Friday, 28 December 2007

SAM Juicer does not need SYSTEM Privileges

SAM Juicer is one of the tools in the Meterpreter suite.

A part of the Meterpreter Anti-Forensic Investigation Arsenal (MAFIA), Sam Juicer runs over a memory/LSASS channel to dump password hashes on a Windows system. Many people think that you need SYSTEM privileges to access the SAM database; this is not the case. Any account, service or program running with access to the memory and LSASS channels will do. In fact, the majority of accounts are still given the debug privilege to make life easier for developers (and crackers).
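The practical defensive check that follows from the paragraph above is to find out which accounts on a host actually hold the debug privilege (SeDebugPrivilege). The script below is an added example and is not code from the original post or from the Metasploit project. It parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` policy export, where secedit lists each holder as a SID prefixed with `*`, and flags any holder other than the default BUILTIN\Administrators group (S-1-5-32-544). The embedded export text and its SIDs are constructed for the example; the assumption that the export file is UTF-16 encoded is noted in the loader.

```python
import re
from typing import Dict, List

# Constructed sample of a `secedit /export /cfg <file>` output, trimmed to the sections
# this check needs. Real exports carry many more sections; the S-1-5-21 SIDs are made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1001,*S-1-5-21-1111-2222-3333-1105
SeTcbPrivilege =
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# On a stock Windows install only BUILTIN\Administrators (S-1-5-32-544) holds SeDebugPrivilege.
DEFAULT_DEBUG_HOLDERS = frozenset({"S-1-5-32-544"})


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {privilege name: [SID, ...]} from the [Privilege Rights] section.

    secedit writes each holder as a SID prefixed with '*'; the prefix is stripped here.
    A privilege listed with no holders maps to an empty list.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",")]
        rights[name.strip()] = [h for h in holders if h]
    return rights


def extra_debug_holders(rights: Dict[str, List[str]]) -> List[str]:
    """SIDs granted SeDebugPrivilege beyond the default Administrators group."""
    return [sid for sid in rights.get("SeDebugPrivilege", []) if sid not in DEFAULT_DEBUG_HOLDERS]


def is_domain_or_local_account(sid: str) -> bool:
    """True for SIDs in the S-1-5-21-<domain>-<RID> space (local or domain users and groups)."""
    return re.fullmatch(r"S-1-5-21(-\d+){4}", sid) is not None


def audit_export(text: str) -> Dict[str, object]:
    """Summarise who holds the debug privilege and whether it goes beyond the default."""
    rights = parse_privilege_rights(text)
    extra = extra_debug_holders(rights)
    return {
        "debug_holders": rights.get("SeDebugPrivilege", []),
        "non_default": extra,
        "user_accounts": [s for s in extra if is_domain_or_local_account(s)],
        "ok": not extra,
    }


def load_export(path: str) -> str:
    """Read a secedit export from disk (assumption: secedit writes UTF-16 text)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    # With a path argument, audit a real export; otherwise run on the constructed sample.
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    result = audit_export(text)
    for sid in result["non_default"]:
        print(f"SeDebugPrivilege held by non-default SID {sid}")
    print("OK" if result["ok"] else "REVIEW: debug privilege granted beyond Administrators")
```

Run it against a freshly exported policy (`secedit /export /cfg C:\secpol.inf`, then `python audit_debug.py C:\secpol.inf`); any SID reported is an account or group that can open LSASS memory without being SYSTEM, which is exactly the condition the post describes. Resolving the flagged SIDs to names is left to the usual tools on the host.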

Why is this tool a problem for many "traditional" digital forensic practitioners?
It never hits the disk and it never hits the registry. Without leaving a signature on the disk or making a registry call, many forensic tools simply do not have a hope. By using an existing Meterpreter channel, there is no need to start a service, open a network port, or leave all the easy-to-find evidence that a tool such as PWCrack creates.

Against direct memory injection techniques, tools like EnCase have no hope. EnCase Enterprise allows the examiner to see current processes, open ports, the file system, and other such volatile system areas.

As Metasploit's Meterpreter does not leave a track on the disk but instead exploits a running process and creates threads within it, EnCase is blind to it. (This is where a good old-fashioned dd.exe dump of memory on Windows still beats the high-end tools.)

Metasploit Anti-Forensic (AF) Tools
The toolset includes the following AF Tools:

  • Timestomp,
  • Slacker,
  • Transmogrify, and
  • Sam Juicer
More on these other tools in the next few days.

So what exactly does MAFIA (and similar tools) mess up for the tool-based analyst?
  1. Temporal locality (through the alteration of time stamps)
  2. Spatial locality (using the modification of file location)
  3. Data recovery
  4. File signatures
  5. Hashing
  6. Keywords
  7. Reverse engineering
  8. Profiling
  9. Effectiveness/info overload
  10. Disk access/hiding in memory
For details see:

1 comment:

Steven said...

Hi Craig.

The use of tools such as Sam Juicer show the increased importance of forensics analysis on physical memory. Analysing disk images alone will not provide any evidence of what has occurred so capturing the memory is crucial.

Thankfully there are a number of tools such as the Windows Memory Forensic Toolkit which provide a handful of utilities that can assist when analysing memory images. In future versions, they hope to be able to analyse memory on a live system.

When examining UNIX based systems, binaries can be deleted after being executed (unlike Windows which locks files when executed). Analysing the memory can reveal and recreate the binary image.