Mmm, bacon. When I'm doing a penetration test, bacon is what I'm looking for. And while I like the crispy, tasty kind as much as the next guy (everything is better with bacon), I'm really looking for the security insights that help a client "get it." We've all been there: we say something like "we totally owned your domain controller!" But all the client can muster is a blank stare while they try to understand the gravity of the situation. My countermeasure for this is to hit them where it hurts and express the threat in ways that business people understand. To do that, I need to show the client the impact a vulnerability has on their "pork gathering" opportunities (i.e. bringing home the bacon). The cool thing is that by demonstrating how their bacon quotient (I should trademark that) is impacted negatively, I simultaneously impact my bacon quotient in a positive way.
As some of you know, I have a love/hate relationship with Dropbox and other enterprise file sharing services (EFSS). As a network defender, given the lack of software to properly control data loss via an HTTPS encrypted channel, I don't really think EFSS belongs in most business environments. As a penetration tester, I love to see EFSS. Why (other than the obvious: DropSmack)? Well, read on.
Want to find the juicy nuggets for your out brief? Want to see what the target references the most? It's in their EFSS sync folder. This has become especially useful since access time stamps were turned off in later versions of Windows. If for instance a target uses a document but doesn't modify it, we have to resort to MRU or some other artifact to identify the files the target is using.
When EFSS is installed, you already know the files the target uses. They are the files synchronized between sites. The fact that a target synchronizes files between sites implies that they need them in multiple locations. This means they are the "important" files. All things being equal, these are the files I'm going after.
Stay tuned for more insights on EFSS and network defense/penetration testing.