You suck at Memory Analysis

Of the current offensive and defensive technique arsenal, memory analysis applied to volatile memory is far from being the most explored channel. It is more common to hear about input validation attacks or attacks against protocols and cryptography, while keys, passphrases, credit card numbers and other precious artifacts are kept unsafely in memory. This analysis arises as a mine waiting to be explored, since it rests on one of the most vulnerable and unavoidable resources of any system: memory. From Java to Stuxnet, as well as Windows, and without forgetting the Cloud, I will try to show some scenarios where these techniques can be applied and their impact as a threat, and bring an important and fun subject not just to those who work in forensics but also to penetration testers like myself. Finally, I will also try to show how this can be used for defensive technologies, such as tools for monitoring and protection in networks with systems in production.

1. You suck at Memory Analysis: give it up, it’s not worth it
2. Disclaimer
   - Contents displayed such as thoughts and opinions are exclusively those of Francisco Gama Tabanez Ribeiro, the author, and do not reflect the viewpoint or policy of any of my employers.
   - You are free to use these contents for your works as well as make derived works from them as long as you keep visible and explicit references to this website in the proper place.
   - Images and references to other works within this production remain the property of their respective holders. All licenses explicitly applied to individual resources shall override this one.
3. Who?
   - Francisco da Gama Tabanez Ribeiro
   - Penetration Testing @ Portugal Telecom
   - Certificates that I don’t have: MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001, CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI, ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
4. Agenda
   - Intro: Who? Why? How? 1) Memory Acquisition 2) Memory Analysis
   - Windows: memory acquisition, process reconstitution, malware analysis
   - Java: JMX, Web
   - Breaking safes (Truecrypt)
   - Hardware: printers, cold boot attack
   - Conclusion: where next?
5. Some of the real experts here: Michael Cohen, Mike Auty, Brendan Dolan-Gavitt, Michael L. Hale, Jesse Kornblum, Harlan Carvey, Mark Russinovich, Dmitry Vostokov
6. Dinner @ RIT’s meet-up
7. Why?
   - OS & process behavioral tracing
   - app debugging & profiling
   - malware analysis (Rootkit Paradox)
   - mining raw data artifacts
   - low level monitoring
   - plays well with Social Engineering
   - supports the Cloud, VMs & mobiles
   - suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
9. 1) Memory Acquisition
10. Memory Acquisition Techniques (Software)
   - Crash Dumps
   - Hibernation files
   - Virtual Machine Imaging/Suspend
   - Physical memory device objects: Windows (`\Device\PhysicalMemory`, `\Device\DebugMemory`); Linux (`/dev/mem`, `/proc/kcore`, `/dev/crash`)
   - Live kernel debug dumps (`NtSystemDebugControl`, `NtQueryVirtualMemory`)
   - Inferential
11. Memory Acquisition Tools
   - MoonSols tools, mdd, dd
   - memdump, userdump
   - nigilant32, KNTTools, WMFT
   - Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
   - suggested reading: Tools: Memory Imaging, Forensics Wiki
13. Memory Acquisition Gotchas
   - memory images taken live may come “blurred”
   - time required increases with memory size
   - for faster scans, reduce kernel space size (/3GB switch)
   - suggested reading: Acquisition and analysis of volatile memory from android devices, Digital Investigation
15. /3GB Startup Switch in 32-bit Windows (boot.ini file)
   - Default: user space 0x00000000–0x7FFFFFFF, kernel space 0x80000000–0xFFFFFFFF
   - /3GB: user space 0x00000000–0xBFFFFFFF, kernel space 0xC0000000–0xFFFFFFFF
   - suggested reading: How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
17. Memory Acquisition Techniques (Hardware)
   - Firewire/DMA
   - PCI Card (“Tribble”)
   - Debug ports (JTAG)
   - Inferential
   - suggested reading: Tools: Memory Imaging, Forensics Wiki
19. Piezo-Acoustic iPod Hack (flickr photo by guanix)
   - iPod 4G
   - firmware dump by playing sounds
   - ARM code that can read addresses 0 through 65535
   - one sound to represent a 1 bit, another for a 0 bit
   - 64 kb file at 5 bytes/sec
   - sound recognition / error detection & correction
   - iPod-Linux project
22. 2) Memory Analysis
23. How?
   - Static
   - Dynamic
24. Memory Analysis Tools
   - Volatility
   - Memoryze
   - Windbg
   - Redline
   - Volafox
25. Volatility
   - an advanced memory forensics framework
   - extraction of digital artifacts from volatile memory (RAM) samples
   - plugin based architecture
   - major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch)
   - Python
   - suggested reading: An advanced memory forensics framework, Volatility, Google Wiki pages; Volatility, Memory Forensics, Volatile Systems
27. Windows - things you can analyze
   - processes, threads, sockets, connections, modules
   - files & DLLs loaded for each process
   - the hive (registry handles)
   - process addressable memory & executables extraction
   - OS kernel modules
   - mapping physical offsets to virtual addresses (strings to process)
   - security access tokens
   - more, much more...
28. mimikatz - getting clear text passwords in Windows (diagram: Client Application → SSPI → Digest SSP; Server: Local Security Authority SubSystem (LSASS) → LSA Server → Digest SSP Service, with the TsPkg, Wdigest and LiveSSP packages and LsaProtectMemory / LsaUnprotectMemory; mimikatz injects sekurlsa.dll into LSASS)
31. mimikatz - getting clear text passwords from Windows
   - Traitement du Kiwi - injects sekurlsa.dll (LSASS)
   - TsPkg & Wdigest store encrypted (not hashed) passwords
   - used for Kerberos, NTLM/LM, HTTP Digest authentication
   - function LsaUnprotectMemory retrieves clear text password
   - pass the word > pass the hash
32. Windows - Process reconstitution
   - OS walking (KPCR > PsActiveProcessHead > _LIST_ENTRY > _EPROCESS...) (pslist)
   - pool tags (psscan)
   - others...
33. Windows - _EPROCESS structure
   - image filename
   - process id, parent process id
   - create/exit times
   - base priority
   - exit status
   - next/prev process block
   - image base address
   - ...
   - suggested reading: struct EPROCESS, NirSoft
35. Windows - process reconstitution (diagram: PsActiveProcessHead → EPROCESS → EPROCESS → EPROCESS, each block chained through its LIST_ENTRY Flink/Blink pointers)
37. DKOM (Direct Kernel Object Manipulation) (diagram: an EPROCESS unlinked from the Flink/Blink chain); detectable by Volatility psscan plugin
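To make the pslist-versus-psscan comparison from the DKOM slide concrete, here is an added example (my code, not the author's and not Volatility's): it builds a constructed little-endian image using a toy process-block layout (the offsets and the placement of the "Proc" tag are assumptions, not the real _EPROCESS layout), unlinks one block the way DKOM does, and shows that the list walk misses it while the pool-tag scan still finds it.

```python
import struct

# Toy 32-bit little-endian process block (constructed; not the real _EPROCESS offsets):
# +0 pool tag "Proc", +4 pid (u32), +8 LIST_ENTRY {Flink, Blink} (u32 each, pointing at a
# neighbour's LIST_ENTRY), +16 ImageFileName (16 bytes, NUL padded)
TAG, LINKS_OFF, HEAD_OFF = b"Proc", 8, 0x10   # HEAD_OFF: where PsActiveProcessHead sits

def build_image(procs, hidden_pid):
    """Lay out a doubly-linked list; the hidden_pid block is unlinked DKOM-style but stays in memory."""
    image = bytearray(b"\xaa" * 0x600)
    bases = [0x100 + i * 0x100 for i in range(len(procs))]
    for base, (pid, name) in zip(bases, procs):
        image[base:base + 4] = TAG
        struct.pack_into("<I", image, base + 4, pid)
        image[base + 16:base + 32] = name.encode().ljust(16, b"\x00")
    links = [HEAD_OFF] + [b + LINKS_OFF for b, p in zip(bases, procs) if p[0] != hidden_pid]
    for i, link in enumerate(links):
        struct.pack_into("<II", image, link, links[(i + 1) % len(links)], links[i - 1])
    for i, (base, (pid, _)) in enumerate(zip(bases, procs)):
        if pid == hidden_pid:  # the unlinked block keeps stale pointers to its former neighbours
            nxt, prv = bases[(i + 1) % len(bases)], bases[i - 1]
            struct.pack_into("<II", image, base + LINKS_OFF, nxt + LINKS_OFF, prv + LINKS_OFF)
    return bytes(image)

def read_proc(image, base):
    pid, = struct.unpack_from("<I", image, base + 4)
    return pid, image[base + 16:base + 32].split(b"\x00", 1)[0].decode()

def pslist(image):
    """OS walk: follow Flink from PsActiveProcessHead until it wraps back (what pslist does)."""
    seen, out = set(), []
    flink, = struct.unpack_from("<I", image, HEAD_OFF)
    while flink != HEAD_OFF and flink not in seen and LINKS_OFF <= flink and flink + 24 <= len(image):
        seen.add(flink)  # loop guard: a corrupted or malicious list must not spin forever
        out.append(read_proc(image, flink - LINKS_OFF))
        flink, = struct.unpack_from("<I", image, flink)
    return out

def psscan(image):
    """Pool-tag carving: every block carrying the tag counts, linked or not (what psscan does)."""
    out, pos = [], image.find(TAG)
    while pos != -1:
        out.append(read_proc(image, pos))
        pos = image.find(TAG, pos + 1)
    return out

def hidden_processes(image):
    """Seen by the scanner but absent from the list walk: the DKOM tell-tale."""
    return sorted(set(psscan(image)) - set(pslist(image)))

SAMPLE = build_image([(4, "System"), (512, "lsass.exe"), (1337, "rootkit.exe"),
                      (2048, "explorer.exe")], hidden_pid=1337)
```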
38. Process hollowing
   - legitimate process loaded into memory to act as a code container
   - host process is created in a suspended mode
   - antivirus bypassing
   - meterpreter ‘-m’ flag
   - detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)
   - suggested reading: Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
   - (diagram: Process (suspended) → Process (running))
41. If in doubt, it’s an APT. @explanoit
42. Java Management Extensions (JMX)
   - monitor and manage any Java based applications
   - automatically exposed by JMX agents
   - clients like Java Visual VM can connect to it locally and remotely
   - supports MBeans
   - tools: Java Visual VM, JConsole, MAT (Eclipse), JmxCli
   - suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
46. Java Management Extensions (JMX)
   - no default port but... “statistical” guessing: 3333, 6161, 9999
   - authentication? encryption? not by default!
   - properties where you can fix that: `com.sun.management.jmxremote.port`, `com.sun.management.jmxremote.ssl`, `com.sun.management.jmxremote.authenticate`
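The three properties named on this slide, turned into a host-side check as an added example (my code, not the author's): it parses JVM command lines as `ps -eo pid,args` prints them and flags any JVM that exposes a remote JMX port without explicitly setting `authenticate` and `ssl` to `true`; the command lines are constructed, and the weak one is shown beside the corrected one.

```python
import shlex

JMX = "com.sun.management.jmxremote"

def jvm_props(cmdline):
    """Collect the -Dkey=value system properties from a JVM command line."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            props[key] = value.strip().lower()
    return props

def audit_jmx(cmdline):
    """Findings for the slide's three properties; an empty list means nothing to flag."""
    props = jvm_props(cmdline)
    port = props.get(f"{JMX}.port")
    if port is None:
        return []  # no remote JMX port configured through these properties
    findings = []
    if props.get(f"{JMX}.authenticate") != "true":
        findings.append(f"remote JMX on port {port}: {JMX}.authenticate is not explicitly true")
    if props.get(f"{JMX}.ssl") != "true":
        findings.append(f"remote JMX on port {port}: {JMX}.ssl is not explicitly true")
    return findings

def audit_ps_output(ps_lines):
    """Audit 'pid args' lines (as printed by `ps -eo pid,args`); returns {pid: findings}."""
    flagged = {}
    for line in ps_lines:
        pid, _, args = line.strip().partition(" ")
        if not pid.isdigit():
            continue  # header line such as "PID COMMAND"
        findings = audit_jmx(args)
        if findings:
            flagged[int(pid)] = findings
    return flagged

# Constructed command lines: the weak setting beside the corrected one
WEAK = ("java -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
FIXED = ("java -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true "
         "-Dcom.sun.management.jmxremote.ssl=true -jar app.jar")
PS_SAMPLE = [  # constructed ps output
    "  PID COMMAND",
    " 2201 " + WEAK,
    " 2202 " + FIXED,
    " 2203 /usr/bin/java -Dcom.sun.management.jmxremote -jar local-only.jar",
]
```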
47. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans
52. jbossify for JBoss. 2) run jbossify:

   ```
   wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py
   $ python jbossify.py
   jbossify.py <host> <port> <instance_name> [<properties to extract>]
   jbossify.py --offline <instance_folder> [<properties to extract>]   (for offline extraction)
   <properties to extract> - can be conn, dd, sql or all (default is just conn)
   conn -> ManagedConnectionFactoryProperties
   dd   -> deploymentDescriptor
   Connection Strings!
   sql  -> SqlProperties
   ```
53. demo time!
54. So, Java uses Memory... tell me you were not aware of it?
55. Truecrypt
   - Virtual Encrypted Disks
   - Partitions & storage devices
   - Parallelization & Pipelining
   - Automatic, Real-time & Transparent
   - Hardware accelerated
   - Plausible Deniability
   - Multiple platform
63. Meanwhile... in a memory chip close, close by...
64. demo time!
65. Truecrypt
   - 1) where? DRIVER_OBJECT address
   - 2) size? DriverStart to DriverStart + DriverSize
   - suggested reading: RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, by Brian Kaplan, Carnegie Mellon University
68. Truecrypt ..on a little endian architecture.. 3) what?

   ```
   $ xxd JOHN-2CF071298B-20120512-221220.raw | grep 123asd
   88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023  ....123asdASD!@#
   ```

   that’s a 12-character passphrase (0x0000000c is the passphrase length)
70. Truecrypt ..on a little endian architecture.. 3) what?
   - {length, passphrase} tuples with fingerprint: `????0000 ????????..` (length, then passphrase, then 0x00 NULs)
   - length: [1..64]
   - passphrase: ASCII printable [0x20..0x7E]
   - suggested reading: Cryptoscan plugin, Jesse Kornblum; TrueDecrypt plugin, Francisco Ribeiro
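The {length, passphrase} fingerprint from these slides, carried through as an added example (my code, not the TrueDecrypt or Cryptoscan plugin): it scans a constructed little-endian image for a 32-bit length in [1..64] followed by that many printable bytes and NUL padding, embedding the slide's own xxd bytes as one of the samples; requiring at least four trailing NULs is my assumption, made to cut false positives.

```python
import struct

PRINTABLE = range(0x20, 0x7F)   # ASCII printable [0x20..0x7E], as on the slide
MAX_LEN = 64                     # slide: length in [1..64]
MIN_TRAILING_NULS = 4            # assumption: at least this many NUL bytes follow the text

def scan_passphrases(image):
    """Return (offset, passphrase) for every tuple matching the fingerprint:
    a 32-bit little-endian length, that many printable bytes, then NUL padding."""
    hits = []
    for off in range(len(image) - 3):
        n, = struct.unpack_from("<I", image, off)
        if not 1 <= n <= MAX_LEN:
            continue  # the three high bytes must be zero, as in 0c00 0000
        text = image[off + 4:off + 4 + n]
        tail = image[off + 4 + n:off + 4 + n + MIN_TRAILING_NULS]
        if len(text) == n and all(b in PRINTABLE for b in text) and tail == bytes(MIN_TRAILING_NULS):
            hits.append((off, text.decode("ascii")))
    return hits

def xxd_line(image, off, width=16):
    """Render one xxd-style line so a hit can be eyeballed like the slide's grep output."""
    chunk = image[off:off + width]
    hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
    asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
    return f"{off:07x}: {hexpart:<39} {asc}"

# Constructed sample image: NUL filler, the slide's own bytes (length 0x0c + "123asdASD!@#"),
# a decoy tuple whose tail is not NUL padded (rejected), and a second short tuple
SAMPLE = (b"\x00" * 16
          + bytes.fromhex("0c00 0000 3132 3361 7364 4153 4421 4023") + b"\x00" * 8
          + b"\x05\x00\x00\x00abcdeXYZ" + b"\xff" * 8
          + b"\x03\x00\x00\x00abc" + b"\x00" * 8)
```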
72. Cold Boot attacks on encryption keys
   - exploits data remanence in volatile memory
   - retrieves encryption keys used to encrypt hard drives
   - Truecrypt, bitlocker, Filevault
   - suggested reading: Lest we remember: Cold Boot Attacks on Encryption Keys, Princeton University
74. MultiFunction Printers? ...store images of all scanned, copied, printed and e-mailed documents...
75. MultiFunction Printers? 1) Open it (google: “<your_MFP_model> hard drive replacement”)
79. MultiFunction Printers? 2) Analyze that: the dump reads `V..éSODX`; flipping bytes gives `é..VXDOS`: that’s BIGDOS FAT 16! 3) open Finder
   - suggested reading: Survey of Scanner and Printer Forensics, Purdue University
   - suggested reading: Forensic analysis of digital copiers, Svein Yngvar Willassen
83. does your company handle this properly?
84. STUXNET
91. STUXNET
   - source: US-Israel
   - target: Iran nuclear program
   - very sophisticated cyber warfare on SCADA
   - infection by USB thumb drive
   - exploits Siemens Simatic S7-300 PLC
   - deceives monitoring, destroys centrifuge machines
   - ~10,000 lines of code
   - suggested reading: Stuxnet’s Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
93. demo time!
94. What about searching for what you don’t know?
95. Codetective
   - an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation
   - can be used as a volatility plugin or as a generic tool
   - filters (win, unix, web, db or other) and level of confidence
   - supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, DES, RipeMD320, Whirlpool, SHA224, SHA384, SHA512, Blowfish, Java Session IDs, connection strings, Credit Cards, URLs
96. Codetective
   - relevant options: -a (analyze), -u (show UUIDs), -v (verbose mode), -t (filters), -p (search for Process ID), -n (search for process name). If neither -p nor -n is defined, it will search in all processes.
   - `git clone git://github.com/blackthorne/Codetective.git codetective`
   - suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro
98. demo time!
99. Where next?
   - Networks (Remote live forensics)
   - Mobiles
   - Virtual Machines
   - Cloud
101. GRR - remote live forensics (screenshot of the GRR console: hostname, status, age selector, volatility plugins, pslist, rawdisk)
102. Memory Analysis on the Cloud
   - with virtualization, multiple Virtual Machines share a single physical machine and expose their Volatile Memory in snapshot files (.vmem..) that are accessible from userland
   - Analyzing iOS iTunes memory allows you to retrieve iCloud credentials. Years ago, that wasn’t that serious, but now it’s not just music, is it?
   - What about Dropbox and Google accounts? How complex is your password? Does it really matter? Where is it stored?
103. My clipboard supports:
   - mixed case passwords
   - numbers
   - special characters and length > 20
104. Special thanks to: Michael Cohen, Brendan Dolan-Gavitt
105. References:
   - Tools: Memory Imaging, Forensics Wiki
   - Acquisition and analysis of volatile memory from android devices, Digital Investigation
   - struct EPROCESS, NirSoft
   - How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
   - Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
   - Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
   - RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
   - Cryptoscan plugin, Jesse Kornblum
   - TrueDecrypt plugin, Francisco Ribeiro
   - Survey of Scanner and Printer Forensics, Purdue University
   - Forensic analysis of digital copiers, Svein Yngvar Willassen
   - Stuxnet’s Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
   - codetective plugin, github @blackthorne, Francisco Ribeiro
   - Volatility - Memory Forensics, Volatile Systems
   - Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
   - An advanced memory forensics framework - Volatility, Google Wiki pages
108. Thank you. Childish won’t-let-go nickname: blackthorne. blackthorne (geek), bthorne_daily (social), francisco@ironik.org (PGP key: 0xBDD20CF1), http://www.digitalloft.org (homepage)