Scavenger – A Post-Exploitation Scanning/Mapping Tool

SCAVENGER has the ability to find the newest files that have been accessed/modified/created and keep the result in an ordered database. Then, after time has passed, hours or days later the systems can be scanned again. SCAVENGER can then compare the previous list of “newest files” to the latest list of “newest files.” This gives the user the ability to find the “interesting” and most frequently files used on that system, for example password files being accessed by an administrator or heavily used credit card database files.

Whilst looking for “interesting” files, folder and services, SCAVENGER scans these filenames and their content for various “interesting” phrases, for example “password” or “secret.” Once detected SCAVENGER then downloads the “interesting” file to the local system. At the same time SCAVENGER also scans for Card Holder Data and also downloads the file if Card Holder Data is found.

• Make a list of the “latest” accessed/modified/created files and folders and keep these results in an ordered database
• Compare older versions of these lists to newly acquired ones to determine changes and identify new or most recently accessed and modified files
• Scan these filenames for words like “password” or “secret.”
• Seek out and and scrape passwords and usernames to other systems or even different Windows domains
• Seek out card holder data
• Extract password hashes from the local SAM file or the Active Directory database (to be cracked later)
• Extract saved passwords from certain applications (e.g., Chrome, apps usually used by sysadmins, etc.).

Future features will be the addition of services like NFS, FTP and database connections. Also adding more capability of retrieving passwords from remote Linux or Windows systems, without touching to the disk of the remote system. And without reinventing the wheel using SCAVENGER as a wrapper to use on Windows systems performing more post-exploitation techniques.