karspersky Helpme

常规分析

查看内存快照的属性

volatility -f ./memory.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/flier/Desktop/karspersky/helpme/memory.vmem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82961be8L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x82962c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2017-09-25 12:18:53 UTC+0000
     Image local date and time : 2017-09-25 15:18:53 +0300

查看内存快照的进程

volatility -f ./memory.vmem --profile=Win7SP0x86 pstree
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x86aa8328:wininit.exe                               400    336      3     74 2017-09-25 12:08:15 UTC+0000
. 0x86d28558:lsm.exe                                  516    400      9    141 2017-09-25 12:08:15 UTC+0000
. 0x8cbc0030:services.exe                             500    400      7    191 2017-09-25 12:08:15 UTC+0000
.. 0x86f094f8:svchost.exe                             768    500     20    452 2017-09-25 12:08:16 UTC+0000
.. 0x870aa3b8:vmtoolsd.exe                           1684    500      9    288 2017-09-25 12:08:18 UTC+0000
... 0x85730030:cmd.exe                               1956   1684      0 ------ 2017-09-25 12:18:53 UTC+0000
.... 0x86185880:ipconfig.exe                         3096   1956      0 ------ 2017-09-25 12:18:53 UTC+0000
.. 0x86fbd500:spoolsv.exe                            1304    500     13    324 2017-09-25 12:08:17 UTC+0000
.. 0x86f42860:svchost.exe                             924    500     35    910 2017-09-25 12:08:16 UTC+0000
.. 0x86ee49d0:vmacthlp.exe                            680    500      3     53 2017-09-25 12:08:16 UTC+0000
.. 0x86da7a58:svchost.exe                             884    500     19    430 2017-09-25 12:08:16 UTC+0000
... 0x87036030:dwm.exe                               1492    884      5    113 2017-09-25 12:08:17 UTC+0000
.. 0x86fd9538:svchost.exe                            1344    500     20    307 2017-09-25 12:08:17 UTC+0000
.. 0x870ded40:msdtc.exe                              2252    500     14    154 2017-09-25 12:08:29 UTC+0000
.. 0x86c3a7b8:svchost.exe                             716    500      8    251 2017-09-25 12:08:16 UTC+0000
.. 0x86f81030:svchost.exe                            1144    500     15    369 2017-09-25 12:08:16 UTC+0000
.. 0x8722cd40:SearchIndexer.                         2008    500     12    558 2017-09-25 12:08:26 UTC+0000
.. 0x8709c6a8:VGAuthService.                         1636    500      3     87 2017-09-25 12:08:18 UTC+0000
.. 0x85085488:sppsvc.exe                             3808    500      4    151 2017-09-25 12:10:21 UTC+0000
.. 0x86dcb030:svchost.exe                             620    500     11    350 2017-09-25 12:08:15 UTC+0000
... 0x86313800:WmiPrvSE.exe                          1732    620     10    199 2017-09-25 12:08:25 UTC+0000
... 0x872a8848:WmiPrvSE.exe                          2552    620      9    219 2017-09-25 12:08:45 UTC+0000
.. 0x86f71b78:svchost.exe                            1064    500     12    560 2017-09-25 12:08:16 UTC+0000
.. 0x856aea58:svchost.exe                            3844    500     12    350 2017-09-25 12:10:21 UTC+0000
.. 0x870107a0:taskhost.exe                           1400    500      7    150 2017-09-25 12:08:17 UTC+0000
.. 0x871f1480:dllhost.exe                             852    500     15    199 2017-09-25 12:08:25 UTC+0000
. 0x86d2c188:lsass.exe                                508    400      6    538 2017-09-25 12:08:15 UTC+0000
 0x86b11d40:csrss.exe                                 348    336      8    415 2017-09-25 12:08:15 UTC+0000
. 0x8504a7d8:conhost.exe                              476    348      0 ------ 2017-09-25 12:18:53 UTC+0000
 0x8703cc48:explorer.exe                             1508   1476     24    763 2017-09-25 12:08:17 UTC+0000
. 0x87100030:vmtoolsd.exe                            1792   1508      7    198 2017-09-25 12:08:19 UTC+0000
. 0x872a9458:KeePass.exe                             2464   1508      7    304 2017-09-25 12:08:33 UTC+0000
 0x84f4a8e8:System                                      4      0     87    397 2017-09-25 12:08:14 UTC+0000
. 0x8c537930:smss.exe                                 264      4      2     29 2017-09-25 12:08:14 UTC+0000
 0x86bb5d40:csrss.exe                                 408    392     10    192 2017-09-25 12:08:15 UTC+0000
 0x86ca2920:winlogon.exe                              456    392      3    117 2017-09-25 12:08:15 UTC+0000

dump 屏幕

volatility -f ./memory.vmem --profile=Win7SP0x86 screenshot -D ./dump_true 
Volatility Foundation Volatility Framework 2.6
Wrote ./dump_true/session_0.msswindowstation.mssrestricteddesk.png
Wrote ./dump_true/session_0.Service-0x0-3e4$.Default.png
Wrote ./dump_true/session_0.Service-0x0-3e5$.Default.png
Wrote ./dump_true/session_1.WinSta0.Default.png
Wrote ./dump_true/session_1.WinSta0.Disconnect.png
Wrote ./dump_true/session_1.WinSta0.Winlogon.png
Wrote ./dump_true/session_0.Service-0x0-3e7$.Default.png
Wrote ./dump_true/session_0.WinSta0.Default.png
Wrote ./dump_true/session_0.WinSta0.Disconnect.png
Wrote ./dump_true/session_0.WinSta0.Winlogon.png

KeePass

发现这个地方有问题，是用的KeePass秘钥管理软件开启了一个叫FlagDatabase.kdbx的数据库
于是，扫描文件

1
2
3

volatility -f ./memory.vmem --profile=Win7SP0x86 filescan | grep FlagDatabase.kdbx  
Volatility Foundation Volatility Framework 2.6
0x000000003daeb2c0      8      0 R--r-- \Device\HarddiskVolume1\Users\user\FlagDatabase.kdbx

Dump 下来再说

1
2
3

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003daeb2c0 -D ./dump_true 
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3daeb2c0   None   \Device\HarddiskVolume1\Users\user\FlagDatabase.kdbx

volatility dump文件都是按照page的大小dump，要记得去除结尾的无用部分，这里就不一一赘述了

进一步分析

查找KeePass配置文件

volatility -f ./memory.vmem --profile=Win7SP0x86 filescan | grep KeePass                       
Volatility Foundation Volatility Framework 2.6
0x000000003da006c0      8      0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml
0x000000003da0e170      6      0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePassLibC32.dll
0x000000003da27ae0      8      0 R--r-- \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.config.xml
0x000000003daa8e10      2      0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\ProtectedUserKey.bin
0x000000003dce1850      6      0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\unins000.exe
0x000000003dd01568      8      0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe.config
0x000000003dd01b78      8      0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe
0x000000003dd14a00      7      0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe
0x000000003ddb55f8      1      1 R--rw- \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2
0x000000003ddb8bc8      5      0 R--r-d \Device\HarddiskVolume1\Windows\assembly\NativeImages_v2.0.50727_32\KeePass\61401321a8fb44541efab9aa5fb7fb69\KeePass.ni.exe
0x000000003e9f8468      8      0 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
0x000000003e9f8678      4      1 R--r-d \Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
0x000000003ef96eb8      8      0 R--rw- \Device\HarddiskVolume1\Users\user\Desktop\KeePass 2.lnk
0x000000003ff6deb8      8      0 R--rw- \Device\HarddiskVolume1\Users\user\Desktop\KeePass 2.lnk

Dump \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml

1
2
3

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003da006c0 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3da006c0   None   \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\KeePass.config.xml

分析配置文件

131         </PasswordGenerator>
132         <Defaults>
133                 <OptionsTabIndex>0</OptionsTabIndex>
134                 <SearchParameters>
135                         <ComparisonMode>InvariantCultureIgnoreCase</ComparisonMode>
136                 </SearchParameters>
137                 <KeySources>
138                         <Association>
139                                 <DatabasePath>..\..\Users\user\FlagDatabase.kdbx</DatabasePath>
140                                 <UserAccount>true</UserAccount>
141                         </Association>
142                 </KeySources>
143         </Defaults>
144         <Integration>
145                 <HotKeyGlobalAutoType>393281</HotKeyGlobalAutoType>
146                 <HotKeySelectedAutoType>0</HotKeySelectedAutoType>
147                 <HotKeyShowWindow>393291</HotKeyShowWindow>

这里的UserAccount置位true，表明使用了windows 用户的 master key 进行加密
由于没有其他的加密选项，所以就是只用了windows的账户验证这一种加密

奔向答案

参考 http://www.harmj0y.net/blog/redteaming/a-case-study-in-attacking-keepass/

要恢复一个操作系统上用KeePass的windows账户验证加密的数据库，我们需要以下条件：

%APPDATA%\Microsoft\Protect\目录下的所有文件
- Preferred
- master key file with a GUID naming (Windows账户主密钥文件)
KeePass加密使用的软件主密钥
- ProtectedUserKey.bin
Windows账户的信息
- UserDomain
- 密码
- SID
- UserName
xxxx.kdbx 加密后的秘钥数据库

目前，我们缺少的就是:

%APPDATA%\Microsoft\Protect\目录下的所有文件
KeePass加密使用的软件主密钥
Windows账户的信息

搞SID目录下的文件

1	0x000000003daa8d58 2 0 R--r-- \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\Preferred

1
2
3

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003daa8d58 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3daa8d58   None   \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\Preferred

这里有个坑点，就是 \Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\7315eeac-ce04-46ff-87ac-4fc9cf1d41d3 windows主密钥文件搞不下来

无奈之下，只好通过主密钥文件的特征进行搜索

master key

搞ProtectedUserKey.bin

1
2
3

volatility -f ./memory.vmem --profile=Win7SP0x86 dumpfiles -Q 0x000000003daa8e10 -D ./dump_true
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3daa8e10   None   \Device\HarddiskVolume1\Users\user\AppData\Roaming\KeePass\ProtectedUserKey.bin

搞用户信息

尝试hashdump，发现密码太长，搞不定

volatility -f ./memory.vmem --profile=Win7SP0x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user:1000:aad3b435b51404eeaad3b435b51404ee:8943ccc24f82983c8b791b7f648679c0:::

尝试rekall mimikatz，搞定

1	rekall -f memory.vmem mimikatz

lsadump 也可以

volatility -f ./memory.vmem --profile=Win7SP0x86 lsadump 
Volatility Foundation Volatility Framework 2.6
DefaultPassword
0x00000000  4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   N...............
0x00000010  79 00 6f 00 75 00 5f 00 6e 00 65 00 65 00 64 00   y.o.u._.n.e.e.d.
0x00000020  5f 00 61 00 6e 00 6f 00 74 00 68 00 65 00 72 00   _.a.n.o.t.h.e.r.
0x00000030  5f 00 6b 00 65 00 79 00 5f 00 74 00 6f 00 5f 00   _.k.e.y._.t.o._.
0x00000040  70 00 61 00 73 00 73 00 5f 00 74 00 68 00 69 00   p.a.s.s._.t.h.i.
0x00000050  73 00 5f 00 6c 00 65 00 76 00 65 00 6c 00 00 00   s._.l.e.v.e.l...
DPAPI_SYSTEM
0x00000000  2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ,...............
0x00000010  01 00 00 00 b8 5c 72 98 16 2b f1 72 c9 84 2c 68   .....\r..+.r..,h
0x00000020  f3 07 bb 2b e6 ce 6a 4b 73 f1 ec fa a6 51 61 7d   ...+..jKs....Qa}
0x00000030  4a 82 97 61 db 55 d2 34 e8 df 7f b8 00 00 00 00   J..a.U.4........

密码是 yo_need_another_key_to_pass_this_level，真tmd长

搞账户信息

1508 explorer.exe         0x002ebf88 PUBLIC                         C:\Users\Public
    1508 explorer.exe         0x002ebf88 SESSIONNAME                    Console
    1508 explorer.exe         0x002ebf88 SystemDrive                    C:
    1508 explorer.exe         0x002ebf88 SystemRoot                     C:\Windows
    1508 explorer.exe         0x002ebf88 TEMP                           C:\Users\user\AppData\Local\Temp
    1508 explorer.exe         0x002ebf88 TMP                            C:\Users\user\AppData\Local\Temp
    1508 explorer.exe         0x002ebf88 USERDOMAIN                     WIN-GFCKT3R8MQ2
    1508 explorer.exe         0x002ebf88 USERNAME                       user
    1508 explorer.exe         0x002ebf88 USERPROFILE                    C:\Users\user
    1508 explorer.exe         0x002ebf88 windir                         C:\Windows
    1636 VGAuthService.       0x003207f0 ALLUSERSPROFILE                C:\ProgramData
    1636 VGAuthService.       0x003207f0 APPDATA                        C:\Windows\system32\config\systemprofile\AppD

恢复KeePass加密数据

1	Restore-UserDPAPI -Path C:\Users\W\Desktop\S-1-5-21-196189514-4237867838-3788442389-1000 -UserName user -UserDomain WIN-GFCKT3R8MQ2 -ProtectedUserKey C:\Users\W\Desktop\ProtectedUserKey.bin

Restore-UserDPAPI脚本如下

function Restore-UserDPAPI {
<#
    .SYNOPSIS
        Restores a user account's DPAPI master key on a new system.
        Author: @harmj0y
        License: BSD 3-Clause
        Required Dependencies: None
        Optional Dependencies: None
    
    .DESCRIPTION
        This function will take a backup of a user's DPAPI master key folder (C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\),
        copies the folder to %APPDATA%\Microsoft\Protect\ for the current user on a new machine, sets several
        DPAPI MigratedUsers registry keys necessary, and invokes dpapimig.exe to kick off "Protected Content Migration".
        If the password for the user account associated with the master key differs from the current user's,
        the "Protected Content Migration" GUI will prompt for the old user password.
        There is more information on this process from KeePass at https://sourceforge.net/p/keepass/wiki/Recover%20Windows%20User%20Account%20Credentials/
    .PARAMETER Path
        The C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\ folder to restore, must be in S-1-... SID format.
    .PARAMETER UserName
        The username linked to the folder to restore.
    .PARAMETER UserDomain
        The domain (or local machine) linked to the UserName/folder.
    
    .PARAMETER ProtectedUserKey
        The path to an optional ProtectedUserKey.bin KeePass DPAPI blob.
    .EXAMPLE
        PS C:\Temp> Restore-UserDPAPI -Path C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ -UserName testuser -UserDomain testlab.local
        Restores the DPAPI master key for the testlab.local\testuser (SID=S-1-5-21-456218688-4216621462-1491369290-1210) from
        the C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ backup folder.
    .EXAMPLE
        PS C:\Temp> Restore-UserDPAPI -Path C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ -UserName testuser -UserDomain testlab.local -ProtectedUserKey ProtectedUserKey.bin
        Restores the DPAPI master key for the testlab.local\testuser (SID=S-1-5-21-456218688-4216621462-1491369290-1210) from
        the C:\Temp\S-1-5-21-456218688-4216621462-1491369290-1210\ backup folder, and copies the KeePass-specific
        ProtectedUserKey.bin DPAPI blob into the proper location.
    .LINK
        https://sourceforge.net/p/keepass/wiki/Recover%20Windows%20User%20Account%20Credentials/
#>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
        [ValidateScript({ Test-Path -Path $_ })]
        [String]
        $Path,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $UserName,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $UserDomain,
        [ValidatePattern('.*ProtectedUserKey\.bin')]
        [ValidateScript({ Test-Path -Path $_ })]
        [Alias('KeePassBlob')]
        [String]
        $ProtectedUserKey
    )
    $UserFolder = Get-Item $Path
    $SID = $UserFolder.Name
    
    if($SID -notmatch '^S-1-.*') {
        throw "User folder must be in 'S-1-...' SID format!"
    }
    Write-Host "`n[*] Copying $($UserFolder.FullName) DPAPI folder to $ENV:APPDATA\Microsoft\Protect\"
    Copy-Item -Path $UserFolder -Destination $ENV:APPDATA\Microsoft\Protect\ -Recurse -Force
    Write-Host "`n[*] Creating DPAPI MigratedUsers registry keys"
    $Null = New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserDomain" -Force
    $Null = New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserDomain" -Name $UserDomain -Force
    $Null = New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserName" -Force
    $Null = New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$SID\UserName" -Name $UserName -Force
    Write-Host "`n[*] Calling dpapimig.exe... (this may take just a bit)`n"
    Start-Process $ENV:WINDIR\System32\dpapimig.exe -NoNewWindow -Wait
    if($PSBoundParameters['ProtectedUserKey']) {
        $ProtectedUserKeyFile = Get-Item $ProtectedUserKey
        Write-Host "[*] Copying $($ProtectedUserKeyFile.FullName) to $ENV:APPDATA\KeePass\`n"
        if (-not (Test-Path -Path $ENV:APPDATA\KeePass\)) { $Null = New-Item $ENV:APPDATA\KeePass\ -Type Directory }
        Copy-Item -Path $ProtectedUserKeyFile -Destination $ENV:APPDATA\KeePass\ -Force
    }
}

会要求输入需要恢复的用户的密码，输入即可you_need_another_key_to_pass_this_level

F1r

karspersky-helpme