From 731f372794af4d13d980e7a4c4b054b65c2467a3 Mon Sep 17 00:00:00 2001 From: Tobias Eidelpes Date: Thu, 18 Nov 2021 18:04:54 +0100 Subject: [PATCH] Add report for image 2 --- cmdline-image2.txt | 48 +++++++++++++++++++++++++++++++++++++++++ hashdump-image2.txt | 10 +++++++++ imageinfo-image2.txt | 12 +++++++++++ ntlm-cracked.txt | 6 ++++++ report.tex | 51 +++++++++++++++++++++++++++++++++++++++----- 5 files changed, 122 insertions(+), 5 deletions(-) create mode 100644 cmdline-image2.txt create mode 100644 hashdump-image2.txt create mode 100644 imageinfo-image2.txt create mode 100644 ntlm-cracked.txt diff --git a/cmdline-image2.txt b/cmdline-image2.txt new file mode 100644 index 0000000..2598170 --- /dev/null +++ b/cmdline-image2.txt 
@@ -0,0 +1,48 @@ +Volatility 3 Framework 1.0.1 + +PID Process Args + +4 System Required memory at 0x10 is not valid (process exited?) +396 smss.exe \SystemRoot\System32\smss.exe +460 csrss.exe C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 +500 wininit.exe wininit.exe +584 services.exe C:\Windows\system32\services.exe +600 lsass.exe C:\Windows\system32\lsass.exe +608 lsm.exe C:\Windows\system32\lsm.exe +760 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch +824 svchost.exe C:\Windows\system32\svchost.exe -k rpcss +856 svchost.exe C:\Windows\System32\svchost.exe -k secsvcs +988 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted +1016 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted +1032 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs +1084 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x288 +1108 svchost.exe C:\Windows\system32\svchost.exe -k GPSvcGroup +1132 SLsvc.exe C:\Windows\system32\SLsvc.exe +1224 svchost.exe C:\Windows\system32\svchost.exe -k LocalService +1296 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService +1488 spoolsv.exe C:\Windows\System32\spoolsv.exe +1512 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork +1920 taskeng.exe taskeng.exe {7EC134E2-8BEF-46AF-94C8-8C16150FAB71} +496 svchost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted +1316 VMwareService.e "C:\Program Files\VMware\VMware Tools\VMwareService.exe" +1444 svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup +2028 SearchIndexer.e C:\Windows\system32\SearchIndexer.exe /Embedding +1356 dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{D34C07AA-275B-496E-A3CC-AFA75F2752EE} +1796 dllhost.exe C:\Windows\system32\dllhost.exe 
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} +2076 csrss.exe C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 +2100 winlogon.exe winlogon.exe +2176 msdtc.exe C:\Windows\System32\msdtc.exe +2392 VSSVC.exe C:\Windows\system32\vssvc.exe +2504 taskeng.exe taskeng.exe {7F495FBC-66B3-4B6A-A068-DC3607159EB1} +2864 dwm.exe "C:\Windows\system32\Dwm.exe" +2884 explorer.exe C:\Windows\Explorer.EXE +2992 MSASCui.exe "C:\Program Files\Windows Defender\MSASCui.exe" -hide +3000 VMwareTray.exe "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" +3008 VMwareUser.exe "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" +3076 sidebar.exe "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun +3576 cmd.exe "C:\Windows\System32\cmd.exe" +3804 SearchProtocolH "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" +3828 SearchFilterHos "C:\Windows\system32\SearchFilterHost.exe" 0 628 632 640 65536 636 +3868 SearchProtocolH "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" +3968 telnet.exe telnet towel.blinkenlights.nl +536 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe 
diff --git a/hashdump-image2.txt b/hashdump-image2.txt new file mode 100644 index 0000000..c3d9a05 --- /dev/null +++ b/hashdump-image2.txt @@ -0,0 +1,10 @@ +Volatility 3 Framework 1.0.1 + +User rid lmhash nthash + +Administrator 500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 +Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 +Vista 1000 aad3b435b51404eeaad3b435b51404ee 209c6174da490caeb422f3fa5a7ae634 +Bob 1001 aad3b435b51404eeaad3b435b51404ee 878d8014606cda29677a44efa1353fc7 +Alice 1002 aad3b435b51404eeaad3b435b51404ee 5835048ce94ad0564e29a924a03510ef +Eve 1003 aad3b435b51404eeaad3b435b51404ee 4d55663e41abd66cf17584c9c9f7c86c diff --git a/imageinfo-image2.txt b/imageinfo-image2.txt new file mode 100644 index 0000000..ed457d9 --- /dev/null +++ b/imageinfo-image2.txt @@ -0,0 +1,12 @@ + Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86 + AS Layer1 : IA32PagedMemoryPae (Kernel AS) + AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image2/image2.vmem) + PAE type : PAE + DTB : 0x122000L + KDBG : 0x81afcc90L + Number of Processors : 1 + Image Type (Service Pack) : 1 + KPCR for CPU 0 : 0x81afd800L + KUSER_SHARED_DATA : 0xffdf0000L + Image date and time : 2011-11-30 14:23:46 UTC+0000 + Image local date and time : 2011-11-30 15:23:46 +0100 diff --git a/ntlm-cracked.txt b/ntlm-cracked.txt new file mode 100644 index 0000000..2d800bf --- /dev/null +++ b/ntlm-cracked.txt @@ -0,0 +1,6 @@ +Administrator:31d6cfe0d16ae931b73c59d7e0c089c0: +Guest:31d6cfe0d16ae931b73c59d7e0c089c0: +Vista:209c6174da490caeb422f3fa5a7ae634:admin +Bob:878d8014606cda29677a44efa1353fc7:secret +Alice:5835048ce94ad0564e29a924a03510ef:password1 +Eve:4d55663e41abd66cf17584c9c9f7c86c:supersecretpassword diff --git a/report.tex b/report.tex index d208415..8102ac0 100644 --- a/report.tex +++ b/report.tex 
@@ -44,9 +44,14 @@ zip file and is password protected with the password \texttt{infected}. \section{Findings} -All information is obtained through the use of the open soure \texttt{Volatility -3 Framework} at version \texttt{1.0.1} except for the screenshot for the first -RAM dump, because this command requires the \texttt{Volatility Framework 2.6}. +All information is obtained through the use of the open soure +\texttt{Volatility 3 Framework}\footnote{sha1sum: +\texttt{b386a7475304d5e449fa0265ffc36df9c6f7835a}} at version \texttt{1.0.1} +except for the screenshot for the first RAM dump, because this command requires +the \texttt{Volatility Framework 2.6}.\footnote{sha1sum: +\texttt{ac3d2333b4d96f9a0c000b7b644f0480b3bc7ff6}} + +All work is done on Arch Linux with kernel version 5.15.2. \subsection{Image 1} @@ -56,7 +61,7 @@ This image is running Windows XP with the Service Pack 2. It was created on 2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named \texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the \texttt{Administrator} user. This information is provided by the volatility -\texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands. +\texttt{info} and \texttt{envars} commands. \subsubsection{Processes and Network Connections} 
@@ -85,11 +90,30 @@ protect the computer. \subsection{Image 2} +\subsubsection{Basic Information} + +Similarly to image one, we can gather basic information about the RAM dump with +the help of volatility 2. The RAM dump is coming from either Windows Vista or +Windows Server 2008 with Service Pack 1 or Service Pack 2 installed. The RAM +dump was created on 2011-11-30 15:23:46 UTC+0100. The computer's name is +\texttt{WIN-F0U9JFUWQ3S} and the currently logged in user is \texttt{Vista}. +Additionally to Vista, there are five other users: Administrator, Guest, Bob, +Alice and Eve. This information is extracted via volatility's \texttt{hashdump} +command, which also provides the hashed password of each user. These hashes have +been cracked using the online website +crackstation\footnote{\url{https://crackstation.net/}}. + + +\subsubsection{Other Information} + +Volatility's plugin \texttt{cmdline} provides information about the commands +that have been executed over the command line by various processes. + \section{Analysis} \subsection{Image 1} -The information gathered with volatility strongly suggests that the computer had +The information gathered with volatility strongly suggests that the computer has been infected with malware. The malware seems to have been installed after opening the \texttt{navy procurement.pdf} file and is also most likely running as an additional \texttt{svchost.exe} process. This process could be responsible 
@@ -99,6 +123,18 @@ EQUIPMENT} based in Texas, US. \subsection{Image 2} +The password hashes of the six users have been cracked to reveal the plaintext. +The resulting passwords can be seen in Listing~\ref{lst:passwords}. The +Administrator password and the password for the user Guest is empty, which poses +a substantial security risk. + +Looking closely at the output of the \texttt{cmdline} plugin reveals a call to +\texttt{telnet.exe towel.blinkenlights.nl} (second to last line in the output). +While this interface is not available anymore over the IPv4 address, it is over +its IPv6 address \texttt{2001:7b8:666:ffff::1:42}, which can be found using the +\texttt{nslookup} command available for Linux distributions. The command should +show an ASCII version of Star Wars playing in the terminal. + \section{Appendix} \lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt} @@ -107,4 +143,9 @@ EQUIPMENT} based in Texas, US. \lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt} \lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt} +\lstinputlisting[caption=Image2 Info]{imageinfo-image2.txt} +\lstinputlisting[caption=Image2 Hashdump]{hashdump-image2.txt} +\lstinputlisting[caption=Image2 Command Line]{cmdline-image2.txt} +\lstinputlisting[caption=Image2 Cracked +Passwords,label={lst:passwords}]{ntlm-cracked.txt} \end{document}
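Review bot: In cmdline-image2.txt, the line `4 System Required memory at 0x10 is not valid (process exited?)` is a Volatility diagnostic, not a command line, and the report never says so; a reader of the listing can mistake it for an argument of the System process, so either note it in the report text or state that the PID 4 entry carries no command line. Several entries (the two csrss.exe lines, the SearchProtocolHost lines) are far wider than a page, so the listings setup needs `breaklines=true` or the telnet line the analysis relies on may be hard to find in the printed appendix.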
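Review bot: In hashdump-image2.txt every account carries the same lmhash `aad3b435b51404eeaad3b435b51404ee`; that value is the well-known LM hash of an empty password, i.e. LM hashes are not stored on this system (the Vista default), and the report should say so rather than leave the column to be read as six identical LM passwords. The two accounts with nthash `31d6cfe0d16ae931b73c59d7e0c089c0` (Administrator, Guest) have the NT hash of the empty string, which is the evidence behind the "password is empty" statement in the Analysis section; citing the hash value there would make the finding verifiable without the cracking step.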
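Review bot: imageinfo-image2.txt leaks the analyst's home directory and cloud sync folder in `AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image2/image2.vmem)`; redact or trim the path before it is typeset into the report. Unlike the two Volatility 3 files, this listing has no tool or version header, so nothing in the appendix records that it came from Volatility 2.6 `imageinfo`; adding the invoking command as a first line would keep the appendix reproducible.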
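Review bot: ntlm-cracked.txt has no header and the `user:nthash:plaintext` format is only implied; the empty third field on the `Administrator:...:` and `Guest:...:` lines is ambiguous between "cracked to the empty password" and "not cracked", and the Analysis section depends on the former reading. Spell out the format in the listing caption or the report text, and since this file commits recovered plaintext credentials to the repository, consider whether the repository history is an appropriate place for them even for a lab image.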
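Review bot: The first report.tex hunk (`@@ -44,9 +44,14 @@`) carries the typo "open soure" from the removed lines into the new ones; change to "open source". The two sha1sum footnotes do not say which artifact was hashed (release archive, `vol.py`, the installed package?), so they cannot be checked; name the file behind `b386a7475304d5e449fa0265ffc36df9c6f7835a` and `ac3d2333b4d96f9a0c000b7b644f0480b3bc7ff6`. The sentence "except for the screenshot for the first RAM dump" is also the only stated use of Volatility 2.6, which the image 2 hunk below contradicts.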
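Review bot: The second report.tex hunk (`@@ -56,7 +61,7 @@`) replaces the fully qualified plugin names `windows.info.Info` and `windows.envars.Envars` with `info` and `envars`, which loses precision now that both Volatility 2.6 and Volatility 3 are used in the same report and the short names match neither framework's invocation; keep the full names, or state the exact command once per framework.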
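Review bot: The third report.tex hunk (`@@ -85,11 +90,30 @@`) says basic information for image 2 is gathered "with the help of volatility 2", contradicting the Findings introduction, which claims Volatility 2.6 was needed only for the image 1 screenshot; update that sentence. "Service Pack 1 or Service Pack 2 installed" is weaker than the evidence, since imageinfo-image2.txt reports `Image Type (Service Pack) : 1`. "cracked using the online website crackstation" means hashes from the evidence were submitted to a third party; the report should note this handling decision, or use an offline cracker so the evidence never leaves the analysis host. Minor: there is a double blank line before `\subsubsection{Other Information}`, and `cmdline` should be given as the Volatility 3 plugin name for consistency with the listing header.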
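Review bot: In the fourth report.tex hunk (`@@ -99,6 +123,18 @@`), "The Administrator password and the password for the user Guest is empty" should read "are empty". The telnet finding is located as "second to last line in the output", which breaks as soon as the listing changes; cite the listing by label and the process by PID 3968 instead. The IPv6 reachability of `2001:7b8:666:ffff::1:42` via `nslookup` is a 2021 live observation, not something in the 2011 image; separate it from the evidence so the reader knows which statements are derived from the RAM dump and which from a present-day network check.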
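Review bot: In the appendix hunk (`@@ -107,4 +143,9 @@`) only the cracked-passwords listing gets a `label`, while the Analysis text also refers to the cmdline output; give `cmdline-image2.txt` a label (e.g. `lst:cmdline2`) and reference it with `\ref` rather than by position. The option `caption=Image2 Cracked` broken across a line inside the optional argument typesets fine but is easy to misread; keep each `\lstinputlisting` on one line as the other entries are.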