Windows 8 Open Source Memory Analysis Fail

Wow, spent a lot of time yesterday trying to do some memory analysis on Windows 8 with a couple open source tools…

And completely failed.

I wanted to analyze a suspended Win8 virtual machine’s memory and see what information could be pulled from it. I know VMware has a “vmss2core” utility that will do the trick. Of course I had Windows 8 in a VirtualBox VM. No problem, I exported it and imported it into VMware Workstation without any trouble. Okay, it hung up on first boot in VMware, but a hard reset and everything was right as rain on the next boot.

Next I suspended the VM, grabbed the .vmem and the .vmss suspension files and tried to run them through vmss2core:

C:\VM>vmss2core.exe -W windows8.vmem windows8.vmss
vmss2core version 812388 Copyright (C) 1998-2012 VMware, Inc. All rights reserved.

Unrecognized .vmss file (magic f000ff53).

Unrecognized .vmss file… Okay, not to be deterred, I rebooted the Windows 8 VM and took a snapshot. Vmss2core also works with snapshots!

Same error.

I actually read the help features for Vmss2core and realized that it has a “-W8” command for Windows 8! Doh!

Used that… Same error…

Okay, bothered now, but still undeterred, I figured I would just boot the system up and run MoonSols DumpIt command to get a copy of the active RAM. Then I can use the memory dump output and feed it into Volatility!

Or so I thought…

DumpIt works great for grabbing a full copy of your active RAM so you can analyze it for artifacts. Simply download the file and place it where you want it – USB drive, hard drive, etc. Then just run the command, and the full active memory of the system will be saved as a .raw file in the same directory.

I ran DumpIt in Windows 8 and it worked flawlessly:

Yeah! Now all I need to do is take the .raw memory dump file and feed it into the memory analysis program Volatility. And I should be able to see tons of information and artifacts including network connections, users, services and other goodies!  🙂

I started out by using the imageinfo command. This command identifies the exact operating system version (the Volatility profile) of the dump, so that Volatility correctly maps memory locations to kernel structures and services when you use the more advanced commands.

(I created a whole series on using Volatility to perform analysis on Windows 7 last year)

When I ran Volatility, it was unable to determine the OS level. I was using the latest version that just came out this month. A quick search on their website and it looks like Windows 8 functionality will not be out for several more months…

Well, that was the final brick wall for me. I had other things to do and had to walk away from it at that point.

Anyone have any ideas or know of any other open source memory analysis tools like Volatility that will work with Windows 8?


Hakin9 Exploiting Software SamuraiWTF Toolkit

A new issue of Hakin9 Exploiting Software is out!

Diving Through SamuraiWTF Toolkit – Massive article on setting up and using SamuraiWTF the Web Pentesting Ubuntu Distro platform.

Penetration Testing LAB Setup Guide – Exceptional article on setting up a kickin network test lab by Jeremiah Brott. I normally use physical machines or VMware virtual machines, but in this article Jeremiah covers setting up an awesome lab using VirtualBox and pfSense. I now use this setup regularly – it works fantastic.

Web Filtering with Websense. To be or not to be filtered: that is the dilemma – Great article on Websense the web filtering program. Also a great article on why your company needs web filtering.

Malware, a cyber threat increasingly difficult to contain – I haven’t read this article yet, but read a lot of Pierluigi Paganini’s material. He is an exceptional writer and security expert.

Also in this issue:

  • Burp Suite Automating Attacks By Ric Messier
  • Memory Levels Gate Mitigation By Amr Thabet
  • Anti-Rootkits in the Era of Cyber Wars By Igor Korkin
  • Password Construction and Management By Gaurav Kumar
  • Picking Up Mushrooms in the Rain Forest – Social Engineering Information Gathering By Vlad Styran

Subscribe to Hakin9 Exploiting Software now!

Pentoo 2012 a Penetration Testers Distro of Gentoo Linux

I’ve never seen Pentoo before, but couldn’t resist taking a peek when I saw it mentioned in the Defcon news briefs floating around. Basically Pentoo is Gentoo Linux with a bunch of security focused tweaks and additions.

I am married to Backtrack and am not interested in switching to another Linux security distro, but Pentoo does look enticing. It is loaded with tools that fit a pentester very well. A quick look in the application directory and you will see the programs grouped, Backtrack-style, under headings like:

  • Analyzer tools
  • Bluetooth
  • Database
  • Exploit
  • Forensics
  • MitM
  • SIP/ VoIP
  • Wireless

Under each group you will find a slew of programs that would make any security guru giddy.

Tools like:

  • MSF Console
  • W3af Console
  • Autopsy
  • Burpsuite
  • Nessus
  • Aircrack-ng
  • Kismet
  • Development Tools
  • and many more…

I really liked Pentoo, but as the developer mentions on his site, it is in Beta form right now. Several times I received errors when clicking on menu items. The project is very interesting though and definitely worth checking out!

Metasploitable 2 Tutorial Part 1: Checking for open Ports with Nmap

I mentioned a week or two ago that we would take a closer look at Metasploitable 2.0, the purposefully vulnerable Linux virtual machine used for learning security tactics and techniques. In this intro, we will quickly cover obtaining Metasploitable and scanning it for open ports and services. (No, you do not want Metasploitable running on an open or production network, it’s vulnerable for Pete’s sake!  🙂  )

For this series of tutorials you will need:

You can set up a test network using VMware or VirtualBox. I will not cover this in the article; there are many tutorials out there for setting this up.

The Rapid7 website references a great Metasploitable setup tutorial on webpwnized’s YouTube channel. This covers installing Metasploitable 2 on VirtualBox and how to get to Mutillidae, a great learning tool for web app security:

Okay, let’s take a look at Metasploitable from our Backtrack box. Let’s run an nmap scan and see what services are installed.

Open a Terminal window on your Backtrack system and type:

nmap -v -A 192.168.12.20 (metasploitable’s IP address)

This will show us the open ports and try to enumerate what services are running. Here is a look at the ports:

Holy open ports Batman!

Nmap will churn for a while as it tries to detect the actual services running on these ports. In a few minutes you will see a screen that looks like this:

For each port, we see the port number, service type and even an attempt at the service software version.

From here, we can grab the software version, in this case “Unreal IRC 3.2.8.1”, and do a search for vulnerabilities for that software release. Just searching “unreal3.2.8.1 exploits” in Google should do the trick. With a little searching, you can find an Unreal exploit usable through Backtrack 5’s Metasploit program that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.

If nothing comes up, you may not have the exact software version. Nmap tries its best, but it is not always correct. Backtrack 5’s Metasploit console has several service scanners that we can use to get exact version levels. We will take a closer look at these in the next tutorial. Then we will dive into exploiting the open services.