Love My Love

Volatility and Mimikatz

2019.11.26

{% centerquote 王小波 %} All human suffering is, in essence, anger at one's own powerlessness. {% endcenterquote %}

[TOC]

ENV:

- Windows x86 (the dumps analysed below are Win7 x86)
- Python 2.7.17

# Memory dump

Capturing a memory dump with third-party software. For a physical machine, the following tools are commonly used to capture a memory dump:

- KnTTools
- F-Response
- Mandiant Memoryze
- HBGary FastDump
- MoonSols Windows Memory Toolkit
- AccessData FTK Imager
- EnCase/WinEn
- Belkasoft Live RAM Capturer
- ATC-NY Windows Memory Reader
- Winpmem
- Win32dd/Win64dd
- DumpIt

## DumpIt

Dump memory with DumpIt, which you can download from https://my.comae.io. Run it elevated on the target; the file it writes (win7.raw in the commands below) is what you hand to Volatility with -f.

# Volatility

- https://github.com/volatilityfoundation/volatility
- https://github.com/volatilityfoundation/volatility3
- https://github.com/volatilityfoundation/volatility/wiki/Installation

## Clone it

Download it from https://www.volatilityfoundation.org/26, or, as I recommend, clone the Volatility 2 tree. The mimikatz plugin used below is a Volatility 2 plugin; it does not load in volatility3.

```cmd
git clone https://github.com/volatilityfoundation/volatility.git
```

## Dependencies

pyinstaller is only needed if you want a standalone volatility.exe; the second command builds it from the pyinstaller.spec shipped in the repository root:

```cmd
py -2 -m pip install pyinstaller
C:\Python27\Scripts\pyinstaller.exe -F pyinstaller.spec
```

- construct (imported by the mimikatz plugin):

```cmd
pip install construct
```

If the plugin fails to import with a current construct release, it was written against the older 2.5 API; the version usually pinned for it is `pip install construct==2.5.5-reupload`. pycrypto (the `Crypto` package) is also needed, both by Volatility's own registry/lsadump code and by the plugin's AES/3DES decryption of the LSA keys.

## Usage

### mimikatz plugin

```cmd
git clone https://github.com/volatilityfoundation/volatility.git
```

Download mimikatz.py from https://github.com/RealityNet/hotoloti/blob/master/volatility/mimikatz.py (save the raw file, not the rendered GitHub page) into ./volatility/plugins/.

```cmd
# Get the profile
volatility.exe -f win7.raw imageinfo
# Dump credentials with the plugin
volatility.exe -f win7.raw --profile=Win7SP0x86 mimikatz
# Get pslist and find lsass' PID (the first number after `lsass.exe`)
volatility.exe -f win7.raw --profile=Win7SP0x86 pslist | findstr "lsass"
```

# Study logs

## About lsass.exe

The security packages living in lsass.exe, and the module each one's secrets are carved from (the signatures below are searched inside these modules):

- LSA - [lsass.exe entry]: lsasrv.dll
- Msv - [LM, NTLM, SHA1]: lsasrv.dll
- Wdigest - [password]: wdigest.dll
- Kerberos: kerberos.dll
- Tspkg: TSpkg.dll
- SSP: msv1_0.dll
- LiveSsp: livessp.dll
- Dpapi: dpapisrv.dll or lsasrv.dll

Modules loaded in lsass.exe, as enumerated from the dump (73 entries; three have an empty name):
00:'lsass.exe'
01:'ntdll.dll'
02:'kernel32.dll'
03:'KERNELBASE.dll'
04:'msvcrt.dll'
05:'RPCRT4.dll'
06:'SspiSrv.dll'
07:'lsasrv.dll'
08:'sechost.dll'
09:'SspiCli.dll'
10:'ADVAPI32.dll'
11:'USER32.dll'
12:'GDI32.dll'
13:'LPK.dll'
14:'USP10.dll'
15:'SAMSRV.dll'
16:'cryptdll.dll'
17:'MSASN1.dll'
18:'wevtapi.dll'
19:'IMM32.DLL'
20:'MSCTF.dll'
21:'cngaudit.dll'
22:'AUTHZ.dll'
23:'ncrypt.dll'
24:'bcrypt.dll'
25:'msprivs.DLL'
26:'netjoin.dll'
27:'bcryptprimitives.dll'
28:'negoexts.DLL'
29:'Secur32.dll'
30:'cryptbase.dll'
31:'kerberos.DLL'
32:'CRYPTSP.dll'
33:'WS2_32.dll'
34:'NSI.dll'
35:'mswsock.dll'
36:'wship6.dll'
37:''
38:'netlogon.DLL'
39:''
40:'logoncli.dll'
41:'schannel.DLL'
42:''
43:'wdigest.DLL'
44:'rsaenh.dll'
45:'tspkg.DLL'
46:'pku2u.DLL'
47:'RpcRtRemote.dll'
48:'efslsaext.dll'
49:'scecli.DLL'
50:'credssp.dll'
51:'WINSTA.dll'
52:'IPHLPAPI.DLL'
53:'WINNSI.DLL'
54:'netutils.dll'
55:'wkscli.dll'
56:'USERENV.dll'
57:'profapi.dll'
58:'wshtcpip.dll'
59:'dssenh.dll'
60:'GPAPI.dll'
61:'cryptnet.dll'
62:'WLDAP32.dll'
63:'SHLWAPI.dll'
64:'SensApi.dll'
65:'WINHTTP.dll'
66:'webio.dll'
67:'dhcpcsvc6.DLL'
68:'dhcpcsvc.DLL'
69:'ole32.dll'
70:'CFGMGR32.dll'
71:'rasadhlp.dll'
72:'fwpuclnt.dll'
__len__:73

## How to find the signatures?

I found them in https://github.com/skelsec/pypykatz/tree/master/pypykatz/lsadecryptor/packages

### msv templates

| Target Windows version | Signature |
|---|---|
| XP ~ 2k3 | `b'\x4c\x8b\xdf\x49\xc1\xe3\x04\x48\x8b\xcb\x4c\x03\xd8'` |
| 2k3 ~ Vista | `b'\x4c\x8b\xdf\x49\xc1\xe3\x04\x48\x8b\xcb\x4c\x03\xd8'` |
| Vista ~ Win7 | `b'\x33\xff\x45\x85\xc0\x41\x89\x75\x00\x4c\x8b\xe3\x0f\x84'` |
| Win7 ~ Win8 | `b'\x33\xf6\x45\x89\x2f\x4c\x8b\xf3\x85\xff\x0f\x84'` |
| Win8 ~ Win_Blue | `b'\x33\xff\x41\x89\x37\x4c\x8b\xf3\x45\x85\xc0\x74'` |
| Win_Blue ~ WIN_10_1507 | `b'\x8b\xde\x48\x8d\x0c\x5b\x48\xc1\xe1\x05\x48\x8d\x05'` |
| WIN_10_1507 ~ WIN_10_1703 | `b'\x33\xff\x41\x89\x37\x4c\x8b\xf3\x45\x85\xc0\x74'` |
| WIN_10_1703 ~ WIN_10_1803 | `b'\x33\xff\x45\x89\x37\x48\x8b\xf3\x45\x85\xc9\x74'` |
| WIN_10_1803 ~ WIN_10_1903 | `b'\x33\xff\x41\x89\x37\x4c\x8b\xf3\x45\x85\xc9\x74'` |
| WIN_10_1903 | `b'\x33\xff\x41\x89\x37\x4c\x8b\xf3\x45\x85\xc0\x74'` |

Two caveats. These are the x64 templates (note the REX prefixes 0x48/0x49/0x4c/0x41/0x45 throughout); pypykatz keeps a separate x86 table with different byte strings, and an x86 dump like the one in this post needs those. And the signature is only the anchor: each template also carries per-build offsets from the match to the RIP-relative references of LogonSessionList and LogonSessionListCount in lsasrv.dll, which is how mimikatz and pypykatz get from a byte pattern to the credential list.

## Get Credman

Reference: the mimikatz wiki page "howto ~ credential manager saved credentials".

1. Collect the credential blobs and the user's DPAPI master keys from the target (the Protect folder holds the master key files the blobs refer to):

```cmd
xcopy /h /i /s %appdata%\Microsoft\Credentials .\test\AppDataCredentials
xcopy /h /i /s %localappdata%\Microsoft\Credentials .\test\localAppDataCredentials
xcopy /h /i /s %appdata%\Microsoft\Protect .\test\AppDataProtect
```

2. Analyze locally. Without a master key, `dpapi::cred` only parses the blob; nothing is decrypted yet:

```cmd
mimikatz.exe "dpapi::cred /in:C:\\Users\\snow\\credman\\AppDataCredentials\\042450E3F8E1A3F429E61FE2963AA249" "exit"
```

Return:

```text
  .#####.   mimikatz 2.2.0 (x86) #18362 Aug 14 2019 01:31:19
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # dpapi::cred /in:C:\\Users\\snow\\credman\\AppDataCredentials\\042450E3F8E1A3F429E61FE2963AA249
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {dc7aadf6-32ff-4aca-a053-80df0e637e00}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : 1071acb779a51788ab4f9bc7acc34ec8881b52608c931a4bc6a08b5dbae8f9ba
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : 308761fa960dbd4d7f4ee788d44117a7b823b35092df3683e7023672cf551ef0
  dwDataLen          : 000000d0 - 208
  pbData             : 599b8ddcf80b900c90df0fe02dd31102a5e327b0967ba9d716cf5f5ffd605abaf6c9712ab9b87b8e873706b74e75d92b0c060c9572883fc5952210c0571057529022cc01ceda17e94577ac39339af3efff54c75a47c6d8a32af6f96681d19bf2f0878f16ca78e7105cdff37391c55bf80ad6f331a38bb995c8128c69d38e7988b59104e535e7cc33e1d6f487c26abe63eee8bec3dfce368dd470324b6c7623d89b42afe3ce933eee3d9998a104c35c065002968dd458ca7ecdea32fb7b44820bee867be744b2b36a23107dda01c44ee1
  dwSignLen          : 00000040 - 64
  pbSign             : 6beb703e4a1c1b76c0a084f90199217ab4744e7ff5ff261330ab45a9b987e20e50d6e899f0cc90c4769aa06fd054d4866b61d9ec341b6fd9a03e7d60fe6fee27


mimikatz(commandline) # exit
Bye!
```
3. Note the important fields:
   - dwFlags : 20000000 - 536870912 (system ; )
   - guidMasterKey : {dc7aadf6-32ff-4aca-a053-80df0e637e00}; this names the master key file (the same GUID, without braces) inside the %appdata%\Microsoft\Protect\<SID>\ folder copied in step 1. That master key, once decrypted, is what unlocks pbData.
4. Decrypt:
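The fields mimikatz prints above are the DPAPI BLOB header, in exactly that order. The parser below is added here as an example (it is not mimikatz's code or part of the original post): it walks a bare blob in that order and returns the two values step 3 cares about. It takes the blob itself; `dpapi::cred` first strips the credential file's own short header before reaching the blob, which this code does not handle. The sample input is constructed with `build_dpapi_blob()` from the GUIDs, flags, algorithms and description shown above, with filler bytes in place of the real salt, keys, ciphertext and signature. Python 3.

```python
import struct
import uuid

CRYPTPROTECT_SYSTEM = 0x20000000   # the "system" bit mimikatz prints for dwFlags
ALG_NAMES = {0x6610: 'CALG_AES_256', 0x800e: 'CALG_SHA_512'}


def guid_to_str(raw16):
    """Decode a 16-byte mixed-endian Windows GUID into {xxxxxxxx-xxxx-...} text."""
    return '{%s}' % uuid.UUID(bytes_le=bytes(raw16))


def guid_from_str(text):
    return uuid.UUID(text.strip('{}')).bytes_le


def parse_dpapi_blob(buf):
    """Walk a DPAPI BLOB in the field order mimikatz's dpapi::cred prints it."""
    pos = 0

    def u32():
        nonlocal pos
        (v,) = struct.unpack_from('<I', buf, pos)
        pos += 4
        return v

    def raw(n):
        nonlocal pos
        chunk = bytes(buf[pos:pos + n])
        if len(chunk) != n:
            raise ValueError('truncated blob at offset %d' % pos)
        pos += n
        return chunk

    blob = {}
    blob['dwVersion'] = u32()
    blob['guidProvider'] = guid_to_str(raw(16))
    blob['dwMasterKeyVersion'] = u32()
    blob['guidMasterKey'] = guid_to_str(raw(16))
    blob['dwFlags'] = u32()
    blob['szDescription'] = raw(u32()).decode('utf-16-le').rstrip('\x00')
    blob['algCrypt'] = u32()
    blob['dwAlgCryptLen'] = u32()       # key length in bits (256 for AES-256)
    blob['pbSalt'] = raw(u32())
    blob['pbHmacKey'] = raw(u32())
    blob['algHash'] = u32()
    blob['dwAlgHashLen'] = u32()        # 512 for SHA-512
    blob['pbHmac2Key'] = raw(u32())
    blob['pbData'] = raw(u32())         # the encrypted credential
    blob['pbSign'] = raw(u32())         # HMAC over the blob
    if pos != len(buf):
        raise ValueError('%d trailing bytes after pbSign' % (len(buf) - pos))
    return blob


def master_key_file_name(blob):
    """The master key protecting this blob lives in a file named after
    guidMasterKey, without braces, under %appdata%\\Microsoft\\Protect\\<SID>\\
    (the folder copied in step 1). That file is what dpapi::masterkey needs next."""
    return blob['guidMasterKey'].strip('{}')


def build_dpapi_blob(master_key_guid, flags, description, salt, hmac2_key, data, sign,
                     provider='{df9d8cd0-1501-11d1-8c7a-00c04fc297eb}',
                     alg_crypt=0x6610, alg_crypt_len=256, alg_hash=0x800e, alg_hash_len=512):
    """Serialise a blob in the same layout; used here only to construct test input."""
    def lv(b):
        return struct.pack('<I', len(b)) + b
    desc = description.encode('utf-16-le') + b'\x00\x00'
    return (struct.pack('<I', 1) + guid_from_str(provider)
            + struct.pack('<I', 1) + guid_from_str(master_key_guid)
            + struct.pack('<I', flags) + lv(desc)
            + struct.pack('<II', alg_crypt, alg_crypt_len) + lv(salt) + lv(b'')
            + struct.pack('<II', alg_hash, alg_hash_len) + lv(hmac2_key)
            + lv(data) + lv(sign))


# Constructed sample: the GUIDs, flags and description from the mimikatz output
# above, with filler bytes standing in for the real salt/key/ciphertext/signature.
SAMPLE_BLOB = build_dpapi_blob(
    '{dc7aadf6-32ff-4aca-a053-80df0e637e00}', CRYPTPROTECT_SYSTEM,
    'Enterprise Credential Data',
    salt=bytes(range(32)), hmac2_key=b'\x11' * 32, data=b'\x22' * 208, sign=b'\x33' * 64)


if __name__ == '__main__':
    b = parse_dpapi_blob(SAMPLE_BLOB)
    print('guidMasterKey :', b['guidMasterKey'], '-> master key file', master_key_file_name(b))
    print('dwFlags       : %08x%s' % (b['dwFlags'], ' (system)' if b['dwFlags'] & CRYPTPROTECT_SYSTEM else ''))
    print('algCrypt/Hash :', ALG_NAMES.get(b['algCrypt']), ALG_NAMES.get(b['algHash']))
```

The length checks matter when triaging copied files: a blob that stops short inside pbData or pbSign is a truncated xcopy, not something a master key will fix.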

## volatility usage

If you installed it via apt-get or downloaded the executable:

```cmd
volatility -f WIN7.raw imageinfo  # OS / profile information
volatility -f WIN7.raw --profile=Win7SP0x86 pslist  # list processes
volatility -f WIN7.raw --profile=Win7SP0x86 hivelist  # registry hives cached in memory, with their virtual addresses
volatility -f WIN7.raw --profile=Win7SP0x86 hivedump -o <hive virtual address>  # dump one hive; -o takes an address printed by hivelist
volatility -f WIN7.raw --profile=Win7SP0x86 printkey -K "SAM\Domains\Account\Users\Names"  # which users exist in the SAM
volatility -f WIN7.raw --profile=Win7SP0x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  # last logged-on user
```

If you cloned the source: to see the available options, run `python vol.py -h` or `python vol.py --info`. imageinfo often suggests several profiles (Win7SP0x86 and Win7SP1x86 both appear in this post); if a plugin returns nothing, retry with the next suggested profile before suspecting the plugin.

```cmd
python vol.py --plugins=volatility/plugins --profile=Win7SP1x86 -f C:\test\win7.raw pslist  # find lsass.exe's PID -> 568 here
python vol.py --plugins=volatility/plugins --profile=Win7SP1x86 -f C:\test\win7.raw memdump -p 568 -D c:\test
python vol.py --plugins=volatility/plugins --profile=Win7SP1x86 -f C:\test\win7.raw mimikatz
# the same invocation with absolute paths:
python C:\Users\Notebook\Git\python\vol_mimikatz\volatility\vol.py --plugins=C:\Users\Notebook\Git\python\vol_mimikatz\volatility\volatility\plugins --profile=Win7SP1x86 -f C:\test\win7.raw mimikatz
```
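The three-step procedure above (imageinfo for the profile, pslist for lsass's PID, memdump of that PID) is worth scripting, and the "first number after lsass.exe" rule deserves one extra check: a process merely named lsass.exe is not lsass. The helper below is an added example, not part of Volatility or the original post; it parses Volatility 2's text output and picks the lsass.exe that runs in session 0 under wininit.exe (Vista and later; on XP the parent is winlogon.exe), so a decoy lsass.exe started from explorer.exe is reported instead of dumped. Both output samples are constructed in Volatility 2's format, not taken from a real dump. Python 3.

```python
import re

# Constructed sample output in Volatility 2's text format (not from a real dump).
IMAGEINFO_SAMPLE = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86 (Instantiated with Win7SP1x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (win7.raw)
"""

PSLIST_SAMPLE = """Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84a4c030 System                    4      0     84      513 ------      0 2019-11-26 03:12:01 UTC+0000
0x85b1d2a0 wininit.exe             444    368      3       75      0      0 2019-11-26 03:12:04 UTC+0000
0x85c3b2f8 lsass.exe               568    444      7      676      0      0 2019-11-26 03:12:05 UTC+0000
0x86a1f030 explorer.exe           1880   1852     24      812      1      0 2019-11-26 03:13:10 UTC+0000
0x85c9e4d8 lsass.exe              1932   1880      3       55      1      0 2019-11-26 03:20:41 UTC+0000
"""


def suggested_profiles(imageinfo_text):
    """Profiles imageinfo suggests, in its order; the first is not always the right one."""
    m = re.search(r'Suggested Profile\(s\)\s*:\s*(.+)', imageinfo_text)
    if not m:
        return []
    names = re.sub(r'\(.*\)', '', m.group(1))          # drop "(Instantiated with ...)"
    return [p.strip() for p in names.split(',') if p.strip()]


def processes(pslist_text):
    """(name, pid, ppid, session) for every data row of pslist output."""
    rows = []
    for line in pslist_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith('0x'):
            continue                                    # banner, header, separator
        rows.append((parts[1], int(parts[2]), int(parts[3]), parts[6]))
    return rows


def lsass_candidates(pslist_text):
    """Every PID named lsass.exe. More than one is itself a finding."""
    return [pid for name, pid, _, _ in processes(pslist_text) if name.lower() == 'lsass.exe']


def real_lsass(pslist_text):
    """The PID to memdump: lsass.exe in session 0 whose parent is wininit.exe."""
    procs = processes(pslist_text)
    name_of = {pid: name for name, pid, _, _ in procs}
    hits = [pid for name, pid, ppid, sess in procs
            if name.lower() == 'lsass.exe' and sess == '0'
            and name_of.get(ppid, '').lower() == 'wininit.exe']
    if len(hits) != 1:
        raise ValueError('expected exactly one lsass.exe under wininit.exe in session 0, got %r' % hits)
    return hits[0]


def memdump_command(vol, plugins_dir, profile, dump, pid, out_dir):
    """argv for the memdump step above; vol is e.g. ['python', 'vol.py'] or ['volatility.exe']."""
    return list(vol) + ['--plugins=' + plugins_dir, '--profile=' + profile, '-f', dump,
                        'memdump', '-p', str(pid), '-D', out_dir]


if __name__ == '__main__':
    profile = suggested_profiles(IMAGEINFO_SAMPLE)[0]
    pid = real_lsass(PSLIST_SAMPLE)
    print('lsass.exe candidates:', lsass_candidates(PSLIST_SAMPLE), '-> dumping', pid)
    print(' '.join(memdump_command(['python', 'vol.py'], 'volatility/plugins', profile,
                                   r'C:\test\win7.raw', pid, r'c:\test')))
```

Feed real output in with `subprocess.run([...], capture_output=True, text=True).stdout`; the parsers only depend on the column layout pslist has printed since Volatility 2.x, and the extra lsass.exe in the sample is exactly the kind of thing `findstr "lsass"` hides when you take the first hit.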