Add report for image 2
This commit is contained in:
parent
f09d7d2652
commit
731f372794
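--- /dev/null
+++ b/cmdline-image2.txt
@@ -0,0 +1,48 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Args
+
+4 System Required memory at 0x10 is not valid (process exited?)
+396 smss.exe \SystemRoot\System32\smss.exe
+460 csrss.exe C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
+500 wininit.exe wininit.exe
+584 services.exe C:\Windows\system32\services.exe
+600 lsass.exe C:\Windows\system32\lsass.exe
+608 lsm.exe C:\Windows\system32\lsm.exe
+760 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
+824 svchost.exe C:\Windows\system32\svchost.exe -k rpcss
+856 svchost.exe C:\Windows\System32\svchost.exe -k secsvcs
+988 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+1016 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+1032 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
+1084 audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x288
+1108 svchost.exe C:\Windows\system32\svchost.exe -k GPSvcGroup
+1132 SLsvc.exe C:\Windows\system32\SLsvc.exe
+1224 svchost.exe C:\Windows\system32\svchost.exe -k LocalService
+1296 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
+1488 spoolsv.exe C:\Windows\System32\spoolsv.exe
+1512 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+1920 taskeng.exe taskeng.exe {7EC134E2-8BEF-46AF-94C8-8C16150FAB71}
+496 svchost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
+1316 VMwareService.e "C:\Program Files\VMware\VMware Tools\VMwareService.exe"
+1444 svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
+2028 SearchIndexer.e C:\Windows\system32\SearchIndexer.exe /Embedding
+1356 dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{D34C07AA-275B-496E-A3CC-AFA75F2752EE}
+1796 dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
+2076 csrss.exe C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
+2100 winlogon.exe winlogon.exe
+2176 msdtc.exe C:\Windows\System32\msdtc.exe
+2392 VSSVC.exe C:\Windows\system32\vssvc.exe
+2504 taskeng.exe taskeng.exe {7F495FBC-66B3-4B6A-A068-DC3607159EB1}
+2864 dwm.exe "C:\Windows\system32\Dwm.exe"
+2884 explorer.exe C:\Windows\Explorer.EXE
+2992 MSASCui.exe "C:\Program Files\Windows Defender\MSASCui.exe" -hide
+3000 VMwareTray.exe "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
+3008 VMwareUser.exe "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
+3076 sidebar.exe "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
+3576 cmd.exe "C:\Windows\System32\cmd.exe"
+3804 SearchProtocolH "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
+3828 SearchFilterHos "C:\Windows\system32\SearchFilterHost.exe" 0 628 632 640 65536 636
+3868 SearchProtocolH "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
+3968 telnet.exe telnet towel.blinkenlights.nl
+536 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe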
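Review bot: The telnet finding the report builds on (`3968 telnet.exe telnet towel.blinkenlights.nl`) rests on a command line that the `cmdline` plugin reads from the process's own PEB ProcessParameters, i.e. user-mode memory the process itself can rewrite, so it should be corroborated rather than presented as fact. Checking `windows.pstree` for the parent of PID 3968 (the `cmd.exe` at PID 3576 is a plausible but unverified candidate) and `windows.netscan` for a connection to port 23 would make the claim defensible. The `Required memory at 0x10 is not valid` line for PID 4 is expected, since the System process has no user-mode PEB, and does not indicate a problem with the image.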
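--- /dev/null
+++ b/hashdump-image2.txt
@@ -0,0 +1,10 @@
+Volatility 3 Framework 1.0.1
+
+User rid lmhash nthash
+
+Administrator 500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
+Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
+Vista 1000 aad3b435b51404eeaad3b435b51404ee 209c6174da490caeb422f3fa5a7ae634
+Bob 1001 aad3b435b51404eeaad3b435b51404ee 878d8014606cda29677a44efa1353fc7
+Alice 1002 aad3b435b51404eeaad3b435b51404ee 5835048ce94ad0564e29a924a03510ef
+Eve 1003 aad3b435b51404eeaad3b435b51404ee 4d55663e41abd66cf17584c9c9f7c86c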
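Review bot: Every row carries the LM hash `aad3b435b51404eeaad3b435b51404ee`, which is the LM hash of the empty string and means LM password storage is disabled on this system (the Vista default); the report should state that explicitly instead of leaving the column unexplained. The NT hash `31d6cfe0d16ae931b73c59d7e0c089c0` for Administrator and Guest is likewise the hash of the empty string, but a disabled account whose password was never set produces the same value, so this listing alone cannot distinguish a blank password from a disabled account. A sentence noting both facts next to the listing would prevent the reader from over-interpreting it.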
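--- /dev/null
+++ b/imageinfo-image2.txt
@@ -0,0 +1,12 @@
+Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
+AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image2/image2.vmem)
+PAE type : PAE
+DTB : 0x122000L
+KDBG : 0x81afcc90L
+Number of Processors : 1
+Image Type (Service Pack) : 1
+KPCR for CPU 0 : 0x81afd800L
+KUSER_SHARED_DATA : 0xffdf0000L
+Image date and time : 2011-11-30 14:23:46 UTC+0000
+Image local date and time : 2011-11-30 15:23:46 +0100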
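Review bot: The `AS Layer2` line embeds the analyst's local path `/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image2/image2.vmem`, and report.tex includes this file verbatim via `\lstinputlisting`, so the username and directory layout of the analysis machine end up in the published PDF. Run imageinfo from the image directory or edit the line to `AS Layer2 : FileAddressSpace (image2.vmem)` before building the report. This output is also clearly Volatility 2 (imageinfo, KDBG, suggested profiles), which the report's Findings introduction should acknowledge.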
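--- /dev/null
+++ b/ntlm-cracked.txt
@@ -0,0 +1,6 @@
+Administrator:31d6cfe0d16ae931b73c59d7e0c089c0:
+Guest:31d6cfe0d16ae931b73c59d7e0c089c0:
+Vista:209c6174da490caeb422f3fa5a7ae634:admin
+Bob:878d8014606cda29677a44efa1353fc7:secret
+Alice:5835048ce94ad0564e29a924a03510ef:password1
+Eve:4d55663e41abd66cf17584c9c9f7c86c:supersecretpassword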
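Review bot: This file commits recovered NT hashes together with their plaintext passwords, and report.tex pulls it into the PDF through `\lstinputlisting`, so credentials from the evidence image now live both in version-control history and in the deliverable. Even for a lab image, a forensic report should avoid reproducing plaintext credentials; consider listing only which accounts were cracked (or masking the plaintext as `ad***`) and keeping the raw `user:hash:plain` file outside the repository or in an access-controlled location. The file also records that the cracking result came from a public web service, which should be stated alongside the listing as a caveat on provenance.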
51
report.tex
51
report.tex
@ -44,9 +44,14 @@ zip file and is password protected with the password \texttt{infected}.
|
|||||||
|
|
||||||
\section{Findings}
|
\section{Findings}
|
||||||
|
|
||||||
All information is obtained through the use of the open soure \texttt{Volatility
|
All information is obtained through the use of the open soure
|
||||||
3 Framework} at version \texttt{1.0.1} except for the screenshot for the first
|
\texttt{Volatility 3 Framework}\footnote{sha1sum:
|
||||||
RAM dump, because this command requires the \texttt{Volatility Framework 2.6}.
|
\texttt{b386a7475304d5e449fa0265ffc36df9c6f7835a}} at version \texttt{1.0.1}
|
||||||
|
except for the screenshot for the first RAM dump, because this command requires
|
||||||
|
the \texttt{Volatility Framework 2.6}.\footnote{sha1sum:
|
||||||
|
\texttt{ac3d2333b4d96f9a0c000b7b644f0480b3bc7ff6}}
|
||||||
|
|
||||||
|
All work is done on Arch Linux with kernel version 5.15.2.
|
||||||
|
|
||||||
\subsection{Image 1}
|
\subsection{Image 1}
|
||||||
|
|
||||||
@ -56,7 +61,7 @@ This image is running Windows XP with the Service Pack 2. It was created on
|
|||||||
2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
|
2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
|
||||||
\texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
|
\texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
|
||||||
\texttt{Administrator} user. This information is provided by the volatility
|
\texttt{Administrator} user. This information is provided by the volatility
|
||||||
\texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands.
|
\texttt{info} and \texttt{envars} commands.
|
||||||
|
|
||||||
\subsubsection{Processes and Network Connections}
|
\subsubsection{Processes and Network Connections}
|
||||||
|
|
||||||
@ -85,11 +90,30 @@ protect the computer.
|
|||||||
|
|
||||||
\subsection{Image 2}
|
\subsection{Image 2}
|
||||||
|
|
||||||
|
\subsubsection{Basic Information}
|
||||||
|
|
||||||
|
Similarly to image one, we can gather basic information about the RAM dump with
|
||||||
|
the help of volatility 2. The RAM dump is coming from either Windows Vista or
|
||||||
|
Windows Server 2008 with Service Pack 1 or Service Pack 2 installed. The RAM
|
||||||
|
dump was created on 2011-11-30 15:23:46 UTC+0100. The computer's name is
|
||||||
|
\texttt{WIN-F0U9JFUWQ3S} and the currently logged in user is \texttt{Vista}.
|
||||||
|
Additionally to Vista, there are five other users: Administrator, Guest, Bob,
|
||||||
|
Alice and Eve. This information is extracted via volatility's \texttt{hashdump}
|
||||||
|
command, which also provides the hashed password of each user. These hashes have
|
||||||
|
been cracked using the online website
|
||||||
|
crackstation\footnote{\url{https://crackstation.net/}}.
|
||||||
|
|
||||||
|
|
||||||
|
\subsubsection{Other Information}
|
||||||
|
|
||||||
|
Volatility's plugin \texttt{cmdline} provides information about the commands
|
||||||
|
that have been executed over the command line by various processes.
|
||||||
|
|
||||||
\section{Analysis}
|
\section{Analysis}
|
||||||
|
|
||||||
\subsection{Image 1}
|
\subsection{Image 1}
|
||||||
|
|
||||||
The information gathered with volatility strongly suggests that the computer had
|
The information gathered with volatility strongly suggests that the computer has
|
||||||
been infected with malware. The malware seems to have been installed after
|
been infected with malware. The malware seems to have been installed after
|
||||||
opening the \texttt{navy procurement.pdf} file and is also most likely running
|
opening the \texttt{navy procurement.pdf} file and is also most likely running
|
||||||
as an additional \texttt{svchost.exe} process. This process could be responsible
|
as an additional \texttt{svchost.exe} process. This process could be responsible
|
||||||
@ -99,6 +123,18 @@ EQUIPMENT} based in Texas, US.
|
|||||||
|
|
||||||
\subsection{Image 2}
|
\subsection{Image 2}
|
||||||
|
|
||||||
|
The password hashes of the six users have been cracked to reveal the plaintext.
|
||||||
|
The resulting passwords can be seen in Listing~\ref{lst:passwords}. The
|
||||||
|
Administrator password and the password for the user Guest is empty, which poses
|
||||||
|
a substantial security risk.
|
||||||
|
|
||||||
|
Looking closely at the output of the \texttt{cmdline} plugin reveals a call to
|
||||||
|
\texttt{telnet.exe towel.blinkenlights.nl} (second to last line in the output).
|
||||||
|
While this interface is not available anymore over the IPv4 address, it is over
|
||||||
|
its IPv6 address \texttt{2001:7b8:666:ffff::1:42}, which can be found using the
|
||||||
|
\texttt{nslookup} command available for Linux distributions. The command should
|
||||||
|
show an ASCII version of Star Wars playing in the terminal.
|
||||||
|
|
||||||
\section{Appendix}
|
\section{Appendix}
|
||||||
|
|
||||||
\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
|
\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
|
||||||
@ -107,4 +143,9 @@ EQUIPMENT} based in Texas, US.
|
|||||||
\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
|
\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
|
||||||
\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
|
\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
|
||||||
|
|
||||||
|
\lstinputlisting[caption=Image2 Info]{imageinfo-image2.txt}
|
||||||
|
\lstinputlisting[caption=Image2 Hashdump]{hashdump-image2.txt}
|
||||||
|
\lstinputlisting[caption=Image2 Command Line]{cmdline-image2.txt}
|
||||||
|
\lstinputlisting[caption=Image2 Cracked
|
||||||
|
Passwords,label={lst:passwords}]{ntlm-cracked.txt}
|
||||||
\end{document}
|
\end{document}
|
||||||
|
|||||||
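Review bot: The Image 2 analysis concludes that the Administrator and Guest passwords are empty and pose a substantial risk, but `31d6cfe0d16ae931b73c59d7e0c089c0` is only the NT hash of the empty string; Windows Vista ships with the built-in Administrator and Guest accounts disabled, and a disabled account with no password set yields the same hash, so the account-enabled flags (SAM user `F` value or a profile directory under `Users`) must be checked before this is reported as a finding. The Findings section says the hashes were cracked via crackstation, which means hashes recovered from an evidence image were sent to a third-party web service; for a forensic report an offline cracker (john or hashcat with a local wordlist) is the defensible method, and the text should at least note the disclosure. The Findings introduction also still claims Volatility 2 was used only for the image 1 screenshot, while the Image 2 basic-information paragraph and imageinfo-image2.txt use Volatility 2 as well; suggest rewording to `except for the imageinfo output of both images and the screenshot for the first RAM dump, which require the \texttt{Volatility Framework 2.6}`. The telnet paragraph should also cite the corroborating process-tree or network evidence rather than the cmdline output alone, since that command line is read from memory the process controls.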