You suck at Memory Analysis
9 likes7,368 views
The document is a comprehensive exploration of memory analysis and acquisition techniques, discussing various methods, tools, and challenges associated with both software and hardware approaches. It highlights the importance of memory forensics in cybersecurity, detailing strategies for malware analysis, process reconstitution, and additional topics like Java Management Extensions and the implications of tools like TrueCrypt and Stuxnet. The document concludes with suggested readings and future directions in the field, emphasizing advancements in remote live forensics and cloud memory analysis.
![jbossify for JBoss
2) run jbossify:
wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py
$ python jbossify.py
jbossify.py <host> <port> <instance_name> [<properties to extract>]
jbossify.py --offline <instance_folder> [<properties to extract>]
for offline extraction
<properties to extract> - can be 'conn','dd','sql' or 'all'
(default is just conn)
conn->ManagedConnectionFactoryProperties,
dd->deploymentDescriptor Connection Strings!
sql->SqlProperties](https://image.slidesharecdn.com/mem-120603094356-phpapp02/85/You-suck-at-Memory-Analysis-58-320.jpg)
![Truecrypt
..on a little endian architecture..
3) what?
{length, passphrase} tuples
with fingerprint:
????0000 ????????..length 0x00..
length passphrase NULL’s
[1..64] ASCII printable [0x20..0x7E]](https://image.slidesharecdn.com/mem-120603094356-phpapp02/85/You-suck-at-Memory-Analysis-76-320.jpg)
![Truecrypt
..on a little endian architecture.. suggested reading:
Cryptoscan plugin
Jesse Kornblum
3) what?
suggested reading:
TrueDecrypt plugin
{length, passphrase} tuples Francisco Ribeiro
with fingerprint:
????0000 ????????..length 0x00..
length passphrase NULL’s
[1..64] ASCII printable [0x20..0x7E]](https://image.slidesharecdn.com/mem-120603094356-phpapp02/85/You-suck-at-Memory-Analysis-77-320.jpg)
You suck at Memory Analysis
- 1. You suck at Memory Analysis give it up, it’s not worth it
- 2. Disclaimer • Contents displayed such as thoughts and opinions are exclusively those of Francisco Gama Tabanez Ribeiro, the author, and do not reflect the viewpoint or policy of any of my employers. • You are free to use these contents for your works as well as make derived works from it as long as you keep visible and explicit references to this website in proper place. • Images and references to other works within this production remain the property of their respective holders. All licenses explicitly applied to individual resources shall override this one.
- 3. Who? • Francisco da Gama Tabanez Ribeiro • Penetration Testing @ Portugal Telecom • Certificates that I don’t have: MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001, CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI, ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
- 4. Agenda • Intro: • Java: • Who? Why? How? • JMX • 1) Memory Acquisition • Web • 2) Memory Analysis • Breaking safes (Truecrypt) • Windows: • Hardware: • memory acquisition • printers • process reconstitution • cold boot attack • malware analysis • Conclusion: where next?
- 5. Some of the real experts here. • Michael Cohen • Mike Auty • Brendan Dolan-Gavitt • Michael L. Hale • Jesse Kornblum • Harlan Carvey • Mark Russinovich • Dmitry Vostokov
- 6. Dinner @ RIT’s meet-up
- 7. Why? • OS & process behavioral tracing • app debugging & profiling • malware analysis (Rootkit Paradox) • mining raw data artifacts • low level monitoring • plays well with Social Engineering • supports the Cloud, VM’s & mobile’s
- 8. Why? • OS & process behavioral tracing • app debugging & profiling • malware analysis (Rootkit Paradox) • mining raw data artifacts • low level monitoring suggested reading: Exploiting the Rootkit • plays well with Social Engineering Paradox with Windows • supports the Cloud, VM’s & mobile’s Memory Analysis Jesse D. Kornblum
- 10. Memory Acquisition Techniques (Software) • Crash Dumps • Hibernation files • Virtual Machine Imaging/Suspend • Physical memory device objects: • Windows (DevicePhysicalMemory, DeviceDebugMemory) • Linux (/dev/mem, /proc/kcore, /dev/crash) • Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory) • Inferential
- 11. Memory Acquisition Tools • MoonSols tools, mdd, dd • memdump, userdump • nigilant32, KNTTools, WMFT • Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
- 12. Memory Acquisition Tools • MoonSols tools, mdd, dd • memdump, userdump • nigilant32, KNTTools, WMFT • Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X) suggested reading: Tools: Memory Imaging Forensics WiKi
- 13. Memory Acquisition Gotchas • memory images taken live may come “blurred” • time required increases with memory size • for faster scans, reduce kernel space size (/3G switch)
- 14. Memory Acquisition Gotchas • memory images taken live may come “blurred” • time required increases with memory size • for faster scans, reduce kernel space size (/3G switch) suggested reading: Acquisition and analysis of volatile memory from android devices Digital Investigation
- 15. /3GB Startup Switch in 32-bit Win boot.ini file 0xFFFFFFFF 0xFFFFFFFF Kernel Kernel Space Space 0xC0000000 0x80000000 User User Space Space 0x00000000 0x00000000 Default /3GB
- 16. /3GB Startup Switch in 32-bit Win boot.ini file 0xFFFFFFFF 0xFFFFFFFF Kernel Kernel Space Space 0xC0000000 0x80000000 User User suggested reading: How to Set the /3GB Startup Space Space Switch in Windows 0x00000000 0x00000000 Technet, Microsoft Default /3GB
- 17. Memory Acquisition Techniques (Hardware) • Firewire/DMA • PCI Card (“Tribble”) • Debug ports (JTAG) • Inferential
- 18. Memory Acquisition Techniques (Hardware) • Firewire/DMA • PCI Card (“Tribble”) suggested reading: • Debug ports (JTAG) Tools: Memory Imaging • Inferential Forensics WiKi
- 20. Piezo-Acoustic iPod Hack flickr photo by guanix
- 21. Piezo-Acoustic iPod Hack • iPod 4G • firmware dump by playing sounds • ARM code that can read addresses 0 through 65535 • one sound to represent a 1 bit, another for a 0 bit • 64 kb file at 5 bytes/sec • sound recognition/ error detection & correction • iPod-Linux project
- 24. Memory Analysis Tools • Volatility • Memoryze • Windbg • Redline • Volafox
- 26. Volatility • an advanced memory forensics framework • extraction of digital artifacts from volatile memory (RAM) samples • plugin based architecture • major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch) • Python
- 27. Volatility • an advanced memory forensics framework • extraction of digital artifacts from volatile memory (RAM) samples • plugin based architecture • major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch) • Python suggested reading: suggested reading: An advanced memory Volatility, forensics framework Memory Forensics Volatility Volatile Systems Google Wiki pages
- 29. Windows - things you can analyze • processes, threads, sockets, connections, modules • files & DLLs loaded for each process • the hive (registry handles) • process' addressable memory & executables extraction • OS kernel modules • mapping physical offsets to virtual addresses (strings to process) • security access tokens • more, much more...
- 30. mimikatz - getting clear text passwords in Windows Client Application SSPI Digest SSP Server Local Security Authority SubSystem (LSASS) LSA Server Digest SSP Service
- 31. mimikatz - getting clear text passwords in Windows Client Application SSPI Digest SSP Server Local Security Authority SubSystem (LSASS) LSA Server Digest SSP Service inject sekurlsa.dll
- 32. mimikatz - getting clear text passwords in Windows Client Application SSPI Digest SSP Server Local Security Authority SubSystem TsPkg (LSASS) Wdigest LiveSSP LSA Server Digest SSP Service LsaProtectMemory / inject sekurlsa.dll LsaUnprotectMemory
- 34. mimikatz - getting clear text passwords from Windows • Traitement du Kiwi - injects sekurlsa.dll (LSASS) • TsPkg & Wdigest store encrypted (not hashed) passwords • used for Kerberos, NTLM/LM, HTTP Digest authentication • function LsaUnprotectMemory retrieves clear text password • pass the word > pass the hash
- 35. Windows - Process reconstitution • OS walking (KPCR > PsActiveProcessHead > _LIST_ENTRY) > EProcess... (pslist) • pool tags (psscan) • others..
- 36. Windows - _EPROCESS structure • image filename • process id, parent process id • create/exit times • base priority • exit status • next/prev process block • image base address • ...
- 37. Windows - _EPROCESS structure • image filename • process id, parent process id • create/exit times • base priority • exit status • next/prev process block suggested reading: • image base address struct EPROCESS • ... NirSoft
- 38. Windows - process reconstitution PsActiveProcessHead EPROCESS EPROCESS EPROCESS
- 39. Windows - process reconstitution EPROCESS EPROCESS EPROCESS LIST_ENTRY LIST_ENTRY LIST_ENTRY Flink Flink Flink Blink Blink Blink
- 40. DKOM (Direct Kernel Object Manipulation) EPROCESS EPROCESS EPROCESS Flink Flink Flink Blink Blink Blink detectable by Volatility psscan plugin
- 42. Process hollowing • legitimate process loaded into memory to act as a code container • host process is created into a suspended mode • antivirus bypassing • meterpreter ‘-m’ flag • detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)
- 43. Process hollowing • legitimate process loaded into memory to act as a code container • host process is created into a suspended mode • antivirus bypassing • meterpreter ‘-m’ flag • detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep) suggested reading: Eternal Sunshine on the Spotless RAM SecurityStreet, Rapid7
- 44. Process hollowing Process Process (suspended) (running)
- 46. If in doubt, it's an APT. @explanoit
- 47. Java Management Extensions (JMX)
- 48. Java Management Extensions (JMX) • monitor and manage any Java based applications • automatically exposed by JMX agents • clients like Java Visual VM can connect to it locally and remotely • supports MBeans • tools: Java Visual VM, JConsole, MAT (Eclipse), JmxCli
- 49. Java Management Extensions (JMX) • monitor and manage any Java based applications • automatically exposed by JMX agents • clients like Java Visual VM can connect to it locally and remotely • supports MBeans suggested reading: • tools: Java Visual VM, JConsole, MAT (Eclipse), Monitoring and Management Using JMX JmxCli Technology Java SE Monitoring and Management Guide
- 50. Java Management Extensions (JMX)
- 51. Java Management Extensions (JMX) • no default port but... “statistical” guessing: 3333,6161,9999 • authentication? encryption? not by default! • properties where you can fix that: com.sun.management.jmxremote.port com.sun.management.jmxremote.ssl com.sun.management.jmxremote.authenticate
- 53. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor? action=displayMBeans
- 54. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor? action=displayMBeans
- 55. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor? action=displayMBeans
- 56. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor? action=displayMBeans
- 57. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor? action=displayMBeans
- 58. jbossify for JBoss 2) run jbossify: wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py $ python jbossify.py jbossify.py <host> <port> <instance_name> [<properties to extract>] jbossify.py --offline <instance_folder> [<properties to extract>] for offline extraction <properties to extract> - can be 'conn','dd','sql' or 'all' (default is just conn) conn->ManagedConnectionFactoryProperties, dd->deploymentDescriptor Connection Strings! sql->SqlProperties
- 59. demo time!
- 60. So, Java uses Memory... tell me you were not aware of it?
- 61. Truecrypt
- 62. Truecrypt • Virtual Encrypted Disks • Partitions & storage devices • Parallelization & Pipelining • Automatic, Real-time & Transparent • Hardware accelerated • Plausible Deniability • Multiple platform
- 63. Truecrypt
- 64. Truecrypt
- 65. Truecrypt
- 66. Truecrypt
- 67. Truecrypt
- 68. Truecrypt
- 69. Meanwhile... in a memory chip close, close by...
- 70. demo time!
- 71. Truecrypt
- 72. Truecrypt 1) where? DRIVER_OBJECT address
- 73. Truecrypt 1) where? suggested reading: RAM is Key, DRIVER_OBJECT Extracting Disk Encryption address Keys From Volatile Memory by Brian Kaplan, Carnegie Mellon University 2) size? DriverStart DriverStart + DriverSize
- 74. Truecrypt ..on a little endian architecture.. 3) what? $ xxd JOHN-2CF071298B-20120512-221220.raw |grep 123asd 88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@#
- 75. Truecrypt ..on a little endian architecture.. 3) what? $ xxd JOHN-2CF071298B-20120512-221220.raw |grep 123asd 88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@# that’s a 12 passphrase (passphrase length)
- 76. Truecrypt ..on a little endian architecture.. 3) what? {length, passphrase} tuples with fingerprint: ????0000 ????????..length 0x00.. length passphrase NULL’s [1..64] ASCII printable [0x20..0x7E]
- 77. Truecrypt ..on a little endian architecture.. suggested reading: Cryptoscan plugin Jesse Kornblum 3) what? suggested reading: TrueDecrypt plugin {length, passphrase} tuples Francisco Ribeiro with fingerprint: ????0000 ????????..length 0x00.. length passphrase NULL’s [1..64] ASCII printable [0x20..0x7E]
- 78. Cold Boot attacks on encryption keys • explores data remanence in volatile memory • retrieves encryption keys used to encrypt hard drivers • Truecrypt, bitlocker, Filevault
- 79. Cold Boot attacks on encryption keys • explores data remanence in volatile memory • retrieves encryption keys used to encrypt hard drivers • Truecrypt, bitlocker, Filevault suggested reading: Lest we remember: Cold Boot Attacks on Encryption Keys Princeton University
- 80. MultiFunction Printers? ...stores images of all scanned, copied, printed and e-mailed documents...
- 81. MultiFunction Printers? 1) Open it (google: “<your_MFP_model> hardrive replacement” )
- 82. MultiFunction Printers? 1) Open it (google: “<your_MFP_model> hardrive replacement” )
- 83. MultiFunction Printers? 1) Open it (google: “<your_MFP_model> hardrive replacement” )
- 84. MultiFunction Printers? 1) Open it (google: “<your_MFP_model> hardrive replacement” )
- 85. MultiFunction Printers? 2) Analyze that V..éSODX
- 86. MultiFunction Printers? 2) Analyze that V..éSODX suggested reading: Survey of Scanner and Printer Forensics Purdue University suggested reading: Forensic analysis of digital copiers Svein Yngvar Willassen
- 87. MultiFunction Printers? 2) Analyze that V..éSODX suggested reading: Survey of Scanner and flipping bytes Printer Forensics é..VXDOS Purdue University that’s BIGDOS FAT 16! suggested reading: Forensic analysis of digital copiers Svein Yngvar Willassen
- 88. MultiFunction Printers? 2) Analyze that V..éSODX suggested reading: Survey of Scanner and flipping bytes Printer Forensics é..VXDOS Purdue University that’s BIGDOS FAT 16! 3) open Finder suggested reading: Forensic analysis of digital copiers Svein Yngvar Willassen
- 89. does your company handles this properly?
- 90. STUXNET
- 91. STUXNET
- 92. STUXNET
- 93. STUXNET
- 94. STUXNET
- 95. STUXNET
- 96. STUXNET
- 97. STUXNET • source: US-Israel • target: Iran nuclear program • very sophisticated cyber warfare on SCADA • infection by USB thumb drive • exploits Siemens Simatic S7-300 PLC • deceives monitoring, destroys centrifuge machines • ~10,000 lines of code
- 98. STUXNET • source: US-Israel • target: Iran nuclear program • very sophisticated cyber warfare on SCADA • infection by USB thumb drive • exploits Siemens Simatic S7-300 PLC suggested reading: • deceives monitoring, destroys centrifuge machines Stuxnet's Footprint in Memory with Volatility 2.0 • ~10,000 lines of code MNIN Security Blog, Michael Ligh MHL
- 99. demo time!
- 100. What about searching for what you don’t know?
- 101. Codetective • an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation • can be used as a volatility plugin or as a generic tool • filters (win, unix, web, win, web, db,unix or other) and level of confidence • supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, DES, RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512, Blowfish, Java Session IDs, connection strings, Credit Cards, URLs
- 102. Codetective • relevant options: -a (analyze) -u (show UUIDs) -v (verbose mode) -t (filters) -p (search for Process ID) -n (search for process name) If neither -p or -n is defined, if will search in all processes. • git clone git://github.com/blackthorne/Codetective.git codetective
- 103. Codetective • relevant options: -a (analyze) suggested reading: -u (show UUIDs) codetective plugin github @blackthorne -v (verbose mode) -t (filters) Francisco Ribeiro -p (search for Process ID) -n (search for process name) If neither -p or -n is defined, if will search in all processes. • git clone git://github.com/blackthorne/Codetective.git codetective
- 104. demo time!
- 105. Where next?
- 106. Where next? • Networks (Remote live forensics) • Mobiles • Virtual Machines • Cloud
- 107. hostname volatility plugins GRR - remote live forensics age selector status pslist raw disk
- 109. Memory Analysis on the Cloud • with virtualization, multiple Virtual Machines share a single physical machine and expose their Volatile Memory in snapshot files (.vmem..) that is acessible on userland • Analyzing IOS iTunes memory allows you to retrieve iCloud credentials. Years ago, that wasn’t that serious but now it’s not just music is it? • What about Dropbox and Google accounts, how complex is your password? Does it really matter? Where is it stored?
- 110. My clipboard supports: •mixed case passwords •numbers •special characters and length > 20
- 111. Special thanks to: • Michael Cohen • Brendan Dolan-Gavitt
- 112. References: • Tools: Memory Imaging, Forensics WiKi • Acquisition and analysis of volatile memory from android devices, Digital Investigation • struct EPROCESS, NirSoft • How to Set the /3GB Startup Switch in Windows - Technet, Microsoft • Eternal Sunshine on the Spotless RAM - SecurityStreet, Rapid7 • Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
- 113. References: • RAM is Key, Extracting Disk Encryption Keys From Volatile Memory by Brian Kaplan, Carnegie Mellon University • Cryptoscan plugin, Jesse Kornblum • TrueDecrypt plugin, Francisco Ribeiro • Survey of Scanner and Printer Forensics , Purdue University • Forensic analysis of digital copiers, Svein Yngvar Willassen • Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh MHL
- 114. References: • codetective plugin - github @blackthorne, Francisco Ribeiro • Volatility - Memory Forensics, Volatile Systems • Exploiting the Rootkit Paradox with Windows - Memory Analysis, Jesse D. Kornblum • An advanced memory forensics framework - Volatility, Google Wiki pages
- 116. Thank you childish wont-let-go nickname: blackthorne blackthorne (geek) bthorne_daily (social) francisco@ironik.org (PGP key: 0xBDD20CF1) http://www.digitalloft.org (homepage)