Вы находитесь на странице: 1из 9

EHIR Tutorial Mohammad Reza Rostami

Lab 9 Analyzing a RAM Image with Volatility

What You Need for This Project


The Kali Linux virtual machine.
Memdump file

Start Your Kali Linux Machine


Launch your Kali Linux machine. If necessary, log in as root with the password toor.

Finding the RAM Image to Examine


Drag the memdump.mem file and drop it on the Kali machine desktop.
In your Kali Linux machine, open a Terminal window and execute these commands:
cd

cd Desktop

ls -l

Note that the last command is "LS -L" in lowercase.

You should see the memdump.mem file, as shown below. If you do not, you may need
to repeat a previous project to create the memory image again.

Page 1 of 9
EHIR Tutorial Mohammad Reza Rostami

Starting Volatility
In your Kali Linux machine, in a Terminal window, execute these commands:

cd /usr/share/volatility

python vol.py -h

You see a long help message, as shown below:

The volatility help is long and confusing.

Fortunately, SANS has made a handy one-page cheat sheet which is much friendlier.
The part that is important to us is shown below:

Page 2 of 9
EHIR Tutorial Mohammad Reza Rostami

Basic Volatilty Usage


Image Information

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py imageinfo -f /root/Desktop/memdump.mem

This shows basic information about the image, such as the operating system of the
machine that was imaged, and when the image was made, as shown below:

Page 3 of 9
EHIR Tutorial Mohammad Reza Rostami

Volatility needs to know what operating system was imaged in order to interpret the
memory image correctly. The default profile is WinXPSP2x86, but we used
Win2008SP1x86, so we'll have to include that information in all future volatility
command-lines.

Running Processes

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py pslist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the processes that were running on the machine when the RAM image was
made, as shown below:

Notice these columns:

Page 4 of 9
EHIR Tutorial Mohammad Reza Rostami

Offset : The location in RAM of the process, in hexadecimal


Name : The process name, as it would be shown in Task Manager
PID : The process ID
PPID : The parent process ID--that is, the process that launched this process. In
the example above, the "System" process is process 4, and it is the parent of the
"smss.exe" process.

Console Commands

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py consoles --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the console commands that were recently executed on the Windows
machine.

You should see the command you executed to create the user account with your own
name, as shown below:

Page 5 of 9
EHIR Tutorial Mohammad Reza Rostami

Services
In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py svcscan --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem | more

This shows the first page of a long list of services, as shown below:

Registry Hives
In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py hivelist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the location in RAM of the Registry hives, as shown below:

Page 6 of 9
EHIR Tutorial Mohammad Reza Rostami

Examine your output and find the two addresses outlined in green above: the virtual
addresses of the SAM and SYSTEM hives. Those two hives together contain enough
information to extract Windows password hashes.

Password Hashes
In your Kali Linux machine, in a Terminal window, execute the command below.

You will have to replace the two hexadecimal addresses with the correct virtual
addresses of your hives, in this format: -y SYSTEM -s SAM

python vol.py hashdump --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem -y


0x86226008 -s 0x89c33450

When you get the command correct, you will see the login account names and
hashed passwords, including one showing your name, as shown below:

Page 7 of 9
EHIR Tutorial Mohammad Reza Rostami

Cracking the Password Hash


Windows stores two hashes with each password, delimited by colons. The first one
is an extremely insecure, obsolete hash using the LANMAN algorithm. Windows
operating systems since Vista no longer use LANMAN hashes, so they are filled
with a dummy value starting with "aad".

The second hash is the newer NTLM hash, which is much better than LANMAN
hashes, but still extremely insecure and much more easily cracked than Linux or
Mac OS X hashes.

To crack your password, highlight the hash value, as shown below, right-click it, and
click Copy.

On your host Windows machine, open a Web browser and go to

https://crackstation.net/

Page 8 of 9
EHIR Tutorial Mohammad Reza Rostami

Paste in the hash. On the right side, fill in the CAPTCHA and click the "Crack
Hashes" button.

The hash should crack, revealing the password of "SuperSecret!", as shown below.

Turning in Your Lab Results

After getting the images, upload the files on the Edmodo.

Good Luck

Page 9 of 9