Jump to content

Windows and Linux memory dump


Bumblebee08

Recommended Posts

Would it be possible to use the bash bunny for dumping the entire memory on both Windows and Linux systems (payload 1 & 2)? For example with volatility and LiME, but without installing anything on the target systems.

Has anyone looked into this idea aleady? Would it be possible to install and run software from the bash bunny or use some sort of portable software that doesn't require installation?

Link to comment
Share on other sites

Best way to do this would be to dump it to a remote storage.  Maybe share windows drive or samba/smbserver.py server on a machine with more storage.

On Windows you could need the out-minidump.ps1 script from Powersploit framework which can dump a process or use get-process and to get all the processes and pipe it to the cmdlet specifying the smb path and file (with credentials if necessary) to remote locate.  Make sure it runs hidden and you will not have to stick around while the dump is going.

For linux you will have to do it with the script language of your choice and mount to the smb machine and the you could dd the memory.  Do not know a way to target a process so it will be all of it.  you can use "dd if=/dev/fmem of=/smbmountpoint/linuxmem.dmp".  If you run this hidden you can leave and hope it gets done.

 

Have not tried any of this.  Just know these are the ways you get memory dumps from both machines effectively.  Helps if you are admin on both machines since permissions may break the process.

Link to comment
Share on other sites

I was thinking about this idea to create some sort of forensically sounds manner to automatically create a memory dumps for incident response. So there has to be none or minimal changes to the host system and it doesn't matter if it takes some time to load and create an actual image. But I want to be able to create these memory dumps locally, instead of over the network. Of course there are already some nice tools that can do the job, but I thought it would be cool to see if the Bash Bunny could be used, because of the payload selector switch.

Thanks for mentioning Powersploit, PoSHMagiC0de. Looks very interesting!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...