29 01 2012
SIFT Workstation: Video 5 Gmail Passwords inside Memory Dumps
OK, so the blog post before this one got me thinking about whether or not I could extract email passwords out of a memory dump using strings. I assumed it was possible, so I set off and gave it a try.
I didn't want to have to search for "gmail", then look through a bunch of text for a potential username, then grep for that username looking for a password. Instead I decided to use Burp Suite and watch what kind of raw data is sent across the wire when authenticating to various email accounts (specifically Gmail in this case).
Once I had identified some marker strings, I used strings and grep to search them out. This turned out to be MUCH quicker, and it worked: it spat out the username and the password.
So while I was uploading the video I went back and ran some tests against hotmail.com.
Here is the important information that I grabbed from Burp Suite. The items shown in red in the original post (the username and password field names in the captures below) can be used to quickly run strings against a memory dump, or any image for that matter.
Gmail:
GET /mail?gxlu=gmail123&zx=1327833361930 HTTP/1.1
continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&dsh=5396061135614979233&ltmpl=default&ltmpl=default&scc=1&GALX=-ELjIRn4GYQ&pstMsg=1&dnConn=&checkConnection=youtube%3A3354%3A0&checkedDomains=youtube&timeStmp=&secTok=&Email=gmail123&Passwd=password123&signIn=Sign+in&rmShown=1
Hotmail:
login=hotmail123@hotmail.com&passwd=password123&type=11&LoginOptions=3&NewUser=1&MEST=&PPSX=Passpor&PPFT=CqH*CoxXtuDNtwn4H6vmMonNeL*s0c%21bhU1IEDCfeNQs7CLyLfA[snip]xylv4YiHg%24%24&idsbho=1&PwdPad=&sso=&i1=&i2=1&i3=23665&i4=&i12=1&i13=&i14=249&i15=1575&i17=
Yahoo:
.tries=1&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.lang=en-US&.bypass=&.partner=&.u=alh21ud7ia824&.v=0&.challenge=SC.wAQ3hvKZJtX3qoD.gur0b1HP2&.yplus=&.emailCode=&pkg=&stepid=&.ev=&hasMsgr=1&.chkP=Y&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%3D0%26c%3D%26ivt%3D%26sg%3D&.ws=1&.cp=0&pad=5&aad=6&login=username123&passwd=password123&.save=&passwd_raw=
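As an added example (my own code, not part of the original post), the following Python script does the strings-and-grep step described above against a constructed sample buffer standing in for a memory image, tells the three login forms apart by their field names, and masks the password so an examiner's triage report records that plaintext credentials persist in memory without reproducing them. The PROVIDERS table, the masking rule and the sample bytes are assumptions of mine; the field names come from the captures above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample "memory dump": binary padding around fragments of the three
# login POST bodies shown above (field names from the page; values are made up).
SAMPLE_DUMP = (
    b"\x00\x01\xff\xfe\x00junk\x00\x00"
    b"continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&GALX=-ELjIRn4GYQ"
    b"&Email=gmail123&Passwd=password123&signIn=Sign+in&rmShown=1"
    b"\x00\x00\x00\x00"
    b"login=hotmail123@hotmail.com&passwd=password123&type=11&PPSX=Passpor&PPFT=xx"
    b"\x00\x7f\x80\x00"
    b".src=ym&.intl=us&login=username123&passwd=password123&.save=&passwd_raw="
    b"\x00\x00"
)

# (provider, username field, password field, a field that tells the forms apart)
PROVIDERS = [
    ("gmail",   "Email", "Passwd", "signIn"),
    ("hotmail", "login", "passwd", "PPSX"),
    ("yahoo",   "login", "passwd", ".src"),
]

def printable_runs(data, min_len=8):
    """Emulate `strings`: yield (offset, text) for each run of printable ASCII."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def mask(secret):
    """Keep only the first character and the length so the report cannot leak the password."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""

def find_credentials(data):
    """Return [(offset, provider, username, masked_password)] for each login form body found."""
    findings = []
    for offset, text in printable_runs(data):
        # parse_qs decodes %xx escapes and '+' so the values compare cleanly
        fields = parse_qs(text, keep_blank_values=True)
        for provider, ufield, pfield, marker in PROVIDERS:
            if ufield in fields and pfield in fields and marker in fields:
                findings.append((offset, provider, fields[ufield][0], mask(fields[pfield][0])))
    return findings

if __name__ == "__main__":
    for offset, provider, user, pw in find_credentials(SAMPLE_DUMP):
        print(f"offset 0x{offset:x}: {provider} user={user} password={pw}")
```

Point `find_credentials` at the bytes of a real image file to run the same check on a dump; the masked output is what belongs in a report.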
Hey Patrick, just wanted to let you know that I wrote a post on my blog that links and refers to your blog.
Here's the link: http://dankillam.com/2012/02/some-bold-and-broad-goals-for-2012/