SIFT Workstation: Video 5 Gmail Passwords inside Memory Dumps

OK, so the blog post before this one got me thinking about whether or not I could extract email passwords out of a memory dump just by using strings. I assumed it was possible, so I set off and gave it a try.

I didn't want to search for "gmail", dig through a pile of text for a potential username, and then grep for that username hoping to find a password next to it. Instead I used Burp Suite to watch what kind of raw data is sent across the wire when authenticating to various email accounts (specifically Gmail in this case).

Once I had identified a few "strings" (the login form field names), I used strings and grep to search for them in the dump. Turns out this was MUCH quicker. And, well, it worked: it spat out the username and the password.

So while I was uploading the video I went back and ran some tests against hotmail.com.

Here is the important information that I grabbed from Burp Suite. The items marked in red (the login form field names such as Email=, Passwd=, login= and passwd=) could be used to quickly run strings against a memory dump, or any image for that matter.

Here is a YouTube Video I made:

Gmail

GET /mail?gxlu=gmail123&zx=1327833361930 HTTP/1.1
continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm
=false&dsh=5396061135614979233&ltmpl=default&ltmpl=default&scc=1&GALX=- ELjIRn4GYQ&pstMsg=1&dnConn=&checkConnection=youtube%3A3354%3A0&
checkedDomains=youtube&timeStmp=&secTok=&
Email=gmail123* Passwd=password123

Hotmail

login=hotmail123@hotmail[.]com passwd=password123&type=11&LoginOptions=3 &NewUser=1&MEST=&PPSX=Passpor& PPFT=CqHCoxXtuDNtwn4H6vmMonNeLs0c%21bhU1IEDCfeNQs7CLyLfA
xylv4YiHg%24%24&idsbho=1&PwdPad=&
sso=&i1=&i2=1&i3=23665&i4=&i12=1
;i13=&i14=249&i15=1575&i17=

Yahoo

.tries=1&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.lang=en-US&.bypass=&.partner=&. u=alh21ud7ia824&.v=0&.challenge=SC.wAQ3hvKZJtX3qoD.gur0b1HP2&.yplus=&.emailCode=&
pkg=&stepid=
.ev=&hasMsgr=1&.chkP=Y&.done=http%3A%2F%2F mail.yahoo.com&.pd=ymver%3D0%26c%3D%26ivt%3D%26sg%3D
ws=1&.cp=0&pad=5&aad=6&
login=username123 passwd=password123 .save=&passwd
raw=
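As an added example (not part of the original post), here is a Python script that automates the strings-and-grep step from the defender's side: it scans a raw memory image for the login form field names seen in the captures above and reports where a cleartext credential survived in memory, without copying the password itself into the report. The field names come from the captures; the sample dump bytes and the offsets are constructed for this example.

```python
import re
from typing import Dict, List

# Form field names from the Gmail/Hotmail/Yahoo captures above. They are
# case-sensitive on the wire, so "Passwd" and "passwd" are both listed.
USER_FIELDS = (b"Email", b"login")
PASS_FIELDS = (b"Passwd", b"passwd")

# A URL-encoded form value: stops at '&', whitespace, NUL or any byte that
# cannot appear in an application/x-www-form-urlencoded value.
_VALUE = rb"([A-Za-z0-9%._@+\-]{1,128})"
_USER_RE = re.compile(rb"\b(" + b"|".join(USER_FIELDS) + rb")=" + _VALUE)
_PASS_RE = re.compile(rb"\b(" + b"|".join(PASS_FIELDS) + rb")=" + _VALUE)


def find_credential_residue(dump: bytes, window: int = 512) -> List[Dict]:
    """Locate login-form parameters in a raw memory image.

    For each username field, look ahead up to `window` bytes for a password
    field belonging to the same request body. The password value itself is
    never returned: only its byte length and offset, so the report can be
    shared without spreading the secret further.
    """
    findings = []
    for user_match in _USER_RE.finditer(dump):
        start = user_match.end()
        pass_match = _PASS_RE.search(dump, start, start + window)
        findings.append({
            "offset": user_match.start(),
            "user_field": user_match.group(1).decode(),
            "username": user_match.group(2).decode(),
            "password_field": pass_match.group(1).decode() if pass_match else None,
            "password_offset": pass_match.start() if pass_match else None,
            "password_length": len(pass_match.group(2)) if pass_match else None,
        })
    return findings


# Constructed sample "memory dump": filler bytes around fragments shaped like
# the Gmail and Yahoo request bodies quoted above (all values are made up).
SAMPLE_DUMP = (
    b"\x00" * 64 + b"GET /mail?gxlu=gmail123 HTTP/1.1\r\n" + b"\x00" * 32
    + b"continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail"
    + b"&Email=gmail123&Passwd=password123&ltmpl=default" + b"\x00" * 128
    + b".tries=1&.src=ym&login=username123&passwd=password123&.save=" + b"\x00" * 16
    + b"\xff" * 40 + b"login=orphan_user&.done=http%3A%2F%2Fmail.yahoo.com"  # no password nearby
)

if __name__ == "__main__":
    for f in find_credential_residue(SAMPLE_DUMP):
        print(f"0x{f['offset']:08x} {f['user_field']}={f['username']} "
              f"password_field={f['password_field']} length={f['password_length']}")
```

Running it against a real image is the same call with `open(path, "rb").read()` in place of SAMPLE_DUMP; every hit is a place where a login was still sitting in cleartext in RAM when the capture was taken.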