Project X6: Capturing Passwords from RAM on a Mac (10 Points)

What You Need for This Project

Downloading Mac Memory Reader

On your Mac, in a Web browser, go to

http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader

Download "Mac Memory Reader 3.0.2".

In a Terminal window, execute these commands:

cd Downloads

tar xzf MacMemoryReader_3.0.2.tar.gz

cd MacMemoryReader

Now Mac Memory Reader is ready to use.

Capturing RAM

In a Terminal window, execute these commands, as shown below:
cd ~/Downloads/MacMemoryReader

sudo ./MacMemoryReader ram

When the process finishes, you have a file named "ram" that has the entire contents of your current ram.

In a Terminal window, execute these commands, as shown below:

ls -l

strings ram > ramstr

The second command will take a few minutes to complete. It harvests every run of printable characters in the "ram" file (four or more in a row, by default) and writes them, one per line, to a file named "ramstr".

Searching for BLOTTO441

In a Terminal window, execute these commands:
grep "BLOTTO441" ramstr > temp

nano temp

This searches for the string "BLOTTO441" in the captured RAM. It should not be there yet, because nothing on this Mac has used that string, so nano should show an empty file.

If you repeat this project, the string may actually be there. In that case, add another digit to the end of the string to find a string you haven't used yet.

Creating a Twitter Account

USE YOUR OTHER COMPUTER!

Don't use your Mac to create the account. Typing the password on the Mac would put it into the Mac's RAM before the login you want to observe, and the second capture would no longer prove anything.

On your other computer, go to http://twitter.com

Create a new account with any name you like and this password:

BLOTTO441YOURNAME

Replace YOURNAME with your own name.

Logging in on the Mac

On the Mac, in a Web browser, go to http://twitter.com

Log in to the account you just created.

Capturing RAM Again

In a Terminal window, execute these commands:
cd ~/Downloads/MacMemoryReader

rm ram

Because the "ram" file was written by sudo, it is owned by root, so rm asks whether to override its permissions. Enter "y" to confirm the deletion.

In the Terminal window, execute these commands:

sudo ./MacMemoryReader ram

strings ram > ramstr

grep "BLOTTO441" ramstr > temp

nano temp

You should now see several lines, each a string harvested from RAM that contains BLOTTO441YOURNAME (with your own name in place of YOURNAME).
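To make the strings-then-grep step concrete, here is an added example (not part of the original project) that does the same harvesting in Python over a constructed stand-in for the "ram" file, so it runs without a real memory dump. It also applies the "add another digit" rule from the first search step, and it extracts UTF-16 strings as well as ASCII ones, which a plain strings | grep pass does not report. The names extract_strings, find_marker, pick_unused_marker and SAMPLE_DUMP are this example's own, and SAMPLE_DUMP is constructed, not captured.

```python
"""
Harvest printable strings from a raw RAM dump and search them for a marker,
the way `strings ram > ramstr; grep MARKER ramstr` does in the project above.

Added example; not part of the original project. It reads no real RAM:
SAMPLE_DUMP is a constructed byte string standing in for the "ram" file.
"""
import re
from typing import List, Tuple

MIN_LEN = 4  # strings(1) default minimum run length

# ASCII runs, as strings(1) reports them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs (every other byte NUL). Browsers and the OS keep many
# strings this way, and a plain strings | grep pass on the dump misses them.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(dump: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the dump."""
    found = []
    for m in ASCII_RUN.finditer(dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)  # ordered by offset in the dump


def find_marker(dump: bytes, marker: str) -> List[Tuple[int, str, str]]:
    """The `grep MARKER ramstr` step: every harvested string containing marker."""
    return [s for s in extract_strings(dump) if marker in s[2]]


def pick_unused_marker(dump: bytes, base: str) -> str:
    """Choose a marker not already in RAM, appending one digit at a time
    until the search comes back empty (the 'add another digit' rule)."""
    candidate = base
    digit = 0
    while find_marker(dump, candidate):
        candidate += str(digit % 10)
        digit += 1
    return candidate


# Constructed stand-in for a RAM dump: filler bytes with a password copied
# into it several times, as a browser login leaves behind. One copy is in a
# form body, one is UTF-16LE, one sits next to a short label.
PASSWORD = "BLOTTO441ALICE"
SAMPLE_DUMP = (
    b"\x00\x01\x02\x7f" * 16
    + b"session=abc&password=" + PASSWORD.encode() + b"&remember=1"
    + b"\xff\xfe\x00\x00" * 8
    + PASSWORD.encode("utf-16-le")
    + b"\x00\x00" * 5
    + b"pw:" + PASSWORD.encode() + b"\x00"
    + b"\x90" * 32
)

if __name__ == "__main__":
    for offset, enc, text in find_marker(SAMPLE_DUMP, "BLOTTO441"):
        print(f"{offset:#010x} {enc:8s} {text}")
    print("unused marker:", pick_unused_marker(SAMPLE_DUMP, "BLOTTO441"))
```

Running it lists three copies of the password with their offsets; an ASCII-only pass, which is what strings(1) gives you on the Mac, would show only two of them, so when a search of ramstr comes up short, repeat it on UTF-16 text before concluding the secret is not in memory.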

Reflection

Notice that a single login leaves many copies of your password in RAM. HTTPS protects the password only on the wire: the browser has to hold the plaintext in its own memory to build the login request, and nothing encrypts that memory. Anyone who can read physical memory, as you just did with root privileges, can recover it. This is one reason RAM analysis is so important.

Saving a Screen Image

Make sure your screen shows BLOTTO441 and YOUR NAME.

Press Shift+Command+3 to capture an image of the entire desktop. It appears on the desktop as a "Screen Shot" file.

Rename the image to the filename "Your Name Proj X6". Use your real name, not the literal text "Your Name".

Turning in your Project

Email the image to me as an email attachment. Send it to: cnit.121@gmail.com with a subject line of "Proj X6 From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 3-1-13 11 am