Volatility를 이용하여 Memory Dump에서 윈도우 패스워드 찾기

우선 Volatility를 다운로드 하도록 하자. 예전 버전은 Python을 이용하여 실행하였는데 최근에 2.0 으로 버전업 되면서 Python 없이 단독으로 실행이 가능해졌다.
Volatility : https://www.volatilesystems.com/default/volatility

이제 실행해 보도록 하자. 우선 예제 메모리 덤프 파일은 아래주소에서 다운로드 하도록 하자.
예제 메모리 덤프 파일 : http://www.cfreds.nist.gov/mem/memory-images.rar

우선 '-h' 옵션으로 도움말을 보도록 하자.

D:\Security Tools\Forensic\Memory Tools\volatility-2.0.standalone>volatility.exe -h
Volatile Systems Volatility Framework 2.0
Usage: Volatility - A memory forensics analysis platform.

  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
  -d, --debug           Debug volatility
  --info                Print information about all registered objects
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
                        Directory where cache files are stored
  --no-cache            Disable caching
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  --output=text         Output in this format (format support is module
                        write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
  --dtb=DTB             DTB Address
  --cache-dtb           Cache virtual to physical mappings
  --use-old-as          Use the legacy address spaces
  -w, --write           Enable write support
                        Name of the profile to load
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space

        Supported Plugin Commands:

                bioskbd         Reads the keyboard buffer from Real Mode memory
                connections     Print list of open connections [Windows XP Only]
                connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
                crashinfo       Dump crash-dump information
                dlldump         Dump DLLs from a process address space
                dlllist         Print list of loaded dlls for each process
                driverscan      Scan for driver objects _DRIVER_OBJECT
                filescan        Scan Physical memory for _FILE_OBJECT pool allocations
                getsids         Print the SIDs owning each process
                handles         Print list of open handles for each process
                hashdump        Dumps passwords hashes (LM/NTLM) from memory
                hibinfo         Dump hibernation file information
                hivedump        Prints out a hive
                hivelist        Print list of registry hives.
                hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
                imagecopy       Copies a physical address space out as a raw DD image
                imageinfo       Identify information for the image
                inspectcache    Inspect the contents of a cache
                kdbgscan        Search for and dump potential KDBG values
                kpcrscan        Search for and dump potential KPCR values
                lsadump         Dump (decrypted) LSA secrets from the registry
                memdump         Dump the addressable memory for a process
                memmap          Print the memory map
                moddump         Dump a kernel driver to an executable file sample
                modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
                modules         Print list of loaded modules
                mutantscan      Scan for mutant objects _KMUTANT
                netscan         Scan a Vista, 2008 or Windows 7 image for connections and sockets
                patcher         Patches memory based on page scans
                printkey        Print a registry key, and its subkeys and values
                procexedump     Dump a process to an executable file sample
                procmemdump     Dump a process to an executable memory sample
                pslist          print all running processes by following the EPROCESS lists
                psscan          Scan Physical memory for _EPROCESS pool allocations
                pstree          Print process list as a tree
                sockets         Print list of open sockets
                sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
                ssdt            Display SSDT entries
                strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
                testsuite       Run unit test suit using the Cache
                thrdscan        Scan physical memory for _ETHREAD objects
                userassist      Print userassist registry keys and information
                vaddump         Dumps out the vad sections to a file
                vadinfo         Dump the VAD info
                vadtree         Walk the VAD tree and display in tree format
                vadwalk         Walk the VAD tree
                volshell        Shell in the memory image

D:\Security Tools\Forensic\Memory Tools\volatility-2.0.standalone>

이제 패스워드를 찾아 보도록 하자.

1) hivescan 옵션을 이용하여 스캔한다.

D:\Security Tools\Forensic\Memory Tools\volatility-2.0.standalone>volatility.exe hivescan -f xp-laptop-2005-07-04-1430.img
Volatile Systems Volatility Framework 2.0
Offset          (hex)
42168328        0x02837008
42195808        0x0283db60
47598392        0x02d64b38
155764592       0x0948c770
155973608       0x094bf7e8
208587616       0x0c6ecb60
208964448       0x0c748b60
234838880       0x0dff5b60
243852936       0x0e88e688
251418760       0x0efc5888
252887048       0x0f12c008
256039736       0x0f42db38
269699936       0x10134b60
339523208       0x143cb688
346659680       0x14a99b60
377572192       0x16814b60
387192184       0x17141578
509150856       0x1e590688
521194336       0x1f10cb60
523667592       0x1f368888
527756088       0x1f74eb38

2) hivelist 옵션을 이용하여 리스트를 확인합니다.

D:\Security Tools\Forensic\Memory Tools\volatility-2.0.standalone>volatility.exe hivelist -f xp-laptop-2005-07-04-1430.img --profile=WinXPSP2x86
Volatile Systems Volatility Framework 2.0
Virtual     Physical    Name
0xe2610b60  0x14a99b60  \Device\HarddiskVolume1\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578  0x17141578  \Device\HarddiskVolume1\Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008  0x0f12c008  \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888  0x0efc5888  \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688  0x0e88e688  \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60  0x0dff5b60  \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60  0x0c748b60  \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1a5a7e8  0x094bf7e8  \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe165cb60  0x0c6ecb60  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1a4f770  0x0948c770  \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1559b38  0x02d64b38  [no name]
0xe1035b60  0x0283db60  \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008  0x02837008  [no name]
0x8068d73c  0x0068d73c  [no name]

3) hashdump 옵션을 통해 hivelist에서 찾은 System 및 SAM Hive offset 값을 입력하여 확인합니다.

D:\Security Tools\Forensic\Memory Tools\volatility-2.0.standalone>volatility.exe hashdump -f xp-laptop-2005-07-04-1430.img -y 0xe1035b60 -s 0xe165cb60
Volatile Systems Volatility Framework 2.0

4) 획득한 덤프를 ophcrack이나 Cain&Abel 툴을 이용하여 크랙한다.

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다