you suck at memory analysis
DESCRIPTION
Within the current arsenal of offensive and defensive techniques, analysis of volatile memory is far from being the most explored channel. One is more likely to hear about input validation attacks or attacks against protocols and cryptography, while keys, passphrases, credit card numbers and other precious artifacts are kept unsafely in memory. This kind of analysis is a mine waiting to be explored, since it rests on one of the most vulnerable and unavoidable resources of any system: memory. From Java to Stuxnet, as well as Windows, without forgetting the Cloud, I will try to show some scenarios where these techniques can be applied and their impact as a threat, and bring an important and fun subject not just to those who work in forensics but also to penetration testers like myself. Finally, I will also try to show how this can be used for defensive technologies, as tools for monitoring and protection in networks with systems in production.
TRANSCRIPT
You suck at Memory Analysis
give it up, it’s not worth it
Disclaimer
• Contents displayed such as thoughts and opinions are exclusively those of Francisco Gama Tabanez Ribeiro, the author, and do not reflect the viewpoint or policy of any of my employers.
• You are free to use these contents for your works as well as make derived works from it as long as you keep visible and explicit references to this website in proper place.
• Images and references to other works within this production remain the property of their respective holders. All licenses explicitly applied to individual resources shall override this one.
Who?
• Francisco da Gama Tabanez Ribeiro
• Penetration Testing @ Portugal Telecom
• Certificates that I don’t have:
MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001, CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI, ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
Agenda
• Intro:
• Who? Why? How?
• 1) Memory Acquisition
• 2) Memory Analysis
• Windows:
• memory acquisition
• process reconstitution
• malware analysis
• Java:
• JMX
• Web
• Breaking safes (Truecrypt)
• Hardware:
• printers
• cold boot attack
• Conclusion: where next?
Some of the real experts here.
• Michael Cohen
• Brendan Dolan-Gavitt
• Jesse Kornblum
• Mark Russinovich
• Mike Auty
• Michael L. Hale
• Harlan Carvey
• Dmitry Vostokov
Dinner @ RIT’s meet-up
Why?
• OS & process behavioral tracing
• app debugging & profiling
• malware analysis (Rootkit Paradox)
• mining raw data artifacts
• low level monitoring
• plays well with Social Engineering
• supports the Cloud, VM’s & mobile’s
suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
1) Memory Acquisition
Memory Acquisition Techniques (Software)
• Crash Dumps
• Hibernation files
• Virtual Machine Imaging/Suspend
• Physical memory device objects:
• Windows (\\Device\PhysicalMemory, \\Device\DebugMemory)
• Linux (/dev/mem, /proc/kcore, /dev/crash)
• Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory)
• Inferential
Memory Acquisition Tools
• MoonSols tools, mdd, dd
• memdump, userdump
• nigilant32, KNTTools, WMFT
• Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
suggested reading: Tools: Memory Imaging, Forensics WiKi
Memory Acquisition Gotchas
• memory images taken live may come “blurred”
• time required increases with memory size
• for faster scans, reduce kernel space size (/3G switch)
suggested reading: Acquisition and analysis of volatile memory from android devices, Digital Investigation
/3GB Startup Switch in 32-bit Win
(diagram of the 32-bit virtual address space)
Default: UserSpace 0x00000000 - 0x80000000, KernelSpace 0x80000000 - 0xFFFFFFFF
/3GB (boot.ini file): UserSpace 0x00000000 - 0xC0000000, KernelSpace 0xC0000000 - 0xFFFFFFFF
suggested reading: How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
Memory Acquisition Techniques (Hardware)
• Firewire/DMA
• PCI Card (“Tribble”)
• Debug ports (JTAG)
• Inferential
suggested reading: Tools: Memory Imaging, Forensics WiKi
Piezo-Acoustic iPod Hack
(flickr photo by guanix)
• iPod 4G
• firmware dump by playing sounds
• ARM code that can read addresses 0 through 65535
• one sound to represent a 1 bit, another for a 0 bit
• 64 kb file at 5 bytes/sec
• sound recognition/ error detection & correction
• iPod-Linux project
2) Memory Analysis
How?
• Static
• Dynamic
Memory Analysis Tools
• Volatility
• Memoryze
• Windbg
• Redline
• Volafox
Volatility
• an advanced memory forensics framework
• extraction of digital artifacts from volatile memory (RAM) samples
• plugin based architecture
• major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch)
• Python
suggested reading: Volatility, Memory Forensics, Volatile Systems
suggested reading: An advanced memory forensics framework, Volatility Google Wiki pages
Windows - things you can analyze
• processes, threads, sockets, connections, modules
• files & DLLs loaded for each process
• the hive (registry handles)
• process' addressable memory & executables extraction
• OS kernel modules
• mapping physical offsets to virtual addresses (strings to process)
• security access tokens
• more, much more...
mimikatz - getting clear text passwords in Windows
(diagram: a Client Application authenticates through SSPI and the Digest SSP; on the server side, inside the Local Security Authority SubSystem (LSASS), the LSA Server Service hosts the TsPkg, Wdigest and LiveSSP packages, which guard their secrets with LsaProtectMemory / LsaUnprotectMemory; mimikatz injects sekurlsa.dll into LSASS to reach them)
• Traitement du Kiwi - injects sekurlsa.dll (LSASS)
• TsPkg & Wdigest store encrypted (not hashed) passwords
• used for Kerberos, NTLM/LM, HTTP Digest authentication
• function LsaUnprotectMemory retrieves clear text password
• pass the word > pass the hash
Windows - Process reconstitution
• OS walking (KPCR > PsActiveProcessHead > _LIST_ENTRY) > EProcess... (pslist)
• pool tags (psscan)
• others..
Windows - _EPROCESS structure
• image filename
• process id, parent process id
• create/exit times
• base priority
• exit status
• next/prev process block
• image base address
• ...
suggested reading: struct EPROCESS, NirSoft
Windows - process reconstitution
(diagram: PsActiveProcessHead points into a doubly linked chain of EPROCESS blocks; each block's LIST_ENTRY carries the Flink and Blink pointers to its neighbours)
DKOM (Direct Kernel Object Manipulation)
(diagram: the same EPROCESS chain after DKOM has rewritten the neighbours' Flink/Blink so that one block is no longer reachable from the list, although it is still in memory)
• detectable by Volatility psscan plugin
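To make the pslist-versus-psscan contrast concrete, here is an added example (not from the talk and not Volatility code): a fake memory image with a simplified, constructed process-block layout, a DKOM-style unlink of one block, and the two enumeration strategies side by side. The block format, the pool tag "Proc" and every offset are assumptions made for the demo, not the real _EPROCESS layout.

```python
import struct

# Constructed, simplified process block (NOT the real _EPROCESS layout): a 4-byte
# pool tag, a 32-bit PID, a LIST_ENTRY {Flink, Blink} of 32-bit offsets, a 16-byte name.
TAG = b"Proc"
BLOCK = struct.Struct("<4sIII16s")   # 32 bytes per block
LIST_OFF = 8                         # offset of the LIST_ENTRY inside a block
HEAD = 0x10                          # offset of the constructed PsActiveProcessHead
BASE, STRIDE = 0x100, 0x40           # where the blocks live in the fake image

def build_image(names, hide=None):
    """Build a fake memory image; if `hide` is given, DKOM-unlink that process."""
    mem = bytearray(0x400)
    offs = [BASE + i * STRIDE for i in range(len(names))]
    for i, (off, name) in enumerate(zip(offs, names)):
        flink = offs[i + 1] + LIST_OFF if i + 1 < len(offs) else HEAD
        blink = offs[i - 1] + LIST_OFF if i > 0 else HEAD
        BLOCK.pack_into(mem, off, TAG, 100 + 4 * i, flink, blink, name.encode())
    struct.pack_into("<II", mem, HEAD, offs[0] + LIST_OFF, offs[-1] + LIST_OFF)
    if hide is not None:
        victim = offs[names.index(hide)]
        _, _, flink, blink, _ = BLOCK.unpack_from(mem, victim)
        # Rootkit-style unlink: the neighbours now point past the victim, but the
        # block itself (tag, PID, name) is left untouched in memory.
        struct.pack_into("<I", mem, blink, flink)      # prev.Flink = victim.Flink
        struct.pack_into("<I", mem, flink + 4, blink)  # next.Blink = victim.Blink
    return bytes(mem)

def walk_active_list(mem, head=HEAD):
    """pslist-style: follow Flink from the list head, i.e. what the live OS reports."""
    found, entry = [], struct.unpack_from("<I", mem, head)[0]
    while entry != head:
        _, pid, flink, _, name = BLOCK.unpack_from(mem, entry - LIST_OFF)
        found.append((pid, name.rstrip(b"\0").decode()))
        entry = flink
    return found

def pool_scan(mem):
    """psscan-style: carve every block carrying the pool tag, ignoring the links."""
    found, pos = [], mem.find(TAG)
    while pos != -1:
        _, pid, _, _, name = BLOCK.unpack_from(mem, pos)
        found.append((pid, name.rstrip(b"\0").decode()))
        pos = mem.find(TAG, pos + 1)
    return found

def hidden_processes(mem):
    """Blocks found by carving but absent from the list walk: the DKOM tell-tale."""
    return sorted(set(pool_scan(mem)) - set(walk_active_list(mem)))

if __name__ == "__main__":
    img = build_image(["System", "smss.exe", "evil.exe", "lsass.exe"], hide="evil.exe")
    print("pslist:", walk_active_list(img))
    print("psscan:", pool_scan(img))
    print("hidden:", hidden_processes(img))
```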
Process hollowing
• legitimate process loaded into memory to act as a code container
• host process is created into a suspended mode
• antivirus bypassing
• meterpreter ‘-m’ flag
• detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)
suggested reading: Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
Process hollowing
(diagram: Process (suspended) > Process (running))
If in doubt, it's an APT. @explanoit
Java Management Extensions (JMX)
• monitor and manage any Java based applications
• automatically exposed by JMX agents
• clients like Java Visual VM can connect to it locally and remotely
• supports MBeans
• tools: Java Visual VM, JConsole, MAT (Eclipse), JmxCli
suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
Java Management Extensions (JMX)
• no default port but...
“statistical” guessing: 3333,6161,9999
• authentication? encryption?
not by default!
• properties where you can fix that:
com.sun.management.jmxremote.port
com.sun.management.jmxremote.ssl
com.sun.management.jmxremote.authenticate
Java Management Extensions (JMX)
1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans
2) run jbossify:
$ python jbossify.py
jbossify.py <host> <port> <instance_name> [<properties to extract>]
jbossify.py --offline <instance_folder> [<properties to extract>]   (for offline extraction)
<properties to extract> - can be 'conn', 'dd', 'sql' or 'all' (default is just conn)
conn -> ManagedConnectionFactoryProperties, dd -> deploymentDescriptor, sql -> SqlProperties
wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py
jbossify for JBoss
Connection Strings!
demo time!
So, Java uses memory... tell me you were not aware of it?
Truecrypt
• Virtual Encrypted Disks
• Partitions & storage devices
• Parallelization & Pipelining
• Automatic, Real-time & Transparent
• Hardware accelerated
• Plausible Deniability
• Multiple platform
Meanwhile... in a memory chip close, close by...
demo time!
Truecrypt
1) where? DRIVER_OBJECT address
2) size? DriverStart .. DriverStart + DriverSize
suggested reading: RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
Truecrypt
3) what?
..on a little endian architecture..
$ xxd JOHN-2CF071298B-20120512-221220.raw |grep 123asd
88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@#
(0c00 0000 is a 12, the passphrase length; the 12 bytes that follow are the passphrase)
Truecrypt
3) what?
{length, passphrase} tuples with fingerprint (..on a little endian architecture..):
length [1..64]
passphrase ASCII printable [0x20..0x7E]
????0000 ????????.. (length bytes) 0x00.. (NULL's)
suggested reading: Cryptoscan plugin, Jesse Kornblum
suggested reading: TrueDecrypt plugin, Francisco Ribeiro
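The {length, passphrase} fingerprint above, turned into a scanner an analyst can run over a raw image to check whether a passphrase lingers in memory; this is an added example, not the talk's TrueDecrypt plugin. It assumes a 32-bit little-endian length field and, as an extra filter of my own, at least four NUL bytes after the text; the sample image is constructed inline around the exact bytes from the xxd output.

```python
import re
import struct

MAX_PASSWORD = 64        # per the slide: length [1..64]
TRAILING_NULS = 4        # assumption: demand a short run of NULs after the text

# Fingerprint from the slide, on a little-endian architecture:
#   u32 length (1..64) | `length` printable ASCII bytes [0x20..0x7E] | 0x00 padding
_LENGTH_FIELD = re.compile(rb"[\x01-\x40]\x00\x00\x00")

def find_passphrase_tuples(mem):
    """Return (offset, passphrase) for every {length, passphrase} tuple in `mem`."""
    hits = []
    for m in _LENGTH_FIELD.finditer(mem):
        off = m.start()
        length = struct.unpack_from("<I", mem, off)[0]
        if not 1 <= length <= MAX_PASSWORD:
            continue
        text = mem[off + 4:off + 4 + length]
        tail = mem[off + 4 + length:off + 4 + length + TRAILING_NULS]
        if len(text) != length or len(tail) != TRAILING_NULS:
            continue                                   # candidate runs off the image
        if all(0x20 <= b <= 0x7E for b in text) and tail == b"\0" * TRAILING_NULS:
            hits.append((off, text.decode("ascii")))
    return hits

def build_sample_image():
    """Constructed sample: filler, two decoys, and the exact bytes shown on the slide."""
    filler = bytes(range(0x41, 0x5B)) * 4                               # "ABC..Z" x4
    decoy_binary = struct.pack("<I", 5) + b"abc\x01\x02" + b"\0" * 8    # text not printable
    slide_tuple = bytes.fromhex("0c000000313233617364415344214023")    # 12, "123asdASD!@#"
    decoy_unpadded = struct.pack("<I", 3) + b"xyz" + b"Q" * 4           # printable, no NULs
    return filler + decoy_binary + slide_tuple + b"\0" * 8 + decoy_unpadded + filler

if __name__ == "__main__":
    for off, passphrase in find_passphrase_tuples(build_sample_image()):
        print(f"0x{off:08x}: length={len(passphrase)} passphrase={passphrase!r}")
```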
Cold Boot attacks on encryption keys
• exploits data remanence in volatile memory
• retrieves encryption keys used to encrypt hard drives
• Truecrypt, bitlocker, Filevault
suggested reading: Lest we remember: Cold Boot Attacks on Encryption Keys, Princeton University
MultiFunction Printers?
...stores images of all scanned, copied, printed and e-mailed documents...
1) Open it (google: “<your_MFP_model> hard drive replacement”)
MultiFunction Printers?
2) Analyze that
V..éSODX
é..VXDOS (flipping bytes)
that’s BIGDOS FAT 16!
3) open Finder
suggested reading: Forensic analysis of digital copiers, Svein Yngvar Willassen
suggested reading: Survey of Scanner and Printer Forensics, Purdue University
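An added example (not from the talk) of the "flipping bytes" step above: it assumes the flip is a 16-bit byte swap, builds a constructed minimal FAT16 boot sector as a stand-in for the copier's disk, and shows that the FAT16 fingerprint (jump byte, BPB, "FAT16   " type string, 0x55AA signature) only checks out once the bytes are swapped back.

```python
import struct

BPB = struct.Struct("<HBHBHHBH")   # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs,
                                   # RootEntCnt, TotSec16, Media, FATSz16 (at offset 11)

def swap16(data):
    """Apply (or undo) a 16-bit byte swap: every pair of bytes is exchanged."""
    if len(data) % 2:
        raise ValueError("byte-swapped data must have even length")
    out = bytearray(len(data))
    out[0::2], out[1::2] = data[1::2], data[0::2]
    return bytes(out)

def identify_fat16(sector):
    """Return key BPB fields if `sector` is a plausible FAT16 boot sector, else None."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":   # boot sector signature
        return None
    if sector[0] not in (0xEB, 0xE9):                           # x86 jump instruction
        return None
    bps, spc, rsvd, nfats, root, tot16, media, spf = BPB.unpack_from(sector, 11)
    if bps not in (512, 1024, 2048, 4096) or nfats == 0 or spf == 0:
        return None
    if sector[54:62] != b"FAT16   ":                            # BS_FilSysType
        return None
    return {"oem": sector[3:11].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "fats": nfats, "root_entries": root,
            "total_sectors": tot16, "sectors_per_fat": spf}

def recover(raw):
    """Try the sector as-is, then byte-swapped; report which orientation is FAT16."""
    for label, candidate in (("as-is", raw), ("byte-swapped", swap16(raw))):
        info = identify_fat16(candidate)
        if info is not None:
            return label, info
    return None, None

def build_fat16_boot_sector():
    """Constructed minimal FAT16 boot sector (stand-in for the MFP's disk image)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    BPB.pack_into(sec, 11, 512, 4, 1, 2, 512, 32768, 0xF8, 64)
    sec[54:62] = b"FAT16   "
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

if __name__ == "__main__":
    on_disk = swap16(build_fat16_boot_sector())        # what the raw dump looks like
    print("as dumped :", identify_fat16(on_disk))
    print("recovered :", recover(on_disk))
```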
does your company handle this properly?
STUXNET
• source: US-Israel
• target: Iran nuclear program
• very sophisticated cyber warfare on SCADA
• infection by USB thumb drive
• exploits Siemens Simatic S7-300 PLC
• deceives monitoring, destroys centrifuge machines
• ~10,000 lines of code
suggested reading: Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
demo time!
What about searching for what you don’t know?
Codetective
• an analysis tool to determine the crypto/encoding algorithm used, according to traces of its representation
• can be used as a Volatility plugin or as a generic tool
• filters (win, unix, web, db or other) and level of confidence
• supports:
shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA224, SHA256, SHA384, SHA512, base64, MySQL323, MYSQL4+, DES, RipeMD320, Whirlpool, Blowfish, Java Session IDs, connection strings, Credit Cards, URLs
Codetective
• relevant options:
-a (analyze)
-u (show UUIDs)
-v (verbose mode)
-t (filters)
-p (search for Process ID)
-n (search for process name)
If neither -p nor -n is defined, it will search in all processes.
• git clone git://github.com/blackthorne/Codetective.git codetective
suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro
demo time!
Where next?
• Networks (Remote live forensics)
• Mobiles
• Virtual Machines
• Cloud
GRR - remote live forensics
(screenshot of the GRR client view: hostname, status, age selector, pslist, volatility plugins, raw disk)
Memory Analysis on the Cloud
• with virtualization, multiple Virtual Machines share a single physical machine and expose their volatile memory in snapshot files (.vmem..) that are accessible from userland
• analyzing iOS iTunes memory allows you to retrieve iCloud credentials. Years ago that wasn’t so serious, but now it’s not just music, is it?
• what about Dropbox and Google accounts, how complex is your password?
Does it really matter?
Where is it stored?
My clipboard supports:
• mixed case passwords
• numbers
• special characters and length > 20
Special thanks to:
• Michael Cohen
• Brendan Dolan-Gavitt
References:
• Tools: Memory Imaging, Forensics WiKi
• Acquisition and analysis of volatile memory from android devices, Digital Investigation
• struct EPROCESS, NirSoft
• How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
• Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
• Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
• RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
• Cryptoscan plugin, Jesse Kornblum
• TrueDecrypt plugin, Francisco Ribeiro
• Survey of Scanner and Printer Forensics, Purdue University
• Forensic analysis of digital copiers, Svein Yngvar Willassen
• Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
• codetective plugin, github @blackthorne, Francisco Ribeiro
• Volatility - Memory Forensics, Volatile Systems
• Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
• An advanced memory forensics framework - Volatility, Google Wiki pages
childish wont-let-go nickname: blackthorne
blackthorne (geek) bthorne_daily (social)
[email protected] (PGP key: 0xBDD20CF1)
http://www.digitalloft.org (homepage)
Thank you