Paper Tiger Posted February 5, 2016 Long story short: I had a box at work get compromised, and I pulled it off the network then initiated a forensic investigation. When the vendor came back with the report, one section showed a memory dump of all the accounts on the box. All except one account showed their passwords encrypted; that last account showed the password in clear text in memory. What can I start looking up to understand how or why this would happen? I figured this would be a good place to ask this question. The PC is Windows 7, and the account that had its PW in clear text in the memory dump was domain admin.
cooper Posted February 8, 2016 My first thinking is that the pwning of the box resulted in a program being resident in memory with the unencrypted domain admin password at its disposal. So it's not so much the OS that had it in plain text but rather the attacker. Even storing the actual password, encrypted or not, is a bad idea. The user should provide it and the target platform should retain information about it without actually storing the thing itself (a.k.a. a password hash).
Paper Tiger (Author) Posted February 8, 2016 My understanding is that Windows always stores passwords in SAM files on the disk. Got any good links to show me how to implement what you're referring to?
cooper Posted February 9, 2016 Not really (really not). But it shouldn't be hard to consider what I'm saying. My assumption is that, as you say, Windows only retains the hashed password on disk, never unencrypted. You have a memory dump on disk which I'm assuming to be the full memory, so not just the Windows OS relevant bits but the whole shebang. If there's a program running at the time of the dump that, for whatever reason, had the string "BendOverAndTakeItLikeAConvict" in memory, and this program hadn't been swapped out to disk yet, it would show that exact string somewhere in the memory dump. If you think this string was in memory because of some program you yourself wrote, there are ways to prevent them from ending up in swap: Linux; Windows & Linux (2nd answer). Your friends at IBM provide some more details on how to do it in code and, specifically, in managed languages like Python and Java.
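The point cooper makes above (a credential a program holds in memory is exactly what a full memory dump will show, unless the program keeps it out of swap and wipes it when done) as an added C example for Linux; this is not code from the thread or from any of the linked pages, the `struct secret` API and the sample password are constructed for illustration, and `region_contains` stands in for the string search an analyst would run over a dump:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>   /* mlock/munlock are POSIX; Windows has VirtualLock */
/* Hypothetical holder for a credential while a program needs it in memory. */
struct secret { unsigned char *buf; size_t len; int locked; };
/* Volatile stores cannot be optimised away, unlike a memset() right before free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}
/* Copy the credential into a buffer and pin its page so it is never swapped.
   mlock can fail under RLIMIT_MEMLOCK; s->locked records whether it succeeded. */
int secret_hold(struct secret *s, const char *plaintext) {
    s->len = strlen(plaintext);
    s->buf = malloc(s->len + 1);
    if (!s->buf) return -1;
    memcpy(s->buf, plaintext, s->len + 1);
    s->locked = (mlock(s->buf, s->len + 1) == 0);
    return 0;
}
/* Wipe in place; returns how many non-zero bytes remain (expected 0). */
size_t secret_wipe(struct secret *s) {
    size_t leftover = 0;
    secure_wipe(s->buf, s->len + 1);
    for (size_t i = 0; i <= s->len; i++) leftover += (s->buf[i] != 0);
    return leftover;
}
/* Unlock only after wiping, so the page is never swappable while it holds data. */
void secret_release(struct secret *s) {
    if (s->locked) munlock(s->buf, s->len + 1);
    free(s->buf);
    s->buf = NULL;
}
/* What a string search over a memory dump would see: 1 if needle is in region. */
int region_contains(const unsigned char *region, size_t len, const char *needle) {
    for (size_t i = 0, n = strlen(needle); n && i + n <= len; i++)
        if (memcmp(region + i, needle, n) == 0) return 1;
    return 0;
}
int main(void) {
    struct secret s; const char *pw = "Example-Constructed-Pa55word";  /* constructed sample */
    if (secret_hold(&s, pw) != 0) return 1;
    printf("visible before wipe: %d\n", region_contains(s.buf, s.len + 1, pw));
    printf("non-zero bytes left after wipe: %zu\n", secret_wipe(&s));
    printf("visible after wipe: %d\n", region_contains(s.buf, s.len + 1, pw));
    secret_release(&s);
    return 0;
}
```

Locking keeps the page out of the swap file only; a dump of live RAM still captures the secret during the window between `secret_hold` and `secret_wipe`, which is why that window should be as short as possible.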
Paper Tiger (Author) Posted February 9, 2016 AHAHAHAHAHAHA - Syrup or jelly? Thanks for laying it out for me like that, I really appreciate it!
i8igmac Posted February 9, 2016 Have you found any tools left behind? A virus scan might show the location where the guy made himself feel at home... Try to recover deleted files from the locations discovered... This sounds like a lot of fun... I'm sure a publicly available tool was uploaded to the Windows 7 machine to crack the password. But the exploits used would be exciting to hunt down... or what if it was done by a person in the building... boot up the Windows 7 machine with Kali and give me SSH :-)
Paper Tiger (Author) Posted February 9, 2016 I know, right? I love this detective stuff. Too bad management took the PC and turned it over to an outside vendor before I could complete the decryption process and use bootable tools. :( However, they did tell me that they're going to pay for my OSCP to get more of this going on in house. OSCP is a good start.... Scanning didn't show anything, and Carbon Black was ineffective too. The only way we knew the box was compromised was from insider threat software setting off an alarm from a time when the user was out of the office. I scanned that PC with a bunch of free tools and didn't find anything.
Mr-Protocol Posted May 25, 2016 Most programs do not encrypt while in memory. That applies to passwords. The SAM file is encoded and not in plain text. Look into the mimikatz tool that is made to pull plain text passwords from memory. It beats pass the hash or cracking them. https://www.offensive-security.com/metasploit-unleashed/mimikatz/
0phoi5 Posted June 3, 2016 On 09/02/2016 at 7:42 AM, cooper said: "BendOverAndTakeItLikeAConvict" My work colleagues were concerned that I was suddenly laughing out loud.
Paper Tiger (Author) Posted June 20, 2016 I can't believe I forgot about Mimikatz!!!! How could I forget how that worked??? !!! Thanks guys! Senior moment I guess.
Paper Tiger (Author) Posted June 20, 2016 On 6/3/2016 at 5:56 AM, haze1434 said: My work colleagues were concerned that I was suddenly laughing out loud. Likewise