Find cleartext passwords in memory dump

The Random Access Memory (RAM) is where system components, applications and other data is kept, while the computer is working with it. It is placed there often in clear text for fast access, but there is a security risk involved in this, which is often ignored. In this tutorial, we’ll try dumping the content of the memory to the hard drive and find username and password information stored in the file.

Start by logging in to your email, Microsoft account or whatever, to make sure that the information is placed in the memory. You can log out, close your browser afterwards – doesn’t matter.

dump1_edited

Now we need to dump the memory to the hard drive. For this, we need the tool DumpIt from MoonSol. It’s a single executable file which will take a snapshoot of the host’s physical memory and save it to the folder where the program is placed. Note that if your computer has 8GB of memory then a memory dump file from your machine will be 8GB in size as well, so make sure to run the program from a location with some free space.

1. Download MoonSols DumpIt

2. Unzip the zip file and run dumpIt.exe

3. Press y when prompted

dump2_edited

Ones the program is finished writing the memory to the file you can close the program. The will be a file created called .raw Now it’s time to have a look at this file. This can be done with any Hex Editor, but I prefer WinHex.

4. Open the .raw file with WinHex

5. Press the Simultaneous Search button in the toolbar

The dialog box Simultaneous Search opens.

6. Type the search term passwd

7. Check the checkbox List search hits

8. Press the OK bottom

Dump3_edited

The dialog box Simultaneous Search closes. The search is performed, when finished the dialog box Search complete results opens and show the total results of the search.

9. Click the OK bottom

The dialog box Search complete closes. Go through the search results until you find the one that contains the username and password used.

dump4_edited

Edit:

After writhing this tutorial I played around with the file a bit. Turns out using grep from a shell works quite god a well. Ea. strings BUUJA-3DD02732A-20130327-133508.raw | grep ‘passwd’

extra_edited

Please follow and like me:
Bookmark the permalink.

7 Responses to Find cleartext passwords in memory dump

  1. Kasper says:

    Cool!
    But don’t tell it to anybody! Could be harmful on a public PC.

  2. Me says:

    HE, HE…. I told all my friends 🙂

  3. Roger Dodger says:

    For a much easier GUI based tool, use Mandiant’s Redline. You can search strings extremely easily.

Leave a Reply

Your email address will not be published. Required fields are marked *