Memory Analysis


Page 1: Memory Analysis


OVERVIEW: This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG) and funded by the National Science Foundation’s (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746.

By the end of this lab, students will utilize various methods to determine if an attacker attempted a breach or successfully compromised a system. Some information about the attacker, such as his IP Address, may be lost if the machine is shutdown. For this reason, an investigator collects volatile data before shutting down a system.

This lab includes the following tasks:

Task 1 – Obtaining a dump of physical memory using DumpIt

Task 2 – Attacking the victim system with Armitage

Task 3 – Using volatility to determine remote connections

Key Term – Description

DumpIt – generates a copy of the system's physical memory and saves it as a file

volatility – an open source analysis tool used for incident response and analysis

Pslist – will determine the running processes in RAM along with their corresponding

connscan – will determine the network connections (including IP’s and ports) in RAM

Armitage – Metasploit is a very powerful exploitation framework, but it requires that the user be comfortable using the command line. Armitage is a GUI frontend for Metasploit that has many powerful capabilities. An attacker can use Armitage to identify and exploit victim machines within an easy to use graphical environment.

Reading Assignment

Introduction

In this lab, you will use various methods to determine if an attacker attempted a breach or successfully compromised a system. Some information about the attacker, such as the system’s IP address, may be lost if the machine is shut down. For this reason, an investigator collects volatile data such as an image of Random Access Memory (RAM) before shutting down a system. Figure 1 shows the lab topology.

This lab includes the following tasks:

Obtaining a dump of physical memory using DumpIt

Attacking the victim system with Armitage


Using volatility to determine remote connections

FIGURE 1 – LAB TOPOLOGY

Memory Forensics

Memory forensics is a process of analyzing volatile memory of a computer system. Digital forensics professionals use memory forensics to help them investigate information such as network connections, running processes, and malicious behaviors active in memory.

Volatile Data

The operating system reads and writes data to memory in a system’s RAM. Data in RAM is volatile because the data in memory is lost when the system is turned off. Memory can contain data such as processes, command history, passwords, and files that can be extracted and are helpful to forensic investigators.

Memory Dump and DumpIt

DumpIt is a command line program that runs on either a 32- or a 64-bit version of Windows. This tool generates a copy of the system’s physical memory and saves it as a file in the same directory from which the command is run. DumpIt can also be run from a drive letter assigned to a USB drive and the image can be stored on the removable media. Figure 2 shows how DumpIt works.


FIGURE 2 – DUMPIT COMMAND

Volatility is a tool written in Python that runs on Linux and Windows. Volatility takes the result of the dump above and allows you to analyze processes, command history, and even review files and passwords that are in volatile memory on a system. Figure 3 shows how volatility works by analyzing the system processes.

FIGURE 3 – VOLATILITY COMMAND

In this lab, you will be using volatility to explore system processes and remote connections.

Pentesting

A penetration test (or pentest for short) is broken down into stages—planning and reconnaissance, scanning, gaining access, maintaining access, and analysis of results. Planning and reconnaissance are the first stages that allow the attackers to select a target and harvest any information they can get from resources such as web sites, social networking sites, and other pieces of data. The next stage is scanning. In this lab, you will be using nmap to do your initial scans. Then, you will use the Metasploit framework and Armitage, which comes preloaded on some versions of Kali Linux, to exploit the vulnerable Windows system.

Kali Linux/Metasploit

Kali Linux is a Linux distribution created for digital forensics and penetration testing. Metasploit is a penetration testing framework which comes preloaded with Kali Linux. Kali Linux along with Metasploit provides tools for penetration testers to improve security assessments and awareness. This lab uses Armitage and Metasploit to exploit a vulnerable XAMPP application.


Postgres DBMS

Postgres is an open-source object relational database system. It has over 30 years of active development. It is the successor to the Ingres database from the University of California, Berkeley. In this version of Kali, Metasploit and Armitage rely on the postgres service to function.

Nmap/Zenmap

Nmap is an open-source network vulnerability scanner used to discover hosts and open ports/services. Zenmap is the GUI interface to nmap.

Exploiting the victim with Armitage

Armitage, designed by Raphael Mudge, is a front-end hacking tool for Metasploit that visualizes targets, recommends exploits, and performs exploits on systems to break into them. Figure 4 shows the Armitage interface. You will use Armitage to exploit a vulnerable web application and a Windows Server.

FIGURE 4 – ARMITAGE INTERFACE (SOURCE: ARMITAGE)

CONCLUSION: In this lab, you will use DumpIt to dump a copy of the physical memory and use volatility to analyze the image of memory. You will use Kali Linux, Metasploit, and Armitage to attack a vulnerable Windows system and then use volatility to analyze remote connections captured in the image of RAM.


Use DumpIt to Extract Running Physical Memory

DumpIt is an executable file that runs on either a 32- or 64-bit version of Windows. This tool generates a copy of the system's physical memory and saves it as a file in the same directory that you used to run the command. DumpIt can also be run from a USB drive.

Extracting Running Physical Memory

1. Click the START button in the adjoining window.

INITIALIZING THE VIRTUAL ENVIRONMENT

2. Perform the following steps on the machine running Windows Server by clicking the server icon in the topology.


WINDOWS SERVER

3. Click the Send Ctrl+Alt+Delete button when instructed to do so.

ACCESSING LOGIN

4. Click inside the password input field. Type P@ssw0rd and press <Enter>.

AUTHENTICATING USER


5. Open Chrome by double-clicking on the shortcut on the Desktop.

SHORTCUT TO CHROME

6. Minimize Chrome. This gives us a process we can identify running in memory.

MINIMIZE CHROME

7. Double-click on the Command Prompt shortcut.

COMMAND PROMPT

8. Type the following command and press <Enter> to image memory.

C:\>DumpIt.exe

DUMPIT


9. Click y to the question if you want to continue. The RAM will be dumped. After a short amount of time, you will receive the message Processing . . . Success. Press <Enter>. DumpIt creates a file with the .raw extension. The file is in the root of C:.

DUMPIT FINISHED

10. Type the following command and press <Enter> to view the newly created RAM dump image. Note: the directory contents may be slightly different, but you should see a file with a .raw extension.

C:\>dir

DIR COMMAND

11. Type the following command and press <Enter> to rename the memory image file.


C:\>ren *.raw ram1.dd

REN COMMAND

12. Type the following command and press <Enter> to view the renamed RAM dump image.

C:\>dir

DIR COMMAND

13. Type the following command and press <Enter> to view the sampleflag.txt file.

C:\>dir


13. Type the following command and press <Enter> to view the contents of the sampleflag.txt file.

C:\>more sampleflag.txt

13. Notice the flag of 999818. Click on the Challenge icon and type the flag number into the answer box. This is just to show you how to capture Challenge Flags you will see throughout this lab.

Challenge Sample #

13. Type the following command again and press <Enter> to view the flag2.txt file.

13. Type the following command and press <Enter> to view the contents of the flag2.txt file.

C:\>more flag2.txt

Challenge #

13. Click the close button on the CLI.


CLOSING CLI

14. Click the close button on the VM window.

CLOSING VM WINDOW

15. Switch to the machine running Windows 10.


WINDOWS 10

16. Right-click on the cmd – Shortcut and select Run as administrator.

WINDOWS 10 DESKTOP

17. Type the following command and press <Enter> to go back to the root of C:.

C:\Windows\system32>cd \

CD COMMAND

18. Type the following command and press <Enter> to map a drive.

C:\>net use x: \\192.168.1.100\c$ /u:administrator P@ssw0rd


NET USE COMMAND

19. Type the following command and press <Enter> to copy the RAM dump to the c:\ drive.

C:\>copy x:\*.dd c:\

COPY COMMAND

20. Type the following command and press <Enter> to view the copied RAM dump image. Note: the rest of the directory contents should be similar.

C:\>dir

DIR COMMAND

21. Type the following command and press <Enter> to view the switches for volatility.

C:\>volatility-2.5.exe -h


VOLATILITY COMMAND

22. Type the following command and press <Enter> to parse information from the image of RAM.

C:\>volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 imageinfo

PROCESSES IN RAM

23. Type the following command and press <Enter> to parse the processes running in RAM.

C:\>volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 pslist


PROCESSES IN RAM

24. Type the following command and press <Enter> to parse the chrome processes running in RAM.

C:\>volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 pslist | find "chrome"

PROCESSES IN RAM

25. Click the close button on the VM window.

CLOSE VM WINDOW

CONCLUSION: DumpIt is a program that will allow you to capture RAM from a system. When a machine is turned off, the information in RAM will go away. If a tool such as DumpIt is used, the volatile data within the captured RAM image can be analyzed with a tool like volatility.
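Steps 18 to 20 copy ram1.dd from the server to the Windows 10 analysis machine over a mapped SMB share. A practitioner hashes the image before it leaves the server and again after the copy, so the analysis is known to run on exactly the bytes DumpIt wrote and the value can be recorded on the evidence log. The Python below is an added example for this page, not part of the lab, DumpIt or Volatility; it assumes only two local file paths, and its demo() builds a small constructed file of its own so the check can be exercised without a real image.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte RAM image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    """Same digest for an in-memory byte string (handy for quick checks)."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(source, destination):
    """Return (match, source_hash, destination_hash).

    Record source_hash before the file leaves the server (e.g. x:\\ram1.dd);
    destination_hash is recomputed on the analysis box (e.g. c:\\ram1.dd).
    """
    src_hash = sha256_file(source)
    dst_hash = sha256_file(destination)
    return src_hash == dst_hash, src_hash, dst_hash


def demo():
    """Constructed end-to-end run: build a fake image, copy it, verify, then tamper.

    Returns (intact_copy_matches, tampered_copy_matches); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "ram1.dd")      # stands in for the server copy
        copied = os.path.join(workdir, "ram1_copy.dd")   # stands in for the analysis copy
        # Constructed content; a real DumpIt image is the size of physical RAM.
        with open(original, "wb") as handle:
            handle.write(os.urandom(4096) * 16)
        shutil.copyfile(original, copied)
        intact_ok, _, _ = verify_copy(original, copied)

        # Flip one byte in the copy: the digest must change and the check must fail.
        with open(copied, "r+b") as handle:
            handle.seek(100)
            byte = handle.read(1)
            handle.seek(100)
            handle.write(bytes([byte[0] ^ 0xFF]))
        tampered_ok, _, _ = verify_copy(original, copied)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print("intact copy matches, tampered copy matches:", demo())
```

In practice the first hash is taken on the server right after the ren step and before net use is run from the analysis machine, so that the transfer itself is covered by the comparison.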

DISCUSSION QUESTIONS:

1. What were the different process IDs for chrome? Answers will vary.

2. Based on image info, was the operating system a 32-bit or 64-bit system?

3. What is the date that the image was created?

4. Based on image info, what was the operating system installed?
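Discussion question 1 asks for the chrome process IDs, which step 24 finds by piping pslist through find. The Python below is an added example written for this page, not Volatility's own API: it parses the pslist text layout into records so that process IDs, parent/child relationships, and processes whose parent is no longer in the list can be queried directly instead of read off the screen. The SAMPLE_PSLIST rows are constructed to look like Volatility 2.5 output and are not taken from the lab's ram1.dd image.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of Volatility 2.5 'pslist' text output (not from a real dump).
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.5
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8a06d8b8 System                    4      0     84      542 ------      0
0x8926c020 smss.exe                488      4      3       19 ------      0 2016-03-10 14:02:11 UTC+0000
0x8b1f7d40 csrss.exe               540    528      9      421      0      0 2016-03-10 14:02:14 UTC+0000
0x8b21e3b8 winlogon.exe            580    528      5      122      1      0 2016-03-10 14:02:15 UTC+0000
0x8b4b0d40 explorer.exe           1884   1860     20      689      1      0 2016-03-10 14:03:02 UTC+0000
0x8b5a2030 chrome.exe             2216   1884     28      611      1      0 2016-03-10 14:05:40 UTC+0000
0x8b5c6a18 chrome.exe             2248   2216      8      104      1      0 2016-03-10 14:05:41 UTC+0000
0x8b5d1cc8 chrome.exe             2304   2216     12      168      1      0 2016-03-10 14:05:42 UTC+0000
0x8b3e9b20 cmd.exe                2612   1884      1       21      1      0 2016-03-10 14:06:10 UTC+0000
0x8b2a7020 DumpIt.exe             2720   2612      2       44      1      0 2016-03-10 14:06:31 UTC+0000
"""


class Process(NamedTuple):
    offset: str
    name: str
    pid: int
    ppid: int
    threads: Optional[int]
    handles: Optional[int]
    session: Optional[int]   # None where pslist prints '------'
    wow64: bool
    start: str
    exit_time: str


# One pslist data row; the banner, header and separator lines do not match.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\S+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?"
    r"(?:\s+(?P<exit>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?\s*$"
)


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.isdigit() else None


def parse_pslist(text: str) -> List[Process]:
    """Turn pslist text into Process records, skipping non-data lines."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        procs.append(Process(
            offset=m["offset"], name=m["name"],
            pid=int(m["pid"]), ppid=int(m["ppid"]),
            threads=_int_or_none(m["thds"]), handles=_int_or_none(m["hnds"]),
            session=_int_or_none(m["sess"]), wow64=m["wow64"] != "0",
            start=m["start"] or "", exit_time=m["exit"] or "",
        ))
    return procs


def find_by_name(procs: List[Process], needle: str) -> List[int]:
    """PIDs whose name contains needle. Unlike cmd's find, the match ignores case."""
    needle = needle.lower()
    return sorted(p.pid for p in procs if needle in p.name.lower())


def children(procs: List[Process], pid: int) -> List[int]:
    """Direct child PIDs of a process, e.g. the renderer processes under chrome."""
    return sorted(p.pid for p in procs if p.ppid == pid)


def orphaned(procs: List[Process]) -> List[int]:
    """PIDs whose parent is absent from the list (parent exited or was not found).

    Normal for csrss/winlogon/explorer, whose launchers exit; worth a second look
    for anything else.
    """
    known = {p.pid for p in procs}
    return sorted(p.pid for p in procs if p.ppid != 0 and p.ppid not in known)


if __name__ == "__main__":
    processes = parse_pslist(SAMPLE_PSLIST)
    print("chrome PIDs:", find_by_name(processes, "chrome"))
    print("children of 2216:", children(processes, 2216))
    print("orphaned:", orphaned(processes))
```

To run it against a real dump, redirect the pslist command's output to a file and pass the file's text to parse_pslist.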


Attacking a Remote System Utilizing Armitage

In this section, you will be introduced to Armitage, a Graphical User Interface (GUI) front end for Metasploit. The website for Armitage, which was developed by Raphael Mudge, is fastandeasyhacking.com. Armitage provides the user with a visual interface that will help them understand what is happening in the background of Metasploit.

1. Click on the internal Kali 2 Linux icon on the topology.

INTERNAL KALI 2

2. Type root for the Username. Press <Enter>.

INTERNAL KALI 2 USERNAME

3. For the Password, type toor and click the Sign In button.

Note: The password of toor will not be displayed when you type it for security purposes.


INTERNAL KALI 2 PASSWORD

4. Click the black and white icon (second from the top) to launch the Linux terminal.

OPENING THE KALI 2 TERMINAL

5. Type the following command and press <Enter> to scan and see if port 445 is open.

root@kali2:~# nmap 192.168.1.100 -p 445

NMAP


6. Type the following command and press <Enter> to start the postgresql service.

root@kali2:~# service postgresql start

START POSTGRESQL

7. Type the following command to switch to the Armitage directory. Press <Enter>.

root@kali2:~# cd armitage

ARMITAGE DIRECTORY

8. Type the following command to start the Metasploit console. Press <Enter>.

root@kali2:~/armitage# msfconsole


ARMITAGE DIRECTORY

9. Type the following command to change the banner and press <Enter>. Keep typing the command until you see a banner similar to the one below, which will have flag3 in it. This may take a number of tries. In fact, you might see other flag numbers, but the one you need will say flag3.

msf > banner


Challenge #

9. Again, type the following command to change the banner and press <Enter>. Keep typing the command until you see a similar banner below which will have flag4 in it.

msf > banner

Challenge #

9. Again, type the following command to change the banner and press <Enter>. Keep typing the command until you see a similar banner below which will have flag5 in it.

msf > banner


Challenge #

9. Type the following command to scan 192.168.1.100 for open ports. Press <Enter>.

msf > db_nmap -A 192.168.1.100

DB_NMAP

Note: After a few minutes the scan results will be displayed.


DB_NMAP

10. Type the following command to start Armitage. Press <Enter>.

msf > ./armitage

ARMITAGE COMMAND

11. After the box appears, click the Connect button.

ARMITAGE

12. Click Yes when you are asked if you want to Start Metasploit.


START METASPLOIT

Note: For a small amount of time, you will receive a message that the connection is refused.

ERROR

Note: The Windows server (192.168.1.100) from the nmap scan will be displayed.

WINDOWS SERVER


13. In the left-hand pane, click the arrow to the left of exploit to expand it.

ARMITAGE

14. Under exploit, click the arrow to the left of windows to expand it.

ARMITAGE


15. Under windows, click the arrow to the left of smb to expand it.

ARMITAGE

16. Click the 192.168.1.100 host once and a green box will appear around it.


ARMITAGE

17. Under smb, find ms09_050_smb2_negotiate_func_index and double-click it.

ARMITAGE

18. Check the box to use a reverse connection and click Launch.

Make sure you check the box for "Use a reverse connection" and that you see the picture of the compromised machine below.


ARMITAGE

Note: The machine will then become compromised. Do not use the Armitage GUI window. It will be used in Task 4.

ARMITAGE

19. Click the close button on the VM window.

CLOSING VM WINDOW


CONCLUSION: Armitage is a GUI frontend for Metasploit that allows attackers to scan, identify, and exploit remote operating systems. After scanning a machine, Armitage will report what operating system and service pack level the target machine is using. The Armitage tool then allows the attacker to find attacks by open ports. If the attacker is able to successfully connect to a victim machine, the victim will be displayed with a red border.

DISCUSSION QUESTIONS:

1. Armitage is a GUI front end for what exploitation tool?

2. What message does Armitage display after you try to find attacks by port?

3. Explore the Armitage menu. What are some other features of the tool?

4. At what point is the victim machine considered to be compromised?

Using Volatility to Analyze Remote Connections

Volatility is an open source analysis tool used for incident response and analysis. Several tools make up Volatility and it uses the Python language. We will use some of the tools to extract information from the memory image we created on the Kali Linux system.

Memory Analysis

1. Go back to the Windows Server machine by clicking it in the topology.

WINDOWS SERVER MACHINE

2. Double-click on the Command Prompt shortcut.


COMMAND PROMPT

3. Type the following command and press Enter to list the directory. Take note of the file named ram1.dd.

C:\>dir

LISTING DIRECTORY

4. Type del ram1.dd and press Enter to delete the file. Then type dir to verify.


DELETE AND VERIFY

5. Type the following command to image memory. Press Enter.

C:\>DumpIt.exe

DUMPIT

6. Click y to the question if you want to continue. The RAM will be dumped. After a short amount of time, you will receive the message Processing . . . Success. Press Enter. DumpIt creates a file with the .raw extension. The file is in the root of C:.


DUMPIT FINISHED

7. Type the following command to view the newly created RAM dump image. Press Enter.

C:\>dir

DIR COMMAND

8. Type the following command to rename the memory image file. Press Enter.

C:\>ren *.raw ram2.dd

REN COMMAND


9. Type the following command to view the renamed RAM dump image. Press Enter.

C:\>dir

DIR COMMAND

10. Click the close button on the VM window.

CLOSING VM WINDOW

11. Go back to the Windows 10 machine by clicking it in the topology.


WINDOWS 10

12. Right-click on the Windows Key and select Run.

RUN

13. Type the following in the run box: \\192.168.1.100\C$. Press Enter.


UNC PATH

14. For the username, type administrator, and for the password, type P@ssw0rd. Click OK.

Note: The password of P@ssw0rd will not be displayed when you type it for security purposes.

CREDENTIALS

15. Drag ram2.dd to the C: drive.


RAM FILE

16. Click Continue.

CONFIRM CHANGE

17. Wait for the file copy to finish.

FILE COPY

18. Right-click on the cmd - Shortcut and select Run as administrator. Note: if your CLI is already open, you can skip this step.


WINDOWS 10 DESKTOP

19. Type the following command and press Enter.

C:\windows\system32>cd \

19. Type the following command and press <Enter> to view the ram2.dd file.

C:\>dir

19. Type the following command to list the network connections recorded in RAM. Press Enter.

C:\>volatility-2.5.exe netscan -f ram2.dd --profile Win2008SP1x86


NETWORK CONNECTIONS IN RAM

20. Type the following command to filter the network connections in RAM for port 445. Press Enter.

C:\>volatility-2.5.exe netscan -f ram2.dd --profile Win2008SP1x86 | find "445"

NETWORK CONNECTIONS IN RAM

21. Again, type the following command and press <Enter> to view the flag6 file.

C:\>dir

21. Type the following command to view the contents of the flag6.txt file.

C:\>more flag6.txt

Challenge #


21. Click the close button on the VM window.

CLOSING VM WINDOW

Note: Press the STOP button to complete the lab.

LAB COMPLETE

CONCLUSION: DumpIt is a program that will allow you to capture RAM from a system. When a machine is turned off, the information in RAM will go away. If a tool like DumpIt is used, the volatile data within the captured RAM image can be analyzed with a tool like volatility. In the case of a network intrusion, capturing the RAM can be critical so you can determine the IP Address and Port Numbers used by the attacking machine.
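The conclusion's point, that the RAM image identifies the attacking machine's IP address and ports, is what steps 19 and 20 show by piping netscan through find. The Python below is an added example written for this page, not Volatility's own API: it parses netscan's text output and answers the same questions in a repeatable way, namely which TCP ports the server was listening on (discussion question 1), every row touching port 445, and, for a given remote host, which connections were inbound to a listening service and which were outbound from the server (a reverse connection of the kind enabled in the Armitage task appears as the latter). The SAMPLE_NETSCAN rows are constructed; 192.168.1.100 is the lab's Windows Server, while 192.168.1.50, the process owners and every port other than 445 are made up and not taken from the lab image.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of Volatility 2.5 'netscan' text output (not from a real dump).
SAMPLE_NETSCAN = """\
Volatility Foundation Volatility Framework 2.5
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e05f2e0 TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x3e05f2e0 TCPv6    :::445                         :::0                 LISTENING        4        System
0x3e0b8a28 TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1212     svchost.exe
0x3e0ad0e8 TCPv4    192.168.1.100:445              192.168.1.50:41622   ESTABLISHED      4        System
0x3e1c4d20 TCPv4    192.168.1.100:49170            192.168.1.50:4444    ESTABLISHED      1884     explorer.exe
0x3e1a3b18 UDPv4    0.0.0.0:123                    *:*                                   1120     svchost.exe    2016-03-10 14:02:20 UTC+0000
0x3e1f0c40 UDPv4    192.168.1.100:137              *:*                                   4        System         2016-03-10 14:02:18 UTC+0000
"""


class Conn(NamedTuple):
    offset: str
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: Optional[str]      # None for UDP rows, which netscan prints without a state
    pid: int
    owner: str
    created: str


# One netscan data row. State is optional because UDP rows leave the column blank.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>-?\d+)\s+(?P<owner>\S+)"
    r"(?:\s+(?P<created>\S.*?))?\s*$"
)


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'*:*' is an unbound UDP peer; IPv6 text such as ':::445' splits on the last colon."""
    if endpoint == "*:*":
        return "*", None
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netscan(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lhost, lport = _split_endpoint(m["local"])
        fhost, fport = _split_endpoint(m["foreign"])
        conns.append(Conn(m["offset"], m["proto"], lhost, lport, fhost, fport,
                          m["state"], int(m["pid"]), m["owner"], m["created"] or ""))
    return conns


def listening_ports(conns: List[Conn]) -> List[int]:
    """Distinct TCP ports in LISTENING state (discussion question 1)."""
    return sorted({c.local_port for c in conns
                   if c.proto.startswith("TCP") and c.state == "LISTENING"})


def connections_on_port(conns: List[Conn], port: int) -> List[Conn]:
    """Structured equivalent of piping netscan through find for a port number."""
    return [c for c in conns if port in (c.local_port, c.foreign_port)]


def established_peers(conns: List[Conn]) -> List[str]:
    """Remote hosts with an ESTABLISHED TCP session at the time of the dump."""
    return sorted({c.foreign_host for c in conns if c.state == "ESTABLISHED"})


def peer_summary(conns: List[Conn], host: str) -> List[Tuple[str, int, int, int, str]]:
    """(direction, local_port, foreign_port, pid, owner) for each session with host.

    'inbound' means the remote side connected to one of our listening services;
    'outbound' means this server opened the connection, which is how a reverse
    connection from the victim back to the attacker shows up in the image.
    """
    listening = set(listening_ports(conns))
    rows = []
    for c in conns:
        if c.state == "ESTABLISHED" and c.foreign_host == host:
            direction = "inbound" if c.local_port in listening else "outbound"
            rows.append((direction, c.local_port, c.foreign_port, c.pid, c.owner))
    return rows


if __name__ == "__main__":
    connections = parse_netscan(SAMPLE_NETSCAN)
    print("listening:", listening_ports(connections))
    for peer in established_peers(connections):
        print(peer, peer_summary(connections, peer))
```

Run against a real image by redirecting the netscan command's output to a file and passing its text to parse_netscan; an outbound session to the same host that also has an inbound session on port 445 is the pattern worth explaining in the incident write-up.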

DISCUSSION QUESTIONS:

1. What ports is the machine listening on?

2. Based on image info, was the operating system a 32-bit or 64-bit system?

3. What is the date that the image was created?


4. Based on image info, what was the operating system installed?

References:

1. DumpIt download: http://www.downloadcrew.com/article/23854-dumpit

2. Volatility download: https://code.google.com/p/volatility/

3. Princeton Video on Capturing Memory: https://citp.princeton.edu/research/memory/media/

4. Memory Forensics: http://en.wikipedia.org/wiki/Memory_forensics

5. Volatility Framework: http://www.forensicswiki.org/wiki/Volatility_Framework

Organization: Moraine Valley Community College

Author: Jesse Varsalone and Kevin Vaccaro

Copyright © National Information Security, Geospatial Technologies Consortium (NISGTC)

The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

© Infosec Learning, LLC. All rights reserved.