Yes, LiME will open a listening port on the machine you're dumping memory from. You need to allow that port through iptables (if it's active).

You run netcat on the machine you want to copy the memory image TO (so you don't use nc -l, because it's making an outbound connection).

Restating what Sebastien said:
sourcethost# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
desthost$ nc targethost -p 4444 >mem.lime

When the BSidesSF videos from this year are online (haven't been recorded yet), there will be a video of this process.

--
bk



On Feb 18, 2013, at 5:47 PM, Sebastien Bourdon-Richard wrote:

Johnny,

I will try to answer your question to the best of my knowledge. I have also put the volatility users' mailing list in CC to share your problem with other users and in case somebody has a better answer than mine ;-)


Do you know how to send the memory using a netcat session from machine A to machine B?  I tried to do the below, but it did not work.

Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...

Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444

Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in user mode. 

I think LiME was created to listen on the target OS (Machine A in your case) and memory acquisition needs to be started with netcat on the acquisition PC (Machine B in your case). I have not tried it, but here's how I think it works:

1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
2) nc 192.168.1.107 -p 4444 > mem.lime

Also, I suggest you use the padded format or the lime format to dump memory because I think volatility will not be able to convert virtual to physical addresses with a raw dump and analysis will fail (unless you pad the dump manually).

Hope this helps!

Sebastien

On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb@gmail.com> wrote:
Sebastien,

My name is Johnny.  I am trying to figure out how to use Lime with Volatility.

My end goal is to take and analyze the memory of a Vulnerable 8.04 VM made available by the Metasploitable Project.
+ Reference Link: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

I have been able to dump the memory (See Below)

root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=/var/tmp/memory.dd format=raw"

root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd 
-r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd

Do you know how to send the memory using a netcat session from machine A to machine B?  I tried to do the below, but it did not work.

Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...

Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444

Thank you for any guidance,

Johnny

--
Johnny A. Shaieb
Education
BS: Management Information Systems (Oklahoma State University)
MS: Telecommunications (Oklahoma State University)
MS: Computer Science / Computer Security (University of Tulsa)

NSTISSI Certified
4011: Information Security Professional
4012: Designated Approving Authority
4013: Administration in Information Systems Security
4014: Information Systems Security Officer

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
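
The format choice discussed in this thread shows up in the file layout: a lime-format image prefixes every physical memory range with a 32-byte header carrying its start and end address, which a raw dump lacks. The following check for an image received over netcat is an added example, not code from the thread or from the LiME project; the header layout (magic 0x4C694D45, version, inclusive start and end addresses, 8 reserved bytes) is the one LiME documents, and the function names and the sample image are constructed for illustration.

```python
import io
import struct

LIME_MAGIC = 0x4C694D45              # reads "EMiL" in a hex dump (little-endian)
HEADER = struct.Struct("<IIQQ8s")    # magic, version, s_addr, e_addr, reserved


def walk_lime(stream):
    """Return [(start, end, data_offset)] for each range in a lime image.

    Raises ValueError for a raw/padded image (no magic) or a range cut short,
    which is what an interrupted netcat transfer leaves behind.
    """
    ranges, offset = [], 0
    while True:
        raw = stream.read(HEADER.size)
        if not raw:
            return ranges                        # clean end of image
        if len(raw) < HEADER.size:
            raise ValueError("truncated header at offset %d" % offset)
        magic, _version, start, end, _ = HEADER.unpack(raw)
        if magic != LIME_MAGIC or end < start:
            raise ValueError("no valid lime header at offset %d" % offset)
        offset += HEADER.size
        remaining = end - start + 1              # e_addr is inclusive
        ranges.append((start, end, offset))
        while remaining:                         # read, not seek: works on pipes
            chunk = stream.read(min(remaining, 1 << 20))
            if not chunk:
                raise ValueError("range 0x%x-0x%x is short by %d bytes"
                                 % (start, end, remaining))
            remaining -= len(chunk)
            offset += len(chunk)


def build_sample():
    """Constructed two-range image with a physical address gap between ranges."""
    out = b""
    for start, size in ((0x0, 0x1000), (0x100000, 0x1000)):
        out += HEADER.pack(LIME_MAGIC, 1, start, start + size - 1, b"\0" * 8)
        out += b"\xAA" * size
    return out


if __name__ == "__main__":
    for start, end, off in walk_lime(io.BytesIO(build_sample())):
        print("0x%08x-0x%08x at file offset %d" % (start, end, off))
```

To check a real acquisition, pass `open("mem.lime", "rb")` to `walk_lime` and compare the listed ranges with the "System RAM" entries in the target's /proc/iomem.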