Johnny,
I will try to answer your question to the best of my knowledge. I have also
put the volatility user's mailing list in CC to share your problem with
other users and in case somebody has a better answer than mine ;-)
*Do you know how to send the memory using a netcat session from machine A
to machine B? I tried to do the below, but it did not work.*

*Machine B* (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...
*Machine A* (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444

Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in
user mode.
I think LiME was created to listen on the target OS (Machine A in your
case) and memory acquisition needs to be started with netcat on the
acquisition PC (Machine B in your case). I have not tried it, but here's how
I think it works:
1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
2) nc 192.168.1.107 -p 4444 > mem.lime
Also, I suggest you use the padded format or the lime format to dump
memory because I think volatility will not be able to convert virtual to
physical addresses with a raw dump and analysis will fail (unless you pad
the dump manually).
Hope this helps!
Sebastien
On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb(a)gmail.com> wrote:
Sebastien,
My name is Johnny. I am trying to figure out how to use Lime with
Volatility.
My end goal is to take and analyze the memory of a Vulnerable 8.04 VM made
available by the Metasploitable Project.
+ Reference Link:
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
I have been able to dump the memory (See Below)
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=/var/tmp/memory.dd format=raw"
root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd
-r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd
Do you know how to send the memory using a netcat session from machine A
to machine B? I tried to do the below, but it did not work.
*Machine B* (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...
*Machine A* (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444
Thank you for any guidance,
Johnny
--
Johnny A. Shaieb
http://www.computersecuritystudent.com
http://www.studentJD.com <http://www.studentjd.com/>
Education
BS: Management Information Systems (Oklahoma State University)
MS: Telecommunications (Oklahoma State University)
MS: Computer Science / Computer Security (University of Tulsa)
NSTISSI Certified
4011: Information Security Professional
4012: Designated Approving Authority
4013: Administration in Information Systems Security
4014: Information Systems Security Officer
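
On the format advice in the reply above (lime or padded rather than raw): a LiME-format image prefixes each physical memory range with a 32-byte header (magic, version, start address, inclusive end address, 8 reserved bytes), and that header is what lets an analysis tool map a physical address to a file offset. The parser below is an added example, not code from this thread or from the LiME or Volatility projects; the two-range sample image and the function names are constructed for illustration.

```python
import struct

LIME_MAGIC = 0x4C694D45            # "LiME"; little-endian on disk, so the bytes read b"EMiL"
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved = 32 bytes

def parse_lime(image):
    """Return [(phys_start, phys_end_inclusive, file_offset_of_data), ...]."""
    ranges, pos = [], 0
    while pos < len(image):
        if len(image) - pos < HEADER.size:
            raise ValueError(f"truncated header at file offset {pos}")
        magic, version, start, end, _ = HEADER.unpack_from(image, pos)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError(f"bad LiME header at file offset {pos}")
        size = end - start + 1          # e_addr is inclusive
        data_off = pos + HEADER.size
        if data_off + size > len(image):
            raise ValueError(f"truncated range {start:#x}-{end:#x}")
        ranges.append((start, end, data_off))
        pos = data_off + size
    return ranges

def phys_to_file(ranges, paddr):
    """Map a physical address to its offset in the image, or None for a hole."""
    for start, end, data_off in ranges:
        if start <= paddr <= end:
            return data_off + (paddr - start)
    return None

def build_sample():
    """Constructed image: two 16-byte RAM ranges with a hole between them."""
    image = b""
    for start, payload in ((0x1000, b"A" * 16), (0x100000, b"B" * 16)):
        image += HEADER.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, bytes(8))
        image += payload
    return image

if __name__ == "__main__":
    ranges = parse_lime(build_sample())
    for start, end, off in ranges:
        print(f"phys {start:#x}-{end:#x} -> file offset {off}")
    # A raw dump would hold only the 32 payload bytes back to back: the byte at
    # physical 0x100004 would sit at offset 20, with nothing recording that.
    print(phys_to_file(ranges, 0x100004), phys_to_file(ranges, 0x2000))
```

`parse_lime` also accepts an `mmap` of a real dump file, and a "truncated range" error is how an interrupted network transfer shows up.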