
Rekalling the times I played with Windows

The more you learn about Information Security, the more you learn about how insecure things are: from the personal devices you are supposed to protect, to the devices in our environment. I remember reading my CompTIA Sec+ book back when I was a youngling, and a story in there described a raid where a hacker took a shotgun and shot his hard drive before the Feds grabbed him and separated him from his computer.


 I'm aware this isn't a shotgun, but it's Riza Hawkeye, who's bad-fucking-ass


Another reason the Feds separate hackers from their computers is that RAM holds valuable information for as long as the computer is on. That information includes passwords, visited websites, and other types of what forensics people call 'artifacts'.

A few of the artifacts one can acquire from a memory acquisition. (Slide by Benjamin Caudill)

After playing around with some Reverse Engineering challenges, I've been wanting to get deeper and deeper. Down the rabbit hole we go.

The Tools:
Rekall Memory Forensic Framework (github)
Volatility
 

A few days ago, I wanted to see if I could take an image of my RAM. The test would be conducted on my Macbook Air, so I looked for tools to do this. Rekall, created by Google, has a tool called osxpmem which will take an image of your RAM. I wrote a script to make this a bit easier. Root privileges ARE required. Jonathon Poling goes deeper into how to do this in his terrific article.


#!/bin/sh
# Acquire a RAM image on macOS with osxpmem (root privileges required)
set -e

# Create directories
mkdir -p /tmp/mem/Memory_Captures

# Takes us to our work env
cp osxpmem_2.0.1.zip /tmp/mem
cd /tmp/mem
unzip osxpmem_2.0.1.zip

# Required to use the utilities: the kernel extension only loads when owned by root:wheel
sudo chown -R root:wheel osxpmem.app/

# Acquire physical memory into an AFF4 container, then export the raw /dev/pmem stream
sudo osxpmem.app/osxpmem -o Memory_Captures/mem.aff4
sudo osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4

# Unload our kernel extension
sudo osxpmem.app/osxpmem -u

I posted my code on Github for your convenience and for the commits. No shame in my commit game.



I sent this to Rekall and got some problems with profiles. More learning!
Profiles are...*research*


A Mac profile includes the structure definitions for the specific kernel version as well as the addresses of important global variables used in analysis
— The Art of Memory Forensics (pg.784)


Since Mac profiles are pretty big, they aren't included with the standard volatility installs; some are located on their github. Rekall has profiles on its github as well. This is kinda what it looks like when you don't have the correct profile.


[Screenshot: Rekall's output when the matching profile is missing]

So, I put my Mac image down, and picked up the other computer next to me: a family member's Windows 7 computer. Just like I'm sure the rest of you do, I had reinstalled the OS for my family, because studying Computer Science apparently means I can remove the malware and spyware you got installed from just doing "normal computer stuff". =] I set a login password, and wanted to take an image of a Windows computer and see if I could get the login password from it!

Initially, I was worried that taking an image might be difficult, or that I'd have to dive pretty deep into a tool to figure out the password. I am very grateful for the heroes and heroines that took on this frontier.
"If I have seen further than others, it is by standing upon the shoulders of giants." - Newton.
I accomplished this goal with 2 lines. But first, the image.

1. Get winpmem (at the time of writing, winpmem-2.1.post4.exe)
2. Open up cmd.exe as Administrator (Right-Click and click Run as Administrator)
3. winpmem -o Win7Image.aff4



Got RAM?! YEAH BITCH!
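Before feeding an image to Rekall, it is worth confirming that the capture really is an AFF4 volume and finding the stream name the tools expect (the /dev/pmem passed to `-e` in the Mac script above; a winpmem container is checked the same way, since both write AFF4). The script below is an added example, not code from this post or from the pmem/Rekall projects. It assumes only AFF4's documented layout (a ZIP container with an `information.turtle` metadata member, where the memory stream carries the `memory/physical` category), and the container it inspects is constructed in memory, not a real capture.

```python
import io
import re
import zipfile

PHYSICAL = "http://aff4.org/Schema#memory/physical"

# Constructed sample metadata, shaped like what osxpmem writes (stream /dev/pmem,
# as in the -e /dev/pmem export step). Not real tool output.
SAMPLE_TURTLE = """@prefix aff4: <http://aff4.org/Schema#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

<aff4://0d2b1f2e-example/dev/pmem>
    aff4:category <http://aff4.org/Schema#memory/physical> ;
    aff4:stored <aff4://0d2b1f2e-example> ;
    rdf:type aff4:ImageStream .

<aff4://0d2b1f2e-example/dev/pmem/log>
    aff4:category <http://aff4.org/Schema#memory/log> ;
    rdf:type aff4:ImageStream .
"""


def build_sample_container() -> bytes:
    """Build a tiny AFF4-style ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("information.turtle", SAMPLE_TURTLE)
        zf.writestr("dev/pmem/00000000", b"\x00" * 4096)  # stand-in chunk data
    return buf.getvalue()


def list_streams(container: bytes) -> dict:
    """Map each stream URN in information.turtle to its aff4:category."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        if "information.turtle" not in zf.namelist():
            raise ValueError("not an AFF4 volume: information.turtle missing")
        turtle = zf.read("information.turtle").decode()
    streams = {}
    for block in re.split(r"\n\s*\n", turtle):  # one subject per block
        subj = re.match(r"\s*<([^>]+)>", block)
        cat = re.search(r"aff4:category\s+<([^>]+)>", block)
        if subj and cat:
            streams[subj.group(1)] = cat.group(1)
    return streams


def physical_memory_streams(container: bytes) -> list:
    """Streams tagged memory/physical: the name to give osxpmem -e / Rekall."""
    return [u for u, c in list_streams(container).items() if c == PHYSICAL]
```

On a real capture, replace `build_sample_container()` with the bytes of your .aff4 file; a missing `information.turtle` or an empty result from `physical_memory_streams` means the problem is the image, not Rekall's profiles.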

Alright, so now let's open it up in Rekall.
Rekall is very well documented on how to setup their environment.

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall

https://github.com/google/rekall

If you don't have virtualenv, run sudo pip install virtualenv.

Assuming you got it installed, check it out:

[Screenshot: the Win7Image.aff4 image loaded into Rekall]

We got it loaded in! Now what are those two lines? Well, loading was one of them. Now use the plugin mimikatz.

[Screenshot: output of the mimikatz plugin]

Profit.

If you have any questions, please feel free to contact me, as I wrote this pretty late and ran through it quickly!
Quickest would be Twitter. Send me more things to play with, or correct me if I'm wrong! Until next time hackers!


Chris Magistrado