Wednesday, 21 December 2011

Cold Boot Memory Attack part 1

A couple of years back the good folks at Princeton discovered a neat way of attacking full disk encryption. RAM, or random access memory, is "supposed" to be volatile, meaning that as soon as you reboot or power off, the contents are lost. The team at Princeton discovered this certainly isn't the case when the machine is warm rebooted, and the contents can even survive a full power-off cycle if the RAM temperature is lowered (perhaps with liquid nitrogen).

The technique involves either rebooting the machine with the reset button or pulling the power cable of the rig and attempting to maintain the RAM contents (one way to maintain the contents is to super-cool the RAM). A lightweight operating system is then booted. This OS will only overwrite a small portion of the memory; the remaining memory is then dumped to a file which can later be analysed off-line.

In part 1 I simply want to prove the concept of this attack and learn how it works. Then in part 2 I will attempt to combine what I have previously learnt with liquid nitrogen cooling to see if it's possible to transfer the memory from one physical computer to another without losing its contents. This sort of attack might be important if the target doesn't allow selection of boot devices or if there is some other type of boot protection in place.



The Software

I have chosen to use McGrew Security's msramdmp, which in conjunction with the extremely tiny syslinux loader is a lightweight and easy to use memory dumping solution. I will not go into the details of building the bootable USB capable of performing this memory dump as McGrew Security has a great tutorial available here.

I have made a few small modifications to the McGrew Security tutorial though. Instead of using the USB stick to dump the memory contents I am going to use a Corsair Force GT SATA3 SSD. This will allow me to dump the memory contents much quicker, which is essential if you are dumping 4GB+ of memory. I found dumping to USB took in excess of 15 minutes for a 2GB module, whereas the SSD took less than a minute to complete. When you are trying to dump data from liquid nitrogen cooled memory that is slowly decaying, time is of the essence.



The Setup

Gigabyte P55-UD5 with Intel 870
Corsair Force GT SSD (for dumping the memory)
USB configured with syslinux 3.6 and msramdmp
2GB module of GSKILL PSC memory

I have chosen a single 2GB stick of PSC as the lower memory size will dump quicker. I have selected PSC because it likes cold temperatures, so when it comes time to freeze the memory I know this stick will work perfectly.

 

The Attack

First I prepare my SSD with the type 40 partition (Venix 80286) required to dump the memory (as per the image below).

I then booted into a USB-based DOS boot disk and tried to seed my blog name into the memory. I have repeated this a number of times, but every time I boot into Linux to analyse the dump, there is no mention of metasplo.it.

Next I tried booting into a Linux live USB and did the same echo command, but this time the output is sent to a file situated on a "ramdisk" in the hope this will help seed my blog address into RAM.

Next I warm rebooted the machine by hitting the reset button, then hit F12, selected to boot from my msramdmp USB and let the dump occur.

After around a minute the 2GB of memory is written to the type 40 partition on my SSD and then msramdmp changes the partition to type 41 (PPC PReP Boot) as per below.

Next I rebooted into the Linux live CD once again to analyse the SSD with the strings command. SUCCESS! This time the "blog.metasplo.it" string has survived the reboot and been dumped successfully from memory.
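The `strings` check above only finds copies of the marker that survived bit-for-bit. The following Python sketch is an added example, not code from this post or from msramdmp: it also locates copies of the seeded string in which a few bits have decayed and reports how many bits flipped, which is the measurement that matters once the memory is powered off and cooled. The function names, the error budget of 4 bits and the constructed sample buffer are assumptions made for illustration.

```python
import mmap
import sys

MARKER = b"blog.metasplo.it"  # the string seeded into RAM in the post

def bit_errors(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def find_decayed(data, marker=MARKER, max_bit_errors=4):
    """Return sorted (offset, bit_errors) for copies of marker in data.

    Pigeonhole: split the marker into max_bit_errors + 1 pieces. A copy with
    at most max_bit_errors flipped bits still has one piece intact, so a fast
    exact search for each piece finds every candidate; each is then verified.
    """
    m, pieces = len(marker), max_bit_errors + 1
    if pieces > m:
        raise ValueError("marker too short for this error budget")
    bounds = [m * k // pieces for k in range(pieces + 1)]
    hits = {}
    for lo, hi in zip(bounds, bounds[1:]):
        pos = data.find(marker[lo:hi])
        while pos != -1:
            start = pos - lo
            if 0 <= start <= len(data) - m and start not in hits:
                errs = bit_errors(data[start:start + m], marker)
                if errs <= max_bit_errors:
                    hits[start] = errs
            pos = data.find(marker[lo:hi], pos + 1)
    return sorted(hits.items())

def constructed_sample():
    """Constructed data, not a real dump: one intact and one decayed marker."""
    buf = bytearray(bytes(range(256)) * 16)  # 4096 bytes of filler
    buf[100:116] = MARKER
    decayed = bytearray(MARKER)
    for index, mask in ((0, 0x02), (7, 0x40), (15, 0x01)):  # flip 3 bits
        decayed[index] ^= mask
    buf[3000:3016] = decayed
    return bytes(buf)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a dump image file
        with open(sys.argv[1], "rb") as f:
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        data = constructed_sample()
    for offset, errs in find_decayed(data):
        print(f"0x{offset:08x}  {errs} bit error(s)")
```

Run without arguments it scans the constructed sample; given the path to a dump image it memory-maps the file, so a 2GB dump is not read into Python's heap.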

That was relatively easy and the end of part 1. You can see how this attack could be brutal in dumping encryption keys for even the most heavily encrypted hard disk.

Next I will try to transfer the memory module from one system to another while frozen with liquid nitrogen, as a proof of concept of an attack in a more privileged environment.
