Find cleartext passwords in memory dump

Posted: July 16, 2015 in Uncategorized

Random Access Memory (RAM) is where system components, applications and other data are kept while the computer is working with them. Much of that data is placed there in clear text for fast access, which carries a security risk that is often ignored. In this tutorial we'll dump the contents of memory to the hard drive and look for username and password information stored in the resulting file.

Start by logging in to your email, your Microsoft account or any other service, so that the credentials are placed in memory. You can log out and close your browser afterwards; it doesn't matter.

[Screenshot: web application login screen]

Now we need to dump the memory to the hard drive. For this we use the tool DumpIt from MoonSols. It's a single executable that takes a snapshot of the host's physical memory and saves it to the folder the program is run from. Note that if your computer has 8GB of memory, the dump file will be 8GB in size as well, so make sure to run the program from a location with enough free space.

1. Download MoonSols DumpIt

2. Unzip the zip file and run dumpIt.exe

3. Press y when prompted

[Screenshot: DumpIt prompt]

Once the program has finished writing the memory to the file you can close it. A file with the .raw extension will have been created in the same folder. Now it's time to have a look at this file. This can be done with any hex editor, but I prefer WinHex.

4. Open the .raw file with WinHex

5. Press the Simultaneous Search button in the toolbar

The dialog box Simultaneous Search opens.

6. Type the search term passwd

7. Check the checkbox List search hits

8. Press the OK button

[Screenshot: WinHex Simultaneous Search dialog]

The Simultaneous Search dialog box closes and the search runs. When it finishes, the Search complete dialog box opens and shows the total number of hits.

9. Click the OK button

The Search complete dialog box closes. Go through the search results until you find the one that contains the username and password you used.

[Screenshot: WinHex search hits with the credentials visible]
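As an added example that is not part of this post, here is the same search done with a short Python script instead of WinHex, the kind of check you would run against a dump of your own application to confirm credentials are gone after logout. It looks for the term in both ASCII and UTF-16LE (Windows keeps many strings in the latter, which a plain ASCII search misses), reads the image in chunks so an 8GB .raw never has to fit in RAM, and reports each hit with the surrounding printable text the way the hex editor's hit list does. The sample image bytes, the form post and the "PASSWD:" string in them are constructed for the example.

```python
import io
import re

MAX_RUN = 40  # characters of surrounding text to recover on each side of a hit

# Constructed sample "dump": binary noise around an ASCII form post and a UTF-16LE
# string, the two encodings credential strings usually have in Windows memory.
SAMPLE_DUMP = (
    b"\x00MZ\x90\x00\x03\xff\xfe\x00username=alice&passwd=Summer2015!&submit=Login"
    + b"\x00\x00\x90\x90" + "PASSWD: Correct-Horse".encode("utf-16-le") + b"\x00\x00\xcc\xcc"
)

def term_pattern(term):
    """Case-insensitive regex matching TERM either as ASCII or as UTF-16LE bytes."""
    forms = (re.escape(term.encode("ascii")), re.escape(term.encode("utf-16-le")))
    return re.compile(b"(?P<a>%s)|(?P<u>%s)" % forms, re.IGNORECASE)

def printable_run(buf, start, end, enc):
    """Widen [start, end) to the surrounding printable run, like a hex editor's context column."""
    step = 1 if enc == "ascii" else 2  # UTF-16LE: printable low byte followed by a NUL high byte
    def printable(i):
        return 0 <= i and i + step <= len(buf) and 0x20 <= buf[i] <= 0x7E and (step == 1 or buf[i + 1] == 0)
    lo, hi = start, end
    while printable(lo - step) and start - lo < step * MAX_RUN:
        lo -= step
    while printable(hi) and hi - end < step * MAX_RUN:
        hi += step
    return buf[lo:hi].decode("ascii" if step == 1 else "utf-16-le")

def search_dump(source, term, chunk_size=1 << 20):
    """Yield (offset, encoding, context) per hit, reading in chunks so a multi-GB .raw needn't fit in RAM."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    pat, max_match, margin = term_pattern(term), 2 * len(term), 2 * MAX_RUN
    base, buf, skip = 0, b"", 0
    while True:
        block = stream.read(chunk_size)
        buf += block
        # Before EOF, hold back the tail: a hit starting there may still lack its right-hand context.
        limit = len(buf) if not block else len(buf) - (max_match + margin)
        for m in pat.finditer(buf):
            if m.start() >= limit:
                break
            if m.start() >= skip:  # hits below `skip` were already reported in the previous round
                enc = "ascii" if m.group("a") is not None else "utf-16-le"
                yield base + m.start(), enc, printable_run(buf, m.start(), m.end(), enc)
        if not block:
            return
        cut = max(0, limit - margin)  # carry `margin` bytes of left-hand context into the next round
        base, buf, skip = base + cut, buf[cut:], max(0, limit - cut)
```

For a real image pass an open file, `search_dump(open("DUMP.raw", "rb"), "passwd")`; on the constructed sample it yields two hits, the ASCII form post at offset 24 and the UTF-16LE string at offset 59, which a plain ASCII search would have missed.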
