Linux Memory Tools

First real snow of the season here in the southern part of New England means that I'm sitting home, ready to write about some new tools in security :)  So, armed with a cup of coffee, a keyboard, and hoping that the power won't go out… again… we have the makings of a new article :)

Before we start talking about memory tools, let me first, for those of you who are wondering what in the world we would need to do in memory, explain the point of the tools and a bit of history.  We tend to believe that RAM is instant, that we can instantly write to it, that we can instantly erase it by turning off the power, and that somehow it's a safe place to store things, because nobody can exploit it, right?  Well, it certainly looked that way until about the beginning of 2008, when a couple of guys, well, much more than a couple, more like a bunch, namely J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten of Princeton University published a research paper that undermined most people's understanding of RAM. They showed that memory did not momentarily lose its contents, but rather degraded over a period of time, long enough that if you were able to remove the memory from one machine and put it in another, you could reapply power and read the contents; in fact the research shows that some types of memory retained information for up to a couple of minutes.  Well, so what do I get out of it, you ask?  They also showed that there are programs on most current-day operating systems that store password hashes in RAM, so with this you have a new way to get passwords, and not just any local passwords: on Windows machines, for example, you could get the hashes for AD authentication, and RSA and AES hashes which can allow one to decrypt normally securely encrypted information, and that, if you know what I mean, can be a BIG deal :)

Back to apples or oranges, whatever you prefer, oh wait, geeks, riight, back to coffee :) , there has been later research into this, and new attack vectors have sprung from this initial research; boot kits are prime examples of things that reside in memory and would be untraceable on systems by the computer forensics experts of this day. If you aren't familiar with boot kits, please refer to this excellent article.  Normally, to analyze how the security of a particular system was breached, the computer forensics experts will unplug the computer, take out the hard drive, put it in a little write-protection enclosure, take it back to their office and dissect the data piece by piece, reviewing activities, logs, files, etc, etc. The problem with a boot kit is that if correctly implemented, it will leave no traces on the hard drive; it will be running completely in RAM, and a couple of minutes after the system gets unplugged all of that data is gone, while on the hard drive side of it, it will look completely as though there was no intrusion to begin with.  There are other exploits that get to memory directly: what if the exploit was transported via a FireWire device that wrote the executable code right into memory, then the device was taken out and data was slowly sent out to a third-party server somewhere in another country where it was safely picked up later? Thus everything you would need to identify an intrusion and trace the data is all in RAM, and moments after shutting off the machine, it is gone…

For those types of attacks, there are some new, interesting Linux tools that recently became available. Unfortunately this is a new venue, and there hasn't been enough time to develop analysis tools yet, at least none that are publicly available that I know of, but students at Princeton University have put out a couple of tools that are already a step in the right direction. They have released a memory imager; it's a tool that runs on a tiny Linux distro that is bootable either via USB or PXE, though the process is slightly different for each (look at their documentation of the tools, it's in the sources section at the end of the article). Basically you would reset the machine, by either hitting the reset button, or unplugging and plugging the machine back in, plug in the USB stick if you choose to use it, or if not, go into the boot device options and make the computer boot off whichever method you chose to get the image of the system's RAM, then boot the device. If you are using USB, the stick will automatically pull the contents of RAM; PXE will not, you have to run a command on the server (in the pxedump dir, there is a file called pxedump, you would run ./pxedump target_ip > mem.img).  Once the process is done (either method) the machine will be shut down or rebooted, depending on whether APM works correctly.  If you used the USB stick you will still need to extract the memory dump. A tool for that is provided with the USB bootable image; you run it on the machine you will use to analyze the memory dump. To run it you need to be root, or similarly you can use sudo: sudo ./usbdump {usb device such as /dev/sdc} > mem.img

From here you can use creative techniques to get data out of RAM; for example you can use the strings utility to scan the image for words, or you could use the AES and RSA extraction utilities to pull keys out of the image. All those techniques are beyond this particular discussion, but they are described in the white paper that is available in the sources list. Also, not all memory can be dumped this way.  Some machines that run ECC RAM will zero the RAM before booting; in those cases significantly lowering the temperature of the RAM and moving it to a machine that does not zero the RAM first would be the only way to retrieve the contents of such memory in this fashion… BTW, the research showed that you didn't have to chill memory to liquid nitrogen temperatures; cooling it with the contents of a CO2 can (flip it upside down) greatly prolonged how long this once-thought-of-as-instant memory retained its information…
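As an added example (mine, not code from the article or from the Princeton toolkit), here is the consistency check that finds AES-128 key schedules in a dump like mem.img, run over a constructed 4 KiB image: the same check tells a defender whether an encryption tool really scrubbed its keys before suspend or shutdown, and its exact-match weakness shows why decayed memory needs the error-tolerant search the white paper describes.

```python
# Added example, not from the article or the Princeton tools: the AES-128 key-schedule
# consistency check that cold-boot key finders rely on. An expanded AES-128 key is 176
# contiguous bytes; a 16-byte window followed by its own key expansion is a live key.
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _build_sbox():
    """AES S-box computed rather than tabulated: GF(2^8) inverse, then affine map."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):                        # 0x03 generates GF(2^8)*
        exp[i], log[x] = x, i
        x ^= ((x << 1) ^ 0x1B) & 0xFF if x & 0x80 else x << 1
    sbox = []
    for v in range(256):
        inv = exp[(255 - log[v]) % 255] if v else 0
        s = inv
        for r in (1, 2, 3, 4):                  # s = inv ^ rotl(inv, 1..4) ^ 0x63
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))

def find_aes128_schedules(image):
    """Offsets where an intact AES-128 key schedule begins (exact match only)."""
    return [off for off in range(len(image) - 175)
            if image[off:off + 176] == expand_key_128(image[off:off + 16])]

def build_sample_image(seed=7, size=4096):
    """Constructed 4 KiB 'dump': random filler, the FIPS-197 sample key's schedule
    at offset 1000, and the same schedule with one decayed bit at offset 2500."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[1000:1176] = expand_key_128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    buf[2500:2676] = buf[1000:1176]
    buf[2600] ^= 0x01                            # one flipped bit: exact match fails
    return bytes(buf)
```

Only the intact copy at offset 1000 is reported; the copy at 2500 with a single decayed bit is missed, which is why the Princeton utilities compare round keys with error tolerance instead of exact equality.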

Sources:

research: http://citp.princeton.edu/memory/

white paper: http://citp.princeton.edu/pub/coldboot.pdf

tools: http://citp.princeton.edu/memory/code

Also a recently published article in the Linux Journal, titled "Cold Boot Attack Tools for Linux" by Kyle Rankin.

- Niksoft -

Yet Another IE 0-Day

This is more of a word of caution, there is a new IE 0-day out that allows one to run remote code execution attacks on someone’s machine.  Earlier this December, researchers found an exploit of the browser’s DHTML Data Binding functions that is easily exploitable via a properly crafted web page.  It’s not uncommon to [...]

Script Fragmentation

Script Fragmentation is a new attack vector, recently revealed at a couple of security conferences around the world.  It is a new browser attack that provides a way of bypassing most security measures and scanners, that builds on Web 2.0 roots, and by exploiting techniques that are used in everyday Web 2.0 applications to [...]

Firefox 3.1 Beta2 Is Out

Firefox 3.1 Beta2 was just released today, together with a list of extensions it does not yet support, and it finally comes with the one feature that I have been looking for in a browser for the past 3 years!  It now has a mode that allows you to browse in a way that does not [...]

National Cyber Security Advisor

It is finally clear that the Obama administration is much more technically minded than the previous administration; this week there is talk that the incoming administration is putting together a group of people that would advise the president on issues of cyber security.
Now, we all know that the current administration was not too keen on saving [...]

Personal Vulnerability Assessment Tool

Just letting you know, Secunia, which happens IMHO to be perhaps the biggest security firm on the East coast of the US, has just put out a personal security vulnerability assessment tool, PSI for short.  This is a personal tool and is being released free of charge for personal use.  The tool scans your local [...]

BackTrack 4 and Other Remote Exploit Goodies

Anyone who is in the security field knows of, or has probably heard of, BackTrack, a live Linux distribution put out by the Remote Exploit team.  They are up to version 3, and going strong; each version featured software that was at the cutting edge of exploitation technology at the time, and their next release will [...]

XP Recovery, The Hard Way

Only try this if all else fails…  Or in cases when the installer is being stubborn and the error is not documented… Or for any reason, to test this, to comment on this, just to do it for fun, whatever
Sources:
Why sources here? I think the guy who wrote that other article up, deserves [...]

DIY XP SP Any CD

I wrote up this tutorial because I needed to make the latest XP CD to fix someone's XP system (money is money, right?). It is not uncommon knowledge, but this is still a more complete tutorial than I've been able to find, and it has done well as a reference for myself, now that [...]

Open-Source HIDS

The one I am extremely excited about is called OSSEC; as they say themselves, "OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS)", and it's exactly that: an open-source, almost platform-independent, host-based IDS that is extremely versatile and configurable to serve your needs.

