Forensic 100
We dumped the RAM of a machine on which a VNC server was running.
The goal is to recover the password of that VNC server.
We need to analyze the dumped memory. I used Volatility Framework version 1.4_rc1, a great tool for memory forensics; it has had Linux and Windows 7 support since version 1.4_rc1.
Let's dump the process list.
volatility -f dump.raw psscan
Volatile Systems Volatility Framework 1.4_rc1
*** Failed to import volatility.plugins.registry.printkey (SyntaxError: invalid syntax (printkey.py, line 47))
PID PPID Time created Time exited Offset PDB Remarks
---- ---- ------------------- ------------------- ---------- ---------- ----------------
0 0 0x00551b80 0x00ae2000 Idle
1664 1580 2011-03-10 13:02:35 0x01fb0020 0x06f10140 ctfmon.exe
696 632 2011-03-10 13:02:30 0x01fce938 0x06f100a0 lsass.exe
928 684 2011-03-10 13:02:31 0x01fd1500 0x06f100e0 svchost.exe
532 1020 2011-03-10 13:02:59 0x01fe8020 0x06f10200 wscntfy.exe
1020 684 2011-03-10 13:02:31 0x01ff4020 0x06f10100 svchost.exe
1472 684 2011-03-10 13:02:34 0x0201d7e8 0x06f10180 spoolsv.exe
500 684 2011-03-10 13:02:58 0x02192020 0x06f101e0 alg.exe
1696 684 2011-03-10 13:09:47 0x021ea980 0x06f10240 winvnc4.exe
1460 860 2011-03-10 13:28:33 0x021eb558 0x06f10280 wmiprvse.exe
1064 684 2011-03-10 13:02:31 0x022123c0 0x06f10120 svchost.exe
608 544 2011-03-10 13:02:29 0x022216e8 0x06f10040 csrss.exe
544 4 2011-03-10 13:02:27 0x022356d8 0x06f10020 smss.exe
1512 1580 2011-03-10 13:28:14 0x02394da0 0x06f101a0 mmc.exe
1580 1564 2011-03-10 13:02:34 0x023cf620 0x06f101c0 explorer.exe
860 684 2011-03-10 13:02:31 0x02429720 0x06f100c0 svchost.exe
632 544 2011-03-10 13:02:29 0x024ac9c0 0x06f10060 winlogon.exe
1300 684 2011-03-10 13:02:33 0x024df548 0x06f10160 svchost.exe
684 632 2011-03-10 13:02:30 0x025365b0 0x06f10080 services.exe
4 0 0x025c8830 0x00ae2000 System
There is a process named winvnc4.exe with PID 1696. Its password is probably stored in memory, in a file, or in the registry.
Dump the list of registry hives.
volatility -f dump.raw hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual Physical Name
0x8066e904 0x0066e904 [no name]
0xe1809008 0x08bfd008 \Device\HarddiskVolume1\Documents and Settings\eleve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1986008 0x09f7e008 \Device\HarddiskVolume1\Documents and Settings\eleve\NTUSER.DAT
0xe17a9768 0x08a48768 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe179b758 0x08a40758 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1770008 0x085d6008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe175fb60 0x08410b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe13ffb60 0x02f2bb60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe14ab008 0x07023008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe14abb60 0x07023b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe14e4758 0x0369d758 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe12e8288 0x02d65288 [no name]
0xe1035b60 0x02aafb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02ab1008 [no name]
Print the subkeys of the SOFTWARE hive (virtual offset 0xe13ffb60 from the list above).
volatility -f dump.raw printkey --hive-offset 0xe13ffb60
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
Key name: $$$PROTO.HIV (S)
Last updated: 2011-03-10 13:09:47
Subkeys:
(S) C07ft5Y
(S) Classes
(S) Clients
(S) Gemplus
(S) Microsoft
(S) ODBC
(S) Policies
(S) Program Groups
(S) RealVNC
(S) Schlumberger
(S) Secure
(S) Windows 3.1 Migration Status
Get the password.
volatility -f dump.raw printkey --hive-offset 0xe13ffb60 --key "RealVNC\\WinVNC4"
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
Key name: WinVNC4 (S)
Last updated: 2011-03-10 13:10:51
Subkeys:
Values:
REG_BINARY Password : (S)
0000 DA 6E 31 84 95 77 AD 6B .n1..w.k
REG_SZ SecurityTypes : (S) VncAuth
REG_SZ ReverseSecurityTypes : (S) None
REG_DWORD QueryConnect : (S) 0
REG_DWORD QueryOnlyIfLoggedOn : (S) 0
After looking at the RealVNC source, I found that the password is encrypted with d3des (DES) under a fixed key, so it is only obfuscated: anyone who can read the registry value can recover it. The REG_BINARY value is a single 8-byte DES block, which is also the maximum length of a VNC password. A quick Google search gives a nice Python implementation with the VNC key.
Password : secretpq
Forensic 200
We dumped the ntds.dit file of a machine running Active Directory.
You must recover the password of john's account.
Using a program like "Reset Windows Password" it is possible to dump the LM/NTLM hashes:
Administrateur:500:NO PASSWORD*********************:726a36acb62f51ecee698e66fc118683:Compte d’utilisateur d’administration:
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:NO PASSWORD*********************:LM history hash:
Administrateur:500:NO PASSWORD*********************:726a36acb62f51ecee698e66fc118683:NT history hash:
Administrateur:500:NO PASSWORD*********************:fbbf55d0ef0e34d39593f55c5f2ca5f2:NT history hash:
Invité:501:NO PASSWORD*********************:NO PASSWORD*********************:Compte d'utilisateur invité:
SUPPORT_388945a0:1001:NO PASSWORD*********************:30d4a2ef16deff366bd4b9f010b1bd26:Ceci est le compte d’un fournisseur pour les service Aide et support:
SYSDREAM-TTXW4P$:1005:NO PASSWORD*********************:6580b1de7daec96c9d98dbcd2f63f527::
krbtgt:502:NO PASSWORD*********************:b316ba9fe983951bfae8262757aa6f18:Compte de service du centre de distribution de clés:
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:NO PASSWORD*********************:LM history hash:
krbtgt:502:NO PASSWORD*********************:b316ba9fe983951bfae8262757aa6f18:NT history hash:
john:1108:615a367ca6280c40b4c08420b3143e50:3fb89706895e92798aeda7a399a6c417::
john:1108:615a367ca6280c40b4c08420b3143e50:NO PASSWORD*********************:LM history hash:
john:1108:NO PASSWORD*********************:3fb89706895e92798aeda7a399a6c417:NT history hash:
Then I just used John the Ripper to brute-force john's password. Note that john's LM field is populated: it is neither "NO PASSWORD" nor the empty-password value aad3b435b51404eeaad3b435b51404ee seen on the history lines, so the password is at most 14 characters and the LM hash, which is case-insensitive and splits into two independent 7-character halves, is the cheaper target; the NT hash then only has to confirm the letter case.
Forensic 300
In this challenge we have a memory dump of a hacked laptop and need to find some evidence.
As in Forensic 100 I used Volatility and dumped the process list first. The option --profile=Win7SP0x86 specifies the OS version.
volatility -f DumpRAM_CTF.vmem pslist --profile=Win7SP0x86
Volatile Systems Volatility Framework 1.4_rc1
Name Pid PPid Thds Hnds Time
System 4 0 70 434 2011-03-31 14:38:10
smss.exe 216 4 2 29 2011-03-31 14:38:10
csrss.exe 304 296 8 310 2011-03-31 14:38:18
wininit.exe 340 296 3 79 2011-03-31 14:38:19
csrss.exe 352 332 7 169 2011-03-31 14:38:19
winlogon.exe 392 332 4 112 2011-03-31 14:38:20
services.exe 416 340 9 185 2011-03-31 14:38:20
lsass.exe 424 340 8 462 2011-03-31 14:38:21
lsm.exe 432 340 10 141 2011-03-31 14:38:21
svchost.exe 556 416 13 354 2011-03-31 14:38:23
svchost.exe 632 416 7 218 2011-03-31 14:38:24
svchost.exe 676 416 20 408 2011-03-31 14:38:25
svchost.exe 800 416 19 401 2011-03-31 14:38:28
svchost.exe 832 416 34 902 2011-03-31 14:38:28
svchost.exe 944 416 13 265 2011-03-31 14:38:29
dwm.exe 1080 800 4 70 2011-03-31 14:38:31
svchost.exe 1140 416 16 365 2011-03-31 14:38:32
spoolsv.exe 1276 416 14 281 2011-03-31 14:38:34
svchost.exe 1312 416 22 311 2011-03-31 14:38:34
taskhost.exe 1324 416 11 166 2011-03-31 14:38:34
sppsvc.exe 1664 416 4 146 2011-03-31 14:38:39
explorer.exe 2004 1992 24 591 2011-03-31 14:38:55
rundll32.exe 356 300 4 66 2011-03-31 14:38:57
rundll32.exe 500 332 4 66 2011-03-31 14:38:57
rundll32.exe 496 504 4 67 2011-03-31 14:38:58
SearchIndexer. 1528 416 14 605 2011-03-31 14:39:05
cmd.exe 1392 2004 1 23 2011-03-31 14:39:39
conhost.exe 1380 352 3 57 2011-03-31 14:39:40
mscorsvw.exe 188 416 6 77 2011-03-31 14:40:38
svchost.exe 668 416 13 315 2011-03-31 14:40:40
nc.exe 1720 1392 2 72 2011-03-31 14:40:41
The process nc.exe looks suspicious; let's look at the open connections.
volatility -f DumpRAM_CTF.vmem netscan --profile=Win7SP0x86
Volatile Systems Volatility Framework 1.4_rc1
Offset Proto Local Address Foreign Address State Pid Owner Created
0x1e4f5930 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 416 services.exe
0x1e4f5930 TCPv6 :::49156 :::0 LISTENING 416 services.exe
0x1e757008 TCPv4 192.168.163.216:139 0.0.0.0:0 LISTENING 4 System
0x1e764b88 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 632 svchost.exe
0x1e764b88 TCPv6 :::135 :::0 LISTENING 632 svchost.exe
0x1e76ca58 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 632 svchost.exe
0x1e76ebc8 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 340 wininit.exe
0x1e76ebc8 TCPv6 :::49152 :::0 LISTENING 340 wininit.exe
0x1e7872f0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 340 wininit.exe
0x1e7ca9b0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 676 svchost.exe
0x1e7ca9b0 TCPv6 :::49153 :::0 LISTENING 676 svchost.exe
0x1e7caf60 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 676 svchost.exe
0x1eea5f60 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 832 svchost.exe
0x1eea5f60 TCPv6 :::49155 :::0 LISTENING 832 svchost.exe
0x1eea6f60 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 832 svchost.exe
0x1f07fcc0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 424 lsass.exe
0x1f080f60 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 424 lsass.exe
0x1f080f60 TCPv6 :::49154 :::0 LISTENING 424 lsass.exe
0x1fc482d0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 416 services.exe
0x1fc49560 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x1fc49560 TCPv6 :::445 :::0 LISTENING 4 System
0x1f086df8 TCPv4 192.168.163.216:49158 88.190.230.12:48625 ESTABLISHED 1720 nc.exe
0x1e608d30 UDPv4 0.0.0.0:5355 *:* 1140 svchost.exe 2011-03-31 14:38:55
0x1e60d378 UDPv4 0.0.0.0:0 *:* 1140 svchost.exe 2011-03-31 14:38:55
0x1e60d378 UDPv6 :::0 *:* 1140 svchost.exe 2011-03-31 14:38:55
0x1e633198 UDPv4 192.168.163.216:137 *:* 4 System 2011-03-31 14:38:46
0x1e75a178 UDPv4 192.168.163.216:138 *:* 4 System 2011-03-31 14:38:46
0x1e7c6198 UDPv4 0.0.0.0:5355 *:* 1140 svchost.exe 2011-03-31 14:38:55
0x1e7c6198 UDPv6 :::5355 *:* 1140 svchost.exe 2011-03-31 14:38:55
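The netscan table above was read by eye; as an added example (my own code, not from the write-up or from Volatility) here is the same triage done programmatically: parse each row, then flag sockets that are ESTABLISHED to a public address or owned by a dual-use binary. The sample rows are copied from the output above; the dual-use list is an assumption for illustration.

```python
# Added example, not code from the write-up: triage of Volatility netscan rows.
# TCP rows are "offset proto local foreign state pid owner", UDP rows have no
# state column and may end with a creation timestamp.
import ipaddress

# Sample rows copied from the netscan output in the write-up.
SAMPLE = """\
0x1e764b88 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 632 svchost.exe
0x1fc49560 TCPv6 :::445 :::0 LISTENING 4 System
0x1f086df8 TCPv4 192.168.163.216:49158 88.190.230.12:48625 ESTABLISHED 1720 nc.exe
0x1e633198 UDPv4 192.168.163.216:137 *:* 4 System 2011-03-31 14:38:46
"""
# Assumed list of binaries that rarely own a socket for a good reason.
DUAL_USE = {"nc.exe", "ncat.exe", "netcat.exe", "plink.exe", "psexec.exe"}

def _split_addr(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); ':::0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netscan(text):
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or not t[0].startswith("0x"):
            continue                      # banner, header or blank line
        offset, proto, local, foreign = t[:4]
        if proto.startswith("TCP") and len(t) >= 7:
            state, pid, owner = t[4], int(t[5]), t[6]
        else:
            state, pid, owner = "", int(t[4]), t[5]
        rows.append({"offset": offset, "proto": proto, "local": _split_addr(local),
                     "foreign": _split_addr(foreign), "state": state,
                     "pid": pid, "owner": owner})
    return rows

def _is_public(host):
    try:
        return ipaddress.ip_address(host).is_global   # False for RFC1918, 0.0.0.0, ::
    except ValueError:
        return False                                  # '*' placeholder

def triage(text):
    """Return (reasons, row) pairs for sockets worth a closer look."""
    hits = []
    for row in parse_netscan(text):
        reasons = []
        if row["state"] == "ESTABLISHED" and _is_public(row["foreign"][0]):
            reasons.append("established to public address")
        if row["owner"].lower() in DUAL_USE:
            reasons.append("dual-use tool owns a socket")
        if reasons:
            hits.append((reasons, row))
    return hits
```

On the sample rows triage() returns a single hit, PID 1720 nc.exe talking to 88.190.230.12:48625, with both reasons attached; the LISTENING system sockets and the UDP NetBIOS row are parsed but not flagged. Running it over the full netscan output (and a pslist parent-child check, since nc.exe's parent here is cmd.exe under explorer.exe) is the repeatable version of the eyeballing above.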
We have an established connection to 88.190.230.12:48625. Next, I tried to see what data was sent by dumping the process memory and searching it for the suspicious IP address.
volatility -f DumpRAM_CTF.vmem memdump --profile=Win7SP0x86 --dump-dir mem
strings mem/1720.dmp | grep -C 5 88.190.230.12
%SystemRoot%\system32\mswsock.dll
mvvI
,{M%
mvvI
,{M%
w CKM88.190.230.12
t:$Bf
euLSeu
`ahu
ahu@
`huh
--
windir=C:\Windows
Secret pass is H4x0r
Nice job !
The hash is ***************
secte.server_of_dark_hamster.com
88.190.230.12
Sending the string "Secret pass is H4x0r" to 88.190.230.12 on port 48625 returns the flag.
echo 'Secret pass is H4x0r' | nc 88.190.230.12 48625
Nice job!
The hash is 9vjgH368$hgHGjh
1 comment
In Forensic 100, the zip archive from the link is corrupted :(