Are you satisfied with the memory of your Linux system?

It's no secret to anyone that on Unix systems all information is provided in the form of files.

In Linux, there is a file / proc / kcore, which is an alias for the physical memory of the system.

The manuals say that the total length of this file is the size of the physical memory (RAM) plus 4KB, but turning this file on different systems, I came to the conclusion that the file size is equal to the size of RAM + SWAP.

Similarly to this file, you can use the devices / dev / mem or / dev / kmem, but I will not consider the interaction with them in this topic.



Having a “memory cast” at hand, the first thing I wanted to check is whether it is possible to use this “memory” to restore / retrieve passwords of system users.

Non-printable characters will not be useful for us for this task, because we still cannot / will not use them in passwords, so using the strings command we can get rid of them by overtaking / proc / kcore to a text file:

# strings /proc/kcore > /tmp/kdump





# wc -l /tmp/kdump

4438050 ( 3 )



With this option of running the command, we get a lot of unnecessary and non-unique data, add sorting:

# strings /proc/kcore | sort -u > /tmp/kdump.uniq

# wc -l /tmp/kdump.uniq

3330526



There are still a lot of entries, let's imagine that the passwords used are more than 6 characters - add the -n 6 key:

# strings -n 6 /proc/kcore | sort -u > /tmp/kdump.uniq.6

# wc -l /tmp/kdump.uniq.6

674397



Thus, we received a certain file with some data, let's try to use it as a dictionary for the john the ripper program and see if it will be possible to decrypt the passwords from the / etc / shadow file

# john --wordlist=/tmp/kdump.uniq.6 /etc/shadow

Loaded 5 password hashes with 5 different salts (FreeBSD MD5 [32/32])

....



If the accounts are active and passwords were used to log in, not keys, then there is a chance to decrypt / etc / shadow with our fresh dictionary. From 5 machines on which I tested this methodology, I managed to decipher 3 unknown passwords to me.



With kcore, you can get a lot of interesting information, such as the detection of LKM rootkits or the execution of hidden commands, I suggest discussing this in the comments;)



PS For the sake of experiment, my kcore parser was written, which takes as parameters the minimum and maximum lengths of possible passwords, if someone is interested, I can lay out.

')

UPD: below is the source of the parser, which was written for tests

#include <stdio.h>

#include <unistd.h>

#include <ctype.h>

void usage( char * argv0)

{

printf( "Usage: %s [options] <filename>\n" ,argv0);

printf( "-m [MIN] minimal length of string (Default: 4)\n" );

printf( "-M [MAX] maximal length of string (Default: 12)\n" );

printf( "<filename> file that u want to dump\n" );

exit(1);

}

int main( int argc, char * argv[])

{

FILE *fp;

int arg, i, binvalid;

int MIN=4;

int MAX=12;

char pass[MAX+1],ch;

char * filename;

while ((arg = getopt(argc, argv, "m:M:" )) != EOF)

{

switch (arg)

{

case 'm' : MIN=atoi(optarg);

break ;

case 'M' : MAX=atoi(optarg);

break ;

default : usage(argv[0]);

break ;

}

}

if (optind >= argc)

{

usage(argv[0]);

}

filename = argv[optind];

fp=fopen(filename, "r" );

if (!fp)

{

printf( "ERROR: Unable open file: %s\n" ,filename);

return 1;

}

i=0;

do

{

ch=( char )fgetc(fp);

if (feof(fp)) break ;

if ( ch>33 && ch < 127 )

{

i++;

pass[i-1]=ch;

if (i>= MAX)

{

pass[i]= '\0' ;

printf( "%s\n" ,pass);

i=0;

}

}

else

{

if (i>=MIN)

{

pass[i] = '\0' ;

printf( "%s\n" ,pass);

}

i=0;

}

}

while (1);

fclose(fp);

}