{"id":253,"date":"2018-07-06T22:03:08","date_gmt":"2018-07-06T21:03:08","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=253"},"modified":"2018-07-06T22:03:08","modified_gmt":"2018-07-06T21:03:08","slug":"memory-dump","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=253","title":{"rendered":"Memory Dump"},"content":{"rendered":"<p>Inspired by the CQURE <a href=\"https:\/\/cqureacademy.com\/challenge\" target=\"_blank\" rel=\"noopener\">5 day challenge<\/a> I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. \ud83d\ude42<\/p>\n<p><strong>Table of Contents<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=164\" target=\"_blank\" rel=\"noopener\">Analyze a Windows Service<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=199\" target=\"_blank\" rel=\"noopener\">Auditing permissions<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=181\" target=\"_blank\" rel=\"noopener\">About handles and the SAM file<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=213\" target=\"_blank\" rel=\"noopener\">Password Hashes<\/a><\/li>\n<li><strong>Memory Dump<\/strong><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">The last part of the 5 day challenge was a quick introduction to forensics: how to create a complete memory dump of a Windows system, or a minidump of a particular process. I&#8217;ve decided to extend this article a little with further study of this <a href=\"https:\/\/cqureacademy.com\/blog\/forensics\/memory-dump-analysis\" target=\"_blank\" rel=\"noopener\">blog article<\/a> by Paula.<\/p>\n<p style=\"text-align: justify;\">Let us imagine that we have to deal with a compromised Windows system and, to preserve evidence, we want to save a complete memory dump of the operating system. 
There are different tools for that, but let&#8217;s first have a closer look at a tool called <a href=\"https:\/\/github.com\/thimbleweed\/All-In-USB\/tree\/master\/utilities\/DumpIt\" target=\"_blank\" rel=\"noopener\">DumpIt.exe<\/a> from Matthieu Suiche. It&#8217;s a simple and portable tool which does exactly that: run it on the target and it writes an image of the whole physical memory. The only thing you have to check is the destination path where the dump file gets stored; it should be on removable or network storage rather than the compromised system&#8217;s own disk, so that the acquisition overwrites as little evidence as possible.<\/p>\n<p style=\"text-align: justify;\">The next thing we want to cover before we go into analysis is how to create a dump of a single process. There is a tool called <a href=\"https:\/\/docs.microsoft.com\/de-de\/sysinternals\/downloads\/procdump\" target=\"_blank\" rel=\"noopener\">procdump<\/a> from Sysinternals which can do that. The same function is built into <a href=\"https:\/\/docs.microsoft.com\/de-de\/sysinternals\/downloads\/process-explorer\" target=\"_blank\" rel=\"noopener\">Process Explorer<\/a>, and alternatively we can use Process Hacker.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-257 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_2.png\" alt=\"\" width=\"901\" height=\"661\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_2.png 901w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_2-300x220.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_2-768x563.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_2-80x60.png 80w\" sizes=\"auto, (max-width: 901px) 100vw, 901px\" \/><\/a><\/p>\n<p>Right-click on lsass.exe &#8211;&gt; Create dump &#8211;&gt; Create full dump &#8211;&gt; save<\/p>\n<p>After doing that we want to check whether we can extract sensitive logon information from the dump with <a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/releases\" target=\"_blank\" 
rel=\"noopener\">mimikatz<\/a>. The first command points mimikatz at the dump file instead of the live lsass.exe process; the second lists the logon sessions and the credentials it finds in them.<\/p>\n<p><code>mimikatz # sekurlsa::minidump C:\\dmp\\lsass.dmp<\/code><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-260\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_3.png\" alt=\"\" width=\"997\" height=\"602\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_3.png 997w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_3-300x181.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_3-768x464.png 768w\" sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/p>\n<p><code>mimikatz # sekurlsa::logonPasswords<\/code><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-261\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_4-1024x699.png\" alt=\"\" width=\"1024\" height=\"699\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_4-1024x699.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_4-300x205.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_4-768x524.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_4.png 1039w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>I won&#8217;t go deeper at this point, but briefly cover a toolkit called <a href=\"https:\/\/github.com\/volatilityfoundation\/volatility\" target=\"_blank\" rel=\"noopener\">volatility framework<\/a>, which is a set of Python scripts for further memory analysis. The <code>--profile<\/code> value must match the operating system of the dumped machine (Win7SP1x64 here).<\/p>\n<p>Some examples:<\/p>\n<p>Show the commands someone typed into cmd.exe together with their output, recovered from the console host&#8217;s screen buffer<\/p>\n<p><code>vol.py -f \"Path of dump file\" --profile=Win7SP1x64 consoles<\/code><\/p>\n<p>Show the command history of cmd.exe sessions (the commands only)<\/p>\n<p><code>vol.py -f \"Path of dump file\" --profile=Win7SP1x64 cmdscan<\/code><\/p>\n<p>Get a list of processes that were running on that system (walks the kernel&#8217;s linked list of active processes)<\/p>\n<p><code>vol.py -f \"Path 
of dump file\" --profile=Win7SP1x64 pslist<\/code><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-263\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_5.png\" alt=\"\" width=\"992\" height=\"287\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_5.png 992w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_5-300x87.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_5-768x222.png 768w\" sizes=\"auto, (max-width: 992px) 100vw, 992px\" \/><\/p>\n<p>Get a list of processes including hidden and already terminated ones: psscan carves process structures out of memory instead of following the list, so a process that was unlinked from the list still shows up<\/p>\n<p><code>vol.py -f \"Path of dump file\" --profile=Win7SP1x64 psscan<\/code><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-264\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_6.png\" alt=\"\" width=\"928\" height=\"287\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_6.png 928w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_6-300x93.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_6-768x238.png 768w\" sizes=\"auto, (max-width: 928px) 100vw, 928px\" \/><\/p>\n<p style=\"text-align: justify;\">The challenge itself was a set of instructions: import a certificate with a private key marked as not exportable, then run a modified PowerShell script called invoke-mimikatz.ps1 to extract the certificate out of memory. For some reason the script for the extraction didn&#8217;t work for me, but during these challenges I&#8217;ve learned a lot in a short time and I think I&#8217;m addicted now to learning more! 
\ud83d\ude42<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-266\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_7-1024x445.png\" alt=\"\" width=\"1024\" height=\"445\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_7-1024x445.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_7-300x130.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_7-768x334.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/5_7.png 1217w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Some recurring questions:<\/p>\n<p><strong>Which process in the OS can contain data about active users?<\/strong><br \/>\nlsass.exe<\/p>\n<p><strong>How can you create a process dump with tools built into the Windows OS?<\/strong><br \/>\nWith Task Manager (right-click the process and choose Create dump file)<\/p>\n<p><strong>Which utility allows you to discover passwords from lsass.exe?<\/strong><br \/>\nMimikatz<\/p>\n<p><strong>Which file does not contain sensitive information about passwords?<\/strong><br \/>\nA Taskmgr.exe dump<\/p>\n<p><strong>Is it possible to create an lsass.exe dump on a remote machine?<\/strong><br \/>\nYes, with remote execution tools such as PsExec.<\/p>\n<p>Further information about forensic tools:<\/p>\n<p><a href=\"http:\/\/forensicswiki.org\/wiki\/Main_Page\" target=\"_blank\" rel=\"noopener\">http:\/\/forensicswiki.org\/wiki\/Main_Page<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Inspired by the CQURE 5 day challenge I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. 
\ud83d\ude42 Table of <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=253\" title=\"Memory Dump\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":256,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,4,10],"tags":[],"class_list":["post-253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=253"}],"version-history":[{"count":7,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/253\/revisions"}],"predecessor-version":[{"id":267,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/253\/revisions\/267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/256"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
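The post notes that psscan also lists hidden processes; the reason to run it next to pslist is to compare the two, since pslist follows the kernel's linked list of active processes and a process that malware has unlinked from that list is simply absent from it, while psscan carves process structures out of physical memory and so still sees unlinked and already-terminated ones. The following added example (not part of the post or of the Volatility Framework) does that comparison over two listings in Volatility 2's pslist and psscan column layout. Both listings are constructed for the illustration: the names, PIDs, offsets and timestamps are made up, including the `svch0st.exe` entry the check is meant to surface.

```python
"""Cross-check Volatility 2 pslist output against psscan to find hidden processes.

Added example for this article; it is not part of the original post or of the
Volatility Framework.  pslist walks the kernel's ActiveProcessLinks list, so a
process unlinked from that list is missing from it.  psscan carves _EPROCESS
structures out of physical memory by pool tag, so it also reports unlinked and
already-terminated processes.  Anything psscan sees that pslist does not is thus
either terminated (it has an exit time) or hidden.  Both listings below are
constructed samples in Volatility 2's column layout, not captures from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of:  vol.py -f mem.raw --profile=Win7SP1x64 pslist
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8e040 System                    4      0     86      565 ------      0 2018-07-06 19:01:02 UTC+0000
0xfffffa8001a3e060 csrss.exe               352    344      9      481      0      0 2018-07-06 19:01:09 UTC+0000
0xfffffa8001ad2b30 wininit.exe             384    344      3       80      0      0 2018-07-06 19:01:09 UTC+0000
0xfffffa8001b3a060 lsass.exe               496    384      7      628      0      0 2018-07-06 19:01:10 UTC+0000
0xfffffa8002106b30 explorer.exe           1384   1352     31      893      1      0 2018-07-06 19:02:41 UTC+0000
0xfffffa8002341060 cmd.exe                2020   1384      1       21      1      0 2018-07-06 19:30:12 UTC+0000
"""

# Constructed sample of:  vol.py -f mem.raw --profile=Win7SP1x64 psscan
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e8e0040 System                4      0 0x0000000000187000 2018-07-06 19:01:02 UTC+0000
0x000000003fa3e060 csrss.exe           352    344 0x000000003f67d000 2018-07-06 19:01:09 UTC+0000
0x000000003fad2b30 wininit.exe         384    344 0x000000003f5c1000 2018-07-06 19:01:09 UTC+0000
0x000000003fb3a060 lsass.exe           496    384 0x000000003f3a2000 2018-07-06 19:01:10 UTC+0000
0x000000003f106b30 explorer.exe       1384   1352 0x000000003e2d9000 2018-07-06 19:02:41 UTC+0000
0x000000003f341060 cmd.exe            2020   1384 0x000000003d87c000 2018-07-06 19:30:12 UTC+0000
0x000000003f4c2060 procdump64.exe     2244   2020 0x000000003d1f0000 2018-07-06 19:31:05 UTC+0000 2018-07-06 19:31:08 UTC+0000
0x000000003e9f7b30 svch0st.exe        2412   2020 0x000000003cf60000 2018-07-06 19:33:40 UTC+0000
"""

ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")   # offset, name, PID, PPID
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    created: Optional[str]
    exited: Optional[str]

def parse_process_table(text: str) -> Dict[int, Proc]:
    """Parse a pslist or psscan table into {pid: Proc}.  Header and separator rows do not
    start with an address and are skipped.  Keyed by PID for clarity; PID reuse on a
    long-running host would call for keying by offset instead."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        times = TIME_RE.findall(line)            # one timestamp = created, two = created + exited
        pid = int(m.group(3))
        procs[pid] = Proc(m.group(1), m.group(2), pid, int(m.group(4)),
                          times[0] if times else None, times[1] if len(times) > 1 else None)
    return procs

def cross_check(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> Dict[str, List[Proc]]:
    """Split the psscan-only processes into terminated (exit time set) and hidden (no exit
    time, yet absent from the linked list).  pslist-only entries are also reported: that
    happens when the _EPROCESS pool block was already overwritten before the capture."""
    hidden, terminated, pslist_only = [], [], []
    for pid in sorted(psscan):
        if pid in pslist:
            continue
        (terminated if psscan[pid].exited else hidden).append(psscan[pid])
    for pid in sorted(pslist):
        if pid not in psscan:
            pslist_only.append(pslist[pid])
    return {"hidden": hidden, "terminated": terminated, "pslist_only": pslist_only}

def report(result: Dict[str, List[Proc]]) -> List[str]:
    lines = [f"HIDDEN     {p.name} (PID {p.pid}, PPID {p.ppid}) at {p.offset}: in psscan only, no exit time"
             for p in result["hidden"]]
    lines += [f"TERMINATED {p.name} (PID {p.pid}) exited {p.exited}" for p in result["terminated"]]
    lines += [f"UNCARVED   {p.name} (PID {p.pid}) in pslist only" for p in result["pslist_only"]]
    return lines

if __name__ == "__main__":
    result = cross_check(parse_process_table(PSLIST_OUTPUT), parse_process_table(PSSCAN_OUTPUT))
    print("\n".join(report(result)))
```

With real output, save each plugin's listing to a file and feed its contents to `parse_process_table()` in place of the two constants. A name that imitates a system binary and sits in the hidden list, or hangs off a parent it should not have (a cmd.exe child here), is the offset to go on with: the physical offset psscan prints is what you hand to the framework's other plugins to look at that process's DLLs, handles and memory.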