Memory Analysis
OVERVIEW: This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG) and funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746.
By the end of this lab, students will utilize various methods to determine if an attacker attempted a breach or successfully compromised a system. Some information about the attacker, such as his IP address, may be lost if the machine is shut down. For this reason, an investigator collects volatile data before shutting down a system.
This lab includes the following tasks:
Task 1 – Obtaining a dump of physical memory using DumpIt
Task 2 – Attacking the victim system with Armitage
Task 3 – Using volatility to determine remote connections
Key Term – Description
DumpIt – generates a copy of the system's physical memory and saves it as a file
volatility – an open source analysis tool used for incident response and analysis
Pslist – will determine the running processes in RAM along with their corresponding
connscan – will determine the network connections (including IP's and ports) in RAM
Armitage – Metasploit is a very powerful exploitation framework, but it requires that the user be comfortable using the command line. Armitage is a GUI frontend for Metasploit that has many powerful capabilities. An attacker can use Armitage to identify and exploit victim machines within an easy to use graphical environment.
Reading Assignment
Introduction
In this lab, you will use various methods to determine if an attacker attempted a breach or successfully compromised a system. Some information about the attacker, such as the system's IP address, may be lost if the machine is shut down. For this reason, an investigator collects volatile data such as an image of Random Access Memory (RAM) before shutting down a system. Figure 1 shows the lab topology.
This lab includes the following tasks:
Obtaining a dump of physical memory using DumpIt
Attacking the victim system with Armitage
Using volatility to determine remote connections
FIGURE 1 – LAB TOPOLOGY
Memory Forensics
Memory forensics is the process of analyzing the volatile memory of a computer system. Digital forensics professionals use memory forensics to help them investigate information such as network connections, running processes, and malicious behaviors active in memory.
Volatile Data
The operating system reads and writes data to memory in a system's RAM. Data in RAM is volatile because the data in memory is lost when the system is turned off. Memory can contain data such as processes, command history, passwords, and files that can be extracted and that are helpful to forensic investigators.
Memory Dump and DumpIt
DumpIt is a command line program that runs on either a 32- or a 64-bit version of Windows. This tool generates a copy of the system's physical memory and saves it as a file in the same directory from which the command is run. DumpIt can also be run from a drive letter assigned to a USB drive, with the image stored on the removable media. Figure 2 shows how DumpIt works.
FIGURE 2 – DUMPIT COMMAND
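As an added example (not part of the lab, DumpIt or Volatility), the following Python script shows why the volatile data described above is worth collecting: it carves readable ASCII and UTF-16LE strings, the form in which Windows keeps most of its text in RAM, out of a raw memory buffer. The buffer is a constructed stand-in for a slice of a DumpIt .raw image; the same function works on a real image opened in binary mode, and the string contents, file name and offsets are all assumptions made for the example.

```python
import re
import sys

# Constructed stand-in for a slice of a DumpIt .raw image (assumption: a real image is
# the same kind of byte stream, only hundreds of megabytes long). Windows keeps most of
# its text, such as paths and command lines, in memory as UTF-16LE.
SAMPLE_MEMORY = (
    b"\x00\x10\xff\x0c" * 4                                   # non-printable filler
    + b"chrome.exe"                                           # an ASCII process name
    + b"\x00\x00\x90\x90"
    + "C:\\Users\\Administrator\\Desktop".encode("utf-16le")  # a UTF-16LE path
    + b"\x00\x00\x01"
    + b"ab"                                                   # too short to be reported
    + b"\xcc" * 8
    + "cmd.exe /c dir".encode("utf-16le")                     # a UTF-16LE command line
    + b"\xff" * 6
)


def carve_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len characters.

    An ASCII run is min_len or more bytes in 0x20-0x7e; a UTF-16LE run is the same
    bytes with each one followed by 0x00. Results are sorted by offset in the image.
    """
    count = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + count + rb",}")
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + count + rb",}")
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def grep_strings(found, pattern):
    """Keep only the carved strings whose text matches a regular expression (case-insensitive)."""
    regex = re.compile(pattern, re.IGNORECASE)
    return [item for item in found if regex.search(item[2])]


if __name__ == "__main__":
    # Usage: python carve_strings.py [image.raw]  (the whole image is read into memory here;
    # with no argument the constructed sample above is carved instead).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for offset, encoding, text in grep_strings(carve_strings(data), r"\.exe|\\"):
        print(f"0x{offset:08x} {encoding:8} {text}")
```

Raising min_len trades recall for noise: at the default of 4 every short printable run in the image is reported, while a value of 12 or more keeps mostly paths, command lines and URLs. The UTF-16LE pattern is what distinguishes this from a plain `strings` run, because a path such as C:\Users\Administrator\Desktop never appears as consecutive ASCII bytes in Windows memory.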
Volatility is a tool written in Python that runs on Linux and Windows. Volatility takes the results of the dump above and allows you to analyze processes, command history, and even review files and passwords that are in volatile memory on a system. Figure 3 shows how Volatility works by analyzing the system processes.
FIGURE 3 – VOLATILITY COMMAND
In this lab, you will be using volatility to explore system processes and remote connections.
Pentesting
A penetration test (or pentest for short) is broken down into stages—planning and reconnaissance, scanning, gaining access, maintaining access, and analysis of results. Planning and reconnaissance are the first stages that allow the attackers to select a target and harvest any information they can get from resources such as web sites, social networking sites, and other pieces of data. The next stage is scanning. In this lab, you will be using nmap to do your initial scans. Then, you will use the Metasploit framework and Armitage, which comes preloaded on some versions of Kali Linux, to exploit the vulnerable Windows system.
Kali Linux/Metasploit
Kali Linux is a Linux distribution created for digital forensics and penetration testing. Metasploit is a penetration testing framework which comes preloaded with Kali Linux. Kali Linux along with Metasploit provides tools for penetration testers to improve security assessments and awareness. This lab uses Armitage and Metasploit to exploit a vulnerable XAMPP application.
Postgres DBMS
Postgres is an open-source object relational database system. It has over 30 years of active development. It is the successor to the Ingres database from the University of California, Berkeley. In this version of Kali, Metasploit and Armitage rely on the postgres service to function.
Nmap/Zenmap
Nmap is an open-source network vulnerability scanner used to discover hosts and open ports/services. Zenmap is the GUI interface to nmap.
Exploiting the victim with Armitage
Armitage, designed by Raphael Mudge, is a front-end hacking tool for Metasploit that visualizes targets, recommends exploits, and performs them against systems to break into them. Figure 4 shows the Armitage interface. You will use Armitage to exploit a vulnerable web application and a Windows Server.
FIGURE 4 – ARMITAGE INTERFACE (SOURCE: ARMITAGE)
CONCLUSION: In this lab, you will use DumpIt to dump a copy of the physical memory and use volatility to analyze the image of memory. You will use Kali Linux, Metasploit, and Armitage to attack a vulnerable Windows system and then use volatility to analyze remote connections captured in the image of RAM.
Use DumpIt to Extract Running Physical Memory
DumpIt is an executable file that runs on either a 32- or 64-bit version of Windows. This tool generates a copy of the system's physical memory and saves it as a file in the same directory that you used to run the command. DumpIt can also be run from a USB drive.
Extracting Running Physical Memory
1. Click the START button in the adjoining window.
INITIALIZING THE VIRTUAL ENVIRONMENT
2. Perform the following steps on the machine running Windows Server by clicking the server icon in the topology.
WINDOWS SERVER
3. Click the Send Ctrl+Alt+Delete button when instructed to do so.
ACCESSING LOGIN
4. Click inside the password input field. Type P@ssw0rd and press <Enter>.
AUTHENTICATING USER
5. Open Chrome by double-clicking on the shortcut on the Desktop.
SHORTCUT TO CHROME
6. Minimize Chrome. This gives us a process we can identify running in memory.
MINIMIZE CHROME
7. Double-click on the Command Prompt shortcut.
COMMAND PROMPT
8. Type the following command and press <Enter> to image memory.
C:\>DumpIt.exe
DUMPIT
9. Click y to the question if you want to continue. The RAM will be dumped. After a short amount of time, you will receive the message Processing . . . Success. Press <Enter>. DumpIt creates a file with the .raw extension. The file is in the root of C:.
DUMPIT FINISHED
10. Type the following command and press <Enter> to view the newly created RAM dump image. Note: the directory contents may be slightly different, but you should see a file with a .raw extension.
C:\>dir
DIR COMMAND
11. Type the following command and press <Enter> to rename the memory image file.
C:\>ren *.raw ram1.dd
REN COMMAND
12. Type the following command and press <Enter> to view the renamed RAM dump image.
C:\>dir
DIR COMMAND
13. Type the following command and press <Enter> to view the sampleflag.txt file.
C:\>dir
13. Type the following command and press <Enter> to view the contents of the sampleflag.txt file.
C:\>more sampleflag.txt
13. Notice the flag of 999818. Click on the Challenge icon and type the flag number into the answer box. This is just to show you how to capture Challenge Flags you will see throughout this lab.
Challenge Sample #
13. Type the following command again and press <Enter> to view the flag2.txt file.
13. Type the following command and press <Enter> to view the contents of the flag2.txt file.
C:\>more flag2.txt
Challenge #
13. Click the close button on the CLI.
CLOSING CLI
14. Click the close button on the VM window.
CLOSING VM WINDOW
15. Switch to the machine running Windows 10.
WINDOWS 10
16. Right-click on the cmd – Shortcut and select Run as administrator.
WINDOWS 10 DESKTOP
17. Type the following command and press <Enter> to go back to the root of C:.
C:\Windows\system32>cd \
CD COMMAND
18. Type the following command and press <Enter> to map a drive.
C:\>net use x: \\192.168.1.100\c$ /u:administrator P@ssw0rd
NET USE COMMAND
19. Type the following command and press <Enter> to copy the RAM dump to the C:\ drive.
C:\>copy x:\*.dd c:\
COPY COMMAND
20. Type the following command and press <Enter> to view the copied RAM dump image. Note: the rest of the directory contents should be similar.
C:\>dir
DIR COMMAND
21. Type the following command and press <Enter> to view the switches for volatility.
C:\>volatility-2.5.exe -h
VOLATILITY COMMAND
22. Type the following command and press <Enter> to parse information from the image of RAM.
C:\>volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 imageinfo
PROCESSES IN RAM
23. Type the following command and press <Enter> to parse the processes running in RAM.
C:\>volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 pslist
PROCESSES IN RAM
24. Type the following command and press <Enter> to parse the chrome processes running in RAM.
C:\>volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 pslist | find "chrome"
PROCESSES IN RAM
25. Click the close button on the VM window.
CLOSE VM WINDOW
CONCLUSION: DumpIt is a program that will allow you to capture RAM from a system. When a machine is turned off, the information in RAM will go away. If a tool such as DumpIt is used, the volatile data within the captured RAM image can be analyzed with a tool like volatility.
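Steps 18 through 20 move ram1.dd from the server to the analysis machine over an SMB share. As an added example (not part of the lab or of DumpIt), the following Python script, which would be run on the Windows 10 machine, hashes the image on the mapped drive and the copied image and records both digests in a JSON-lines manifest, so a truncated or altered copy is caught before any Volatility output is relied on. The manifest path, the x: and c: paths in the usage comment, and the sample image bytes built by demo() are assumptions made for the example.

```python
import hashlib
import json
import os
import sys
import tempfile
import time


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so a multi-GB image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copy(original, copy):
    """Compare size and SHA-256 of the image on the source share with the copied image."""
    result = {
        "original": os.fspath(original),
        "copy": os.fspath(copy),
        "original_size": os.path.getsize(original),
        "copy_size": os.path.getsize(copy),
        "original_sha256": sha256_file(original),
        "copy_sha256": sha256_file(copy),
    }
    # A size mismatch means the copy stopped early or grew; a hash mismatch at equal
    # size means the content changed in transit. Either way the copy is not evidence.
    result["size_match"] = result["original_size"] == result["copy_size"]
    result["hash_match"] = result["original_sha256"] == result["copy_sha256"]
    return result


def record(result, manifest_path):
    """Append the verification as one JSON line to a manifest (assumed custody log path)."""
    entry = dict(result, recorded_at=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed stand-in for ram1.dd with one faithful copy and one truncated copy."""
    workdir = tempfile.mkdtemp(prefix="memdump-")
    image = b"\x00" * 4096 + b"constructed sample memory image" + b"\xff" * 4096
    paths = {name: os.path.join(workdir, name) for name in ("ram1.dd", "ram1_copy.dd", "ram1_short.dd")}
    with open(paths["ram1.dd"], "wb") as fh:
        fh.write(image)
    with open(paths["ram1_copy.dd"], "wb") as fh:
        fh.write(image)
    with open(paths["ram1_short.dd"], "wb") as fh:
        fh.write(image[:-100])  # a copy that stopped 100 bytes early
    manifest = os.path.join(workdir, "acquisition.jsonl")
    good = record(verify_copy(paths["ram1.dd"], paths["ram1_copy.dd"]), manifest)
    bad = record(verify_copy(paths["ram1.dd"], paths["ram1_short.dd"]), manifest)
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. verify_image.py x:\ram1.dd c:\ram1.dd  (the lab's mapped drive and copy, as an assumption)
        print(json.dumps(record(verify_copy(sys.argv[1], sys.argv[2]), "acquisition.jsonl"), indent=2))
    else:
        for outcome in demo():
            print(json.dumps(outcome, indent=2))
```

Hashing over the share reads the original a second time across the network, which is the price of not trusting the copy; in an investigation the first digest is normally taken on the server immediately after DumpIt finishes and carried with the image.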
DISCUSSION QUESTIONS:
1. What were the different process ID's for chrome? Answers will vary.
2. Based on image info, was the operating system a 32-bit or 64-bit system?
3. What is the date that the image was created?
4. Based on image info, what was the operating system installed?
Attacking a Remote System Utilizing Armitage
In this section, you will be introduced to Armitage, a Graphical User Interface (GUI) front end for Metasploit. The website for Armitage, which was developed by Raphael Mudge, is fastandeasyhacking.com. Armitage provides the user with a visual interface that will help them understand what is happening in the background of Metasploit.
1. Click on the internal Kali 2 Linux icon on the topology.
INTERNAL KALI 2
2. Type root for the Username. Press <Enter>.
INTERNAL KALI 2 USERNAME
3. For the Password, type toor and click the Sign In button.
Note: The password of toor will not be displayed when you type it for security purposes.
INTERNAL KALI 2 PASSWORD
4. Click the black and white icon (second from the top) to launch the Linux terminal.
OPENING THE KALI 2 TERMINAL
5. Type the following command and press <Enter> to scan and see if port 445 is open.
root@kali2:~# nmap 192.168.1.100 -p 445
NMAP
6. Type the following command and press <Enter> to start the postgresql service.
root@kali2:~# service postgresql start
START POSTGRESQL
7. Type the following command to switch to the Armitage directory. Press <Enter>.
root@kali2:~# cd armitage
ARMITAGE DIRECTORY
8. Type the following command to start the Metasploit console. Press <Enter>.
root@kali2:~/armitage# msfconsole
ARMITAGE DIRECTORY
9. Type the following command to change the banner and press <Enter>. Keep typing the command until you see a banner similar to the one below, which will have flag3 in it. This may take a number of tries. In fact, you might see other flag numbers, but the one you need will say flag3.
msf > banner
Challenge #
9. Again, type the following command to change the banner and press <Enter>. Keep typing the command until you see a banner similar to the one below, which will have flag4 in it.
msf > banner
Challenge #
9. Again, type the following command to change the banner and press <Enter>. Keep typing the command until you see a banner similar to the one below, which will have flag5 in it.
msf > banner
Challenge #
9. Type the following command to scan 192.168.1.100 for open ports. Press <Enter>.
msf > db_nmap -A 192.168.1.100
DB_NMAP
Note: After a few minutes the scan results will be displayed.
DB_NMAP
10. Type the following command to start Armitage. Press <Enter>.
msf > ./armitage
ARMITAGE COMMAND
11. After the box appears, click the Connect button.
ARMITAGE
12. Click Yes when you are asked if you want to Start Metasploit.
START METASPLOIT
Note: For a small amount of time, you will receive a message that the connection is refused.
ERROR
Note: The Windows server (192.168.1.100) from the nmap scan will be displayed.
WINDOWS SERVER
13. In the left-hand pane, click the arrow to the left of exploit to expand it.
ARMITAGE
14. Under exploit, click the arrow to the left of windows to expand it.
ARMITAGE
15. Under windows, click the arrow to the left of smb to expand it.
ARMITAGE
16. Click the 192.168.1.100 host once and a green box will appear around it.
ARMITAGE
17. Under smb, find ms09_050_smb2_negotiate_func_index and double-click it.
ARMITAGE
18. Check the box to use a reverse connection and click Launch.
Make sure you check the box for "Use a reverse connection" and that you see the picture of the compromised machine below.
ARMITAGE
Note: The machine will then become compromised. Do not use the Armitage GUI window. It will be used in Task 4.
ARMITAGE
19. Click the close button on the VM window.
CLOSING VM WINDOW
CONCLUSION: Armitage is a GUI frontend for Metasploit that allows attackers to scan, identify, and exploit remote operating systems. After scanning a machine, Armitage will report what operating system and service pack level the target machine is using. The Armitage tool then allows the attacker to find attacks by open ports. If the attacker is able to successfully connect to a victim machine, the victim will be displayed with a red border.
DISCUSSION QUESTIONS:
1. Armitage is a GUI front end for what exploitation tool?
2. What message does Armitage display after you try to find attacks by port?
3. Explore the Armitage menu. What are some other features of the tool?
4. At what point is the victim machine considered to be compromised?
Using Volatility to Analyze Remote Connections
Volatility is an open source analysis tool used for incident response and analysis. Several tools make up Volatility and it uses the Python language. We will use some of the tools to extract information from the memory image we created on the Kali Linux system.
Memory Analysis
1. Go back to the Windows Server Machine by clicking the topology.
WINDOWS SERVER MACHINE
2. Double-click on the Command Prompt shortcut.
COMMAND PROMPT
3. Type the following command and press Enter to list the directory. Take note of the file named ram1.dd.
C:\>dir
LISTING DIRECTORY
4. Type del ram1.dd and press Enter to delete the file. Then type dir to verify.
DELETE AND VERIFY
5. Type the following command to image memory. Press Enter.
C:\>DumpIt.exe
DUMPIT
6. Click y to the question if you want to continue. The RAM will be dumped. After a short amount of time, you will receive the message Processing . . . Success. Press Enter. DumpIt creates a file with the .raw extension. The file is in the root of C:.
DUMPIT FINISHED
7. Type the following command to view the newly created RAM dump image. Press Enter.
C:\>dir
DIR COMMAND
8. Type the following command to rename the memory image file. Press Enter.
C:\>ren *.raw ram2.dd
REN COMMAND
9. Type the following command to view the renamed RAM dump image. Press Enter.
C:\>dir
DIR COMMAND
10. Click the close button on the VM window.
CLOSING VM WINDOW
11. Go back to the Windows 10 Machine by clicking the topology.
WINDOWS 10
12. Right-click on the Windows Key and select Run.
RUN
13. Type the following in the run box: \\192.168.1.100\C$. Press Enter.
UNC PATH
14. For the username, type administrator, and for the password, type P@ssw0rd. Click OK.
Note: The password of P@ssw0rd will not be displayed when you type it for security purposes.
CREDENTIALS
15. Drag ram2.dd to the C: drive.
RAM FILE
16. Click Continue.
CONFIRM CHANGE
17. Wait for the file copy to finish.
FILE COPY
18. Right-click on the cmd - Shortcut and select Run as administrator. Note: if your CLI is already open, you can skip this step.
WINDOWS 10 DESKTOP
19. Type the following command and press Enter.
C:\windows\system32>cd \
19. Type the following command and press <Enter> to view the ram2.dd file.
C:\>dir
19. Type the following command to parse the network connections in RAM. Press Enter.
C:\>volatility-2.5.exe netscan -f ram2.dd --profile Win2008SP1x86
NETWORK CONNECTIONS IN RAM
20. Type the following command to filter the network connections in RAM for 445. Press Enter.
C:\>volatility-2.5.exe netscan -f ram2.dd --profile Win2008SP1x86 | find "445"
NETWORK CONNECTIONS IN RAM
21. Again, type the following command and press <Enter> to view the flag6 file.
C:\>dir
21. Type the following command to view the contents of the flag6.txt file.
C:\>more flag6.txt
Challenge #
21. Click the close button on the VM window.
CLOSING VM WINDOW
Note: Press the STOP button to complete the lab.
LAB COMPLETE
CONCLUSION: DumpIt is a program that will allow you to capture RAM from a system. When a machine is turned off, the information in RAM will go away. If a tool like DumpIt is used, the volatile data within the captured RAM image can be analyzed with a tool like volatility. In the case of a network intrusion, capturing the RAM can be critical so you can determine the IP Address and Port Numbers used by the attacking machine.
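Both the pslist step in Task 1 (finding the chrome process IDs) and the netscan steps above depend on reading Volatility's text output, and `find "445"` is a plain substring match: it also shows a line whose local port is 4450 or whose client port happens to be 44512. As an added example (not part of the lab or of Volatility), the Python script below parses pslist and netscan output into records and answers both questions exactly: the PIDs of a named process, the connections whose local port really is 445, and the remote address and owning process of the established session. The two output samples are constructed to follow Volatility 2.5's column layout; every offset, PID, address and timestamp in them is made up, and the parser also copes with the blank Owner column that real netscan output can contain.

```python
import re

# Constructed sample of `volatility-2.5.exe -f ram1.dd --profile Win2008SP1x86 pslist`
# output (column layout follows Volatility 2.5; the values are made up for this example).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84080a00 System                    4      0     89      465 ------      0 2016-03-01 14:02:11 UTC+0000
0x85a1c0d8 chrome.exe             1864   1812     23      301      1      0 2016-03-01 14:05:40 UTC+0000
0x85b3e2a0 chrome.exe             1902   1864      8      120      1      0 2016-03-01 14:05:41 UTC+0000
0x85c40d40 cmd.exe                2016   1812      1       21      1      0 2016-03-01 14:06:02 UTC+0000
"""

# Constructed sample of `netscan` output for the same image, taken while a client at the
# made-up address 192.168.1.50 holds an SMB session to port 445. The last row has no Owner.
NETSCAN_SAMPLE = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1f2a08 TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x3e2b4c18 TCPv4    192.168.1.100:445              192.168.1.50:44512   ESTABLISHED      4        System
0x3e3c0f20 TCPv4    192.168.1.100:4450             192.168.1.7:80       ESTABLISHED      1864     chrome.exe
0x3e4d1a30 UDPv4    0.0.0.0:137                    *:*                                   4                       2016-03-01 14:02:30 UTC+0000
"""

TCP_STATES = {"LISTENING", "ESTABLISHED", "CLOSED", "CLOSE_WAIT", "TIME_WAIT", "SYN_SENT",
              "SYN_RECEIVED", "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK", "CLOSING", "DELETE_TCB"}
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _data_lines(text):
    """Skip Volatility's header and separator lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith(("Offset", "---")):
            yield line


def parse_pslist(text):
    """One dict per process; only the columns this example uses are kept."""
    procs = []
    for line in _data_lines(text):
        p = line.split()
        procs.append({"offset": p[0], "name": p[1], "pid": int(p[2]), "ppid": int(p[3])})
    return procs


def split_addr(addr):
    """'192.168.1.100:445' -> ('192.168.1.100', 445); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netscan(text):
    """One dict per socket. UDP rows have no State; the Owner column may be blank."""
    conns = []
    for line in _data_lines(text):
        parts = line.split()
        offset, proto, local, foreign, rest = parts[0], parts[1], parts[2], parts[3], parts[4:]
        state = rest.pop(0) if rest and rest[0] in TCP_STATES else ""
        pid = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        owner = rest.pop(0) if rest and not DATE_RE.match(rest[0]) else ""
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        conns.append({"offset": offset, "proto": proto, "local_host": lhost, "local_port": lport,
                      "remote_host": fhost, "remote_port": fport, "state": state,
                      "pid": pid, "owner": owner, "created": " ".join(rest)})
    return conns


def process_ids(procs, name):
    """PIDs of every process whose image name contains `name` (case-insensitive)."""
    return [p["pid"] for p in procs if name.lower() in p["name"].lower()]


def connections_on_local_port(conns, port):
    """Exact match on the local port, unlike `find "445"`, which is a substring search."""
    return [c for c in conns if c["local_port"] == port]


def substring_hits(text, needle):
    """How many data lines `find "<needle>"` would have printed, for comparison."""
    return sum(1 for line in _data_lines(text) if needle in line)


def remote_peers(conns, port, procs=None):
    """(remote host, remote port, owning process) for established sessions to a local port."""
    names = {p["pid"]: p["name"] for p in procs or []}
    return {(c["remote_host"], c["remote_port"], names.get(c["pid"], c["owner"]))
            for c in connections_on_local_port(conns, port) if c["state"] == "ESTABLISHED"}


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    conns = parse_netscan(NETSCAN_SAMPLE)
    print("chrome PIDs:", process_ids(procs, "chrome"))
    print('lines find "445" would show:', substring_hits(NETSCAN_SAMPLE, "445"))
    print("connections with local port 445:", len(connections_on_local_port(conns, 445)))
    print("remote peers on 445:", remote_peers(conns, 445, procs))
```

On the sample, `find "445"` would print three rows but only two sockets have local port 445, and only one of those is an established session; its remote host and port are the values the conclusion above says the RAM capture is needed for. To use it on real output, redirect the lab's pslist and netscan commands to files and pass their contents to parse_pslist and parse_netscan.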
DISCUSSION QUESTIONS:
1. What ports is the machine listening on?
2. Based on image info, was the operating system a 32-bit or 64-bit system?
3. What is the date that the image was created?
4. Based on image info, what was the operating system installed?
References:
1. DumpIt download – http://www.downloadcrew.com/article/23854-dumpit
2. Volatility download – https://code.google.com/p/volatility/
3. Princeton Video on Capturing Memory – https://citp.princeton.edu/research/memory/media/
4. Memory Forensics – http://en.wikipedia.org/wiki/Memory_forensics
5. Volatility Framework – http://www.forensicswiki.org/wiki/Volatility_Framework
Organization: Moraine Valley Community College
Author: Jesse Varsalone and Kevin Vaccaro
Copyright © National Information Security, Geospatial Technologies Consortium (NISGTC)
The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
© Infosec Learning, LLC. All rights reserved.