Johnny,

I will try to answer your question to the best of my knowledge. I have also put the volatility user's mailing list in CC to share your problem with other users and in case somebody has a better answer than mine ;-)


Do you know how to send the memory using a netcat session from machine A to machine B?  I tried to do the below, but it did not work.

Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...

Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444

Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in user mode. 

I think LiME was created to listen on the target OS (Machine A in your case) and memory acquisition needs to be started with netcat on the acquisition PC (Machine B in your case). I have not tried it, but here's how I think it works:

1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
2) nc 192.168.1.107 -p 4444 > mem.lime

Also, I suggest you use the padded format or the lime format to dump memory because I think volatility will not be able to convert virtual to physical addresses with a raw dump and analysis will fail (unless you pad the dump manually).

Hope this helps!

Sebastien
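
Added example (not part of the original message, and not code from LiME or Volatility): a small Python parser for the lime format, showing why a lime-format image keeps physical addresses while a raw dump loses them. It assumes the 32-byte range header documented by LiME (magic 0x4C694D45, version 1, start address, inclusive end address, 8 reserved bytes); the sample image and all function names are constructed for illustration.

```python
import struct

LIME_MAGIC = 0x4C694D45              # stored little-endian, so "EMiL" on disk
HEADER = struct.Struct("<IIQQ8x")    # magic, version, s_addr, e_addr, 8 reserved bytes

def parse_lime(data):
    """Return [(phys_start, phys_end, file_offset)] for every range in a LiME image."""
    ranges, pos = [], 0
    while pos < len(data):
        if len(data) - pos < HEADER.size:
            raise ValueError("truncated header at offset %d" % pos)
        magic, version, start, end = HEADER.unpack_from(data, pos)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError("bad LiME header at offset %d" % pos)
        size = end - start + 1       # e_addr is inclusive
        pos += HEADER.size
        if pos + size > len(data):   # e.g. the netcat transfer was cut short
            raise ValueError("range 0x%x-0x%x is truncated" % (start, end))
        ranges.append((start, end, pos))
        pos += size
    return ranges

def phys_to_offset(ranges, paddr):
    """File offset of a physical address in the lime image, or None if it is in a hole."""
    for start, end, off in ranges:
        if start <= paddr <= end:
            return off + (paddr - start)
    return None

def raw_offset(ranges, paddr):
    """Offset of the same byte in a format=raw dump (ranges concatenated, no headers)."""
    skipped = 0
    for start, end, _ in ranges:
        if start <= paddr <= end:
            return skipped + (paddr - start)
        skipped += end - start + 1
    return None

def build_sample():
    """Constructed image: two RAM ranges with a hole from 0x1000 to 0x2fff."""
    out = b""
    for start, payload in ((0x0, b"A" * 0x1000), (0x3000, b"B" * 0x800)):
        out += HEADER.pack(LIME_MAGIC, 1, start, start + len(payload) - 1) + payload
    return out

if __name__ == "__main__":
    ranges = parse_lime(build_sample())
    for paddr in (0x10, 0x2000, 0x3010):
        print(hex(paddr), phys_to_offset(ranges, paddr), raw_offset(ranges, paddr))
```

In a raw dump the byte at physical address 0x3010 lands at offset 0x1010, so any tool that treats file offset as physical address reads the wrong memory once a hole has been skipped.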

On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb@gmail.com> wrote:
Sebastien,

My name is Johnny.  I am trying to figure out how to use Lime with Volatility.

My end goal is to take and analyze the memory of a Vulnerable 8.04 VM made available by the Metasploitable Project.  
+ Reference Link: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

I have been able to dump the memory (See Below)

root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=/var/tmp/memory.dd format=raw"

root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd 
-r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd

Do you know how to send the memory using a netcat session from machine A to machine B?  I tried to do the below, but it did not work.

Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...

Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444

Thank you for any guidance,

Johnny

--
Johnny A. Shaieb

http://www.computersecuritystudent.com
http://www.studentJD.com
Education
BS: Management Information Systems (Oklahoma State University)
MS: Telecommunications (Oklahoma State University)
MS: Computer Science / Computer Security (University of Tulsa)

NSTISSI Certified
4011: Information Security Professional
4012: Designated Approving Authority
4013: Administration in Information Systems Security
4014: Information Systems Security Officer