Posts Tagged ‘memory’

Trolling Memory for Credit Cards in POS / PCI Environments |InfoSec Sans.EDU

Wednesday, August 27th, 2014

In a recent penetration test, I was able to parlay a network oversight into access to a point of sale terminal. Given the discussions these days, the next step for me was an obvious one – memory analysis.

My first step was to drive to the store I had compromised and purchase an item.

I’m not a memory analysis guru, but the memory capture and analysis was surprisingly easy. First, dump memory:

dumpit

Yup, it’s that simple, I had the dumpit executable locally by that point (more info here https://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216)

or, if you don’t have keyboard access (dumpit requires a physical “enter” key, I/O redirection won’t work for this):

win32dd /f memdump.img

(from the SANS Forensics Cheat Sheet at https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1_2.pdf )

Next, I’ll dig for my credit card number specifically:

strings memdump.img | grep [mycardnumbergoeshere] | wc -l

171

Yup, that’s 171 occurrences in memory, unencrypted. So far, we’re still PCI compliant – PCI 2.0 doesn’t mention cardholder data in memory, and 3.0 only mentions it in passing. The PCI standard mainly cares about data at rest – which to most auditors means “on disk or in database”, or data in transit – which means on the wire, capturable by tcpdump or wireshark. Anything in memory, no matter how much of a target in today’s malware landscape, is not an impact on PCI compliance.

via InfoSec Handlers Diary Blog – Trolling Memory for Credit Cards in POS / PCI Environments.
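The strings | grep | wc -l count from the diary above, generalized into a Luhn-validated scan of a memory image that reports masked PANs and also catches UTF-16 strings (an example added to this page, not the ISC diary's or this blog's code; SAMPLE is a constructed buffer, not a real dump):

```python
import mmap
import re
from collections import Counter

# Constructed stand-in for a slice of a memory image (not a real dump): one Luhn-valid test PAN
# in ASCII and again in UTF-16LE, a 16-digit run that fails Luhn, and a too-short phone number.
SAMPLE = (
    b"\x00\x00track2=4111111111111111=2512\x00\x00"
    + "PAN:4111111111111111".encode("utf-16-le")
    + b"\x00serial=4111111111111112\x00tel=5551234567\x00"
)

# ASCII: 13-19 digits, optionally split by single spaces or dashes (receipt-style formatting).
PAN_ASCII = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# UTF-16LE: the same digit run with a NUL after each digit; `strings` without -el misses these.
PAN_UTF16 = re.compile(rb"(?<!\d\x00)(?:\d\x00){13,19}(?!\d\x00)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (timestamps, serials, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """PCI-style masking (first six, last four) so the report is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_bytes(data) -> Counter:
    """Count Luhn-valid PAN candidates in any bytes-like object, keyed by masked PAN."""
    hits = Counter()
    for m in PAN_ASCII.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits[mask(digits)] += 1
    for m in PAN_UTF16.finditer(data):
        digits = m.group().decode("utf-16-le")
        if luhn_ok(digits):
            hits[mask(digits)] += 1
    return hits

def scan_image(path: str) -> Counter:
    """Scan a whole image (e.g. memdump.img from win32dd) via mmap, without loading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm)
```

scan_image("memdump.img") gives a per-PAN count that plays the role of the diary's wc -l figure, without needing to know the card number in advance.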

How to run a wireshark capture on a device without crashing it from over memory utilization | ShoreTel

Friday, May 30th, 2014
Details
Wireshark is a great network packet capture and analysis tool. Its graphical interface uses copious amounts of memory, causing Wireshark to crash after some period of time capturing packets. The crashes may be delayed somewhat by using a packet capture filter (a packet display filter does not help, since every captured packet is still kept in memory). Use Wireshark for:

  • short periods of time
  • low-throughput environments
  • offline analysis of packet-capture files.
Answer
For long-term packet capture, use dumpcap.exe (included with Wireshark). It runs independently of Wireshark to capture packets to a file or series of files on disk.
Wireshark must be installed on the server before starting these steps:

  1. Create a directory on the server to hold the files (e.g. c:\PCAP_files\)
  2. Open a command window and navigate to the Wireshark install directory
  3. Run “dumpcap.exe -D” to list the capture interfaces and identify the interface number
  4. Start the capture by running: dumpcap -i 1 -b duration:1800 -b files:12 -w c:\PCAP_files\DVS.pcap (-i is the interface number from step 3; -b duration: is the length of each capture file in seconds; -b files: is the number of files kept in the ring buffer before the oldest is overwritten; -w is the folder created in step 1 plus a file name). The command window must stay open while capturing; stop the capture with Ctrl-C.

via ShoreTel | Support – How to run a wireshark capture on a device without crashing it from over memory utilization.

New Vulnerability Found in Every Single Version of Internet Explorer

Monday, April 28th, 2014

According to a confirmation by Microsoft late last night, a new zero day vulnerability has been found to affect every version of Internet Explorer.


In other words—over a quarter of the entire browser market.

Attacks taking advantage of the vulnerability are largely targeting IE versions 9, 10, and 11 in something called a “use after free” attack. Essentially, the attack corrupts data as soon as memory has been released, most likely after users have been lured to phony websites. Microsoft explains:

The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Microsoft is currently investigating the issue and will likely release an out-of-cycle security patch to take care of the problem. Let’s just hope it comes soon, because according to security firm FireEye, this means that about 26 percent of the entire browser market is at risk.

via New Vulnerability Found in Every Single Version of Internet Explorer.