10. 1. 2022
Volatile information
GOPAS: [email protected] | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM:Directory | MVP:Security | CEH | CHFI | CISA | CISM | CISSP |
[email protected] | www.sevecek.com |
Time
▪ your own time (time.is)
▪ time on the computer
▪ time zone of the computer
gwmi Win32_LocalTime
gwmi Win32_ComputerSystem | select CurrentTimeZone
Networking
ipconfig
• IP address
• fake DHCP server and lease
• fake DNS server IP address
• NICs will disappear in a mounted VM
netstat -ano
• already established connections
• listening software
netsh http show servicestate
arp -a
• ARP poisoning
ipconfig /displaydns
HTTP.SYS
(diagram) kernel: http.sys listens on :80, :443, :5985, :xxxx
(diagram) user-mode consumers behind http.sys: WinRM, IIS (w3wp), SQL Reporting Services, Hyper-V Replication, ADFS, SSTP VPN
Logon status
klist
klist -li 3e4 # network service
klist -li 3e7 # system
klist sessions
Disk and volume mappings
▪ volume letters
▪ disk signatures
gwmi Win32_LogicalDisk
gwmi Win32_DiskDrive
gwmi Win32_DiskPartition
gwmi Win32_Volume
Remote access to machines: what to record
▪ when
▪ from where
• forensic clean source computer
• my IP address, my MAC address, ...
▪ DNS name
▪ IP address
▪ MAC
• local VLAN only
▪ authenticated user, logon method
• SSO?
• Kerberos?, LM/NTLM/NTLMv2?
▪ ..., transport encryption, ...
Remote process startup and other access
▪ \\target\Admin$, \\target\C$ + remote registry Autoruns
• TCP 445
• start as the autorun account
• also services, local users and groups
• Remote Registry service not running by default since Windows 7
▪ psexec
• TCP 445
• \\target\Admin$
• custom service registered (PSEXESVC)
• start as System or the calling user or any user with password
Remote process startup and other access
(gwmi -List Win32_Process -Computer target).Create('process -parameters')
([wmiclass] '\\target\root\default:StdRegProv').EnumKey(0x80000002L, 'Software')
([wmiclass] '\\target\root\default:StdRegProv').SetDwordValue(0x80000002L, 'Software', 'SomeVal', 5)
• TCP 135 + DCOM dynamic port, on Domain networks opened by default
• start as the calling user
▪ Enter-PSSession target (PowerShell Remoting = WinRM)
• TCP 5985
• enabled on Windows Server 2012+, must be enabled manually on Windows clients
• start as the calling user
▪ task scheduler
• TCP 135 + DCOM dynamic port, on Domain networks opened by default
• start as System, any user with password or the remote logged-on user
Volatile registry keys
▪ HKCU\Volatile Environment
▪ HKLM\System\CCS\Control\hivelist
• currently loaded registry hives
▪ HKLM\Hardware
▪ HKLM\SYSTEM\CCS\Control\Session Manager\FileRenameOperations
• semi-volatile, gets processed during start
List of volatile shares
gwmi Win32_Share
# C$, Admin$, ...
Stopped or running services and scheduled tasks
gwmi Win32_Service
schtasks /query /fo csv /nh /v
Clipboard
▪ one clipboard per desktop session
▪ several different clipboard formats stored
• text
• formatted RTF
• HTML
• picture
• ...
[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')
[Windows.Forms.Clipboard]::GetText()
Processes
▪ parent process ID
▪ executable path
• can be moved even when running
▪ loaded DLLs
▪ opened files
▪ user account and groups (access token)
• logon session
• desktop session
▪ aero/modernUI/immersive/universal windows apps
• sandbox
▪ virtual memory dump
• strings, passwords, addresses, ...
• AES keys
• no kernel memory, but works under limited user
RAM memory dump
▪ process memory dumps
• incomplete if in pagefile or compressed
• inconsistent over time
▪ registry
▪ AES keys
RAM dump vs. virtual memory dump
▪ virtual memory dump
• all process memory
• non-admins
• non-compressed
• including all source code of EXE and DLLs
• consistent
• slower - may require paging from/to pagefile.sys
• more destructive - loads unused EXE and DLL pages from files and may force other processes to page out to swap file
▪ RAM memory dump
• includes kernel memory
• non-destructive against memory contents and pagefile.sys
• most registry contents
• must be administrators
• inconsistent
• compressed memory pages
• not everything if paged out in swap files
• BSOD risks
Text and sequence extractions
▪ strings.exe
▪ WinHex
Sequence extractions in PowerShell
(any logic you need)
$filePath = 'c:\temp\memory.dmp'
$seqnc = [byte[]] @(0x78, 0xF3, 0x0F)          # byte sequence to look for
$binFile = [IO.File]::OpenRead($filePath)
[byte[]] $buffer = New-Object byte[] $seqnc.Length
$poss = 0                                      # file offset of the current window
# read a window of the sequence length, compare it, then step forward by one byte
while ($binFile.Read($buffer, 0, $buffer.Length) -eq $buffer.Length) {
    [bool] $fits = $true
    for ($i = 0; $i -lt $buffer.Length; $i++) {
        $fits = $fits -and ($seqnc[$i] -eq $buffer[$i])
    }
    if ($fits) { Write-Host ('Found at #: 0x{0:X8} | d-{0:D10}' -f $poss) }
    $poss++; [void] $binFile.Seek(-($buffer.Length - 1), 'Current')
}
$binFile.Close()
Password and hash extraction from LSASS
mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
# since Windows 8.1/2012 no clean passwords by default
# Credential Delegation keeps clean passwords if enabled
# Restricted Users group membership prevents NTLM hash extraction
# Credential Guard (Device Guard) prevents hash/ticket extraction
AES key extraction from memory
How
▪ AES keys are random (high entropy)
• 16 bytes = 128 bit, 24 bytes = 192 bit, 32 bytes = 256 bit
• encryption is not performed with the AES key itself
▪ Key schedule
• the actual block of bytes with which the encryption is performed
• computed from the key (expanded key)
• by XORing specific 4-byte words
• 176 bytes, 208 bytes, 240 bytes
AES key schedule (diagram): the original key (128 bits, 192 bits, 256 bits) is expanded 4 B at a time into the key schedule (176 bytes, 208 bytes, 240 bytes)
The search process
▪ Take every 16/24/32 bytes (a candidate key at every offset)
▪ Compute the key schedule for the possible key
▪ If the computed schedule is not present in the memory dump, proceed further
▪ If present, it must be the key
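The search process above, as an added Python example (not code from the slides or their author): the S-box is derived at runtime, expand_key implements the FIPS-197 key expansion for all three key sizes, and find_aes_keys slides a candidate window over a buffer and accepts it only when the bytes that follow are the candidate's own schedule. The names expand_key, find_aes_keys, TEST_KEY and SAMPLE_DUMP are the example's own; SAMPLE_DUMP is a constructed buffer that embeds the FIPS-197 Appendix A.1 test key followed by its schedule.

```python
def _make_sbox():
    """Derive the AES S-box (GF(2^8) inverse + affine map) at runtime."""
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse: affine constant only
    return sbox

SBOX = _make_sbox()

def expand_key(key):
    """Yield the FIPS-197 key schedule one 4-byte word at a time
    (176/208/240 bytes for a 16/24/32-byte key)."""
    nk = len(key) // 4
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    yield from w
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1]
        if i % nk == 0:  # RotWord, SubWord, XOR round constant
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = ((rcon << 1) ^ 0x11B) & 0xFF if rcon & 0x80 else rcon << 1
        elif nk > 6 and i % nk == 4:  # extra SubWord for 256-bit keys
            t = bytes(SBOX[b] for b in t)
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], t)))
        yield w[-1]

def find_aes_keys(buf, key_len=16):
    """Slide a key_len window over buf; report offsets where the bytes that follow
    equal the window's own schedule. all() stops at the first mismatching word."""
    sched_len = 16 * (key_len // 4 + 7)
    hits = []
    for off in range(len(buf) - sched_len + 1):
        view = buf[off:off + sched_len]
        if all(view[4 * i:4 * i + 4] == word
               for i, word in enumerate(expand_key(view[:key_len]))):
            hits.append((off, view[:key_len].hex()))
    return hits

# Constructed sample "dump": filler, the FIPS-197 A.1 test key + its schedule, zeros.
TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_DUMP = bytes(range(256)) * 2 + b"".join(expand_key(TEST_KEY)) + b"\x00" * 300
```

Running find_aes_keys(SAMPLE_DUMP) reports the key at offset 512; on a real dump, read the file into a bytes object (or mmap it) and pass it in, trying key_len 16, 24 and 32 in turn.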
BitLocker
Key protectors
▪ password
▪ TPM
▪ TPM + PIN
▪ recovery password 48 digits
• visible to Administrators for unlocked volumes
• possibly backed-up to Active Directory or OneDrive
▪ .BEK file
BitLocker decryptors/protectors on partition metadata (diagram): data is encrypted with the FVEK (a random secret key); the FVEK is stored encrypted with the TPM, encrypted with the USB key, encrypted with the password, and encrypted with PW48 (the 48-digit recovery password, 1048576x rounds to prevent brute-force)
Volume Master Key (VMK) - random AES 256 (diagram): data is encrypted with the FVEK (a random secret key); the FVEK is encrypted with the VMK; the VMK is stored encrypted with the TPM, encrypted with the USB key, encrypted with the password, and encrypted with PW48 (1048576x rounds to prevent brute-force)
Protection disabled = FVEK visibly stored on the volume (diagram): the same chain as above (data encrypted with the FVEK, FVEK copies encrypted with the TPM, the USB key, the password and PW48 with 1048576x rounds to prevent brute-force), plus a copy of the FVEK stored with no encryption
manage-bde
-status c:
-protectors -get c:
-protectors -disable c: -rc 0
Other useful pre-shutdown modifications