
Pen tester tools - pmdump


By edwin - Posted on 04 February 2009

Today I bumped into an interesting application called pmdump (http://www.ntsecurity.nu/toolbox/pmdump/).

According to the website "PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process."

So how is this useful you may ask? Well, let me show you.

For my test case I decided to look at Google's Chrome browser, since I know I use passwords to log into web sites like my bank's site.

I looked up the PID (process identification number) of the browser by using Microsoft Sysinternals' pslist command line tool.

C:\hacktools>pslist chrome
...
Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
chrome 2440 8 28 582 34892 0:02:13.609 7:59:29.048

Alternatively, you can use Windows' Task Manager to get the PID as well.

Armed with the PID of the process I want, I run pmdump and output the data to a text file.

pmdump 2440 chrome_pmdump.txt

This produced a huge 124 MB file, which represented the memory space that Chrome was using.

I opened up Windows Grep (http://www.wingrep.com/) and searched for the first four letters of my bank account password. Wow, my password was there in clear text 5 times.

I played a bit more to find other patterns I could use in Grep. For example, "Passwd" turned up my Gmail password. I'm sure someone out there has a nice set of filters that can reproduce all kinds of neat things.

The crazy thing is that I did all this as a limited user with no administrator rights. Who knew there was so much revealing data in your user-level memory? Amazing.

Let me know if you have found some nice filters against other processes. I'm sure anything that uses passwords is fair game (i.e. IM clients, e-mail clients, etc.).

Great article, especially on a tool that is not widely used. Yes, it is surprising how much information is actually available to any process running within user memory. I also like your example using Google Chrome; very topical. Promoted to our front page.

I tried this out with Firefox 3 and IE6, and was not able to find any password when logged into Yahoo Mail. Gmail does disclose, as does a bank site! Is this something best corrected by the site itself? Yahoo seems to be more secure than a very large bank site.

I just tested this with IE6 and was not able to retrieve passwords from the bank, or Gmail. This is Firefox portable version 3.0.5. Is the regular, non-portable one any different?

I just tried Firefox 3.0.5 and Internet Explorer 7 (IE7). I was also able to see my bank's password on Firefox but not IE7! I logged in and out of a Yahoo! email account and wasn't able to see the password anywhere. This issue does seem to be caused by the level of security implemented on the website and how the particular browser obfuscates the information. Should I switch to Yahoo! email on IE? Wow, this is interesting.

A similar tool is ProcessMemoryDumper that can be downloaded from http://www.evilfingers.com/tools/ProcessMemoryDumper.php.

In looking at the mixed results listed in the follow-up posts, I think that it's important to point out that your results will indeed vary depending upon the level of browser security that you're currently using.

Google Mail (as with most modern webmail portals) offers an "Always use HTTPS" feature that invokes relatively good encryption to secure your connection (as well as the data stored in active memory).

I see that your responders are listing which applications they're using for testing, but not indicating whether or not they're using any browser-based security. I wanted to point out that browser security is an important element to consider in this process.

I've tested and used numerous similar memory scraping tools in the past. I find them useful for illustrating the dangers of caching passwords in browsers, making sure to look for the little "lock" in the browser before using any e-commerce apps on the web, etc. with clients.

It's really easy to grab unencrypted (plain text) data from a memory dump, but a more involved project to decrypt encrypted data. That's another class for another day :-)

I'm a hands-on tech and I've found that my clients love to see hands-on demonstrations. It makes security real to them & it's fun for me, as well. INFOSEC can be dry and a hard-sell if you stick to theory, best practices and FUD.

GUI-based, simple (yet effective) tools like this are excellent teaching aids! Thanks for sharing your experience and findings.

I ran some tests against Firefox and found that the only passwords in plain text (not encrypted) were ones that I have cached in my browser, i.e. answered yes to "do you want to save your password".

All the other passwords, from what I can tell, show up encrypted.

Firefox security settings are default. Version 3.0.5.

hey buddy
this is really amazing man
but the drawback here is we have to run pmdump only when the user is clicking on the sign-in button,
only then will you be able to get the passwd of the user who is logging in.
it may be Gmail or Yahoo... for Firefox & IE also it works... irrespective of the versions

:)

I looked up the PID (process Identification number) of the browser by using Microsoft Sysinternal's pslist command line tool ... Alternatively, you can use Windows's task manager to get the PID as well.

Actually, pmdump will list the PIDs for you using the "list" argument:
pmdump.exe -list
