What is Dumpscan?
To get an idea of why Dumpscan exists, check out the Dumping RSA Certificates with Volatility series, Part 1 and Part 2. To provide a better implementation of the techniques discussed there for dumping private keys and other secrets from memory, I decided to write a tool that locates and extracts the certificates.
The driving factors were:
- Installing Volatility 3 and understanding its options and plugin structure can be lengthy. To simplify the process, I wanted to write a tool that has Volatility 3 as a dependency.
- I wanted to extend this functionality to other forms of memory dumps, primarily the Windows Minidump format.
- I wanted a custom output to make things look pretty.
Dumpscan is written in Python, uses Volatility 3 for kernel dump scanning, and implements its own minidump parser to perform the same actions for the minidump format.
To simplify installation, I highly recommend pipx. Pipx installs each tool into its own virtual environment and makes Python CLI tools easy to manage. As of this post, the proper way to install it is:
    pipx install dumpscan
    pipx inject dumpscan git+https://github.com/volatilityfoundation/volatility3#39e812a
Although Volatility 3 is a regular dependency and would normally be listed as such, the latest release on PyPI (v2.0.1) at the time of writing does not work, while v2.2.0 does. pipx's inject command lets us install the pinned GitHub commit directly into dumpscan's virtual environment.
Kernel-mode parsing is done with Volatility 3. Dumpscan wraps some built-in Vol3 plugins and implements custom ones for x509 and SymCrypt extraction. Minidump parsing is done with construct structures, so the tool can scan through Minidump memory streams. This is still a work in progress but currently handles x64 Windows process dumps. I am also looking into adding coredump parsing for Linux and macOS.
The focus of Dumpscan is to look in the places where secrets tend to be. Two of these are the command line used to launch a process and the process's environment variables. Checking command-line arguments is useful if you have captured a process that accepts connection strings or credentials on the command line; environment variables are especially useful in cloud environments, where credentials are often passed that way. For kernel dumps I've included the Vol3 cmdline and envars plugins, and the minidump parser can walk the PEB to get the process's command-line string and its environment variables. I've also included Vol3's pslist functionality to make it easier to find processes of interest.
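To make the two preceding points concrete (parsing Minidump streams with declared structures, and walking the PEB for the command line and environment), here is an added example of my own, not dumpscan's code. It uses the standard-library struct module where dumpscan uses construct, hard-codes the Windows 10 x64 offsets for PEB.ProcessParameters (0x20) and RTL_USER_PROCESS_PARAMETERS.CommandLine (0x70), Environment (0x80) and EnvironmentSize (0x3F0), and takes the PEB address as a parameter; in a real dump you would read it from a thread's TEB. The minidump it walks is constructed inline with a single Memory64List range, so it runs offline.

```python
import struct
from dataclasses import dataclass

# --- Minidump on-disk structures (little-endian, per dbghelp.h) ---------------
MINIDUMP_SIGNATURE = 0x504D444D          # b"MDMP"
MEMORY64_LIST_STREAM = 9                 # stream type carrying full-memory ranges
HEADER = struct.Struct("<IIIIIIQ")       # MINIDUMP_HEADER, 32 bytes
DIRECTORY = struct.Struct("<III")        # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MEM64_LIST = struct.Struct("<QQ")        # MINIDUMP_MEMORY64_LIST: NumberOfMemoryRanges, BaseRva
MEM64_DESC = struct.Struct("<QQ")        # MINIDUMP_MEMORY_DESCRIPTOR64: StartOfMemoryRange, DataSize
UNICODE_STRING = struct.Struct("<HHIQ")  # x64 UNICODE_STRING: Length, MaximumLength, pad, Buffer

# --- x64 offsets for the PEB walk (Windows 10; assumed, verify against your target build) --
PEB_PROCESS_PARAMETERS = 0x20            # PEB.ProcessParameters
RUPP_COMMAND_LINE = 0x70                 # RTL_USER_PROCESS_PARAMETERS.CommandLine
RUPP_ENVIRONMENT = 0x80                  # RTL_USER_PROCESS_PARAMETERS.Environment
RUPP_ENVIRONMENT_SIZE = 0x3F0            # RTL_USER_PROCESS_PARAMETERS.EnvironmentSize


@dataclass
class MemoryRange:
    start: int        # virtual address of the range inside the dumped process
    size: int
    file_offset: int  # where the range's bytes live inside the dump file


def parse_stream_directory(data: bytes) -> dict:
    """Return {StreamType: (rva, size)} from the minidump header and directory."""
    signature, _version, n_streams, dir_rva, _cksum, _ts, _flags = HEADER.unpack_from(data, 0)
    if signature != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    streams = {}
    for i in range(n_streams):
        stream_type, size, rva = DIRECTORY.unpack_from(data, dir_rva + i * DIRECTORY.size)
        streams[stream_type] = (rva, size)
    return streams


def parse_memory64_list(data: bytes, rva: int) -> list:
    """Memory64List data is laid out back to back starting at BaseRva, in descriptor order."""
    n_ranges, base_rva = MEM64_LIST.unpack_from(data, rva)
    ranges, cursor = [], base_rva
    for i in range(n_ranges):
        start, size = MEM64_DESC.unpack_from(data, rva + MEM64_LIST.size + i * MEM64_DESC.size)
        ranges.append(MemoryRange(start, size, cursor))
        cursor += size
    return ranges


def read_va(data: bytes, ranges: list, va: int, length: int) -> bytes:
    """Translate a process virtual address into dump bytes; refuse reads that leave a range."""
    for r in ranges:
        if r.start <= va and va + length <= r.start + r.size:
            off = r.file_offset + (va - r.start)
            return data[off:off + length]
    raise ValueError(f"virtual address {va:#x} (+{length}) is not in the dump")


def read_unicode_string(data: bytes, ranges: list, va: int) -> str:
    length, _max_len, _pad, buffer = UNICODE_STRING.unpack(read_va(data, ranges, va, UNICODE_STRING.size))
    return read_va(data, ranges, buffer, length).decode("utf-16-le")


def walk_peb(data: bytes, peb_va: int):
    """PEB -> ProcessParameters -> CommandLine plus the environment block as a dict."""
    streams = parse_stream_directory(data)
    ranges = parse_memory64_list(data, streams[MEMORY64_LIST_STREAM][0])
    (params_va,) = struct.unpack("<Q", read_va(data, ranges, peb_va + PEB_PROCESS_PARAMETERS, 8))
    command_line = read_unicode_string(data, ranges, params_va + RUPP_COMMAND_LINE)
    (env_va,) = struct.unpack("<Q", read_va(data, ranges, params_va + RUPP_ENVIRONMENT, 8))
    (env_size,) = struct.unpack("<Q", read_va(data, ranges, params_va + RUPP_ENVIRONMENT_SIZE, 8))
    # The environment block is a run of NUL-terminated UTF-16LE "KEY=VALUE" strings ended by an empty one.
    env = {}
    for entry in read_va(data, ranges, env_va, env_size).decode("utf-16-le").split("\0"):
        if not entry:
            break
        key, _, value = entry.partition("=")
        env[key] = value
    return command_line, env


# --- Constructed sample: a one-range minidump so the walk can run offline ------------
SAMPLE_BASE_VA = 0x7FFE0000
SAMPLE_COMMAND_LINE = "python.exe app.py --db-url postgres://svc:hunter2@db/prod"  # constructed
SAMPLE_ENV = {"AWS_SECRET_ACCESS_KEY": "EXAMPLE-NOT-A-REAL-KEY", "PATH": "C:\\Windows"}  # constructed


def build_sample_dump() -> bytes:
    region = bytearray(0x800)  # one 2 KiB range: PEB at +0, process parameters at +0x100
    peb, params, cmd, env = 0x0, 0x100, 0x500, 0x600
    cmd_bytes = SAMPLE_COMMAND_LINE.encode("utf-16-le")
    env_bytes = "".join(f"{k}={v}\0" for k, v in SAMPLE_ENV.items()).encode("utf-16-le") + b"\0\0"
    struct.pack_into("<Q", region, peb + PEB_PROCESS_PARAMETERS, SAMPLE_BASE_VA + params)
    UNICODE_STRING.pack_into(region, params + RUPP_COMMAND_LINE,
                             len(cmd_bytes), len(cmd_bytes) + 2, 0, SAMPLE_BASE_VA + cmd)
    struct.pack_into("<Q", region, params + RUPP_ENVIRONMENT, SAMPLE_BASE_VA + env)
    struct.pack_into("<Q", region, params + RUPP_ENVIRONMENT_SIZE, len(env_bytes))
    region[cmd:cmd + len(cmd_bytes)] = cmd_bytes
    region[env:env + len(env_bytes)] = env_bytes

    dir_rva = HEADER.size                            # directory right after the header
    list_rva = dir_rva + DIRECTORY.size              # a single stream entry
    data_rva = list_rva + MEM64_LIST.size + MEM64_DESC.size
    dump = HEADER.pack(MINIDUMP_SIGNATURE, 0xA793, 1, dir_rva, 0, 0, 0)
    dump += DIRECTORY.pack(MEMORY64_LIST_STREAM, MEM64_LIST.size + MEM64_DESC.size, list_rva)
    dump += MEM64_LIST.pack(1, data_rva) + MEM64_DESC.pack(SAMPLE_BASE_VA, len(region))
    return dump + bytes(region)


if __name__ == "__main__":
    cmdline, environment = walk_peb(build_sample_dump(), SAMPLE_BASE_VA)
    print("CommandLine:", cmdline)
    for k, v in environment.items():
        print(f"  {k}={v}")
```

The bounds check in read_va is the part worth keeping: a dump-file RVA is only meaningful inside the range it was taken from, so a UNICODE_STRING whose Length or Buffer has been trampled should raise rather than silently return bytes from the neighbouring range.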
Here is an example in which an lsass dump was scanned (command not shown) alongside a process of interest that was handling certificates. From the lsass dump, we find a PKCS container with a 2048-bit key whose modulus starts with B2013599836403D8737AA998B1411CDA06B6D41B. In the Python process, we find a public certificate whose modulus starts with the same value. Because a certificate carries the public half of the key, its RSA modulus is identical to the private key's, so we've identified a valid key pair, and we can extract both and combine them into a PFX.
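The pairing step above, as an added example of my own rather than dumpscan's code: match recovered private keys to certificates by full RSA modulus, then bundle a matched pair into a password-protected PFX and reload it to prove the bundle is usable. It assumes the cryptography library; the key and certificates are generated inside the block as constructed stand-ins for objects carved from lsass and the target process.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def modulus_hex(obj) -> str:
    """Uppercase hex of the RSA modulus n. Works for an RSA private key or an X.509
    certificate, since both expose public_key(); the certificate's modulus is exactly
    the private key's, which is why a dump report can pair them by this value."""
    return format(obj.public_key().public_numbers().n, "X")


def match_key_pairs(private_keys, certificates):
    """Pair each recovered private key with every certificate sharing its modulus.
    Compare the whole modulus, not only the prefix that fits on a report line."""
    by_modulus = {}
    for cert in certificates:
        by_modulus.setdefault(modulus_hex(cert), []).append(cert)
    return [(key, cert) for key in private_keys
            for cert in by_modulus.get(modulus_hex(key), [])]


def build_pfx(key, cert, password: bytes, friendly_name: bytes = b"recovered") -> bytes:
    """Bundle a matched key and certificate into a password-protected PKCS#12 (PFX)."""
    return pkcs12.serialize_key_and_certificates(
        friendly_name, key, cert, None,
        serialization.BestAvailableEncryption(password))


def load_pfx(pfx: bytes, password: bytes):
    """Reload the PFX and return (private_key, certificate) to confirm it round-trips."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx, password)
    return key, cert


def make_self_signed(common_name: str, key_size: int = 2048):
    """Constructed sample input: a fresh RSA key plus a self-signed certificate for it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return key, cert


if __name__ == "__main__":
    key_a, cert_a = make_self_signed("svc.example.test")    # the matching pair
    key_b, _ = make_self_signed("unrelated.example.test")  # a decoy key with another modulus
    for label, obj in (("key A", key_a), ("key B", key_b), ("cert A", cert_a)):
        print(f"{label}: modulus starts with {modulus_hex(obj)[:40]}")
    pairs = match_key_pairs([key_a, key_b], [cert_a])
    print(f"{len(pairs)} key pair(s) matched")
    pfx = build_pfx(*pairs[0], password=b"changeit")
    reloaded_key, reloaded_cert = load_pfx(pfx, b"changeit")
    print("PFX round-trip OK:",
          reloaded_cert == cert_a and modulus_hex(reloaded_key) == modulus_hex(key_a))
```

The reload at the end is the check a practitioner wants before handing a PFX to a client tool: it proves the private key and certificate really belong together, because a mismatched pair serializes without complaint but fails the moment something tries to use it.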
My goal is to make dumpscan the premier tool for scanning different types of memory dumps and processes for secrets. There's a long way to go, but if you're interested, head over to the GitHub page to find out more.