Memory Forensics: How to Pull Passwords from a Memory Dump

Last time, we talked about a quick and easy way to get a memory dump on a Windows based PC. This time, we will cover pulling passwords out of captured memory files.

Several programs exist for memory analysis, we will be using “Volatility” from Volatile Systems. If you are performing your analysis on a Windows system I recommend downloading the stand alone .exe version. If you don’t then you will also need to install Python.

Once Volatility is installed, we need to get some information from the memory dump. Open up a command prompt and run the following command:

volatility imageinfo -f memorydumpfilename.raw

This command gives you several pieces of information, for now, we just need to know the profile type of the memory dump, in this case Win7SP1x86. We will use this in the next few steps.

Now, we need the hive list so we can get the starting location in memory of where the registry information resides:

volatility hivelist -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile for some reason they are showing up as a single)

We now have a list of where several key items are located in the memory dump. Next, we will extract the password hashes from the memory dump. To do this we need to know the starting memory locations for the system and sam keys. We look in the dump above and copy down the numbers in the first column that correspond to the SAM and SYSTEM locations. Then output the password hashes into a text file called hashs.txt:

volatility hashdump -f memdumpfilename.raw –profile=Win7SP1x86 -y 0x87c1a248 -s 0x8bfaa008 > hashs.txt  (double dashes in front of profile)

Open the hash dump file in a text editor and you should see hashes of all the user’s passwords:

Now, if you are using Windows XP and have passwords shorter than 14 characters (LM passwords), you can run them through a password cracker like John the Ripper. Or better yet,  you can copy the long alphanumeric string after the user id number (500 or 1000 numbers) and paste them in Objectif Sécurité’s Online XP Hash cracking program. This utility cracks most LM based password hashes in 5 seconds or less. For more information see  Cracking 14 Character Complex Passwords in 5 Seconds.

This will not work on Windows 7 passwords or XP passwords longer than 14 characters though. These hashes are stored in the more secure NTLM format and can take a lot longer to crack. One cool thing though is that you do not need to crack the NTLM hash to get access to a system. You can log into a system using the hash itself as the password!

The password could be a simple 14 character password or a complex 32 character monster, it does not matter. You can still use the hash to get a command prompt. For more information see NTLM Passwords: Can’t Crack it? Just Pass it!

This really goes to show that passwords really are not as safe as one might think. Dual or multiple authentication systems are really the way to go on secure systems.

Well, that wraps up pulling passwords off of a memory dump, next we will learn how to view the active network connections and processes from a memory dump.

If you enjoyed this tutorial check out my new book, totally updated for 2018!

Basic Security Testing with Kali Linux, 3rd Edition

19 thoughts on “Memory Forensics: How to Pull Passwords from a Memory Dump”

  1. Mr. Dieterle,
    When I try to determine the profile in a raw memory dump file, Volatility 2.1 shows me that no profile can be suggested. Already tried the imageinfo and kdbgscan plugin, from Windows 7 as well as XP mode. Can you tell me what I do wrong and how I can get the correct information?
    Thanks a lot!
    Grtz. Wouter.

    1. Hi Wouter,

      Not sure what OS your memory dump is from, but you might want to try the updated Volatility version 2.2. It covers a couple additional Operation Systems.

      Thanks for the comment!

      Dan

      1. Thanks! I’m afraid it didn’t get me were I wanted…
        I tried the 2.2 version, but I still get the same information from Volatility:

        Suggested profile(s) : No suggestion (Instantiated with no profile)
        AS Layer1 : FileAddressSpace (~\memory.raw)
        PAE type : No PAE

        The only information I have, is that the memory.raw file comes from a laptop via Firewire. Are there any other options?
        Grtz. Wouter.

      2. Sounds like either you have a memory image that Volatility doesn’t recognize, or it is an OS that Volatility doesn’t support.

        Volatility works with:

        32-bit Windows XP Service Pack 2 and 3
        32-bit Windows 2003 Server Service Pack 0, 1, 2
        32-bit Windows Vista Service Pack 0, 1, 2
        32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
        32-bit Windows 7 Service Pack 0, 1
        64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
        64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
        64-bit Windows Vista Service Pack 0, 1, 2
        64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
        64-bit Windows 2008 R2 Server Service Pack 0 and 1
        64-bit Windows 7 Service Pack 0 and 1

  2. Stuck at question 9, wouter? Haha.. Me too. Guess it is a linux dump but i don’t know how to create a profile in the windows volatility standalone version..

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.