Using Volatility (1.3_Beta), Volatility Plugin from Moyix, a test RAM Image (xp-laptop-
2005-06-25.img) and a Windows Hash/Password Finder (SamInside or Cain and Abel)
identify the passwords for the following users: Sarah, phoenix and the Administrator.
1. Run hivescan to get hive offsets
command: python volatility hivescan -f "C:\Dump\xp-laptop-2005-06-25.img"
Offset (hex)
42168328 0x2837008
42195808 0x283db60
47592824 0x2d63578
207677272 0xc60e758
207736840 0xc61d008
207759192 0xc622758
207822 ***** Truncated to save some space
2. Run hivelist with the first hivescan offset
command: python volatility hivelist -f "C:\Dump\xp-laptop-2005-06-25.img" -o
0x2837008
Address Name
0xe1ecd008 \Documents and Settings\Sarah\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
0xe1eff758 \Documents and Settings\Sarah\NTUSER.DAT
0xe1bf9008 \Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
0xe1c26850 \Documents and Settings\LocalService\NTUSER.DAT
0xe1bf1b60 \Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
0xe1c2a758 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1982008 \WINDOWS\system32\config\software
0xe197f758 \WINDOWS\system32\config\default
0xe1986008 \WINDOWS\system32\config\SAM
0xe197a758 \WINDOWS\system32\config\SECURITY
0xe1558578 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]
3. Dump the password hashes (-y = SYSTEM hive offset, -s = SAM hive offset) and redirect the output to a text file.
command: python volatility hashdump -f "C:\Dump\xp-laptop-2005-06-25.img" -y 0xe1035b60 -s 0xe1986008 > Password_Hash.txt
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
4. Import Password_Hash.txt into a Password Finder (SamInside, Cain and Abel...).
User: Sarah Password: Empty
User: phoenix Password: Neon96
User: Administrator Password: Neon1996
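As an added example (not code from the original post), the pwdump-format records that hashdump writes can be audited before anything is handed to a password finder: the LM hash is computed over two independent 7-character halves, so a second half equal to the well-known empty-half constant shows the password is at most 7 characters, and the NT hash of the empty password is likewise a fixed constant. The sample input is constructed from the hashdump output shown above.

```python
from collections import defaultdict
# Well-known constants: LM hash of an empty 7-byte half-block and the
# NT hash (MD4 of UTF-16LE) of the empty password.
LM_EMPTY_HALF = "aad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the hashdump output shown above, one record per line.
SAMPLE = """\
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def parse_hashdump(text):
    """Parse 'user:rid:lmhash:nthash:::' records; skip blank or junk lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records

def audit(records):
    """Findings per user derived from hash structure alone, no cracking needed."""
    findings = {}
    for user, _rid, lm, nt in records:
        notes = []
        if nt == NT_EMPTY:
            notes.append("empty password")
        elif lm != LM_EMPTY_HALF * 2:
            # An LM hash is present, so NoLMHash was not enforced and the password
            # is <=14 chars; an empty second half means it is 7 chars or fewer.
            notes.append("LM hash stored")
            if lm[16:] == LM_EMPTY_HALF:
                notes.append("password is 7 characters or fewer")
        if notes:
            findings[user] = notes
    return findings

def shared_passwords(records):
    """Users with identical NT hashes share a password (SAM hashes are unsalted)."""
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in records:
        by_nt[nt].append(user)
    return {h: users for h, users in by_nt.items() if len(users) > 1}
```

Run against the sample, the audit flags Sarah (and Guest) as empty, phoenix as an LM-stored password of at most 7 characters, and Administrator as LM-stored, which matches the recovered passwords Empty, Neon96 and Neon1996.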
Dumping memory with MDD
ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released
under GPL by Mantech International. MDD is capable of copying the complete contents
of memory on the following Microsoft Operating Systems: Windows 2000, Windows
XP, Windows 2003 Server, Windows 2008 Server.
After downloading MDD from the Mantech site you need to run the program at the
command line.
MDD Command Line Usage:
mdd -o OUTPUTFILENAME
Example:
C:\tools\mdd> mdd -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use
option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 255.48 MB of physical memory to file 'memory.dd'.
65404 map operations succeeded (1.00)
0 map operations failed
took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc
The output file is commonly referred to as an "image". MDD's function is limited to
copying physical memory, so you will have to use another tool (such as Volatility, as
shown above) to analyze the memory image.