To explain how we can get password from memory dump, I will use forensic challenge #2 from "Nuit du Hack 2010" as example.
Aim : extract Administrator password from the Windows XP memory dump
We will use a great tool to extract this password which is : Volatility. Volatility has a plugin called "hashdump" to extract password hashes. So we have to use it, but before we have to locate virtual address of SYSTEM and SAM hive.
Find physical adresses of registry hives (hivescan plugin) :
user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivescan
Volatile Systems Volatility Framework 1.4_rc1
Offset (hex)
44666888 0x02a99008
44694368 0x02a9fb60
[...]
380343784 0x16ab95e8
424820744 0x19524008
Then locate virtual addresses (hivelist plugin) :
user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual Physical Name
0xe1cf9008 0x19524008 \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[...]
0xe15fdb60 0x0688ab60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15ebb60 0x06708b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15fd008 0x0688a008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15f2658 0x066cf658 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe12eb288 0x02d58288 [no name]
0xe1035b60 0x02a9fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a99008 [no name]
0x8066e904 0x0066e904 [no name]
Now we have SYSTEM and SAM virtual addresses, so we can run hashdump plugin :
user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hashdump -y 0xe1035b60 -s 0xe15f2658
Volatile Systems Volatility Framework 1.4_rc1
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::
Last step is to use ophcrack with rainbow tables to crack this password :
We have easily got Administrator's password which is "cuirmoustache".
Nuit du Hack challenges : http://wargame.nuitduhack.com/
Volatility plugin list : http://code.google.com/p/volatility/wiki/CommandReference
No comments:
Post a Comment