Created April 14, 2019 06:19
volatility
Get image profile
root@kali:/tmp# volatility -f investigate_this.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
...
Get running processes
root@kali:/tmp# volatility -f investigate_this.raw --profile=Win7SP1x86 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
...
. 0x84d81760:lsass.exe 464 360 8 828 2019-04-03 16:22:25 UTC+0000
. 0x84d83b00:lsm.exe 472 360 13 243 2019-04-03 16:22:25 UTC+0000
0x83db6908:System 4 0 85 526 2019-04-03 16:22:18 UTC+0000
. 0x84c38020:smss.exe 236 4 3 32 2019-04-03 16:22:20 UTC+0000
0x83f78b50:explorer.exe 2036 1148 30 833 2019-04-03 09:02:43 UTC+0000
. 0x8462fd28:VBoxTray.exe 1676 2036 11 136 2019-04-03 09:02:44 UTC+0000
0x8591dd28:winlogon.exe 2628 2016 5 97 2019-04-03 09:09:18 UTC+0000
. 0x8568d870:Utilman.exe 2940 2628 1 27 2019-04-03 09:09:19 UTC+0000
.. 0x83fce030:nc.exe 984 2940 1 23 2019-04-03 09:10:08 UTC+0000
. 0x84656b18:LogonUI.exe 2948 2628 9 184 2019-04-03 09:09:18 UTC+0000
...
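The tree above is what makes nc.exe stand out: it was spawned by Utilman.exe, which winlogon.exe started from the logon screen. The following Python is an added example (not part of the gist) that parses Volatility pstree output and flags any child of Utilman.exe that is not one of the accessibility tools it normally launches; the sample lines are a subset copied from the pstree output above, and the allowlist of expected children is an assumption.

```python
import re

# One pstree row: optional depth dots, offset:name, Pid, PPid, then the remaining columns.
PSTREE_LINE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+")

# Subset of the gist's pstree output, embedded here so the example runs offline.
SAMPLE_PSTREE = """\
0x83f78b50:explorer.exe 2036 1148 30 833 2019-04-03 09:02:43 UTC+0000
. 0x8462fd28:VBoxTray.exe 1676 2036 11 136 2019-04-03 09:02:44 UTC+0000
0x8591dd28:winlogon.exe 2628 2016 5 97 2019-04-03 09:09:18 UTC+0000
. 0x8568d870:Utilman.exe 2940 2628 1 27 2019-04-03 09:09:19 UTC+0000
.. 0x83fce030:nc.exe 984 2940 1 23 2019-04-03 09:10:08 UTC+0000
. 0x84656b18:LogonUI.exe 2948 2628 9 184 2019-04-03 09:09:18 UTC+0000
"""

# Assumed allowlist: tools Utilman.exe legitimately starts from the logon screen.
EXPECTED_UTILMAN_CHILDREN = {"osk.exe", "magnify.exe", "narrator.exe"}

def parse_pstree(text):
    """Return {pid: (image name, ppid)} for every row that matches the pstree layout."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_LINE.match(line)
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]))
    return procs

def ancestry(procs, pid):
    """Image names from pid up to the first parent missing from the table (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain

def find_utilman_abuse(procs):
    """Children of Utilman.exe that are not accessibility tools, with their parent chain."""
    findings = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid, ("<unknown>", 0))[0]
        if parent.lower() == "utilman.exe" and name.lower() not in EXPECTED_UTILMAN_CHILDREN:
            findings.append((pid, " <- ".join(ancestry(procs, pid))))
    return findings
```

Run the same check over the full pstree output of an image to list every process that reached the system through the logon-screen accessibility path.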
Get open handles of nc.exe (suspicious process)
root@kali:/tmp# volatility -f investigate_this.raw --profile=Win7SP1x86 handles -p 984
Volatility Foundation Volatility Framework 2.6
Offset(V) Pid Handle Access Type Details
0x90930e38 984 0x4 0x3 Directory KnownDlls
0x85776ab8 984 0x8 0x120196 File \Device\HarddiskVolume1\Windows\temp\APP-DATA-2
0x8462b038 984 0xc 0x100020 File \Device\HarddiskVolume1\Users\Public\Pictures\Sample Pictures
0x84633ae0 984 0x10 0x1f0003 Event
0x857b9980 984 0x14 0x1f0001 ALPC Port
0x8578b150 984 0x18 0x1f0001 ALPC Port
...
Look for the APP-DATA* files (they live in %TEMP%, which is suspicious)
root@kali:/tmp# volatility -f investigate_this.raw --profile=Win7SP1x86 filescan | grep APP-DATA
Volatility Foundation Volatility Framework 2.6
0x000000001e576ab8 2 2 -W-r-- \Device\HarddiskVolume1\Windows\temp\APP-DATA-2
0x000000001e58e458 7 0 R--rwd \Device\HarddiskVolume1\Windows\temp\APP-DATA-1
0x000000001f453358 7 0 R--rw- \Device\HarddiskVolume1\Windows\temp\APP-DATA-0
Extract the APP-DATA-0, APP-DATA-1 and APP-DATA-2 files
root@kali:/tmp# volatility -f investigate_this.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001e576ab8,0x000000001e58e458,0x000000001f453358 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e576ab8 None \Device\HarddiskVolume1\Windows\temp\APP-DATA-2
SharedCacheMap 0x1e576ab8 None \Device\HarddiskVolume1\Windows\temp\APP-DATA-2
DataSectionObject 0x1e58e458 None \Device\HarddiskVolume1\Windows\temp\APP-DATA-1
DataSectionObject 0x1f453358 None \Device\HarddiskVolume1\Windows\temp\APP-DATA-0
root@kali:/tmp# file *
file.None.0x83fa0ec8.dat: RAR archive data, v5
file.None.0x83fb41d8.dat: RAR archive data, v5
file.None.0x84621520.vacb: data
file.None.0x84eb51c8.dat: RAR archive data, v5
investigate_this.raw: data
Rename the extracted files to *.rar
root@kali:/tmp# mv file.None.0x83fa0ec8.dat a.rar
root@kali:/tmp# mv file.None.0x83fb41d8.dat b.rar
root@kali:/tmp# mv file.None.0x84eb51c8.dat c.rar
Get information about the .rar files
root@kali:/tmp# unrar l a.rar
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Archive: a.rar
Details: RAR 5, volume 1
Attributes Size Date Time Name
..A.... 20987904 2019-04-02 05:18 ntds.dit
20987904 1
root@kali:/tmp# unrar l b.rar
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Archive: b.rar
Details: RAR 5, volume 3
Attributes Size Date Time Name
..A.... 10223616 2019-04-02 05:18 SYS
0 0
root@kali:/tmp# unrar l c.rar
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Archive: c.rar
Details: RAR 5, volume 2
Attributes Size Date Time Name
..A.... 20987904 2019-04-02 05:18 ntds.dit
..A.... 10223616 2019-04-02 05:18 SYS
10223616 1
Rename the files to the multi-volume .rar convention (part01, part02, ...), taking the order from the "Details: RAR 5, volume X" line of the previous listings, then extract
root@kali:/tmp# mv a.rar file.rar.part01
root@kali:/tmp# mv c.rar file.rar.part02
root@kali:/tmp# mv b.rar file.rar.part03
root@kali:/tmp# unrar x file.rar.part01
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Extracting from file.rar.part01
Extracting ntds.dit 45%
Extracting from file.rar.part02
... ntds.dit OK
Extracting SYS 90%
Extracting from file.rar.part03
... SYS OK
All OK
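The ordering step above relies on the "volume X" line that unrar prints, which works only once the carved files are intact enough for unrar to parse. As an added example (not part of the gist), the Python below reads the same information straight from the RAR5 main archive header: the archive flags say whether the file is a volume, and the optional volume-number field (absent on the first volume, 1 on the second, and so on) gives its position. It also checks the header CRC32, so a truncated carve is reported instead of silently mis-ordered. `make_volume` builds constructed sample headers for testing; the names a.rar, b.rar and c.rar mirror the gist.

```python
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"           # 8-byte RAR 5.x signature
HEAD_MAIN, HFLAG_EXTRA = 1, 0x0001            # main archive header type; "extra area present" flag
AFLAG_VOLUME, AFLAG_VOLNUM = 0x0001, 0x0002   # archive flags: multi-volume; volume number field

def read_vint(buf, pos):  # RAR5 vint: 7 data bits per byte, low bits first, high bit = continue
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def write_vint(n):  # inverse of read_vint, used only to build the constructed samples
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def rar5_volume_index(data):  # 1-based volume index, or None if not a RAR5 multi-volume part
    if not data.startswith(RAR5_SIG):
        return None
    stored_crc = int.from_bytes(data[8:12], "little")      # header CRC32 follows the signature
    head_size, pos = read_vint(data, 12)
    if zlib.crc32(data[12:pos + head_size]) != stored_crc:  # CRC covers size field + header body
        raise ValueError("main header CRC32 mismatch: carved data is truncated or corrupt")
    htype, pos = read_vint(data, pos)
    hflags, pos = read_vint(data, pos)
    if htype != HEAD_MAIN:
        return None
    if hflags & HFLAG_EXTRA:                  # skip the extra-area size field if present
        _, pos = read_vint(data, pos)
    aflags, pos = read_vint(data, pos)
    if not aflags & AFLAG_VOLUME:
        return None
    if aflags & AFLAG_VOLNUM:                 # absent on volume 1; stores 1 for volume 2, 2 for 3, ...
        return read_vint(data, pos)[0] + 1
    return 1

def order_volumes(parts):  # {carved name: bytes} -> [(partNN name, carved name)] in unrar order
    ranked = sorted((rar5_volume_index(d), n) for n, d in parts.items())
    return [("file.rar.part%02d" % i, n) for i, (_, n) in enumerate(ranked, 1)]

def make_volume(index):  # constructed sample: RAR5 signature + main header of volume `index` only
    aflags = AFLAG_VOLUME | (AFLAG_VOLNUM if index > 1 else 0)
    body = write_vint(HEAD_MAIN) + write_vint(0) + write_vint(aflags)
    body += write_vint(index - 1) if index > 1 else b""
    sized = write_vint(len(body)) + body
    return RAR5_SIG + zlib.crc32(sized).to_bytes(4, "little") + sized
```

Feeding the three carved files to order_volumes reproduces the a.rar, c.rar, b.rar order the gist arrived at by hand.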
Get information about the extracted file types (should be obvious from the file names)
root@kali:/tmp# file ntds.dit SYS
ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x23caf389, page size 8192, DirtyShutdown, Windows version 6.3
SYS: MS Windows registry file, NT/2000 or above
We use the secretsdump.py script to extract all domain hashes from ntds.dit, using the bootkey from the SYS registry hive, and we get the Administrator account's NT hash
root@kali:/tmp# python /root/Desktop/linux_tools/secretsdump/secretsdump.py -system SYS -ntds ntds.dit LOCAL
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
[*] Target system bootKey: 0x9ef7b2d2b5d19b227a23c1f2b0870c32
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: c1fee7d773c04564705486af7f23b67b
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ebee1661be13dbac48f59fa8d48af4a6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-KOQG5HDQIN4$:1001:aad3b435b51404eeaad3b435b51404ee:1e11722090253cc732ab552d6056c73e:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:07d3a46bbaa3492ed08bd4db34b4eea4:::
EVIL.CORPPtcolby:1107:aad3b435b51404eeaad3b435b51404ee:f390e11c7246902158ca4b786fec3a63:::
MSEDGEWIN10$:1109:aad3b435b51404eeaad3b435b51404ee:381f9dd4084948685fc58c2dc5c19efa:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:2d057a43d6416f87de04eef772528ef7ab4f8d1f95def31aa8851d4dff00ffe5
Administrator:aes128-cts-hmac-sha1-96:ed01acae9cf49b70574047fef382cbb9
Administrator:des-cbc-md5:9dcbb92c3e627f67
WIN-KOQG5HDQIN4$:aes256-cts-hmac-sha1-96:6884804fbedb975225465ba6938ed53dffd7d140f632ee70ff28b9ada0e2f4a8
WIN-KOQG5HDQIN4$:aes128-cts-hmac-sha1-96:5b7d0ffaf0faf462528dcf3e8468853b
WIN-KOQG5HDQIN4$:des-cbc-md5:e53eecb62a135ee3
krbtgt:aes256-cts-hmac-sha1-96:4efdb40ade457c55f4b11e57bc89f4569cb33e9a125dcc20dcba7c06acc1ac60
krbtgt:aes128-cts-hmac-sha1-96:ff1ab311255e339fcb1ff6393b91dc86
krbtgt:des-cbc-md5:40d55b2c579413da
EVIL.CORPPtcolby:aes256-cts-hmac-sha1-96:c02bade092f7ea296fd203ce528e8b05dd4c948b9db6233adcaa59c31c0a65a9
EVIL.CORPPtcolby:aes128-cts-hmac-sha1-96:1545686ae5a9771e8e0e246aaeea37f7
EVIL.CORPPtcolby:des-cbc-md5:010dce7f0475cd58
MSEDGEWIN10$:aes256-cts-hmac-sha1-96:e312f74d4c6cc1820b00c394df65a0e254a860ef71c1bb3f696ef28e928dff9c
MSEDGEWIN10$:aes128-cts-hmac-sha1-96:8a117f0e63d07757174a8f5b506c67e2
MSEDGEWIN10$:des-cbc-md5:8c2ab0ba7c044f45
[*] Cleaning up...