Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter

Name: Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter
Uploaded: 2022-04-03T17:01:11Z
Channel: IppSec
Description: 00:00 - Intro 00:47 - Discovering a weird binary running in /tmp/ but it doesn't exist on disk 01:55 - Start of explaining dd copying things out of memo...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 00:47 - Discovering a weird binary running in /tmp/ but it doesn't exist on disk 01:55 - Start of explaining dd copying things out of memory 02:30 - Reading maps to identify where the file is, showing how to covnert hex to decimal in bash 04:00 - File extracted from memory 05:15 - Copying the heap from memory and discovering it is mettle/meterpreter based upon strings 06:55 - Showing we don't need to use DD to extract the file, can just use the "exe" file in proc/pid/ 09:15 - Opening the elf in Ghidra and examining its decompiled output 12:00 - Showing what the file looks like in…

Watch on YouTube ↗ (saves to browser)

Chapters (12)

Intro

0:47 Discovering a weird binary running in /tmp/ but it doesn't exist on disk

1:55 Start of explaining dd copying things out of memory

2:30 Reading maps to identify where the file is, showing how to covnert hex to deci

4:00 File extracted from memory

5:15 Copying the heap from memory and discovering it is mettle/meterpreter based up

6:55 Showing we don't need to use DD to extract the file, can just use the "exe" fi

9:15 Opening the elf in Ghidra and examining its decompiled output

12:00 Showing what the file looks like in Cutter, which has a different decompile vi

13:40 Reading the Metasploit source code to identify what it looked like, to confirm

16:00 Using MSFVenom to generate our own stager in order to confirm this is indeed w

18:50 Using GDB against the stager to just practice reversing

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →