Yes, LiME will open a listening port on the machine you're dumping memory from. You
need to allow that port through iptables (if it's active).
You run netcat on the machine you want to copy the memory image TO (so you don't use
nc -l, because it's making an outbound connection).
Restating what Sebastien said:
sourcethost# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
desthost$ nc targethost -p 4444 >mem.lime
When the BSidesSF videos from this year are online (haven't been recorded yet), there
will be a video of this process.
--
bk
On Feb 18, 2013, at 5:47 PM, Sebastien Bourdon-Richard wrote:
Johnny,
I will try to answer your question to the best of my knowledge. I have also put the
volatility user's mailing list in CC to share your problem with other users and in
case somebody has a better answer than mine ;-)
Do you know how to send the memory using a netcat session from machine A to machine B? I
tried to do the below, but it did not work.
Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...
Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko
"path=tcp:4444 format=raw" | nc 192.168.1.107 4444
Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in user mode.
I think LiME was created to listen on the target OS (Machine A in your case) and memory
acquisition needs to be started with netcat on the acquisition PC (Machine B in your
case). I have not tried it, but here's how I think it works:
1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
2) nc 192.168.1.107 -p 4444 > mem.lime
Also, I suggest you use the padded format or the lime format to dump memory because I
think volatility will not be able to convert virtual to physical addresses with a raw dump
and analysis will fail (unless you pad the dump manually).
Hope this helps!
Sebastien
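As an added example (not code from the thread or from the LiME project): a small Python parser for the image that `format=lime` produces. It walks the per-range headers (magic, version, start and end physical address) and compares the size a padded image would need with the size of a raw image, which shows concretely why a raw dump loses the physical layout Sebastien refers to. The 32-byte header layout is assumed to match LiME's lime.h, and the sample image is constructed inline.

```python
import struct

# LiME range header as assumed from lime.h: magic "EMiL" (0x4C694D45), version 1,
# first and last physical address of the range (e_addr inclusive), 8 reserved bytes.
# Packed, little-endian, 32 bytes, followed directly by the range's bytes.
LIME_MAGIC = 0x4C694D45
LIME_HDR = struct.Struct("<IIQQ8s")


def build_lime_image(ranges):
    """Build a LiME-format image from (s_addr, e_addr, payload) tuples.
    Only used here to construct a sample; a real image comes from the module."""
    out = bytearray()
    for s_addr, e_addr, payload in ranges:
        assert len(payload) == e_addr - s_addr + 1
        out += LIME_HDR.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\x00" * 8)
        out += payload
    return bytes(out)


def parse_lime_ranges(image):
    """Return [(s_addr, e_addr, file_offset_of_data, length)] for every range.
    Raises ValueError on a bad header or a transfer that was cut short."""
    ranges, off = [], 0
    while off + LIME_HDR.size <= len(image):
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("bad LiME header at file offset 0x%x" % off)
        length = e_addr - s_addr + 1
        data_off = off + LIME_HDR.size
        if data_off + length > len(image):
            raise ValueError("truncated range at 0x%x (transfer cut short?)" % off)
        ranges.append((s_addr, e_addr, data_off, length))
        off = data_off + length
    if off != len(image):
        raise ValueError("trailing bytes after last range")
    return ranges


def padded_size(ranges):
    """Bytes a padded (physical-layout) image needs: highest address + 1."""
    return max(e for _, e, _, _ in ranges) + 1


def raw_size(ranges):
    """Bytes in a raw image: ranges concatenated, gaps and headers dropped."""
    return sum(length for _, _, _, length in ranges)


# Constructed sample: two System RAM ranges with the usual hole below 1 MiB
# between them; the payload bytes are filler, not real memory contents.
SAMPLE_IMAGE = build_lime_image([
    (0x00000, 0x9EFFF, b"A" * 0x9F000),
    (0x100000, 0x1FFFFF, b"B" * 0x100000),
])
```

The difference between `padded_size` and `raw_size` is exactly the hole that a raw dump silently removes, so physical offsets in a raw image no longer match physical addresses.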
On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb(a)gmail.com> wrote:
Sebastien,
My name is Johnny. I am trying to figure out how to use Lime with Volatility.
My end goal is to take and analyze the memory of a Vulnerable 8.04 VM made available by
the Metasploitable Project.
Reference link: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
I have been able to dump the memory (See Below)
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko
"path=/var/tmp/memory.dd format=raw"
root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd
-r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd
Do you know how to send the memory using a netcat session from machine A to machine B? I
tried to do the below, but it did not work.
Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...
Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko
"path=tcp:4444 format=raw" | nc 192.168.1.107 4444
Thank you for any guidance,
Johnny
--
Johnny A. Shaieb
http://www.computersecuritystudent.com
http://www.studentJD.com
Education
BS: Management Information Systems (Oklahoma State University)
MS: Telecommunications (Oklahoma State University)
MS: Computer Science / Computer Security (University of Tulsa)
NSTISSI Certified
4011: Information Security Professional
4012: Designated Approving Authority
4013: Administration in Information Systems Security
4014: Information Systems Security Officer
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users