Jump to content

Dumping Passwords from Memory with Pmdump Video


Vivek Ramachandran
 Share

Recommended Posts

In this video i make a simple demonstration of how we can dump a program's memory and then use the strings program to find in memory passwords and other sensitive information. A large number of applications can fall prey to this security vulnerability and get their user's passwords hacked - web browsers, email clients, instant messengers etc fall in this category. The main idea behind the hack is that while the application is running, we should be able to dump its entire memory to file, without having to stop or tamper with the application in any way.

http://securitytube.net/Dumping-Passwords-...dump-video.aspx

Link to comment
Share on other sites

I was playing with this the other day. I got it working against remote hosts on my network and did a mini write up on when my online bank account was vulnerable and when it wasn't.

The problem is the vast amount of data that gets dumped. And searching in a string like 'password' or 'login' will rarely get you useful information. You really need to know the specifics of what you are looking for. For example, the start of your/victim's password(s).

Regardless, i really like this tool and would like to see it developed with some other features or at least utilized with some other code. I had a few sinister ideas floating around but i don't think i will share them here :)

Link to comment
Share on other sites

I was playing with this the other day. I got it working against remote hosts on my network and did a mini write up on when my online bank account was vulnerable and when it wasn't.

The problem is the vast amount of data that gets dumped. And searching in a string like 'password' or 'login' will rarely get you useful information. You really need to know the specifics of what you are looking for. For example, the start of your/victim's password(s).

Regardless, i really like this tool and would like to see it developed with some other features or at least utilized with some other code. I had a few sinister ideas floating around but i don't think i will share them here :)

I agree. I think a good way to solve this problem might be to first take the application, put your password in and check the surrounding memory bytes for a prefix or a postfix pattern. If there is a pattern which emerges (we can do this my running the program multiple times on say different machines), we can use it for searching the memory dump of a binary for which the password is unknown and then find it.

Should work.

Link to comment
Share on other sites

Nice video, though you may want to mention where you get everything, like pdump. I know you mentioned the little test program being on the same page, but unless everything else is there too it doesn't do anyone any good.

Thanks, i am glad you liked the video. The link to Pmdump etc was mentioned in the summary of the video

Quoting from the summary:

"Please download a copy of the Pmdump programs and Strings program before continuing with this video. Also, we shall use the demo application MemPass.exe to show the vulnerability. The application is a very simple piece of code which takes the user input, clears the screen and pauses its execution. "

Pmdump is a hyperlink to the downloadable binary.

Link to comment
Share on other sites

Vivek Ramachandran I was thinking the same thing though with different architectures, different OS, different version it my cause problems

we will have to really try it out and check. In some cases if the program code itself - prepends or appends some metadata to the credentials then that should remain the same always, else it might differ across architectures, OSs, program versions etc

Will probably find some time next weekend to try it out and see. Let me know if you get a chance to try and get results..

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...