Password Hashes
If you can obtain a memory image, you can recover the password hashes from it. This
matters to penetration testers because once you have the hashes you can either crack
them or use them in pass-the-hash style attacks to access other systems on the network.
To do this we need to know the starting virtual addresses of the SYSTEM and SAM hives
in memory. Run hivelist and copy down the numbers in the first column that correspond
to the SAM and SYSTEM hives.
Place the virtual address of the SYSTEM hive in the -y switch and the address of the
SAM hive in the -s switch.
The following command pulls the password hashes out of memory and stores them in a
text file called hashs.txt:
Open hashs.txt and you will see the administrator hash and the password hashes for
the other users. These hashes can then be cracked on an online hash-cracking site or
with a password-cracking program such as John the Ripper or Hashcat.
Enumerating Processes
To enumerate processes using pool tag scanning, use the psscan command. This can
find processes that previously terminated (inactive) and processes that have been
hidden or unlinked by a rootkit.
volatility psscan -f memimage.raw --profile=Win7SP1x86
In the output of the psscan command above we see the physical offset, process name
and PID of every process that was found. Volatility can also show which programs are
running under each process, which helps malware analysts track down malicious
processes and the programs associated with them.
To scan physical memory for kernel modules, use the modscan command. This can pick
up previously unloaded drivers and drivers that have been hidden or unlinked by
rootkits. Included in the output is the offset of the module, which is a physical
address.
volatility.exe modscan -f infected-winxp.raw --profile=WinXPSP3x86
Download the above memory dump, which is infected with the Zeus malware.
Determine the OS of the machine the memory snapshot was taken from, using the
imageinfo command.
volatility imageinfo -f zeus.vmem
List the processes that were running when the snapshot was taken, using the pslist
command.
volatility pslist -f zeus.vmem --profile=WinXPSP2x86
List the registry hives loaded into memory, using the hivelist command.
volatility hivelist -f zeus.vmem --profile=WinXPSP2x86
The Userinit value specifies which program is launched right after a user logs into
Windows.
The default program for this value is C:\windows\system32\userinit.exe.
Userinit.exe is the program that restores your profile, fonts, colors, etc. for your
username.
Further programs can be made to launch from this value by appending them, separated
by commas. It is a common place for trojans to persist.
volatility printkey -f zeus.vmem --profile=WinXPSP2x86 -o 0xe153ab60 -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
List the processes in tree form using the pstree command. This plugin prints the
process list as a tree so we can visualize the parent/child relationships.
volatility pstree -f zeus.vmem --profile=WinXPSP2x86
We notice that winlogon.exe launched sdra64.exe, and that the system process
svchost.exe (Pid 856), whose parent is services.exe (PPid 676), is connected to the
internet and looks to have had code injected into it.
Let's revisit the printkey command to check whether the Windows firewall is enabled
or disabled.
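As an added example (not part of the original walkthrough), the following Python script applies the two checks above to Volatility text output: it parses the Winlogon key's Userinit value for extra comma-separated entries beyond the default userinit.exe, and parses pslist output for children of winlogon.exe that are not in an assumed set of expected children. The sample printkey and pslist text is constructed to mirror the page's findings (sdra64.exe launched by winlogon.exe), and the expected-children set is an assumption.

```python
import re

# Constructed sample of the Values section of `volatility printkey ... -K
# "Microsoft\Windows NT\CurrentVersion\Winlogon"` output; not taken from the page.
PRINTKEY_OUTPUT = r"""
Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_DWORD     AutoRestartShell: (S) 1
"""

# Constructed sample of `volatility pslist` output (columns shortened); PIDs other than
# 856/676 are made up for the example.
PSLIST_OUTPUT = """
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x810b1660 System                    4      0     58      379 ------      0
0xff2ab020 smss.exe                544      4      3       21 ------      0
0xff1ec978 winlogon.exe            632    544     24      536      0      0
0xff247020 services.exe            676    632     16      288      0      0
0x80ff88d8 svchost.exe             856    676     29      336      0      0
0xff364310 sdra64.exe             1664    632      1       32      0      0
"""

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption: the children winlogon.exe normally spawns on Windows XP.
EXPECTED_WINLOGON_CHILDREN = {"services.exe", "lsass.exe", "userinit.exe", "logonui.exe"}


def userinit_extras(printkey_text):
    """Return Userinit entries other than the default userinit.exe (trailing comma ignored)."""
    m = re.search(r"^REG_SZ\s+Userinit\s*:\s*\(\w\)\s*(.*)$", printkey_text, re.M)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def parse_pslist(pslist_text):
    """Map PID -> (name, PPID) from pslist output, skipping header and blank lines."""
    procs = {}
    for line in pslist_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def unexpected_winlogon_children(procs):
    """Names of processes whose parent is winlogon.exe but which are not expected children."""
    winlogon_pids = {pid for pid, (name, _) in procs.items() if name.lower() == "winlogon.exe"}
    return sorted(name for pid, (name, ppid) in procs.items()
                  if ppid in winlogon_pids and name.lower() not in EXPECTED_WINLOGON_CHILDREN)


if __name__ == "__main__":
    print("Extra Userinit entries:", userinit_extras(PRINTKEY_OUTPUT))
    print("Unexpected winlogon.exe children:", unexpected_winlogon_children(parse_pslist(PSLIST_OUTPUT)))
```

Both checks flag sdra64.exe on the constructed input; on a real image, feed the script the saved output of the printkey and pslist commands shown above.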
volatility printkey -f zeus.vmem --profile=WinXPSP2x86 -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
The apihooks plugin, run against the svchost.exe process with PID 856, finds two
inline hooks.
Now run the malfind plugin. Create a directory called out and let malfind dump the
injected code from process ID 856 into it.
volatility malfind -f zeus.vmem --profile=WinXPSP2x86 -p 856 -D out
Now upload the extracted dump from the out directory to VirusTotal; you will see that
it is detected as Zbot.