challenge4 - Forensics100 Walkthrogh

We have dumped the RAM of a Machine on which was running a VNC server.
The goal is to get the password of that VNC server.

事前準備

解答方法

# python vol.py -f dump.raw imageinfo
Volatile Systems Volatility Framework 2.0
          Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kikuzou/volatility-2.0/dump.raw)
                      PAE type : PAE
                           DTB : 0xae2000
                          KDBG : 0x80544ce0L
                          KPCR : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2011-03-10 13:28:56 
     Image local date and time : 2011-03-10 13:28:56 
          Number of Processors : 1
                    Image Type : Service Pack 2
#
# python vol.py -f dump.raw pslist
Volatile Systems Volatility Framework 2.0
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time 
---------- -------------------- ------ ------ ------ ------ ------------------- 
0x821c8830 System                    4      0     53    258 1970-01-01 00:00:00
0x81e356d8 smss.exe                544      4      3     21 2011-03-10 13:02:27
0x81e216e8 csrss.exe               608    544     11    319 2011-03-10 13:02:29
0x820ac9c0 winlogon.exe            632    544     19    440 2011-03-10 13:02:29
0x821365b0 services.exe            684    632     16    338 2011-03-10 13:02:30
0x81bce938 lsass.exe               696    632     19    328 2011-03-10 13:02:30
0x82029720 svchost.exe             860    684     17    210 2011-03-10 13:02:31
0x81bd1500 svchost.exe             928    684      9    232 2011-03-10 13:02:31
0x81bf4020 svchost.exe            1020    684     59   1148 2011-03-10 13:02:31
0x81e123c0 svchost.exe            1064    684      4     74 2011-03-10 13:02:31
0x820df548 svchost.exe            1300    684     14    203 2011-03-10 13:02:33
0x81c1d7e8 spoolsv.exe            1472    684     10    108 2011-03-10 13:02:34
0x81fcf620 explorer.exe           1580   1564     11    446 2011-03-10 13:02:34
0x81bb0020 ctfmon.exe             1664   1580      1     66 2011-03-10 13:02:35
0x81d92020 alg.exe                 500    684      6    104 2011-03-10 13:02:58
0x81be8020 wscntfy.exe             532   1020      1     36 2011-03-10 13:02:59
0x81dea980 winvnc4.exe            1696    684      3     67 2011-03-10 13:09:47
0x81f94da0 mmc.exe                1512   1580      7    241 2011-03-10 13:28:14
0x81deb558 wmiprvse.exe           1460    860     13    204 2011-03-10 13:28:33
#
# python vol.py -f dump.raw vadinfo -p 1696
Volatile Systems Volatility Framework 2.0
************************************************************************
Pid:   1696
VAD node @821e4090 Start 00ae0000 End 00b2ffff Tag Vad 
Flags: 
Commit Charge: 0 Protection: 1
ControlArea @81fd22b0 Segment e179a4b8
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences:          1 NumberOfPfnReferences:           0
NumberOfMappedViews:                6 NumberOfUserReferences:          7
WaitingForDeletion Event:  00000000
Flags: Commit, HadUserReference
FileObject: none
First prototype PTE: e179a4f8 Last contiguous PTE: e179a770
Flags2: Inherit
File offset: 00000000

VAD node @81c38a60 Start 00400000 End 0046bfff Tag Vadl
Flags: ImageMap
Commit Charge: 6 Protection: 7
ControlArea @81bc9008 Segment e18fbc30
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences:          1 NumberOfPfnReferences:          80
NumberOfMappedViews:                1 NumberOfUserReferences:          2
WaitingForDeletion Event:  00000000
Flags: Accessed, File, HadUserReference, Image
FileObject @81bc902c FileBuffer @ e1dc2008          , Name: \Program Files\RealVNC\VNC4\winvnc4.exe
First prototype PTE: e18fbc70 Last contiguous PTE: fffffffc
Flags2: Inherit, LongVad, ReadOnly
File offset: 00000000

※以下省略
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\Password
# python vol.py -f dump.raw hivelist
Volatile Systems Volatility Framework 2.0
Virtual     Physical    Name
0x8066e904  0x0066e904  [no name]
0xe1809008  0x08bfd008  \Device\HarddiskVolume1\Documents and Settings\eleve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1986008  0x09f7e008  \Device\HarddiskVolume1\Documents and Settings\eleve\NTUSER.DAT
0xe17a9768  0x08a48768  \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe179b758  0x08a40758  \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1770008  0x085d6008  \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe175fb60  0x08410b60  \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe13ffb60  0x02f2bb60  \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe14ab008  0x07023008  \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe14abb60  0x07023b60  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe14e4758  0x0369d758  \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe12e8288  0x02d65288  [no name]
0xe1035b60  0x02aafb60  \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008  0x02ab1008  [no name]
#
# python vol.py -f dump.raw printkey -o 0xe13ffb60
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: User Specified
Key name: $$$PROTO.HIV (S)
Last updated: 2011-03-10 13:09:47 

Subkeys:
  (S) C07ft5Y
  (S) Classes
  (S) Clients
  (S) Gemplus
  (S) Microsoft
  (S) ODBC
  (S) Policies
  (S) Program Groups
  (S) RealVNC
  (S) Schlumberger
  (S) Secure
  (S) Windows 3.1 Migration Status

Values:
#
# python vol.py -f dump.raw printkey -o 0xe13ffb60 -K "RealVNC"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: User Specified
Key name: RealVNC (S)
Last updated: 2011-03-10 13:09:47 

Subkeys:
  (S) WinVNC4

Values:

#
# python vol.py -f dump.raw printkey -o 0xe13ffb60 -K "RealVNC\WinVNC4"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: User Specified
Key name: WinVNC4 (S)
Last updated: 2011-03-10 13:10:51 

Subkeys:

Values:
REG_BINARY    Password        : (S) 
0000   DA 6E 31 84 95 77 AD 6B                            .n1..w.k

REG_SZ        SecurityTypes   : (S) VncAuth
REG_SZ        ReverseSecurityTypes : (S) None
REG_DWORD     QueryConnect    : (S) 0
REG_DWORD     QueryOnlyIfLoggedOn : (S) 0
#
>vncpwdump.exe -k DA6E31849577AD6B

VNCPwdump v.1.0.6 by patrik@cqure.net
-------------------------------------
Password: secretpq

>