The latter contained a single file, memdump.raw (a physical dump of RAM).
First, the Volatility tool (available for Windows or Linux) is used to identify the origin of this RAM dump, i.e. the OS profile it was taken from:
C:\NDH2K12> volatility.exe imageinfo -f memdump.raw
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (memdump.raw)
                      PAE type : No PAE
                           DTB : 0x39000
                          KDBG : 0x8054cde0L
                          KPCR : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-05-09 11:06:48
     Image local date and time : 2012-05-09 11:06:48
          Number of Processors : 1
                    Image Type : Service Pack 3
Listing the processes that were running in RAM will guide the rest of our forensic investigation:
C:\NDH2K12> volatility pslist --profile=WinXPSP3x86 -f memdump.raw
Volatile Systems Volatility Framework 2.0
Offset(V)  Name             PID    PPID   Thds   Hnds   Time
---------- ---------------- ------ ------ ------ ------ -------------------
0x812ed020 System           4      0      55     231    1970-01-01 00:00:00
0x811cc5a0 smss.exe         368    4      3      19     2012-05-09 20:06:10
[...]
0x81129a48 PassKeep.exe     1864   1508   2      39     2012-05-09 11:06:17
0xffb22da0 PassKeep.exe     1872   1864   2      104    2012-05-09 11:06:17
0x8120cc08 svchost.exe      1972   652    5      106    2012-05-09 11:06:21
0xffb7a440 wscntfy.exe      1040   1044   1      39     2012-05-09 11:06:24
0x8113f910 alg.exe          1228   652    7      104    2012-05-09 11:06:24
0xffb43c08 DumpIt.exe       124    1508   1      25     2012-05-09 11:06:46
We then focus on PID 1872 and dump the memory contents of PassKeep.exe with the memdump plugin:
D:\NDH2K12> volatility memdump --profile=WinXPSP3x86 -f memdump.raw -p 1872 -D .
Volatile Systems Volatility Framework 2.0
************************************************************************
Writing PassKeep.exe [1872] to 1872.dmp
Searching the strings of that dump then hands us the key:
C:\NDH2K12> strings 1872.dmp > 1872.dmp.txt
[...]
admin
admin
J5XfFsmdrBkRE
http://flag.ndh2012.com
Good game
c:\program files\software by design\passkeep
[...]
All that remains is to hash the password with MD5 to score: Text: J5XfFsmdrBkRE, result: abc7d6294e04e6d6f5c4a9e1aa62370f
[Write-Up] Nuit Du Hack 2K12 - "Password Manager 2"
Category: Forensic. Score: 1500. Description: "Please recover the KeePass password from that memory dump."
The latter again contained a single file, memdump.raw (a physical dump of RAM).
Following the same approach as for "Password Manager 1", we isolate the PID of KeePassX.exe:
C:\NDH2K12> volatility pslist --profile=WinXPSP3x86 -f memdump.raw
Volatile Systems Volatility Framework 2.0
Offset(V)  Name             PID    PPID   Thds   Hnds   Time
---------- ---------------- ------ ------ ------ ------ -------------------
0x8111d020 System           4      0      51     240    1970-01-01 00:00:00
[...]
0xffa25020 KeePassX.exe     768    1584   5      364    2012-04-23 09:16:53
After dumping the process and going through its strings, we realised this time that the file was not as readable as the previous one: the interesting text is stored as 16-bit little-endian (UTF-16LE), as Windows GUI applications keep it, so plain strings skips it.
Selecting the 16-bit little-endian encoding (strings -el) makes it visible:
C:\NDH2K12> strings -el 768.dmp > 768.dmp.l.txt
This time there are several occurrences of "flag.ndh2012.com", but only one of them sits next to the password, which we must hash with MD5 to score:
http://flag.ndh2012.com
textLabel7
Tahoma 7cU6QQKCqxCoHp6ii5WrBCUzVzUGzuS5 ?\\\C:\Documents and Settings\ndh\Application Data\KeePassX\config.ini fieldname 2390
Text: 7cU6QQKCqxCoHp6ii5WrBCUzVzUGzuS5, MD5 result: e413334776721843940e04037e99971a
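As an added illustration (not part of the original write-up), the following Python script reproduces the two steps that mattered in both challenges: carving ASCII and 16-bit little-endian strings from a process dump the way strings and strings -el do, collecting the strings that follow the flag.ndh2012.com marker, and hashing a candidate with MD5. The dump bytes and the password value are constructed for this example; the real dumps and passwords are the ones shown above.

```python
import hashlib
import re

# Constructed sample: a fragment of a process dump in which the URL marker and
# the password are stored as UTF-16LE (as a Windows GUI app keeps widget text),
# while an unrelated string is plain ASCII. Values are made up for this example.
SAMPLE_DUMP = (
    b"\x00\x00admin\x00\x00"
    + "http://flag.ndh2012.com".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + "textLabel7".encode("utf-16-le")
    + b"\x00\x00"
    + "Tahoma".encode("utf-16-le")
    + b"\x00\x00"
    + "Xy9ExamplePassword".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
)

# Plain `strings`: runs of >= 4 printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# `strings -el`: printable ASCII byte followed by a NUL, repeated >= 4 times.
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Return (encoding, offset, text) tuples for both encodings, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in UTF16LE_RE.finditer(data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16-le")))
    return sorted(found, key=lambda t: t[1])


def candidates_after_marker(data: bytes, marker: str, window: int = 3):
    """Strings (any encoding) within `window` entries after each marker hit."""
    strings = extract_strings(data)
    out = []
    for i, (_, _, text) in enumerate(strings):
        if marker in text:
            out.extend(t for _, _, t in strings[i + 1:i + 1 + window])
    return out


def md5_hex(text: str) -> str:
    """Flag format used by the write-up: MD5 hex digest of the recovered password."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()
```

Running candidates_after_marker on a real memdump output against "flag.ndh2012.com" narrows a multi-megabyte dump to a handful of strings, one of which is the password to hash.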