danielsauder

IT security is a matter of trust.

Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes

For this part we first make a memory dump with the moonsols dumit.exe tool (using my physical Windows 7 x64 machine):
http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
dumpit0551934099191ca7d24e3bd4552ee139
The next steps are simple volatility calls, like getting the basic image information:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win200
8R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volati
lity_2.5.win.standalone\DAXAMD-20160124-111555.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002ff20f0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002ff3d00L
                KPCR for CPU 1 : 0xfffff880009e8000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-24 11:16:03 UTC+0000
     Image local date and time : 2016-01-24 12:16:03 +0100
Get the hivelist:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw hivelist –profile Win7SP1x64
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
—————— —————— —-
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000062010 0x0000000150d76010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000121010 0x0000000149c8e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d55010 0x0000000148258010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000e04200 0x000000013b7ad200 \SystemRoot\System32\Config\DEFAULT
0xfffff8a001219010 0x0000000132d35010 \SystemRoot\System32\Config\SECURITY
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a00143c010 0x000000012fa23010 \??\C:\Windows\ServiceProfiles\NetworkServ
ice\NTUSER.DAT
0xfffff8a00151a240 0x000000012c2b9240 \??\C:\Windows\ServiceProfiles\LocalServic
e\NTUSER.DAT
0xfffff8a002261010 0x000000010db7f010 \??\C:\Users\dax\ntuser.dat
0xfffff8a0022f6410 0x0000000148132410 \??\C:\Users\dax\AppData\Local\Microsoft\W
indows\UsrClass.dat
0xfffff8a004e77010 0x0000000110fea010 \??\C:\System Volume Information\Syscache.
hve
0xfffff8a00ceae010 0x000000007eeb9010 \??\C:\Windows\System32\config\COMPONENTS
Help!
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.e
xe hashdump -h
Volatility Foundation Volatility Framework 2.5
Usage: Volatility – A memory forensics analysis platform.
Options:
  -h, –help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  –conf-file=.volatilityrc
                        User based configuration file
  -d, –debug           Debug volatility
  –plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  –info                Print information about all registered objects
  –cache-directory=C:\Users\dax/.cache\volatility
                        Directory where cache files are stored
  –cache               Use caching
  –tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, –filename=FILENAME
                        Filename to use when opening an image
  –profile=WinXPSP2x86
                        Name of the profile to load (use –info to see a list
                        of supported profiles)
  -l LOCATION, –location=LOCATION
                        A URN location from which to load an address space
  -w, –write           Enable write support
  –dtb=DTB             DTB Address
  –shift=SHIFT         Mac KASLR shift address
  –output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  –output-file=OUTPUT_FILE
                        Write output in this file
  -v, –verbose         Verbose information
  -g KDBG, –kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  –force               Force utilization of suspect profile
  -k KPCR, –kpcr=KPCR  Specify a specific KPCR address
  –cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -y SYS_OFFSET, –sys-offset=SYS_OFFSET
                        SYSTEM hive offset (virtual)
  -s SAM_OFFSET, –sam-offset=SAM_OFFSET
                        SAM hive offset (virtual)
Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
———————————
Module HashDump
———————————
Dumps passwords hashes (LM/NTLM) from memory
What we need for getting the hashes:
y=virtual location of system
s=virtual location of sam
Dump the hashes:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f DAXAMD-20160124-111555.raw –profile Win7SP1x64 -y 0xfffff8a0000231f0 -s 0xfffff8a001290010
Volatility Foundation Volatility Framework 2.5
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
dax:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
HomeGroupUser$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
otto:1007:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
__vmware_user__:1015:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
UpdatusUser:1016:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/
 
Link:
https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/

Published by

Daniel

One response to “Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes”

  1. Memdumps, Volatility, Mimikatz, VMs – Overview | govolution

    […] later part (whereby I mean monitoring and logging). Overview Part 1: Mimikatz & lsass.exe Dump Part 2: Windows 7 Full Memory Dump & Get Hashes Part 3: WinDBG Mimikatz Extension Part 4: Volatility & Mimikatz Part 5: Virtualbox & […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: