-
Memdumps, Volatility, Mimikatz, VMs – Part 3: WinDBG Mimikatz Extension
Now this is interesting. It is possible to load a full memory dump into WinDBG, load mimikatz and dump the credentials in cleartext. For this I used the dump of the Windows 7 machine from part 2. Steps: download and install WinDBG; download the MoonSols Windows Memory Toolkit (http://www.moonsols.com/windows-memory-toolkit/); convert the raw memory image into a crash-dump file that WinDBG can open: C:\Users\dax\Downloads\MWMT-v1.4>bin2dmp.exe…
-
Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes
For this part we first make a memory dump with the MoonSols DumpIt.exe tool (on my physical Windows 7 x64 machine): http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/ The next steps are simple Volatility calls, like getting the basic image information: C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw imageinfo Volatility Foundation Volatility Framework 2.5 INFO : volatility.debug : Determining profile based on KDBG…
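The imageinfo call above is the first of the "simple Volatility calls"; the profile it suggests is what every later plugin needs. The following script is an added example and not code from the post: it runs the Volatility 2.5 standalone binary against the DumpIt image, reads the suggested profile out of imageinfo, and then runs hashdump, lsadump and cachedump with that profile. The install directory, the image file name and the helper name Get-SuggestedProfile are assumptions.

```powershell
# Added example (not from the original post). Drives the Volatility 2.5 standalone
# binary against the DumpIt image: read the suggested profile from imageinfo, then
# pull SAM hashes, LSA secrets and cached domain creds with that profile.
# Paths and file names are assumptions.
$vol   = 'C:\Users\dax\Downloads\volatility_2.5.win.standalone\volatility-2.5.standalone.exe'
$image = 'C:\Users\dax\Downloads\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw'

function Get-SuggestedProfile {
    param([string]$Vol, [string]$Image)
    # imageinfo prints a line such as "Suggested Profile(s) : Win7SP1x64, Win7SP0x64, ..."
    $lines = & $Vol -f $Image imageinfo 2>&1 | ForEach-Object { "$_" }
    $hit = $lines | Select-String -Pattern 'Suggested Profile\(s\)\s*:\s*(.+)$' |
           Select-Object -First 1
    if (-not $hit) {
        throw 'No profile suggested (KDBG not found); run "kdbgscan" and pass --profile by hand.'
    }
    # Take the first candidate and strip trailing notes such as "(Instantiated with Win7SP1x64)".
    $first = ($hit.Matches[0].Groups[1].Value -split ',')[0].Trim()
    return ($first -replace '\s*\(.*\)$', '')
}

$volProfile = Get-SuggestedProfile -Vol $vol -Image $image
Write-Host "Using profile $volProfile"

# NTLM hashes of local accounts, taken from the SAM hive located in the dump.
& $vol -f $image --profile=$volProfile hashdump
# LSA secrets (service account passwords, DPAPI system key, ...), if present.
& $vol -f $image --profile=$volProfile lsadump
# Domain credentials cached for offline logon (MSCache), if the box is domain-joined.
& $vol -f $image --profile=$volProfile cachedump
```

If imageinfo lists several profiles, the first one is usually right, but a wrong service-pack profile shows up as empty or garbled hive output rather than an error, so check hashdump prints the expected account names before trusting the hashes.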
-
Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump
Part 1 is simple: dump the lsass.exe process and use mimikatz to get the credentials as clear text and as hashes. You need admin or SYSTEM rights for this. But as a short reminder, first let's have a look at the "normal" way of dumping credentials from the lsass.exe process with mimikatz: mimikatz # privilege::debug…
-
Memdumps, Volatility, Mimikatz, VMs – Overview
In the last weeks I experimented with how to get user credentials from memory dumps, and hopefully I will have the time to continue this little "research" (I know, it is not really research when you just write up stuff 😉 ). There are many different ways to dump credentials as hashes or in cleartext from various…
-
Very first steps with IDA
Recently I started using IDA. For me it has a steep learning curve, and some people I talked to agreed. So here are a few links for the first steps if you want to get into IDA. I assume you already know assembly and know what reversing is. Of course there are many more on…
-
Some Great Links for Malware Research
Last week I attended this year's Brucon, where I had the chance to participate in the Malware Triage workshop by https://twitter.com/herrcore and https://twitter.com/seanmw. The workshop is awesome (look here to get the idea: http://herrcore.blogspot.de/2014/09/crowdsourced-malware-triage.html) and if you have the chance to take it, go for it! The links here are from their slides and I…
-
Slides OWASP Meeting Cologne
Yesterday I gave a talk at the OWASP meeting in Cologne; here are the slides: owasp-meeting-cologne-30-09-2015 Unfortunately Evernote Presentation Mode does not support PDF export on Windows, so there are no working links in the PDF. Here is the link list: https://govolution.wordpress.com Tweets by DanielX4v3r http://resources.infosecinstitute.com/shellcode-detection-emulation-libemu/ https://www.winitor.com/ Digital Attack on German Parliament: Investigative Report on the Hack of…
-
An Analysis of Shikata-Ga-Nai
Trivia: Shikata ga nai is Japanese and means something like "nothing can be done about it". https://en.wikipedia.org/wiki/Shikata_ga_nai Learning is always fun, and I was playing around with writing ClamAV signatures. I wondered whether it is possible to write a signature that matches the famous Shikata-Ga-Nai shellcode encoder that ships with Metasploit. In the end I succeeded in…
-
A basic keylogger for Windows
For testing security software and hardware I wrote a very simple keylogger (which is very noisy). Together with the winexec shellcode I wrote earlier it is possible to download and start the keylogger, which simulates a very simple piece of malware. My idea is to have some tools (when I have more time to program…
-
Raspberry Pi & ARM Shellcoding
Lately I was playing with my Raspberry Pi B running Raspbian GNU/Linux 7, and this is a short walkthrough with a hello world example. For a more in-depth introduction to ARM shellcoding look here: http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/ Adapted from that article, here is the example: .section .text .global _start _start: .code 32 add r6, pc,…