Password Hunting Part 2

Recipe For Root
3 min read · May 17, 2021

This is a continuation of my previous post on searching for passwords on the system. The following post will dive into pulling passwords from memory.

Passwords in Memory

There are times when an application is running and a password supplied to it is held in clear text in the memory allocated to that application. Reading that memory requires the same privileges as the running application (and on kernels where Yama's ptrace_scope is set to 1 or higher, which is Ubuntu's default, attaching to a process that is not your own child additionally requires CAP_SYS_PTRACE, even as the same user). Let's jump right into an example and see how this works.
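The claim above can be checked from inside a process without any debugger. The following script is an added example written for this edit, not code from the post: it plants a constructed demo password in a buffer, scans the process's own writable mappings (the same regions gdb's info proc mappings lists) through /proc/self/maps and /proc/self/mem, and shows the plaintext is findable until the buffer is wiped in place. The password is kept XOR-masked so that no literal or temporary ever holds the plaintext, and each region is read into an anonymous mmap that is unmapped afterwards so the scan itself leaves nothing behind. It assumes a Linux host; the secret value, the 64 KiB buffer size and the 64 MiB region cap are all choices made for the demo.

```python
import mmap
import os
import re

# Constructed demo secret "Sup3rS3cr3t!" stored XOR-masked with KEY, so the
# plaintext never appears as a literal in this file, in the .pyc, or in any
# temporary bytes object; it only exists inside the buffer we deliberately fill.
KEY = 0x5A
MASKED = bytes([0x09, 0x2F, 0x2A, 0x69, 0x28, 0x09, 0x69, 0x39, 0x28, 0x69, 0x2E, 0x7B])

# One /proc/self/maps line starts "start-end perms", e.g. "00dfd000-00e3f000 rw-p ..."
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4})")
MAX_REGION = 64 * 1024 * 1024  # skip huge reservations; Python's heap and arenas are far smaller


def receive_password(masked, key):
    """Simulate an application that has just received a password.

    The password lands in a mutable bytearray so it can be wiped later; a real
    FTP client would hold it in a C char[] or a Python str, which cannot be.
    Bytes are written one at a time so no temporary holds the plaintext.
    """
    buf = bytearray(64 * 1024)
    for i, m in enumerate(masked):
        buf[4096 + i] = m ^ key
    return buf


def wipe(buf):
    """Overwrite a mutable buffer in place (same-length slice assignment, no realloc)."""
    buf[:] = b"\x00" * len(buf)


def writable_mappings():
    """Snapshot of (start, end) for every writable mapping of this process."""
    with open("/proc/self/maps") as f:
        lines = f.read().splitlines()  # read everything before allocating anything else
    regions = []
    for line in lines:
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if "w" in perms and end - start <= MAX_REGION:
            regions.append((start, end))
    return regions


def count_plaintext_copies(masked, key):
    """Count contiguous plaintext copies of the secret in our own writable memory.

    Candidates are located by the first two plaintext bytes; the rest is compared
    one byte at a time against the masked form, so the full needle is never built.
    """
    prefix = bytes([masked[0] ^ key, masked[1] ^ key])
    hits = 0
    fd = os.open("/proc/self/mem", os.O_RDONLY)
    try:
        for start, end in writable_mappings():
            # Anonymous mmap as the read buffer: closing it unmaps the copy for real.
            with mmap.mmap(-1, end - start) as region:
                try:
                    n = os.preadv(fd, [region], start)
                except OSError:
                    continue  # guard page, or a mapping that changed under us
                pos = region.find(prefix, 0, n)
                while pos != -1:
                    if pos + len(masked) <= n and all(
                        region[pos + i] == (masked[i] ^ key) for i in range(2, len(masked))
                    ):
                        hits += 1
                    pos = region.find(prefix, pos + 1, n)
    finally:
        os.close(fd)
    return hits


def demo():
    """Return (plaintext copies before wipe, plaintext copies after wipe)."""
    secret = receive_password(MASKED, KEY)
    before = count_plaintext_copies(MASKED, KEY)
    wipe(secret)
    after = count_plaintext_copies(MASKED, KEY)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"plaintext copies in memory: {before} before wipe, {after} after wipe")
```

The point for anyone writing a client: a password parked in an immutable str (or copied around by formatting and encoding) stays in the process until the pages are reused, which is exactly what the gdb dump below exploits; keeping it in one mutable buffer and zeroing it as soon as the login exchange is over is the cheap mitigation.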

Python FTP Server

In this example we are going to start up a Python FTP server on our Kali machine and pretend this is some FTP server on the corporate network. From our target machine, we will connect to it and simulate a user connected to an FTP server.

First install pyftpdlib on your Kali machine so you can run the FTP server.

pip install pyftpdlib

Next, we will run the FTP server with an allowable username and password combination by running this command:

python -m pyftpdlib --port=2121 --username=ftpuser --password=password999

On our target machine, we connect to our Kali FTP server by running this command and entering the password:

user@debian:~$ ftp 192.168.56.102 2121
Connected to 192.168.56.102.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.102:root): ftpuser
331 Username ok, send password.
Password: <enter password>
230 Login successful.

We are now logged into our FTP server. The next step is to background the ftp client on the target machine by pressing ctrl+z.

Let's get the process ID of the backgrounded ftp client by running this command:

ps -ef | grep ftp

We are now going to attach the GNU Project Debugger (gdb) to this process and look at what is going on inside its memory space. We pass the process ID with the -p argument.

gdb -p 8932

Inside the debugger, gdb's info proc mappings command lists the start and end addresses of the regions that make up the process's address space. The region we are most interested in is the one labelled [heap] in the right-hand column.

We take note of the start address of the heap, 0xdfd000, and its end address, 0xe3f000. The listing is shown a page at a time, so we type q to close it and return to the (gdb) prompt.

Next, still at the (gdb) prompt, we dump the memory in that address range to a file called /tmp/heap.txt:

dump memory /tmp/heap.txt 0xdfd000 0xe3f000

We can now quit the debugger by typing q again.

Finally, we query the /tmp/heap.txt file for the password:

strings /tmp/heap.txt | grep passwd

Sure enough, we have retrieved the password entered to access the FTP server.
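From the defender's side, the whole procedure above boils down to one observable event: a ptrace attach (gdb -p uses PTRACE_ATTACH; strace -p uses PTRACE_SEIZE) against a process that is not the debugger's own child. The script below is an added example for this edit, not part of the post: it parses Linux audit SYSCALL records of the kind the auditctl rule -a always,exit -F arch=b64 -S ptrace -k ptrace produces, and raises an alert for every attach, including ones the kernel refused. The log lines are constructed for the demo (the target PID 8932 is taken from the post; everything else, including the alerting process's PID and UID, is made up), and the syscall number 101 and arch value c000003e are the x86_64 constants.

```python
import re

# Request numbers from <sys/ptrace.h> on Linux.
PTRACE_ATTACH = 0x10
PTRACE_SEIZE = 0x4206
REQUEST_NAMES = {PTRACE_ATTACH: "PTRACE_ATTACH", PTRACE_SEIZE: "PTRACE_SEIZE"}

PTRACE_SYSCALL_X86_64 = 101   # syscall=101 is ptrace when arch=c000003e
ARCH_X86_64 = "c000003e"

# key=value or key="quoted value"; audit prints a0..a3 as bare hex without 0x.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIMESTAMP = re.compile(r"audit\((\d+\.\d+):\d+\)")

# Constructed sample records (not real audit output): a gdb attach to PID 8932
# (0x22e4), a PTRACE_CONT that is not an attach, an unrelated execve, a strace
# attach via PTRACE_SEIZE, and an attach refused by Yama (success=no exit=-1).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1621267200.101:4021): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=22e4 a2=0 a3=0 items=0 ppid=8801 pid=8950 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb" exe="/usr/bin/gdb" subj=unconfined key="ptrace"',
    'type=SYSCALL msg=audit(1621267200.205:4022): arch=c000003e syscall=101 success=yes exit=0 a0=7 a1=22e4 a2=0 a3=0 items=0 ppid=8801 pid=8950 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb" exe="/usr/bin/gdb" subj=unconfined key="ptrace"',
    'type=SYSCALL msg=audit(1621267201.010:4023): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d380 a3=0 items=2 ppid=8801 pid=8961 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined key="exec"',
    'type=SYSCALL msg=audit(1621267230.444:4031): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=22e4 a2=0 a3=0 items=0 ppid=8801 pid=8977 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="strace" exe="/usr/bin/strace" subj=unconfined key="ptrace"',
    'type=SYSCALL msg=audit(1621267260.777:4040): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=22e4 a2=0 a3=0 items=0 ppid=8801 pid=8990 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="gdb" exe="/usr/bin/gdb" subj=unconfined key="ptrace"',
]


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def attach_alerts(lines):
    """Return one alert dict per SYSCALL record that is a ptrace attach or seize."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
            continue
        if int(rec.get("syscall", "-1")) != PTRACE_SYSCALL_X86_64:
            continue
        request = int(rec["a0"], 16)
        if request not in REQUEST_NAMES:
            continue  # PEEK/POKE/CONT etc. only matter once an attach succeeded
        stamp = TIMESTAMP.search(rec.get("msg", ""))
        alerts.append({
            "time": stamp.group(1) if stamp else None,
            "request": REQUEST_NAMES[request],
            "target_pid": int(rec["a1"], 16),   # a1 is the pid argument of ptrace(2)
            "pid": int(rec["pid"]),
            "uid": int(rec["uid"]),
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
            "success": rec.get("success") == "yes",
        })
    return alerts


if __name__ == "__main__":
    for alert in attach_alerts(SAMPLE_LOG):
        status = "succeeded" if alert["success"] else "was refused"
        print(f"{alert['time']} {alert['comm']} (pid {alert['pid']}, uid {alert['uid']}) "
              f"{alert['request']} on pid {alert['target_pid']} {status}")
```

Refused attaches are worth keeping in the alert stream: with kernel.yama.ptrace_scope=1 the same-user attach the post relies on fails with EPERM, but the audit record is still written, and a user trying to attach to a process that is not their child is a signal in itself.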

What can we do with a password that is found like this? I mean, the password was found in a process running with the same privileges as us. The answer will be different for everyone, but remember, people are lazy. Passwords are reused all over the place and it's smart to save these passwords so you can try them everywhere a password option is available. You never know when a password will come in handy.

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP