Saturday, March 19, 2011

Get password from memory dump

To explain how a password can be recovered from a memory dump, I will use forensic challenge #2 from "Nuit du Hack 2010" as an example.
Aim: extract the Administrator password from a Windows XP memory dump.

We will use a great tool to extract this password: Volatility. Volatility has a plugin called "hashdump" that extracts the password hashes from the registry hives in memory. Before we can use it, we have to locate the virtual addresses of the SYSTEM and SAM hives, because hashdump needs both (the SYSTEM hive holds the boot key used to decrypt the hashes stored in the SAM hive).

First, find the physical addresses of the registry hives (hivescan plugin):

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivescan
Volatile Systems Volatility Framework 1.4_rc1
Offset          (hex)        
44666888        0x02a99008
44694368        0x02a9fb60
[...]
380343784       0x16ab95e8
424820744       0x19524008

Then map them to virtual addresses (hivelist plugin):

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual     Physical    Name
0xe1cf9008  0x19524008  \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[...]
0xe15fdb60  0x0688ab60  \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15ebb60  0x06708b60  \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15fd008  0x0688a008  \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15f2658  0x066cf658  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe12eb288  0x02d58288  [no name]
0xe1035b60  0x02a9fb60  \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008  0x02a99008  [no name]
0x8066e904  0x0066e904  [no name]

Now that we have the SYSTEM and SAM virtual addresses, we can run the hashdump plugin (-y takes the SYSTEM hive address, -s the SAM hive address):

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hashdump -y 0xe1035b60 -s 0xe15f2658
Volatile Systems Volatility Framework 1.4_rc1
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::

The last step is to use ophcrack with rainbow tables to crack this hash (the hashdump output is in pwdump format: user:RID:LM hash:NT hash:::).

We have easily recovered the Administrator's password, which is "cuirmoustache". It cracks so easily because the dump still stores an LM hash next to the NT hash: LM hashes are case-insensitive and split into two 7-character halves, which is exactly what ophcrack's XP tables target. Disabling LM hash storage (the NoLMHash policy) and using passwords longer than 14 characters removes this weakness.
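The hivelist and hashdump steps above can be automated and the result checked for the weakness that made the crack easy. The following script is an added example, not code from the original post or from the Volatility project: it parses the Volatility 1.4 hivelist output in the format shown above (reproduced here as constructed sample text), picks the SYSTEM and SAM hive virtual addresses, builds the hashdump command line, and then parses pwdump-format hashdump output to flag accounts whose LM hash is stored or whose password is empty. The image name and profile are parameters with the page's values as defaults; the hashdump sample uses constructed placeholder hashes, while the two "empty" hash constants are the well-known LM and NT hashes of an empty string.

```python
"""Locate SYSTEM/SAM hives in Volatility hivelist output and audit hashdump results.

Added example (not from the original post). Assumes the Volatility 1.x
text output format shown on the page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abbreviated copy of the hivelist output format above.
HIVELIST_SAMPLE = r"""Volatile Systems Volatility Framework 1.4_rc1
Virtual     Physical    Name
0xe1cf9008  0x19524008  \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe15fdb60  0x0688ab60  \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15f2658  0x066cf658  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe12eb288  0x02d58288  [no name]
0xe1035b60  0x02a9fb60  \Device\HarddiskVolume1\WINDOWS\system32\config\system
"""

# Constructed sample hashdump output (pwdump format). The hashes are placeholders
# except for the Guest line, which uses the well-known empty LM/NT hashes.
HASHDUMP_SAMPLE = """Volatile Systems Volatility Framework 1.4_rc1
Administrateur:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (empty password)

# One hivelist row: virtual address, physical address, hive name (may contain spaces).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")


def parse_hivelist(text: str) -> List[Tuple[int, int, str]]:
    """Return (virtual, physical, name) tuples; header and banner lines are skipped."""
    hives = []
    for line in text.splitlines():
        match = HIVE_LINE.match(line.strip())
        if match:
            hives.append((int(match.group(1), 16), int(match.group(2), 16), match.group(3).strip()))
    return hives


def find_hive(hives: List[Tuple[int, int, str]], basename: str) -> Optional[int]:
    """Virtual address of the hive whose last path component equals basename (case-insensitive)."""
    for virtual, _physical, name in hives:
        if name.rsplit("\\", 1)[-1].lower() == basename.lower():
            return virtual
    return None


def hashdump_command(hivelist_text: str, image: str = "xp_forensics.vmem",
                     profile: str = "WinXPSP3x86") -> str:
    """Build the hashdump invocation from hivelist output (-y SYSTEM hive, -s SAM hive)."""
    hives = parse_hivelist(hivelist_text)
    system_addr = find_hive(hives, "system")
    sam_addr = find_hive(hives, "SAM")
    if system_addr is None or sam_addr is None:
        raise ValueError("SYSTEM or SAM hive not found in hivelist output")
    return (f"python volatility.py -f {image} --profile={profile} "
            f"hashdump -y {system_addr:#x} -s {sam_addr:#x}")


def parse_hashdump(text: str) -> List[Dict[str, object]]:
    """Parse pwdump-format lines (user:rid:lm:nt:::); non-matching lines are ignored."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def assess(account: Dict[str, object]) -> List[str]:
    """Defender-side findings explaining why a hash is weak or noteworthy."""
    findings = []
    if account["lm"] != EMPTY_LM:
        # A stored LM hash means NoLMHash was not enforced and the password is <= 14 chars.
        findings.append("LM hash stored: rainbow-table attack on LM is feasible")
    if account["nt"] == EMPTY_NT:
        findings.append("empty password")
    if account["rid"] == 500:
        findings.append("built-in Administrator account (RID 500)")
    return findings


if __name__ == "__main__":
    print(hashdump_command(HIVELIST_SAMPLE))
    for acct in parse_hashdump(HASHDUMP_SAMPLE):
        print(acct["user"], assess(acct))
```

Run against real output, feed the text of the hivelist and hashdump runs to the same functions; any account that reports "LM hash stored" is one for which the ophcrack step above would be expected to succeed quickly.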


Nuit du Hack challenges: http://wargame.nuitduhack.com/
Volatility plugin list: http://code.google.com/p/volatility/wiki/CommandReference