Lab 4C

This document provides instructions for analyzing a memory dump using the Volatility framework. It describes how to get basic information from the memory image, list processes, network connections, and services running on the system. It also explains how to extract password hashes from the memory dump and recover passwords by cracking the hashes. The document demonstrates recovering command history by extracting console commands.

FRS301 - LAB 4C

Quách Hoàng Nam - SE161409 - IA1705

Start Your Kali Linux Machine


Launch your Kali Linux machine. If necessary, log in as kali with the password kali

Task 1: Basic Volatility Usage


Finding the RAM Image to Examine
In your Kali Linux machine, open a Terminal window and execute these commands:
cd
cd Desktop
ls -l
Note that the last command is "LS -L" in lowercase.
You should see the memdump.mem file, which should be approximately 500 MB in size, as shown
below. If you do not, you may need to repeat a previous project to create the memory image again.

Starting Volatility
In your Kali Linux machine, in a Terminal window, execute this command:
volatility -h
You see a long help message, as shown below:

The volatility help is long and confusing.


Fortunately, SANS has made a handy one-page cheat sheet which is much friendlier. The part that is
important to us is shown below:
Basic Volatility Usage
Image Information
In your Kali Linux machine, in a Terminal window, execute this command:
volatility imageinfo -f /kali/Desktop/memdump.mem
This shows basic information about the image, such as the operating system of the machine that was
imaged, and when the image was made, as shown below:

Volatility needs to know what operating system was imaged in order to interpret the memory image
correctly. The default profile is WinXPSP2x86, but we used Win2008SP1x86, so we'll have to include
that information in all future volatility command-lines.

Running Processes
In your Kali Linux machine, in a Terminal window, execute this command:
volatility pslist --profile=Win2016x64_14393 -f /kali/Desktop/memdump.mem
This shows the processes that were running on the machine when the RAM image was made, as shown
below:
Network Connections
In your Kali Linux machine, in a Terminal window, execute this command:
volatility netscan --profile=Win2016x64_14393 -f /kali/Desktop/memdump.mem
This shows the network connections on the Windows machine, as shown below:

Services
In your Kali Linux machine, in a Terminal window, execute this command:
volatility svcscan --profile=Win2016x64_14393 -f /kali/Desktop/memdump.mem | more
This shows the first page of a long list of services, as shown below:

Task 2: Extracting Password Hashes (10 pts)


Getting the Windows Server 2008 Memory Dump
If you didn't already do it in a previous project, download and unzip this file:
memdump.7z
The file is 130,398,701 bytes in size, and its MD5 hash is 364fed484bcdd1a1f81a3538a4b1cd9a.
To unzip a .7z file in Kali, use "7z x filename"
Registry Hives
In your Kali Linux machine, in a Terminal window, with the working directory in the directory
containing Windows Server 2008 Memory Dump, execute this command:
volatility hivelist --profile=Win2008SP1x86 -f memdump.mem
This shows the location in RAM of the Registry hives, as shown below:

Examine your output and find the two addresses outlined in green above: the virtual addresses of the
SAM and SYSTEM hives. Those two hives together contain enough information to extract Windows
password hashes.

Password Hashes
In your Kali Linux machine, in a Terminal window, execute the command below.
You will have to replace the two hexadecimal addresses with the correct virtual addresses of your hives,
in this format:
-y SYSTEM -s SAM
volatility hashdump --profile=Win2008SP1x86 -f memdump.mem -y 0x86226008 -s 0x89c33450
When you get the command correct, you will see the login account names and hashed passwords, as
shown below.
Windows stores two hashes with each password, delimited by colons. The first one is an extremely
insecure, obsolete hash produced by the LANMAN algorithm. Windows operating systems since Vista no
longer store LANMAN hashes, so that field is filled with a fixed dummy value starting with "aad".
The second hash is the newer NTLM hash, which is much better than a LANMAN hash but still
extremely insecure and much more easily cracked than Linux or Mac OS X hashes.
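The two Task 2 steps above (reading the SAM and SYSTEM virtual addresses out of hivelist, then interpreting the user:rid:LM:NT::: lines that hashdump prints) are easy to get wrong by hand, so here is an added example that automates them. This is not code from the lab or from the Volatility project. The hivelist and hashdump text below is constructed to mirror the Volatility 2 output layout; the two virtual addresses are the ones the lab uses, and every hash value except the two well-known empty-password hashes is made up.

```python
"""Parse Volatility 2 hivelist/hashdump output for the Win2008SP1x86 workflow.

Added example for this lab; not part of the page or of Volatility itself.
The sample text is constructed: addresses match the lab, hash values are fake
except the two empty-password constants below.
"""
import re

# Constructed hivelist output (Volatility 2 columns: Virtual, Physical, Name).
HIVELIST_OUTPUT = r"""Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b2d1008 0x1c3f1008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x89c33450 0x1a9b3450 \SystemRoot\System32\Config\SAM
0x86226008 0x03f26008 \REGISTRY\MACHINE\SYSTEM
0x8ab1d9c8 0x1f41d9c8 \SystemRoot\System32\Config\SOFTWARE
"""

# Constructed hashdump output, user:rid:lmhash:nthash::: per line.
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
student:1001:aad3b435b51404eeaad3b435b51404ee:e19c00000000000000000000deadbeef:::
legacy:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (the "aad..." filler)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)

HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+|-)\s+(.+?)\s*$")


def find_hive_addresses(hivelist_text):
    """Return {'SYSTEM': vaddr, 'SAM': vaddr} from hivelist output.

    The hive is identified by the last path component of its name, so both
    \\REGISTRY\\MACHINE\\SYSTEM and \\...\\Config\\SAM spellings are handled.
    """
    found = {}
    for line in hivelist_text.splitlines():
        m = HIVE_LINE.match(line)
        if not m:
            continue  # banner, header and separator lines
        vaddr, _physical, name = m.groups()
        leaf = name.rsplit("\\", 1)[-1].upper()
        if leaf in ("SYSTEM", "SAM") and leaf not in found:
            found[leaf] = vaddr
    missing = {"SYSTEM", "SAM"} - found.keys()
    if missing:
        raise ValueError("hivelist output lacks hives: %s" % ", ".join(sorted(missing)))
    return found


def build_hashdump_command(hives, profile, image):
    """Assemble the hashdump argv: -y takes SYSTEM, -s takes SAM (lab order)."""
    return ["volatility", "hashdump", "--profile=" + profile, "-f", image,
            "-y", hives["SYSTEM"], "-s", hives["SAM"]]


def parse_hashdump(text):
    """Split hashdump lines and flag the two conditions a defender cares about:
    an account still storing a real LM hash, and an account with a blank NT hash."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip banners or malformed lines
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        rows.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM,   # crackable LM hash present
            "nt_blank": nt == EMPTY_NT,    # empty password
        })
    return rows


if __name__ == "__main__":
    hives = find_hive_addresses(HIVELIST_OUTPUT)
    print(" ".join(build_hashdump_command(hives, "Win2008SP1x86", "memdump.mem")))
    for row in parse_hashdump(HASHDUMP_OUTPUT):
        notes = []
        if row["lm_stored"]:
            notes.append("LM hash stored")
        if row["nt_blank"]:
            notes.append("blank password")
        print("%-14s rid=%-5d nt=%s %s" % (row["user"], row["rid"], row["nt"], "; ".join(notes)))
```

Running the script prints the exact hashdump command line for the lab (with -y and -s in the order the page shows) and then one line per account, marking accounts that still carry a LANMAN hash or whose NT hash is the empty-password value.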

Recording Your Success


Find the NT hash for the "student" account, which is partially redacted in the image above. It begins
with e19c.
Use the form below to put your name on the WINNERS PAGE.
Cracking the Password Hash
On your host machine, open a Web browser and go to
https://crackstation.net/
Paste in the hash. On the right side, fill in the CAPTCHA and click the "Crack Hashes" button.
The hash should crack, revealing the plaintext password.

Task 3: Extracting Console Commands (5 pts)


Console Commands
In your Kali Linux machine, in a Terminal window, with the working directory in the directory
containing Windows Server 2008 Memory Dump, execute this command:
volatility consoles --profile=Win2008SP1x86 -f memdump.mem
This shows the console commands that were recently executed on the Windows machine, beginning
with the "csrss" process, as shown below:

Scroll until you find the "net user" command shown below, which attempted to set a password on the
"waldo" account that violated the complexity requirement.
The password is redacted in the image below.
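Scrolling through consoles output by eye works for one dump, but an analyst normally wants account-management commands (such as the "net user" command the task asks you to find) pulled out automatically, and wants the password argument dropped before the finding goes into a report. The following is an added example of that triage, not code from the lab or from Volatility. The console dump it parses is constructed to follow the consoles plugin layout (ConsoleProcess, AttachedProcess, "Cmd #N at 0x...: command", then the screen buffer); the password argument in it is a placeholder.

```python
"""Triage Volatility 2 'consoles' output for account-management commands.

Added example for this lab; not part of the page or of Volatility. The
sample dump is constructed; <REDACTED-PASSWORD> stands in for the real value.
"""
import re

CONSOLES_OUTPUT = r"""
**************************************************
ConsoleProcess: csrss.exe Pid: 556
Console: 0x4f2e0 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: Administrator: Command Prompt
AttachedProcess: cmd.exe Pid: 2024 Handle: 0x3c
----
CommandHistory: 0x4fb2e8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x3c
Cmd #0 at 0x4fc1a0: ipconfig
Cmd #1 at 0x4fc1e8: net user waldo <REDACTED-PASSWORD>
Cmd #2 at 0x4fc230: dir C:\Users
----
Screen 0x4f5a60 X:80 Y:300
Dump:
C:\Users\Administrator>net user waldo <REDACTED-PASSWORD>
The password does not meet the password policy requirements. Check the minimum
password length, password complexity and password history requirements.

More help is available by typing NET HELPMSG 2245.
"""

CONSOLE_PROC = re.compile(r"^ConsoleProcess:\s+(\S+)\s+Pid:\s+(\d+)")
ATTACHED_PROC = re.compile(r"^AttachedProcess:\s+(\S+)\s+Pid:\s+(\d+)")
CMD_LINE = re.compile(r"^Cmd #(\d+) at (0x[0-9a-fA-F]+):\s?(.*)$")
POLICY_MSG = "does not meet the password policy requirements"

# Command prefixes that change local accounts or group membership.
ACCOUNT_PREFIXES = ("net user", "net1 user", "net localgroup", "net group")


def parse_console_commands(text):
    """Return one record per recovered command, tagged with the owning console
    process (csrss.exe on Server 2008) and the attached cmd.exe."""
    records, console, attached = [], ("?", 0), ("?", 0)
    for line in text.splitlines():
        m = CONSOLE_PROC.match(line)
        if m:
            console = (m.group(1), int(m.group(2)))
            continue
        m = ATTACHED_PROC.match(line)
        if m:
            attached = (m.group(1), int(m.group(2)))
            continue
        m = CMD_LINE.match(line)
        if m:
            records.append({
                "console": console[0], "console_pid": console[1],
                "process": attached[0], "pid": attached[1],
                "index": int(m.group(1)), "addr": m.group(2),
                "command": m.group(3).strip(),
            })
    return records


def flag_account_commands(records):
    """Keep only commands that start with an account-management verb."""
    flagged = []
    for rec in records:
        normalized = " ".join(rec["command"].lower().split())
        if normalized.startswith(ACCOUNT_PREFIXES):
            flagged.append(rec)
    return flagged


def redact_password(command):
    """Replace the password argument of 'net user <name> <password> ...' so a
    report can quote the command without leaking the secret."""
    tokens = command.split()
    if (len(tokens) >= 4 and tokens[0].lower() in ("net", "net1")
            and tokens[1].lower() == "user" and not tokens[3].startswith("/")):
        tokens[3] = "<redacted>"
    return " ".join(tokens)


def count_policy_rejections(text):
    """Count screen-buffer lines showing the complexity-policy rejection."""
    return sum(1 for line in text.splitlines() if POLICY_MSG in line)


if __name__ == "__main__":
    cmds = parse_console_commands(CONSOLES_OUTPUT)
    for rec in flag_account_commands(cmds):
        print("%s pid %d (console %s %d) cmd #%d: %s" % (
            rec["process"], rec["pid"], rec["console"], rec["console_pid"],
            rec["index"], redact_password(rec["command"])))
    print("password policy rejections seen:", count_policy_rejections(CONSOLES_OUTPUT))
```

The prefix list is deliberately small; extend ACCOUNT_PREFIXES with whatever other verbs your environment treats as sensitive. Redaction keys on the token position that "net user" uses for the password, so a command such as "net user waldo /add" is left untouched.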

Recording Your Success


Use the form below to put your name on the WINNERS PAGE.
