In order to train for CTF competitions, today I go on with Memory Forensics, especially Memory Dumps. Let's begin!
+ Explanation
- Memory Forensics
Memory Forensics can provide unique insights into runtime system activity, including open network connections and recently executed commands or processes. In many cases, critical data pertaining to attacks or threats will exist solely in system memory – examples include network connections, account credentials, chat messages, encryption keys, running processes, injected code fragments, and internet history that is never written to the disk cache.
- Memory Dump:
A Memory Dump (also known as a core dump or system dump) is a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensics data about the state of the system before an incident such as a crash or security compromise. Memory dumps contain RAM data that can be used to identify the cause of an incident and other key details about what happened.
- Volatile Data:
Volatile data is the data stored in temporary memory on a computer while it is running. When a computer is powered off, volatile data is lost almost immediately. Volatile data resides in a computer’s short term memory storage and can include data like browsing history, chat messages, and clipboard contents.
+ Types of Memory Dumps
- Complete memory dump:
A complete memory dump is the largest type of memory dump possible. It contains a copy of all the data used by Windows in physical memory. So, if you have 8 GB of RAM and Windows is using 4 GB of it at the time of the system crash, the memory dump will be 4 GB in size. Crashes are usually caused by code running in kernel mode, so the complete information including each program’s memory is rarely useful — a kernel memory dump will usually be sufficient even for a developer.
- Kernel memory dump:
A kernel memory dump will be much smaller than a complete memory dump. Microsoft says it will typically be about one-third the size of the physical memory installed on the system.
- Small memory dump:
A small memory dump is the smallest type of memory dump. It contains very little information — the blue-screen information, a list of loaded drivers, process information, and a bit of kernel information. It can be helpful for identifying the error, but offers less detailed debugging information than a kernel memory dump.
- Automatic memory dump:
This is the default option, and it contains exactly the same information as a kernel memory dump.
-------------------------------------------------------------------------------------------------------------------------
+ Volatility Framework:
Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux, for the extraction of digital artifacts from volatile memory (RAM) samples. The framework is intended to introduce people to the techniques and complexities associated with digital artifacts and provide a platform for further work in this exciting area of research.
+ Install :
# git clone https://github.com/volatilityfoundation/volatility.git
+ Usage : (requires Python 2.x with PyCrypto & distorm3.4.4)
In this article, I will demo a simple script with a memory dump: getting all users' passwords on Windows. Let's set up!
I'm going to use 2 VMware machines: my Ubuntu (20.04.1) and a Windows XP.
+ On Win XP: install DumpIt from the MoonSols company
https://github.com/thimbleweed/All-In-USB/tree/master/utilities/DumpIt
Press y and wait for the process to finish ...
The raw file right here contains all the information about the RAM in use on the Windows 10 VM machine at the time DumpIt ran.
Let's move or copy the file to the machine where Volatility is installed.
+ On My Ubuntu:
volatility -f <file_dump.raw> imageinfo
-f : file
imageinfo: Identify information for the image
And here is the result
The suggested profile row identifies the operating system of the host that created the raw file being analyzed. In this case, the result WinXPSP2x86 is correct.
Next, the information we need to obtain is the hivelist. The hivelist gives the addresses of the registry hives, which hold the information about the users on the target machine.
Command
volatility -f <file_dump.raw> --profile=PROFILE hivelist
hivelist: extract the list of registry hives in the memory dump
The above result presents the registry hives of the user at the time DumpIt took the snapshot. The next step is to find the password hashes.
With the virtual offsets of SYSTEM and SAM, we can extract the hashes (in my result: SAM is 0xe16116b8 and SYSTEM is 0xe1035b60)
volatility -f <file_dump.raw> --profile=<profile> hashdump -y <SYSTEM offset> -s <SAM offset> > hashes.txt
hashdump: Dump password hashes from memory
Result :
Use John or Hashcat to crack the hashes, or an online md5 cracking website
Successfully!
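As an added example (not code from the original post or from Volatility itself), the Python 3 script below automates the three steps above: it reads the suggested profile from imageinfo output, pulls the SYSTEM and SAM virtual offsets out of hivelist output, builds the hashdump command line, and triages the resulting pwdump-style lines (flagging accounts whose NT hash is the well-known empty-password hash). The Volatility outputs embedded in the script are constructed samples shaped like the real tool's output.

```python
import re
# Constructed sample of the "Suggested Profile(s)" row from "volatility -f dump.raw imageinfo".
IMAGEINFO_OUT = "          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)\n"
# Constructed sample of "volatility -f dump.raw --profile=WinXPSP2x86 hivelist" output.
HIVELIST_OUT = r"""Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02b5fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1388b60 0x0c2e6b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe16116b8 0x0a7926b8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
"""
# Constructed pwdump-style hashdump output (sample values, not real credentials).
HASHDUMP_OUT = ("Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
                "Adam:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\n")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (also seen when LM storage is disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (account has no password)

def suggested_profile(text):
    """First profile on the 'Suggested Profile(s)' row of imageinfo output."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(\w+)", text)
    if not m:
        raise ValueError("no suggested profile in imageinfo output")
    return m.group(1)

def hive_offsets(text):
    """Virtual offsets of the SYSTEM and SAM hives from hivelist output."""
    found = {}
    for m in re.finditer(r"^(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(.+)$", text, re.I | re.M):
        name = m.group(2).strip().lower()
        for hive in ("SYSTEM", "SAM"):
            if name.endswith("\\config\\" + hive.lower()):
                found[hive] = m.group(1)
    missing = {"SYSTEM", "SAM"} - set(found)
    if missing:
        raise ValueError("hive(s) not found: %s" % sorted(missing))
    return found

def hashdump_argv(dump, profile, offsets):
    """argv for the hashdump step: -y takes the SYSTEM offset, -s the SAM offset."""
    return ["volatility", "-f", dump, "--profile=" + profile, "hashdump",
            "-y", offsets["SYSTEM"], "-s", offsets["SAM"]]

def triage_hashes(text):
    """Split pwdump lines (user:rid:LM:NT:::) and flag empty-password accounts."""
    rows = []
    for parts in (l.split(":") for l in text.splitlines() if l.count(":") >= 4):
        lm, nt = parts[2].lower(), parts[3].lower()
        rows.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
                     "empty_password": nt == EMPTY_NT, "lm_stored": lm != EMPTY_LM})
    return rows
```

Feed the real imageinfo and hivelist output into these functions, run the returned argv with subprocess, and pass its stdout to triage_hashes to see which accounts are worth cracking at all.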
Another script with a memory dump using Volatility: I will read the content of a Notepad file created by the user.
+ On Windows 7
Compose an arbitrary text in Notepad and snapshot the memory with DumpIt
volatility -f <file_dump.raw> --profile=Win7SP1x86_23418 pslist | grep notepad
pslist: Print all running processes by following the EPROCESS lists.
This result is exactly what we expected!
We got the PID of notepad's process (3244); continue with the command
volatility -f /home/ubuntu/xanh.raw --profile=Win7SP1x86_23418 memdump --dump-dir=./ -p 3244
memdump: Dump the addressable memory for a process
Okay, next step: we grep for the content we want to check
strings -e l ./3244.dmp | grep "flag"
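As an added example (not from the original post), here is a small Python 3 emulation of the `strings -e l | grep "flag"` step, run over a constructed stand-in for the notepad process dump. It shows why the `-e l` switch matters: Notepad keeps its edit buffer as UTF-16LE, so a plain ASCII `strings` scan never sees the flag while the 16-bit little-endian scan does.

```python
import re

# Constructed stand-in for a slice of the notepad.exe memdump (not a real dump).
# Notepad keeps its edit buffer as UTF-16LE, so the flag is only visible to a
# 16-bit little-endian scan ("strings -e l"), not to a plain ASCII scan.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"                          # binary noise
    + "This is a test".encode("utf-16-le") + b"\x00\x00"
    + b"ascii_only_here\x00\x00"                       # visible only to plain strings
    + "flag{memory_forensics_demo}".encode("utf-16-le")
    + b"\xff\xfe\x00\x00"
)

def strings_utf16le(data, min_len=4):
    """Emulate `strings -e l`: runs of at least min_len printable characters
    encoded as 16-bit little-endian units (printable byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(data)]

def strings_ascii(data, min_len=4):
    """Emulate plain `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]

def grep(found, needle):
    """The `| grep "flag"` step: keep only the strings containing the needle."""
    return [s for s in found if needle in s]

def find_in_process_dump(path, needle="flag"):
    """Run both scans over a memdump file (e.g. ./3244.dmp) and return the hits."""
    with open(path, "rb") as f:
        data = f.read()
    return {"utf16le": grep(strings_utf16le(data), needle),
            "ascii": grep(strings_ascii(data), needle)}
```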
One more ability I want to demo for you guys: reviewing the cmd history on the target machine
Step 1: Find the profile with imageinfo:
Use the command
volatility -f /home/ubuntu/xanh.raw --profile=Win7SP1x86_23418 cmdscan
cmdscan: Extract command history by scanning for _COMMAND_HISTORY
And the result is exactly what we expected
+ Memory Forensics in CTF
1. Investigation - InCTF Internationals 2020
Download file: here
This file has a .7z extension. After checking its type with the file command, I extracted it on Windows and sent it to my Ubuntu.
Analyze it using Volatility
As you can see, the profile is Win7SP1x64
Question 1: When did Adam last use the Windows calculator?
Firstly, I use pslist to enumerate all the processes Adam has used. But when I look through the table, I can't find a calc.exe process
volatility -f win7.vmem --profile=Win7SP0x86 userassist
userassist: Print userassist registry keys and information
How many times did Adam use Google Chrome in this system?
Misc 100 : TRYHARD
Welcome to the journey of memory analysis. In the last step, you can use the password found in the WeakAuth challenge. Good luck!
GNU Privacy Guard (GPG) allows you to securely encrypt files so that only the intended recipient can decrypt them. ... GPG relies on the idea of two encryption keys per person. Each person has a private key and a public key. The public key can decrypt something that was encrypted using the private key.