Add report for image 2

cmdline-image2.txt

@@ -0,0 +1,48 @@
+Volatility 3 Framework 1.0.1
+
+PID	Process	Args
+
+4	System	Required memory at 0x10 is not valid (process exited?)
+396	smss.exe	\SystemRoot\System32\smss.exe
+460	csrss.exe	C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
+500	wininit.exe	wininit.exe
+584	services.exe	C:\Windows\system32\services.exe
+600	lsass.exe	C:\Windows\system32\lsass.exe
+608	lsm.exe	C:\Windows\system32\lsm.exe
+760	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch
+824	svchost.exe	C:\Windows\system32\svchost.exe -k rpcss
+856	svchost.exe	C:\Windows\System32\svchost.exe -k secsvcs
+988	svchost.exe	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+1016	svchost.exe	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+1032	svchost.exe	C:\Windows\system32\svchost.exe -k netsvcs
+1084	audiodg.exe	C:\Windows\system32\AUDIODG.EXE 0x288
+1108	svchost.exe	C:\Windows\system32\svchost.exe -k GPSvcGroup
+1132	SLsvc.exe	C:\Windows\system32\SLsvc.exe
+1224	svchost.exe	C:\Windows\system32\svchost.exe -k LocalService
+1296	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkService
+1488	spoolsv.exe	C:\Windows\System32\spoolsv.exe
+1512	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+1920	taskeng.exe	taskeng.exe {7EC134E2-8BEF-46AF-94C8-8C16150FAB71}
+496	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
+1316	VMwareService.e	"C:\Program Files\VMware\VMware Tools\VMwareService.exe"
+1444	svchost.exe	C:\Windows\System32\svchost.exe -k WerSvcGroup
+2028	SearchIndexer.e	C:\Windows\system32\SearchIndexer.exe /Embedding
+1356	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{D34C07AA-275B-496E-A3CC-AFA75F2752EE}
+1796	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
+2076	csrss.exe	C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
+2100	winlogon.exe	winlogon.exe
+2176	msdtc.exe	C:\Windows\System32\msdtc.exe
+2392	VSSVC.exe	C:\Windows\system32\vssvc.exe
+2504	taskeng.exe	taskeng.exe {7F495FBC-66B3-4B6A-A068-DC3607159EB1}
+2864	dwm.exe	"C:\Windows\system32\Dwm.exe"
+2884	explorer.exe	C:\Windows\Explorer.EXE
+2992	MSASCui.exe	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
+3000	VMwareTray.exe	"C:\Program Files\VMware\VMware Tools\VMwareTray.exe" 
+3008	VMwareUser.exe	"C:\Program Files\VMware\VMware Tools\VMwareUser.exe" 
+3076	sidebar.exe	"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
+3576	cmd.exe	"C:\Windows\System32\cmd.exe" 
+3804	SearchProtocolH	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 
+3828	SearchFilterHos	"C:\Windows\system32\SearchFilterHost.exe" 0 628 632 640 65536 636 
+3868	SearchProtocolH	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
+3968	telnet.exe	telnet  towel.blinkenlights.nl
+536	WmiPrvSE.exe	C:\Windows\system32\wbem\wmiprvse.exe

hashdump-image2.txt

@@ -0,0 +1,10 @@
+Volatility 3 Framework 1.0.1
+
+User	rid	lmhash	nthash
+
+Administrator	500	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
+Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
+Vista	1000	aad3b435b51404eeaad3b435b51404ee	209c6174da490caeb422f3fa5a7ae634
+Bob	1001	aad3b435b51404eeaad3b435b51404ee	878d8014606cda29677a44efa1353fc7
+Alice	1002	aad3b435b51404eeaad3b435b51404ee	5835048ce94ad0564e29a924a03510ef
+Eve	1003	aad3b435b51404eeaad3b435b51404ee	4d55663e41abd66cf17584c9c9f7c86c

imageinfo-image2.txt

@@ -0,0 +1,12 @@
+          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
+                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+                     AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image2/image2.vmem)
+                      PAE type : PAE
+                           DTB : 0x122000L
+                          KDBG : 0x81afcc90L
+          Number of Processors : 1
+     Image Type (Service Pack) : 1
+                KPCR for CPU 0 : 0x81afd800L
+             KUSER_SHARED_DATA : 0xffdf0000L
+           Image date and time : 2011-11-30 14:23:46 UTC+0000
+     Image local date and time : 2011-11-30 15:23:46 +0100

ntlm-cracked.txt

@@ -0,0 +1,6 @@
+Administrator:31d6cfe0d16ae931b73c59d7e0c089c0:
+Guest:31d6cfe0d16ae931b73c59d7e0c089c0:
+Vista:209c6174da490caeb422f3fa5a7ae634:admin
+Bob:878d8014606cda29677a44efa1353fc7:secret
+Alice:5835048ce94ad0564e29a924a03510ef:password1
+Eve:4d55663e41abd66cf17584c9c9f7c86c:supersecretpassword

report.tex

@@ -44,9 +44,14 @@ zip file and is password protected with the password \texttt{infected}.
 
 \section{Findings}
 
-All information is obtained through the use of the open soure \texttt{Volatility
-3 Framework} at version \texttt{1.0.1} except for the screenshot for the first
-RAM dump, because this command requires the \texttt{Volatility Framework 2.6}.
+All information is obtained through the use of the open soure
+\texttt{Volatility 3 Framework}\footnote{sha1sum:
+\texttt{b386a7475304d5e449fa0265ffc36df9c6f7835a}} at version \texttt{1.0.1}
+except for the screenshot for the first RAM dump, because this command requires
+the \texttt{Volatility Framework 2.6}.\footnote{sha1sum:
+\texttt{ac3d2333b4d96f9a0c000b7b644f0480b3bc7ff6}}
+
+All work is done on Arch Linux with kernel version 5.15.2.
 
 \subsection{Image 1}
 
@@ -56,7 +61,7 @@ This image is running Windows XP with the Service Pack 2. It was created on
 2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
 \texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
 \texttt{Administrator} user. This information is provided by the volatility
-\texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands.
+\texttt{info} and \texttt{envars} commands.
 
 \subsubsection{Processes and Network Connections}
 
@@ -85,11 +90,30 @@ protect the computer.
 
 \subsection{Image 2}
 
+\subsubsection{Basic Information}
+
+Similarly to image one, we can gather basic information about the RAM dump with
+the help of volatility 2. The RAM dump is coming from either Windows Vista or
+Windows Server 2008 with Service Pack 1 or Service Pack 2 installed. The RAM
+dump was created on 2011-11-30 15:23:46 UTC+0100. The computer's name is
+\texttt{WIN-F0U9JFUWQ3S} and the currently logged in user is \texttt{Vista}.
+Additionally to Vista, there are five other users: Administrator, Guest, Bob,
+Alice and Eve. This information is extracted via volatility's \texttt{hashdump}
+command, which also provides the hashed password of each user. These hashes have
+been cracked using the online website
+crackstation\footnote{\url{https://crackstation.net/}}.
+
+
+\subsubsection{Other Information}
+
+Volatility's plugin \texttt{cmdline} provides information about the commands
+that have been executed over the command line by various processes.
+
 \section{Analysis}
 
 \subsection{Image 1}
 
-The information gathered with volatility strongly suggests that the computer had
+The information gathered with volatility strongly suggests that the computer has
 been infected with malware. The malware seems to have been installed after
 opening the \texttt{navy procurement.pdf} file and is also most likely running
 as an additional \texttt{svchost.exe} process. This process could be responsible
@@ -99,6 +123,18 @@ EQUIPMENT} based in Texas, US.
 
 \subsection{Image 2}
 
+The password hashes of the six users have been cracked to reveal the plaintext.
+The resulting passwords can be seen in Listing~\ref{lst:passwords}. The
+Administrator password and the password for the user Guest is empty, which poses
+a substantial security risk.
+
+Looking closely at the output of the \texttt{cmdline} plugin reveals a call to
+\texttt{telnet.exe towel.blinkenlights.nl} (second to last line in the output).
+While this interface is not available anymore over the IPv4 address, it is over
+its IPv6 address \texttt{2001:7b8:666:ffff::1:42}, which can be found using the
+\texttt{nslookup} command available for Linux distributions. The command should
+show an ASCII version of Star Wars playing in the terminal.
+
 \section{Appendix}
 
 \lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
@@ -107,4 +143,9 @@ EQUIPMENT} based in Texas, US.
 \lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
 \lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
 
+\lstinputlisting[caption=Image2 Info]{imageinfo-image2.txt}
+\lstinputlisting[caption=Image2 Hashdump]{hashdump-image2.txt}
+\lstinputlisting[caption=Image2 Command Line]{cmdline-image2.txt}
+\lstinputlisting[caption=Image2 Cracked
+Passwords,label={lst:passwords}]{ntlm-cracked.txt}
 \end{document}