This article records, in detail, the process of learning and using Kali Linux 2018.1 for penetration testing. The tutorial follows the course "Kali Linux Penetration Testing" from the Security Niu Classroom.
1. Make a memory image
Forensic tool Comae-Toolkit-Light
http://www.downloadcrew.com/article/23854-dumpit
Use DumpIt to make a memory image file; the image file is close to, or slightly larger than, the size of physical memory.
2. Analyze the memory file
Plugin location
/usr/lib/python2.7/dist-packages/volatility/plugins
Query image information to determine the profile
volatility -f win.dmp imageinfo
Query registry hive files
volatility hivelist -f win.dmp --profile=Win7SP1x86
Process list and process tree
volatility pslist -f win.dmp --profile=Win7SP1x86
volatility pstree -f win.dmp --profile=Win7SP1x86
View registry contents by virtual memory address
volatility -f win.dmp --profile=Win7SP1x86 hivelist
volatility -f win.dmp --profile=Win7SP1x86 hivedump -o 0x91fa1648
View User Accounts
volatility -f win.dmp --profile=Win7SP1x86 printkey -K "SAM\Domains\Account\Users\Names"
Last logged in user
volatility -f win.dmp --profile=Win7SP1x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Programs that have been run, how many times they were run, when they were last run, etc. (UserAssist)
volatility -f win.dmp --profile=Win7SP1x86 userassist
Process list and physical memory
volatility -f win.dmp --profile=Win7SP1x86 pslist
Dump process memory
volatility -f win.dmp --profile=Win7SP1x86 memdump -p 3684 -D dumpdir/
root@kali:~/dumpdir# hexeditor 3684.dmp
Extract strings
root@kali:~/dumpdir# strings 3684.dmp > 1111.txt
root@kali:~/dumpdir# strings 3684.dmp | grep password
root@kali:~/dumpdir# strings 3684.dmp | grep /
root@kali:~/dumpdir# strings 3684.dmp | grep @
Command History
volatility cmdscan -f win.dmp --profile=Win7SP1x86
Internet connection
volatility netscan -f win.dmp --profile=Win7SP1x86
IE history
volatility iehistory -f win.dmp --profile=Win7SP1x86
Extract hashes
volatility -f win.dmp --profile=Win7SP1x86 hivelist
# volatility -f win.dmp --profile=Win7SP1x86 hashdump -y <SYSTEM hive virtual address> -s <SAM hive virtual address>
volatility -f win.dmp --profile=Win7SP1x86 hashdump -y 0x8a81c008 -s 0x95f26558
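The hashdump step above requires reading the SYSTEM and SAM virtual offsets out of the hivelist output by hand. The following is an added example, not part of the course notes: a Python 3 helper (independent of Volatility's own Python 2 install) that parses Volatility 2 hivelist output, picks the two hives by path suffix, and builds the hashdump command; the sample output is constructed, reusing the two offsets from the notes.

```python
import re
import shlex

# Constructed sample of `volatility hivelist` output (Volatility 2 layout).
# The SYSTEM and SAM offsets are the ones used in the notes; the rest is made up.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b20c3a8 0x0f10c3a8 [no name]
0x8a81c008 0x0e5fc008 \\REGISTRY\\MACHINE\\SYSTEM
0x8b22a1d0 0x0d8ea1d0 \\REGISTRY\\MACHINE\\HARDWARE
0x95f26558 0x1ab26558 \\SystemRoot\\System32\\Config\\SAM
0x96b2c9c8 0x13a4c9c8 \\SystemRoot\\System32\\Config\\SOFTWARE
0x9f3019c8 0x0cd219c8 \\??\\C:\\Users\\alice\\ntuser.dat
"""

# One data row: virtual offset, physical offset, hive name (header/ruler lines do not match).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

def parse_hivelist(text):
    """Return a list of (virtual_offset, physical_offset, hive_name) tuples."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if m:
            hives.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return hives

def find_hive_offsets(text):
    """Pick the SYSTEM and SAM hives by the last path component (case-insensitive)."""
    found = {}
    for virt, _phys, name in parse_hivelist(text):
        tail = name.rsplit("\\", 1)[-1].upper()
        if tail == "SYSTEM" and "system" not in found:
            found["system"] = virt
        elif tail == "SAM" and "sam" not in found:
            found["sam"] = virt
    missing = {"system", "sam"} - set(found)
    if missing:  # refuse to guess: hashdump needs both hives
        raise ValueError("hive(s) not found in hivelist output: " + ", ".join(sorted(missing)))
    return found

def build_hashdump_command(image, profile, hivelist_text):
    """Build the argv for `volatility hashdump` from captured hivelist output."""
    offs = find_hive_offsets(hivelist_text)
    return ["volatility", "-f", image, "--profile=" + profile, "hashdump",
            "-y", "0x%x" % offs["system"], "-s", "0x%x" % offs["sam"]]

if __name__ == "__main__":
    argv = build_hashdump_command("win.dmp", "Win7SP1x86", SAMPLE_HIVELIST)
    print(" ".join(shlex.quote(a) for a in argv))
```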
3. firefoxhistory plugin
mv /root/volatility-plugins-master/*.py /usr/lib/python2.7/dist-packages/volatility/plugins/
# Use firefoxhistory
volatility -f win.dmp --profile=Win7SP1x86 firefoxhistory
4. USN journal plugin
An NTFS feature used to track changes to disk contents (it does not record the specific changes themselves)
wget https://raw.githubusercontent.com/tomspencer/volatility/master/usnparser/usnparser.py
mv usnparser.py /usr/lib/python2.7/dist-packages/volatility/plugins/
volatility -f win.dmp --profile=Win7SP1x86 usnparser --output=csv --output-file=usn.csv
5. Timeline plugin
Collects large amounts of system activity information from multiple sources into a single timeline
volatility -f win.dmp --profile=Win7SP1x86 timeliner
6. Memory forensics case study
Finding malware in a memory image (cridex.vmem sample)
View image information
volatility -f cridex.vmem imageinfo
View the process tree
volatility -f cridex.vmem --profile=WinXPSP3x86 pstree
View network connections
volatility connscan -f cridex.vmem --profile=WinXPSP3x86
View the SIDs of the suspicious process
volatility -f cridex.vmem --profile=WinXPSP3x86 getsids -p 1484
DLLs loaded by the process
volatility -f cridex.vmem --profile=WinXPSP3x86 dlllist -p 1484
Malicious code detection results (malfind) and dumped injected sections
volatility -f cridex.vmem --profile=WinXPSP3x86 malfind -p 1484 -D dumpdir
ls process.0x821dea70.0x1460000.dmp