mkarimim / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Unable to obtain password hashes #513

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Grab memory image using DumpIt (Windows7 SP1 x64 - RAM: 2GB raw file)
2. imageinfo on raw image to get OS information
3. hivelist on raw image with profile Win7SP1x64 to get SYSTEM and SAM Virtual addresses
4. hashdump on raw image with profile Win7SP1x64 to get password hashes.

What is the expected output? What do you see instead?
Expecting password hashes but hashdump results in empty file.

imageinfo
=========
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\.....\TARGET.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003e3a0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80003e3bd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2014-08-06 22:11:24 UTC+0000
     Image local date and time : 2014-08-06 23:11:24 +0100

hivelist
========
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001c45010 0x0000000036813010 \??\C:\Users\...Fu\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001c4e010 0x000000005624c010 \??\C:\Users.. .\ntuser.dat
0xfffff8a002011010 0x000000003e129010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a006986410 0x00000000144d8410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000d410 0x000000001c6bb410 [no name]
0xfffff8a000023010 0x000000001c5a9010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000052010 0x000000001c558010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000663010 0x000000001a9aa010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a0007f1010 0x0000000014b87010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000b7e010 0x00000000113b7010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000be8010 0x000000000a708010 \SystemRoot\System32\Config\SAM
0xfffff8a000cde010 0x0000000007c17010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000dff1d0 0x00000000113671d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT

hashdump
========
C:\Users\...... >volatility-2.3.standalone.exe hashdump -f TARGET.raw --profile=Win7SP1x64 -y 0xfffff8a000023010 -s 0xfffff8a000be8010 > hashdump.txt

Result is an empty hashdump.txt !

What version of the product are you using? On what operating system?
I used volatility-2.3.standalone.exe on a Windows7 Home Premium 64bit SP1 4GB RAM

Please provide any additional information below.
(a) Do the Virtual and Physical addresses above seem ok?
(b) I do not know what I am doing wrong to not get the password hashes - please help :-)

Original issue reported on code.google.com by Kateson...@gmail.com on 8 Aug 2014 at 3:58
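The three-step workflow in the report (imageinfo, hivelist, hashdump) is easy to get wrong when the hive offsets are copied by hand, and an empty hashdump.txt is silent about why. The following helper, added here as an illustration and not part of the issue or of Volatility's own code, parses hivelist text output (tolerating rows that were wrapped onto a second line, as in the listing above), picks the SYSTEM and SAM virtual offsets that hashdump takes via -y and -s, builds the command line, and classifies the resulting output so an analyst notices the empty-file case. The sample hivelist text is constructed from the rows shown in the report; the function names, the `vol.py` executable name and the user:rid:lm:nt::: output shape it checks are assumptions of this example.

```python
import re

# Constructed sample: a subset of the hivelist rows from the report above,
# including two rows whose Name column was wrapped onto the next line.
# Assumption: a wrapped continuation line never begins with a 0x address.
SAMPLE_HIVELIST = """\
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001c45010 0x0000000036813010 \\??\\C:\\Users\\...
Fu\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat
0xfffff8a000023010 0x000000001c5a9010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000b7e010 0x00000000113b7010 \\SystemRoot\\System32\\Config\\SECURITY
0xfffff8a000be8010 0x000000000a708010 \\SystemRoot\\System32\\Config\\SAM
0xfffff8a000cde010 0x0000000007c17010
\\??\\C:\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT
0xfffff8a00000d410 0x000000001c6bb410 [no name]
"""

# One hivelist row: virtual offset, physical offset, optional name.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*(.*)$")

# Expected shape of one hashdump line: user:rid:lmhash:nthash:::
HASH_LINE_RE = re.compile(r"^[^:]+:\d+:[0-9a-f]{32}:[0-9a-f]{32}:::$")


def parse_hivelist(text):
    """Return a list of (virtual, physical, name) tuples from hivelist output.

    Lines without a leading address are treated as the continuation of the
    previous row's name, which repairs output wrapped at a fixed column.
    """
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("Virtual", "---")):
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append([int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()])
        elif rows:
            rows[-1][2] = rows[-1][2] + line.strip()
    return [tuple(r) for r in rows]


def select_hashdump_hives(rows):
    """Pick the SYSTEM (-y) and SAM (-s) hive virtual offsets hashdump needs."""
    system = sam = None
    for virt, _phys, name in rows:
        upper = name.upper()
        if upper.endswith("\\MACHINE\\SYSTEM") or upper.endswith("\\CONFIG\\SYSTEM"):
            system = virt
        elif upper.endswith("\\MACHINE\\SAM") or upper.endswith("\\CONFIG\\SAM"):
            sam = virt
    if system is None or sam is None:
        raise ValueError("hivelist output does not contain both SYSTEM and SAM hives")
    return system, sam


def build_hashdump_cmd(image, profile, system_va, sam_va, exe="vol.py"):
    """Assemble the hashdump argv exactly as the report's command line does."""
    return [exe, "-f", image, "--profile=%s" % profile, "hashdump",
            "-y", "0x%x" % system_va, "-s", "0x%x" % sam_va]


def diagnose_hashdump(output):
    """Classify captured hashdump output: 'empty', 'ok' or 'malformed'.

    'empty' is the condition in the report: the plugin ran but wrote nothing,
    which a redirect to a file hides unless the file size is checked.
    """
    lines = [l for l in output.splitlines() if l.strip()]
    if not lines:
        return "empty"
    if all(HASH_LINE_RE.match(l) for l in lines):
        return "ok"
    return "malformed"


if __name__ == "__main__":
    hives = parse_hivelist(SAMPLE_HIVELIST)
    sys_va, sam_va = select_hashdump_hives(hives)
    print(" ".join(build_hashdump_cmd("TARGET.raw", "Win7SP1x64", sys_va, sam_va)))
    print(diagnose_hashdump(""))
```

Run against the report's own listing, the selector yields -y 0xfffff8a000023010 and -s 0xfffff8a000be8010, matching the command the reporter typed, so the offsets themselves are not the problem; checking `diagnose_hashdump` on the captured output turns the silent empty file into an explicit condition to act on (for example by retrying with the newer Volatility release suggested in the reply).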

GoogleCodeExporter commented 8 years ago
The Virtual and Physical addresses look OK. 

I would recommend trying Volatility 2.4 from https://github.com/volatilityfoundation/volatility.

Also, this issue tracker is no longer used. Please log future issues here: 
https://github.com/volatilityfoundation/volatility/issues

Original comment by michael.hale@gmail.com on 18 Sep 2014 at 4:55