Monday, May 22, 2017

NSA WINDOWS RAM SNIFFER

You will need three tools: netcat (nc.exe), pmdump.exe (www.ntsecurity.nu/toolbox/pmdump/), and strings.exe (http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx) or BinText (available from www.foundstone.com/us/resources/proddesc/bintext.htm). You can run this example using either one or two systems, but it works best when two systems are used. If you’re using one system, create two directories, with a copy of netcat in each directory.
Start by launching netcat in listening mode with the following command line:
[command-line image not preserved: netcat started as a detached listener on port 8080 that launches the command prompt on connection]
This command line tells netcat to listen on port 8080, in detached mode, and when a connection is made to launch the command prompt. Once you’ve typed in the command line and pressed Enter, open the Task Manager and note the process identifier (PID) of the process you just created (Task Manager does not show the PID column by default; enable it under View > Select Columns, or use tasklist from a command prompt instead). (Here I am using netcat Version 1.11 NT, which I retrieved from www.vulnwatch.org/netcat. At the time of this writing, the Web site does not appear to be available.)
Now open another command prompt on the same system, or go to your other system and open the command prompt. Type the following command line to connect to the netcat listener you just created:
[command-line image not preserved: netcat run in client mode against the listener’s IP address on port 8080]
This command line tells netcat to open in client mode and to connect to the Internet Protocol (IP) address on port 8080, where our listener is waiting. If you’re running the test on a single system, use 127.0.0.1 as the IP address.
Once you’ve connected, you should see the command prompt header that you normally see, showing the version of the operating system and the copyright information. Type a couple of commands at the prompt, such as dir or anything else, to simply send information across the connection.
On the system where the netcat listener is running, open another command prompt and use pmdump.exe (discussed later in this topic) to obtain the contents of memory for the listener process:
[command-line image not preserved: pmdump.exe run against the listener’s PID, writing the process memory to netcat1.log]
This command will obtain the contents of memory used by the process and will put it into the file netcat1.log. Dump the memory while the connection is still open; you may also dump the process memory of the client side of the connection, if you like. Now that you have the process memory saved in a file, you can exit both processes. Run strings.exe against the memory file from the listener or open the file in BinText and you will see the IP address of the client. Note that Windows processes keep many strings in UTF-16LE (Unicode) form; strings.exe and BinText look for both ANSI and Unicode strings by default, so a tool that only scans for ASCII runs may miss the artifact. Doing the same thing with the client’s memory file will display information about the system where the listener was running, demonstrating the concept of Locard’s Exchange Principle.
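The string-extraction step above, as an added example that is not part of the original post and not the code of strings.exe, BinText or pmdump: a small Python script that does what those tools do on a pmdump output file (pulls out ASCII and UTF-16LE runs) and filters the result down to IPv4 addresses. It also goes one step beyond the text and searches the dump for an address in the packed network-byte-order form that a sockaddr_in structure holds, in case the dotted form was never written to memory as text. The sample dump bytes, the file name netcat1.log as a default argument, and the addresses 192.168.1.10 and 10.0.0.7 are constructed for the example and are not from the page.

```python
"""Minimal strings.exe/BinText stand-in for a pmdump process memory file,
plus an IPv4 filter. Example code, not part of the original post."""
import re
import socket
import sys
from typing import Iterator, List, Tuple

MIN_LEN = 4  # same default minimum string length as Sysinternals strings.exe

# Dotted-quad IPv4, each octet 0-255, anchored on word boundaries.
_IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run of at least
    min_len characters, in both ANSI and UTF-16LE form, as strings.exe does
    by default. A UTF-16LE run is a printable ASCII byte followed by NUL,
    repeated; a pure-ASCII scan would stop at the first NUL and miss it."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_ipv4(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, address) for every dotted IPv4 address that
    appears as text in the dump, sorted by offset."""
    hits = []
    for off, enc, text in extract_strings(data):
        width = 1 if enc == "ascii" else 2  # bytes per character
        for m in _IPV4_RE.finditer(text):
            hits.append((off + m.start() * width, enc, m.group()))
    return sorted(hits)


def find_packed_ipv4(data: bytes, dotted: str) -> List[int]:
    """Offsets at which the address occurs as the 4-byte network-order value
    a sockaddr_in.sin_addr holds. Useful to confirm a suspected peer when the
    text form is absent; needs a candidate address to search for."""
    packed = socket.inet_aton(dotted)
    return [m.start() for m in re.finditer(re.escape(packed), data)]


# Constructed stand-in for a pmdump file of the listener: the cmd.exe banner
# sent over the connection, the peer address as ANSI text, a second address as
# UTF-16LE text, and a fake sockaddr_in (AF_INET little-endian, port 8080 and
# the address both big-endian). Not real process memory.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Microsoft Windows [Version 5.1.2600]\x00"
    + b"\x90\x01\xff"
    + b"192.168.1.10\x00"
    + b"\x00" * 8
    + "10.0.0.7".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 4
    + b"\x02\x00" + (8080).to_bytes(2, "big") + socket.inet_aton("192.168.1.10")
)


def report(data: bytes) -> None:
    for off, enc, ip in find_ipv4(data):
        print(f"0x{off:08x} {enc:9s} {ip}")
        for poff in find_packed_ipv4(data, ip):
            print(f"    packed form at 0x{poff:08x}")


if __name__ == "__main__":
    # Usage: python memstrings_ip.py netcat1.log ; with no argument the
    # constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read())
    else:
        report(SAMPLE_DUMP)
```

Run it against netcat1.log from the listener and the matching dump from the client; the UTF-16LE pass is what keeps this equivalent to strings.exe rather than to a plain ASCII scan, and the packed-form search is a cheap extra check when the dotted text is not found.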
