Thursday, December 19, 2013

Exercise 18.3 - Memory Analysis of a Windows Server 2003 / XP Machine Attacked via the MS08-067 Vulnerability

  1. Copy the memory image file from the instructor's machine (or dump the memory yourself on the machine you exploited)
  2. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine
  3. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  4. Bring up the GNOME desktop
    • Instructions
      1. Type startx

Section 2. Bring up a console terminal
  1. Bring up a console terminal
Section 3. Using Volatility
  1. Navigate to Volatility
    • Instructions
      1. cd /pentest/forensics/volatility
      2. ls -l vol.py
  2. Obtain the image profile
    • Instructions:
      1. ./vol.py imageinfo -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd
    • Notes:
      • The Volatility Framework tries to guess and tell you what image profile to use.
      • We know that our Server is Windows XP running SP2.
      • Volatility suggests that we use either the WinXPSP3x86 or the WinXPSP2x86 profile.
      • We will use the WinXPSP2x86 profile.
  3. View Open Connections
    • Instructions
      1. ./vol.py --profile=WinXPSP2x86 connections -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd
        • This command just displays output on the screen.
      2. ./vol.py --profile=WinXPSP2x86 connections -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd > /var/forensics/images/WV01_MS08067_VNC/connections.txt
        • This command saves the output to a file called connections.txt
    • Notes:
      • The Metasploit Session has a process ID of 1048 and is connected to port 4444 on the Victim's machine.
      • The last line is the Helix Netcat Dump, which is connected to port 8888 on the BackTrack machine.
      • Record the PID of the Metasploit session for the next steps.  In my case it is 1048.  In your case, it will be different.

  4. Searching for Specific Processes
    • Instructions:
      1. ./vol.py --profile=WinXPSP2x86 pslist -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd > /var/forensics/images/WV01_MS08067_VNC/pslist.txt
        • This command saves the process list to a file.
      2. ./vol.py --profile=WinXPSP2x86 pslist -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd | egrep '(Off|---|1048)'
        • This command will show the column header line along with the PID 1048.
        • Remember 1048 was the PID associated with the Metasploit Session attached to port 4444.  It will probably be different in your case.
        • The svchost.exe process was attacked at 16:28 on 1-17-2012.
  5. View Socket Connections
    • Instructions:
      1. ./vol.py --profile=WinXPSP2x86 sockscan -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd > /var/forensics/images/WV01_MS08067_VNC/sockscan.txt
        • This command lets you view all open Socket Connections.
      2. ./vol.py --profile=WinXPSP2x86 sockscan -f /var/forensics/images/WV01_MS08067_VNC/WV01_VNC.dd | egrep '(Off|---|1048)'
        • Note: This command filters the socket scan down to the sockets associated with PID 1048.
    • Notes:
      • In summary, we can say with confidence that Metasploit exploited PID 1048 (svchost.exe) at 16:43 on 1-17-2012 and connected to the Victim using port 4444.
      • We have less confidence about when cmd.exe (the Metasploit courtesy command prompt) was started over port 4444, because its creation time is more than 9 hours and 30 minutes after the svchost.exe attack. The VNC payload launches a command prompt immediately, so its creation time should be very close to the svchost.exe time.
      • The previous point could be a credibility problem in court. I will work on some deeper forensics to show how this time was modified.
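As an added example (not part of this lab or of the Volatility project), the script below parses saved `connections` and `pslist` output, finds the PID bound to port 4444, and flags any child process created long after its parent, which is the cmd.exe timing gap discussed in the notes above. The sample output rows, the PIDs and the 1-hour threshold are constructed assumptions, not values from the lab image.

```python
import re
from datetime import datetime

# Constructed sample text in the layout of Volatility 2.x 'connections' and 'pslist'
# output (NOT the real connections.txt / pslist.txt from the lab image).
CONNECTIONS_TXT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8200a008 192.168.1.105:4444        192.168.1.106:1032        1048
0x81f5e2a8 192.168.1.105:1045        192.168.1.106:8888        1240
"""
PSLIST_TXT = """\
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ --------------------
0x8227a020 svchost.exe             1048    656     22    214 2012-01-17 16:43:12
0x81e0c3f0 cmd.exe                 1296   1048      1     30 2012-01-18 02:15:40
0x81f1c020 nc.exe                  1240   1296      2     41 2012-01-18 02:16:10
"""
# Only rows starting with an 0x offset match, so header/separator lines are skipped.
CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$", re.I)
PROC_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+).*?(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", re.I)

def parse_connections(text):
    """Return {pid: [(local_ip, local_port, remote_ip, remote_port), ...]}."""
    conns = {}
    for m in filter(None, (CONN_RE.match(l.strip()) for l in text.splitlines())):
        conns.setdefault(int(m.group(6)), []).append((m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return conns

def parse_pslist(text):
    """Return {pid: {"name", "ppid", "start"}} using the first timestamp column (Time/Start)."""
    procs = {}
    for m in filter(None, (PROC_RE.match(l.strip()) for l in text.splitlines())):
        procs[int(m.group(3))] = {"name": m.group(2), "ppid": int(m.group(4)),
                                  "start": datetime.strptime(m.group(5), "%Y-%m-%d %H:%M:%S")}
    return procs

def pids_on_port(conns, port):
    """PIDs owning a socket whose local or remote port is `port` (4444 = the Metasploit handler)."""
    return sorted(p for p, lst in conns.items() if any(port in (c[1], c[3]) for c in lst))

def timeline_anomalies(procs, max_gap_hours=1.0):
    """Children started more than max_gap_hours after their parent (e.g. cmd.exe ~9.5 h after svchost.exe)."""
    found = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent:
            gap = round((p["start"] - parent["start"]).total_seconds() / 3600, 2)
            if gap > max_gap_hours:
                found.append((pid, p["name"], p["ppid"], parent["name"], gap))
    return found
```

Run it against your own connections.txt and pslist.txt by reading the files into the two variables; a flagged entry is the process whose creation time needs the deeper look the notes promise.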
