Dumping Physical Memory to extract SAM Hashes
Tools Needed:
- MDD
- pyCrypto
- Volatility 1.3 Beta
- Volatility Plugin from Moyix
ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.
After downloading MDD from the Mantech site you need to run the program at the command line.
MDD Command Line Usage:
mdd -o OUTPUTFILENAME
Step by Step Example:
First of all, run MDD to dump the memory of the machine. The output file is an image of the physical memory; MDD only acquires the memory and does no analysis of it.
C:\Documents and Settings\Administrator\Desktop\MDD>mdd_1.3.exe -o dump.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w’
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c’ for details.
-> Dumping 511.48 MB of physical memory to file ‘dump.dd’.
130938 map operations succeeded (1.00)
0 map operations failed
took 32 seconds to write
MD5 is: 78924418adaf67d22a6687dcc6ff4e23
C:\Documents and Settings\Administrator\Desktop\MDD>
Next, we need to analyze the memory image, dump.dd.
For this, we will be using Volatility (1.3_Beta), the Volatility plugin from Moyix, and a Windows hash/password finder (SamInside) to identify the passwords.
1. First of all, most of these scripts are written in Python, so you need to download and install a Python interpreter (ActivePython).
2. Download Volatility (1.3_Beta) , extract it to a folder.
3. Download Volatility Plugin from Moyix, extract it, and copy its content into the Volatility folder, overwriting your existing forensics, memory_objects, and memory_plugins folders.
4. Download pyCrypto and install it.
5. Copy the dump.dd file (output file of MDD) into the Volatility folder.
6. Run hivescan from volatility to get the hive offsets. Execute the following:
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta> python volatility hivescan -f dump.dd
Offset (hex)
45147992 0x2b0e758
45393752 0x2b4a758
49832984 0x2f86418
56797016 0x362a758
58091352 0x3766758
64191328 0x3d37b60
145440776 0x8ab4008
146819936 0x8c04b60
147082080 0x8c44b60
197245792 0xbc1bb60
215368912 0xcd644d0
228964464 0xda5b870
244838408 0xe97f008
271077384 0x10285008
271171592 0x1029c008
361696096 0x158f0b60
373147760 0x163dc870
401433808 0x17ed64d0
425734152 0x19603008
435642376 0x19f76008
452021088 0x1af14b60
489651040 0x1d2f7b60
506391392 0x1e2eeb60
509397104 0x1e5cc870
526976208 0x1f6904d0
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>
7. Next, run hivelist from Volatility, passing the first hivescan offset from the previous output. Execute the following:
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>python volatility hivelist -f dump.dd -o 0x2b0e758
Address Name
0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT
0xe1afeb60 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b4c008 \Documents and Settings\LocalService\NTUSER.DAT
0xe1b13870 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b004d0 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1609b60 \WINDOWS\system32\config\software
0xe160bb60 \WINDOWS\system32\config\default
0xe1741b60 \WINDOWS\system32\config\SAM
0xe1607008 \WINDOWS\system32\config\SECURITY
0xe142e418 [no name]
0xe1036758 \WINDOWS\system32\config\system
0xe1022758 [no name]
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>
8. Now that we have the hive addresses, note the ones for the SAM and SYSTEM hives. Dump the password hashes with this command: python volatility hashdump -f dump.dd -y <SYSTEM hive address> -s <SAM hive address>. For the addresses listed above, that is:
python volatility hashdump -f dump.dd -y 0xe1036758 -s 0xe1741b60
Extracted SAM :
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::
john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::
Now you can just open this as a pwdump file in SamInside and crack it!
Here is how your final output should look! Good luck, guys!
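As an added, defender-side example (not code from the post, from MDD or from Volatility), the following Python script parses the pwdump-format lines that hashdump prints and reports, per account, what the hashes reveal without cracking anything: a blank password (NT hash of the empty string), an LM hash still being stored, and a second LM half equal to the empty half, which means the password is 7 characters or shorter. The sample input is the five lines extracted in the post.

```python
import re
# Added example (not from the post). LM and NT hashes of the empty password are
# well-known constants; each LM half covers 7 characters, so a second half equal
# to the empty half means the password is 7 characters or shorter.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash::: as in the hashdump output above
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

# The five lines extracted in the post, embedded here as sample input.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::
john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::
"""

def parse_pwdump(text):
    """Return one dict per well-formed hash line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid),
                            "lm": lm.lower(), "nt": nt.lower()})
    return entries

def audit_entry(entry):
    """List the weaknesses one account's hashes reveal, without cracking anything."""
    findings = []
    if entry["nt"] == EMPTY_NT:
        findings.append("blank password")
    if entry["lm"] != EMPTY_LM:
        findings.append("LM hash stored (LM hash storage not disabled)")
        if entry["lm"].endswith(EMPTY_LM_HALF):
            findings.append("password is 7 characters or shorter")
    return findings

def audit_pwdump(text):
    """Map each account name to its list of findings."""
    return {e["user"]: audit_entry(e) for e in parse_pwdump(text)}

if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_HASHDUMP).items():
        print(f"{user}: {', '.join(findings) or 'no findings'}")
```

Accounts with an LM hash stored point to a policy gap (NoLMHash not enforced) on the imaged machine, and blank-password entries should be treated as findings in their own right.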
6 people have left comments
Ade said on March 21, 2009, 3:38 pm:
This is great stuff, Warlock! It works flawlessly and I can't believe it is this easy...
JOOMMaster said on March 21, 2009, 3:46 pm:
Ahh!!!!! This is cool! Thanks for sharing warlock.. I'm gonna try it.......
warlock said on March 21, 2009, 9:39 pm:
Hi guys, thanks for your words, and keep it tuned for more stuff..
Ezekiel said on July 7, 2009, 4:07 pm:
Warlock, this is amazing work.. but when I tried this on a Windows 2008 server, nothing came back after the hivescan.
warlock said on July 22, 2009, 2:03 pm:
Hi Ezekiel, you would have to check if the 2008 box you are using is utilizing LM Hash, as it is disabled by default, and if it's a DC, it will use Kerberos instead..
Peter said on July 23, 2009, 2:53 pm:
I have read from the win32dd author that mdd has several problems, including a cache growing problem, which is really a problem during a memory acquisition.
Ref: http://www.msuiche.net/2009/06/08/update-win32dd-12220090608-fixes-improvements/