Of the current offensive and defensive technique arsenal, analysis of volatile memory is far from the most explored channel. One is far more likely to hear about input validation attacks or attacks against protocols and cryptography, while keys, passphrases, credit card numbers and other precious artifacts sit unprotected in memory. Memory analysis is a mine waiting to be explored, since it rests on one of the most vulnerable and unavoidable resources of any system: memory. From Java to Stuxnet, Windows and the Cloud, I will try to show some scenarios where these techniques can be applied and their impact as a threat, and to bring an important and fun subject not just to those who work in forensics but also to penetration testers like myself. Finally, I will also try to show how this can be used defensively, for monitoring and protection tools in networks with systems in production.
1. You suck at Memory Analysis
give it up, it’s not worth it
2. Disclaimer
• Contents displayed such as thoughts and opinions are exclusively
those of Francisco Gama Tabanez Ribeiro, the author, and do not
reflect the viewpoint or policy of any of my employers.
• You are free to use these contents for your works as well as make
derived works from it as long as you keep visible and explicit
references to this website in proper place.
• Images and references to other works within this production remain
the property of their respective holders. All licenses explicitly
applied to individual resources shall override this one.
3. Who?
• Francisco da Gama Tabanez Ribeiro
• Penetration Testing @ Portugal Telecom
• Certificates that I don’t have:
MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001,
CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI,
ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
5. Some of the real experts here.
• Michael Cohen • Mike Auty
• Brendan Dolan-Gavitt • Michael L. Hale
• Jesse Kornblum • Harlan Carvey
• Mark Russinovich • Dmitry Vostokov
7. Why?
• OS & process behavioral tracing
• app debugging & profiling
• malware analysis (Rootkit Paradox)
• mining raw data artifacts
• low level monitoring
• plays well with Social Engineering
• supports the Cloud, VM’s & mobile’s
suggested reading:
Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
11. Memory Acquisition Tools
• MoonSols tools, mdd, dd
• memdump, userdump
• nigilant32, KNTTools, WMFT
• Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
suggested reading:
Tools: Memory Imaging, Forensics WiKi
13. Memory Acquisition Gotchas
• memory images taken live may come “blurred” (the system keeps running while pages are copied)
• time required increases with memory size
• for faster scans of kernel space, reduce its size (/3GB switch)
suggested reading:
Acquisition and analysis of volatile memory from android devices, Digital Investigation
15. /3GB Startup Switch in 32-bit Win
boot.ini file
Default: user space 0x00000000..0x7FFFFFFF, kernel space 0x80000000..0xFFFFFFFF
/3GB:    user space 0x00000000..0xBFFFFFFF, kernel space 0xC0000000..0xFFFFFFFF
suggested reading:
How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
21. Piezo-Acoustic iPod Hack
• iPod 4G
• firmware dump by playing sounds
• ARM code that can read addresses 0 through 65535
• one sound to represent a 1 bit, another for a 0 bit
• 64 kb file at 5 bytes/sec
• sound recognition/ error detection & correction
• iPod-Linux project
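The channel described above, as an added Python reconstruction (it is not the iPod-Linux project's ARM code and nothing here comes from the original talk): one tone per bit value, a Goertzel detector to recognise which tone was played, and an even-parity bit per byte as the error-detection part. Sample rate, the two frequencies, 20 ms per bit and the 9-bit frame are all assumptions of the example; at those values the link runs at roughly the 5 bytes/s the slide quotes.

```python
import math

SAMPLE_RATE = 8000          # Hz (assumed)
BIT_SAMPLES = 160           # 20 ms per bit -> ~5.5 bytes/s with the 9-bit frame below
FREQ_ZERO = 1000.0          # tone for a 0 bit (assumed)
FREQ_ONE = 2000.0           # tone for a 1 bit (assumed)


def goertzel_power(samples, freq):
    """Energy of `samples` at `freq`: a single-bin DFT, the usual tone detector."""
    n = len(samples)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frame_bits(byte):
    """8 data bits MSB first plus one even-parity bit: the error-detection part."""
    bits = [(byte >> i) & 1 for i in range(7, -1, -1)]
    return bits + [sum(bits) & 1]


def tone(bit):
    f = FREQ_ONE if bit else FREQ_ZERO
    return [math.sin(2.0 * math.pi * f * i / SAMPLE_RATE) for i in range(BIT_SAMPLES)]


def modulate(data):
    """Bytes -> audio samples: what the payload on the device would 'play'."""
    samples = []
    for byte in data:
        for bit in frame_bits(byte):
            samples.extend(tone(bit))
    return samples


def demodulate(samples):
    """Audio samples -> (bytes, indices of frames whose parity did not check out)."""
    bits = []
    for i in range(0, len(samples) - BIT_SAMPLES + 1, BIT_SAMPLES):
        window = samples[i:i + BIT_SAMPLES]
        bits.append(1 if goertzel_power(window, FREQ_ONE) > goertzel_power(window, FREQ_ZERO) else 0)
    out, bad_frames = bytearray(), []
    for frame_no, j in enumerate(range(0, len(bits) - 8, 9)):
        frame = bits[j:j + 9]
        value = 0
        for bit in frame[:8]:
            value = (value << 1) | bit
        if sum(frame[:8]) & 1 != frame[8]:
            bad_frames.append(frame_no)          # detected, not corrected: parity only
        out.append(value)
    return bytes(out), bad_frames


def corrupt_bit(samples, frame_no, bit_no):
    """Simulate a misheard tone by replacing one bit's tone with the opposite one."""
    start = (frame_no * 9 + bit_no) * BIT_SAMPLES
    window = samples[start:start + BIT_SAMPLES]
    heard_one = goertzel_power(window, FREQ_ONE) > goertzel_power(window, FREQ_ZERO)
    return samples[:start] + tone(0 if heard_one else 1) + samples[start + BIT_SAMPLES:]


if __name__ == "__main__":
    audio = modulate(b"iPod")
    print(demodulate(audio))                      # (b'iPod', [])
    print(demodulate(corrupt_bit(audio, 1, 0)))   # second byte garbled, frame 1 flagged
```

Parity only detects an odd number of flipped bits per frame; the correction the slide mentions would need a real code (Hamming or similar) on top, and a real microphone capture would need windowing and a noise threshold before the two-bin comparison.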
26. Volatility
• an advanced memory forensics framework
• extraction of digital artifacts from volatile memory (RAM) samples
• plugin based architecture
• major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch)
• Python
suggested reading:
An advanced memory forensics framework - Volatility, Google Wiki pages
Volatility - Memory Forensics, Volatile Systems
29. Windows - things you can analyze
• processes, threads, sockets, connections, modules
• files & DLLs loaded for each process
• the hive (registry handles)
• process' addressable memory & executables extraction
• OS kernel modules
• mapping physical offsets to virtual addresses (strings to process)
• security access tokens
• more, much more...
30. mimikatz - getting clear text passwords in Windows
(diagram) Client Application -> SSPI -> Digest SSP -> Server
Local Security Authority SubSystem (LSASS): LSA Server, Digest SSP Service
31. mimikatz injects sekurlsa.dll into LSASS
32. inside LSASS the TsPkg, Wdigest and LiveSSP packages keep credentials protected with LsaProtectMemory; the injected code calls LsaUnprotectMemory on them
34. mimikatz - getting clear text passwords from Windows
• Traitement du Kiwi - injects sekurlsa.dll into LSASS
• TsPkg & Wdigest keep passwords encrypted (reversibly), not hashed
• used for Kerberos, NTLM/LM, HTTP Digest authentication
• LsaUnprotectMemory, called from inside LSASS, returns the clear text password
• pass the word > pass the hash
35. Windows - Process reconstitution
• OS list walking (KPCR > PsActiveProcessHead > _LIST_ENTRY > _EPROCESS...) (pslist)
• pool tags (psscan)
• others..
36. Windows - _EPROCESS structure
• image filename
• process id, parent process id
• create/exit times
• base priority
• exit status
• next/prev process block
• image base address
• ...
suggested reading:
struct EPROCESS, NirSoft
38. Windows - process reconstitution
PsActiveProcessHead -> EPROCESS <-> EPROCESS <-> EPROCESS
each _EPROCESS carries a LIST_ENTRY whose Flink points to the next entry and Blink to the previous one; the chain starts and ends at PsActiveProcessHead
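The list walk and the pool-tag carve side by side, as an added Python example (not Volatility's code and not from the talk): it builds a constructed 4 KiB "image" with a deliberately simplified, hypothetical _EPROCESS layout (pool tag, pid, ppid, LIST_ENTRY, name; the real structure, the _POOL_HEADER and virtual-to-physical translation are left out), unlinks one process DKOM-style, and shows that pslist misses it while psscan and the cross-view comparison do not. The b"Proc" tag, the offsets and build_sample_image are the example's own assumptions.

```python
import struct

# Hypothetical, simplified _EPROCESS layout for this example (NOT the real Windows layout):
#   0x00  pool tag                        4 bytes  b"Proc"
#   0x04  UniqueProcessId                 u32 LE
#   0x08  InheritedFromUniqueProcessId    u32 LE
#   0x0C  ActiveProcessLinks.Flink        u32 LE  (address of the NEXT entry's LIST_ENTRY)
#   0x10  ActiveProcessLinks.Blink        u32 LE  (address of the PREVIOUS entry's LIST_ENTRY)
#   0x14  ImageFileName                   16 bytes, NUL padded
POOL_TAG = b"Proc"
LINKS_OFFSET = 0x0C
EPROCESS_FMT = "<4sIIII16s"
EPROCESS_SIZE = struct.calcsize(EPROCESS_FMT)   # 36 bytes


def read_eprocess(image, base):
    tag, pid, ppid, flink, blink, name = struct.unpack_from(EPROCESS_FMT, image, base)
    return {"base": base, "pid": pid, "ppid": ppid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\x00").decode("ascii", "replace")}


def pslist(image, head):
    """Walk PsActiveProcessHead -> ActiveProcessLinks -> ... like Volatility's pslist.
    Addresses are used directly as offsets into `image` (identity mapping; a real
    image needs virtual-to-physical translation first)."""
    procs, seen = [], set()
    (flink,) = struct.unpack_from("<I", image, head)          # head.Flink
    while flink != head and flink not in seen:
        seen.add(flink)                                        # stop on a corrupted/cyclic list
        base = flink - LINKS_OFFSET                            # LIST_ENTRY -> containing _EPROCESS
        proc = read_eprocess(image, base)
        procs.append(proc)
        flink = proc["flink"]
    return procs


def psscan(image):
    """Carve every _EPROCESS-shaped object by its pool tag, ignoring the list (like psscan)."""
    procs = []
    pos = image.find(POOL_TAG)
    while pos != -1 and pos + EPROCESS_SIZE <= len(image):
        proc = read_eprocess(image, pos)
        if 0 < proc["pid"] < 65536 and proc["name"]:           # cheap sanity checks on the carve
            procs.append(proc)
        pos = image.find(POOL_TAG, pos + 1)
    return procs


def hidden_processes(image, head):
    """Cross-view comparison: objects psscan finds that the linked list does not reach."""
    listed = {p["base"] for p in pslist(image, head)}
    return [p for p in psscan(image) if p["base"] not in listed]


def build_sample_image():
    """Constructed 4 KiB image: four processes, pid 1337 unlinked DKOM-style (rootkit)."""
    image = bytearray(0x1000)
    head = 0x100                                               # PsActiveProcessHead
    procs = [(0x200, 4, 0, b"System"), (0x300, 620, 4, b"lsass.exe"),
             (0x400, 1337, 620, b"rootkit.exe"), (0x500, 2208, 620, b"explorer.exe")]
    visible = [0x200, 0x300, 0x500]                            # 0x400 was removed from the list

    def entry(base):                                           # address of a struct's LIST_ENTRY
        return base + LINKS_OFFSET

    for base, pid, ppid, name in procs:
        if base in visible:
            i = visible.index(base)
            blink = head if i == 0 else entry(visible[i - 1])
            flink = head if i == len(visible) - 1 else entry(visible[i + 1])
        else:
            flink = blink = entry(base)                        # unlinked entry points to itself
        struct.pack_into(EPROCESS_FMT, image, base, POOL_TAG, pid, ppid, flink, blink, name)
    struct.pack_into("<II", image, head, entry(visible[0]), entry(visible[-1]))
    return bytes(image), head


if __name__ == "__main__":
    image, head = build_sample_image()
    print("pslist :", [p["name"] for p in pslist(image, head)])
    print("psscan :", [p["name"] for p in psscan(image)])
    print("hidden :", [p["name"] for p in hidden_processes(image, head)])
```

The real psscan also validates the carve through the object's _DISPATCHER_HEADER and the pool header size, which is what keeps false positives down on a multi-gigabyte image; the pid and name checks above are a stand-in for that.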
42. Process hollowing
• a legitimate process is loaded into memory to act as a container for foreign code
• the host process is created in a suspended state
• antivirus bypassing
• meterpreter ‘-m’ flag
• detectable with the Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)
suggested reading:
Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
48. Java Management Extensions (JMX)
• monitor and manage any Java based applications
• automatically exposed by JMX agents
• clients like Java Visual VM can connect to it locally and remotely
• supports MBeans
• tools: Java Visual VM, JConsole, MAT (Eclipse),
JmxCli
suggested reading:
Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
51. Java Management Extensions (JMX)
• no default port but...
“statistical” guessing: 3333,6161,9999
• authentication? encryption?
not by default!
• properties where you can fix that:
com.sun.management.jmxremote.port
com.sun.management.jmxremote.ssl
com.sun.management.jmxremote.authenticate
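A check a pentester or defender can run over a list of java command lines (ps output, a deployment script, a Dockerfile CMD), as an added Python example that is not part of the talk or of any JMX tool: it pulls the -D properties out, reports whether a remote connector is configured and whether the three properties the slide names have been left weak. The constructed command lines show the exposed setting next to the corrected one; the file paths in them are made up.

```python
import shlex

JMX = "com.sun.management.jmxremote"


def parse_jvm_properties(cmdline):
    """Collect -Dname=value pairs from a java command line; a bare -Dname means 'true'."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            name, sep, value = tok[2:].partition("=")
            props[name] = value if sep else "true"
    return props


def audit_jmx(cmdline):
    """None when no remote connector is configured; otherwise the port and the weaknesses."""
    props = parse_jvm_properties(cmdline)
    port = props.get(JMX + ".port")
    if port is None:
        return None                 # a bare -Dcom.sun.management.jmxremote is local-only
    # Once a port is set the JVM defaults are authenticate=true and ssl=true, so only an
    # explicit 'false' switches them off.
    authenticate = props.get(JMX + ".authenticate", "true").lower() != "false"
    ssl = props.get(JMX + ".ssl", "true").lower() != "false"
    issues = []
    if not authenticate:
        issues.append("authentication disabled")
    if not ssl:
        issues.append("SSL disabled")
    if authenticate and JMX + ".password.file" not in props and JMX + ".login.config" not in props:
        issues.append("authentication on but no password.file or login.config specified")
    return {"port": int(port), "authenticate": authenticate, "ssl": ssl, "issues": issues}


def audit_process_list(cmdlines):
    """Keep only the command lines that expose a remote JMX connector."""
    findings = []
    for cmd in cmdlines:
        result = audit_jmx(cmd)
        if result is not None:
            findings.append((cmd, result))
    return findings


# Constructed command lines (paths and jar names are made up).
SAMPLE_CMDLINES = [
    # the weak setting: anyone who can reach the port gets full MBean access, no credentials
    "java -Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false -jar app.jar",
    # the corrected setting: SSL on, authentication on, explicit password and access files
    "java -Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.ssl=true "
    "-Dcom.sun.management.jmxremote.authenticate=true "
    "-Dcom.sun.management.jmxremote.password.file=/etc/app/jmxremote.password "
    "-Dcom.sun.management.jmxremote.access.file=/etc/app/jmxremote.access -jar app.jar",
    # local-only agent: nothing listening on the network
    "java -Dcom.sun.management.jmxremote -jar local-only.jar",
]

if __name__ == "__main__":
    for cmd, result in audit_process_list(SAMPLE_CMDLINES):
        print(result["port"], result["issues"] or "ok", "<-", cmd[:60])
```

The port itself is worth reporting even when the flags are clean: the RMI connector negotiates a second, random port for the actual traffic, so a firewall rule for 9999 alone does not contain it.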
53. 1) open browser on URL:
http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans
58. jbossify for JBoss
2) run jbossify:
wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py
$ python jbossify.py
jbossify.py <host> <port> <instance_name> [<properties to extract>]
jbossify.py --offline <instance_folder> [<properties to extract>]   (offline extraction)
<properties to extract> - can be 'conn', 'dd', 'sql' or 'all' (default is just conn)
conn -> ManagedConnectionFactoryProperties
dd   -> deploymentDescriptor   (Connection Strings!)
sql  -> SqlProperties
73. Truecrypt
1) where? DRIVER_OBJECT address
2) size? DriverStart .. DriverStart + DriverSize
suggested reading:
RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
75. Truecrypt
..on a little endian architecture..
3) what?
$ xxd JOHN-2CF071298B-20120512-221220.raw | grep 123asd
88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@#
0c 00 00 00 is the passphrase length (12) as a 32-bit little-endian integer; the 12 bytes that follow are the passphrase itself
76. Truecrypt
..on a little endian architecture..
3) what?
{length, passphrase} tuples with fingerprint:
?? 00 00 00 | ?? ?? .. (length bytes) .. | 00 00 ..
length: 32-bit little-endian, [1..64]
passphrase: ASCII printable [0x20..0x7E]
followed by NULs
suggested reading:
Cryptoscan plugin, Jesse Kornblum
TrueDecrypt plugin, Francisco Ribeiro
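The fingerprint above turned into a scanner, as an added Python example (not the TrueDecrypt or Cryptoscan plugin code): it looks for a 32-bit little-endian length in [1..64], a run of exactly that many printable ASCII bytes and NUL padding behind it, which is what TrueCrypt's Password structure (a 32-bit Length followed by a NUL-padded Text buffer) looks like once filled in. The dump it scans is constructed inline: two decoys that must be rejected and one tuple carrying the slide's own passphrase.

```python
import re
import struct

# Fingerprint from the slides, on a little-endian host:
#   u32 LE length in [1..64]  |  `length` printable ASCII bytes  |  NUL padding
MAX_PASSPHRASE = 64
CANDIDATE_RE = re.compile(rb"([\x01-\x40])\x00\x00\x00([\x20-\x7e]{1,64})\x00")


def scan_truecrypt_passphrases(image, min_nuls=4):
    """Return (offset, length, passphrase) for every place where the declared length
    equals the printable run and at least `min_nuls` NUL bytes follow it."""
    hits = []
    for m in CANDIDATE_RE.finditer(image):
        length = m.group(1)[0]
        text = m.group(2)
        if len(text) != length:
            continue                                   # length field disagrees with the run
        end = m.start(2) + length
        if image[end:end + min_nuls] != b"\x00" * min_nuls:
            continue                                   # not NUL padded: coincidence, skip
        hits.append((m.start(), length, text.decode("ascii")))
    return hits


def hexdump_line(image, offset, width=16):
    """xxd-style line for a hit, so results can be eyeballed like on the slide."""
    chunk = image[offset:offset + width]
    hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
    asciipart = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
    return f"{offset:07x}: {hexpart:<40} {asciipart}"


def build_sample_image():
    """Constructed dump: high-bit filler, two decoys that must be rejected, one real tuple."""
    filler = bytes(range(0x80, 0x100)) * 8                              # no zeros, no printables
    decoy_len = struct.pack("<I", 5) + b"hello world" + b"\x00" * 8      # run longer than length
    decoy_pad = struct.pack("<I", 3) + b"abc" + b"\x00" + b"Z" + b"\x00" * 8   # not NUL padded
    real = struct.pack("<I", 12) + b"123asdASD!@#" + b"\x00" * 52        # the slide's 12 chars
    return filler + decoy_len + filler + decoy_pad + filler + real + filler


if __name__ == "__main__":
    image = build_sample_image()
    for offset, length, passphrase in scan_truecrypt_passphrases(image):
        print(hexdump_line(image, offset), "->", length, repr(passphrase))
```

On a real image the same pattern also matches other length-prefixed strings, so the DRIVER_OBJECT bounds from slide 73 (DriverStart .. DriverStart + DriverSize) are the natural way to narrow the search space before reading candidates by hand.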
78. Cold Boot attacks on encryption keys
• exploits data remanence in volatile memory
• retrieves the keys used to encrypt hard drives
• Truecrypt, BitLocker, FileVault
suggested reading:
Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University
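The key-finding idea behind both "RAM is Key" and the cold boot paper, as an added Python example (not the authors' tools): an AES key in use is not alone in memory, its expanded key schedule sits next to it, so every 16-byte window of a dump is expanded and compared with the 160 bytes that follow. The S-box is derived rather than transcribed, AES-128 is the only key size handled, and the match is exact; the error-correcting recovery of partially decayed keys that the Princeton paper describes is not implemented. The sample image is constructed around the FIPS-197 Appendix A key.

```python
def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Derive the AES S-box (multiplicative inverse in GF(2^8) + affine map) instead of
    transcribing 256 constants."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF     # p = p * 3 in GF(2^8)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                                # q = q / 3 in GF(2^8)
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _next_round_word(prev_word, first_word, rcon):
    """w[i] = w[i-4] XOR SubWord(RotWord(w[i-1])) XOR Rcon, for i % 4 == 0."""
    t = [SBOX[b] for b in prev_word[1:] + prev_word[:1]]
    t[0] ^= rcon
    return bytes(a ^ b for a, b in zip(first_word, t))


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_round_word(w[i - 1], w[i - 4], rcon))
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)


def find_aes128_keys(image):
    """Report every offset whose 16 bytes expand to exactly the 160 bytes that follow:
    that is what an in-use AES-128 key schedule looks like in RAM."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # cheap pre-filter: derive only w[4] before paying for the whole expansion
        if image[off + 16:off + 20] != _next_round_word(cand[12:16], cand[0:4], 0x01):
            continue
        if image[off + 16:off + 176] == expand_key_128(cand)[16:]:
            hits.append((off, cand.hex()))
    return hits


def build_sample_image():
    """Constructed dump: filler, a bare key with no schedule (must NOT be reported),
    then an expanded schedule as a crypto library would leave it in memory."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")        # FIPS-197 Appendix A key
    filler = bytes((i * 37 + 11) & 0xFF for i in range(1024))
    return filler + key + filler + expand_key_128(key) + filler


if __name__ == "__main__":
    for off, keyhex in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off:#x}: {keyhex}")
```

A bare copy of the key (a buffer that was never expanded) is invisible to this search, which is the point: the schedule is the artifact, not the 16 random-looking bytes. Disk encryption software that uses XTS keeps two keys, so on a TrueCrypt volume two schedules are expected close together.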
86. MultiFunction Printers?
2) Analyze that
V..éSODX
flipping bytes (reversing each 4-byte word)
é..VXDOS
that’s BIGDOS FAT 16!
3) open Finder
suggested reading:
Survey of Scanner and Printer Forensics, Purdue University
Forensic analysis of digital copiers, Svein Yngvar Willassen
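The byte flip and the recognition step that follows it, as an added Python example (not from the talk): reversing each 4-byte word is what turns the slide's `V..é` into `é..V`, and once the sector is in its natural order the BIOS Parameter Block can be read like any FAT boot sector. The boot sector here is constructed, the 16-bit variant of the flip is offered because some dumps are word-swapped instead, and the OEM name and label are invented.

```python
import struct


def flip_words(data, width=4):
    """Reverse the byte order inside each `width`-byte word: the "flipping bytes" step.
    width=4 turns b"V..\xe9SODX" into b"\xe9..VXDOS"; width=2 undoes a 16-bit swapped dump.
    The operation is its own inverse."""
    out = bytearray(data)
    for i in range(0, len(data) - len(data) % width, width):
        out[i:i + width] = data[i:i + width][::-1]
    return bytes(out)


def parse_fat_boot_sector(sector):
    """Return the BIOS Parameter Block if `sector` is a plausible FAT12/FAT16 boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        return None
    if sector[0] not in (0xEB, 0xE9):            # boot code starts with an x86 JMP
        return None
    (oem, bps, spc, reserved, fats, root_entries, total16, media, spf) = \
        struct.unpack_from("<8sHBHBHHBH", sector, 3)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1) or fats == 0:
        return None
    total = total16 or struct.unpack_from("<I", sector, 32)[0]   # BIGDOS volumes use the 32-bit count
    return {"oem": oem.decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": fats, "root_entries": root_entries,
            "total_sectors": total, "media": media, "sectors_per_fat": spf,
            "fs_type": sector[54:62].decode("ascii", "replace").rstrip()}


def recover_fat_volume(dump):
    """Try the dump as-is, then with 32-bit and 16-bit byte flips; say which one parsed."""
    for how, data in (("raw", dump), ("dword-flipped", flip_words(dump, 4)),
                      ("word-flipped", flip_words(dump, 2))):
        bpb = parse_fat_boot_sector(data[:512])
        if bpb:
            return how, bpb
    return None, None


def build_sample_dump():
    """Constructed FAT16 boot sector, stored the way the printer dumped it (dword flipped)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"                 # JMP short + NOP
    sector[3:11] = b"MSDOS5.0"                    # invented OEM name
    struct.pack_into("<HBHBHHBH", sector, 11, 512, 4, 1, 2, 512, 0, 0xF8, 128)
    struct.pack_into("<I", sector, 32, 131072)    # 64 MB: too big for the 16-bit count
    sector[38] = 0x29                             # extended boot signature
    sector[43:54] = b"PRINTER    "                # invented volume label
    sector[54:62] = b"FAT16   "
    sector[510:512] = b"\x55\xAA"
    return flip_words(bytes(sector), 4)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("raw parse :", parse_fat_boot_sector(dump))
    print("recovered :", recover_fat_volume(dump))
```

Once the flip is known, the whole dump can be flipped the same way and handed to a normal FAT driver or loop mount, which is the "open Finder" step on the next line of the slide.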
101. Codetective
• an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation
• can be used as a volatility plugin or as a generic tool
• filters (win, unix, web, db or other) and level of confidence
• supports:
shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA224, SHA256, SHA384, SHA512, base64, MySQL323, MySQL4+, DES, RipeMD320, Whirlpool, Blowfish, Java Session IDs, connection strings, Credit Cards, URLs
102. Codetective
• relevant options:
-a (analyze)
-u (show UUIDs)
-v (verbose mode)
-t (filters)
-p (search for Process ID)
-n (search for process name)
If neither -p nor -n is given, it will search in all processes.
• git clone git://github.com/blackthorne/Codetective.git codetective
suggested reading:
codetective plugin, github @blackthorne, Francisco Ribeiro
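The idea behind the tool, classifying a string from the shape of its representation and attaching a confidence level, as an added Python example that is not Codetective's code: format markers ($6$, $apr1$, $P$, a leading *) give high confidence, bare hex of a given length is ambiguous and only medium or low, a digit string is checked with Luhn before being called a card number, and ':'-separated lines are split so shadow and SAM fields are seen. The blob it scans is constructed; the $6$ hash in it is not a real password hash.

```python
import re

# (label, pattern, confidence), most specific first.  Bare hex strings of a given length are
# inherently ambiguous (MD5, MD4, NTLM and LM are all 32 hex digits), hence "medium" or "low".
PATTERNS = [
    ("LM hash of empty password", re.compile(r"^aad3b435b51404e{2}aad3b435b51404e{2}$", re.I), "high"),
    ("NTLM hash of empty password", re.compile(r"^31d6cfe0d16ae931b73c59d7e0c089c0$", re.I), "high"),
    ("shadow crypt(3) $1$/$5$/$6$", re.compile(r"^\$(?:1|5|6)\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86}$"), "high"),
    ("Apache apr1", re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "high"),
    ("phpBB3 / Wordpress phpass", re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$"), "high"),
    ("MySQL 4.1+", re.compile(r"^\*[0-9A-F]{40}$"), "high"),
    ("JDBC connection string", re.compile(r"^jdbc:[a-z0-9]+:.+$", re.I), "high"),
    ("URL", re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I), "high"),
    ("CRC32", re.compile(r"^[0-9a-f]{8}$", re.I), "low"),
    ("MySQL323", re.compile(r"^[0-9a-f]{16}$", re.I), "low"),
    ("MD5 / MD4 / NTLM / LM", re.compile(r"^[0-9a-f]{32}$", re.I), "medium"),
    ("SHA1", re.compile(r"^[0-9a-f]{40}$", re.I), "medium"),
    ("SHA224", re.compile(r"^[0-9a-f]{56}$", re.I), "medium"),
    ("SHA256", re.compile(r"^[0-9a-f]{64}$", re.I), "medium"),
    ("RipeMD320", re.compile(r"^[0-9a-f]{80}$", re.I), "medium"),
    ("SHA384", re.compile(r"^[0-9a-f]{96}$", re.I), "medium"),
    ("SHA512 / Whirlpool", re.compile(r"^[0-9a-f]{128}$", re.I), "medium"),
    ("base64", re.compile(r"^(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"), "low"),
]


def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def identify(token):
    """Every (label, confidence) whose representation `token` fits; [] if nothing fits."""
    found = []
    if token.isdigit() and 13 <= len(token) <= 19:
        found.append(("credit card number", "high" if luhn_valid(token) else "low"))
    found.extend((label, conf) for label, pat, conf in PATTERNS if pat.match(token))
    return found


def candidates(text):
    """Tokens split on whitespace/punctuation, plus the ':'-separated fields of each one
    (so shadow and SAM lines yield their hash fields)."""
    for tok in re.split(r"[\s\"'<>()\[\]{},;]+", text):
        if len(tok) < 8:
            continue
        yield tok
        if ":" in tok and not tok.lower().startswith(("http", "jdbc")):
            for field in tok.split(":"):
                if len(field) >= 8:
                    yield field


def scan_blob(text, min_confidence="low"):
    """Map each recognised token to its matches, dropping those below `min_confidence`."""
    rank = {"low": 0, "medium": 1, "high": 2}
    report = {}
    for tok in candidates(text):
        matches = [m for m in identify(tok) if rank[m[1]] >= rank[min_confidence]]
        if matches:
            report[tok] = matches
    return report


# Constructed sample: the $6$ entry is filler, not a real hash; the SAM line carries the
# well-known empty-password LM and NTLM values.
SHADOW_HASH = "$6$Zx9wQ1vF$" + "Ab1" * 28 + "Cd"
SAMPLE_BLOB = "\n".join([
    f"root:{SHADOW_HASH}:16000:0:99999:7:::",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "md5 5f4dcc3b5aa765d61d8327deb882cf99",
    "$P$Babcdefghijklmnopqrstuvwxyz0123",
    "jdbc:mysql://db.internal:3306/shop?user=app&password=s3cret",
    "card 4111111111111111 token cGFzc3dvcmQ=",
])

if __name__ == "__main__":
    for tok, matches in scan_blob(SAMPLE_BLOB, "medium").items():
        print(f"{tok[:48]:<50} {matches}")
```

Run over a process memory dump the same way Codetective is (strings first, then identify), the confidence level is what makes the output usable: on a few hundred MB of RAM the medium and low matches are mostly noise, and the high ones are the ones to read.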
107. GRR - remote live forensics
(screenshot of the GRR web UI: hostname, volatility plugins, pslist, age selector, status, raw disk)
109. Memory Analysis on the Cloud
• with virtualization, multiple Virtual Machines share a single physical machine and expose their volatile memory in snapshot files (.vmem..) that are accessible from userland
• analyzing iOS / iTunes memory lets you retrieve iCloud credentials. Years ago that wasn’t that serious, but now it’s not just music, is it?
• what about Dropbox and Google accounts: how complex is your password? Does it really matter? Where is it stored?
112. References:
• Tools: Memory Imaging, Forensics WiKi
• Acquisition and analysis of volatile memory from android devices, Digital Investigation
• struct EPROCESS, NirSoft
• How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
• Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
• Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
• RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
• Cryptoscan plugin, Jesse Kornblum
• TrueDecrypt plugin, Francisco Ribeiro
• Survey of Scanner and Printer Forensics, Purdue University
• Forensic analysis of digital copiers, Svein Yngvar Willassen
• Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
• codetective plugin, github @blackthorne, Francisco Ribeiro
• Volatility - Memory Forensics, Volatile Systems
• Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
• An advanced memory forensics framework - Volatility, Google Wiki pages
• Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University