users\rmcree\
For file types: .txt, .xls, .xlsx, .conf
Containing: password, connection, ssn
Search contents: True
Search Program Files directories: False
Searching in parallel: c:\users\rmcree\
[+] c:\users\rmcree\AppData\Local\Microsoft\Windows\FileHistory\Data\613\C\Users\rmcree\Documents\cache\SQLconnection.txt
[+] c:\users\rmcree\Desktop\500-worst-passwords.txt
[+] c:\users\rmcree\Documents\cache\SQLconnection.conf
[*] Done searching file system, now searching contents
Content discovered from my planted files included the SQL connection string:
[+] c:\users\rmcree\AppData\Local\Microsoft\Windows\FileHistory\Data\613\C\Users\rmcree\Documents\cache\SQLconnection.txt:
Server=Pwn3dSQLServer\PwnM3;Database=IMPWN3D;User Id=ImaDumass;Password=123456;
Results from the 500 worst passwords are seen in Figure 3.
Figure 3: SauronEye finds really bad passwords
Customer PII is uncovered in Figure 4.
Figure 4: SauronEye reveals PII
From the 1000 credit card records:
[+] c:\users\rmcree\Downloads\1000_CC-Records.xlsx:
Jefferson Trina A Carroll Jason K Bray Denny
This is a project to watch, and definitely one to try out during your next red team engagement, penetration test, or audit/assessment. It’s guaranteed you’ll find useful results. Please use SauronEye responsibly. Vincent is committed to this project, was immediately responsive to a bug query, and deployed a fix in less than 24 hours. Please support him with bug reports, feature requests, or pull requests.
Cheers…until next time.
Comments