Jump to content
Nytro

LiMEaide

By Nytro, in Programe securitate

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

LiMEaide

v1.3.0

About

LiMEaide is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. I hope that this will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite caffeinated beverage.

How To

TL;DR 

python3 limeaide.py <IP>

and magic happens.

For more detailed usage checkout the wiki For editing the configuration file see here

Detailed usage 

limeaide.py [OPTIONS] REMOTE_IP
-h, --help
    Shows the help dialog

-u, --user : <user>
    Execute memory grab as sudo user. This is useful when root privileges are not granted.

-p, --profile : <distro> <kernel version> <arch>
    Skip the profiler by providing the distribution, kernel version, and architecture of the remote client.

-N, --no-profiler
    Do NOT run profiler and force the creation of a new module/profile for the client.

-C, --dont-compress
    Do not compress memory file. By default memory is compressed on host. If you experience issues, toggle this flag. In my tests I see a ~60% reduction in file size

--delay-pickup
    Execute a job to create a RAM dump on target system that you will retrieve later.  The stored job
    is located in the scheduled_jobs/ dir that ends in .dat

-P, --pickup <path to job file .dat>
    Pick up a job you previously ran with the --delayed-pickup switch.
    The file that follows this switch is located in the scheduled_jobs/ directory
    and ends in .dat

-o, --output : <name>
    Change name of output file. Default is dump.bin

-c, --case : <case num>
    Append case number to front of output directory.

--force-clean
    If previous attempt failed then clean up client

Set-up

Dependencies

python

  • DEB base 
sudo apt-get install python3-paramiko python3-termcolor
  • RPM base 
sudo yum install python3-paramiko python3-termcolor
  • pip3 
sudo pip3 install paramiko termcolor

LiME

In order to use LiME you must download and move the source into the LiMEaide/tools directory. Make sure the the LiME folder is named LiME. The full path should be as follows: NOTE: If you would like to build Volatility profiles, you must use my forked version of LiME. This provides debugging symbols used by dwarfdump. 

LiMEaide/tools/LiME/

How to...

  1. Download LiME v1.7.8
  2. Extract into LiMEaide/tools/
  3. Rename folder to LiME

dwarfdump

In order to build a volatility profile we need to be able to read the debugging symbols in the LKM. For this we need to install dwarfdump. If you encounter any issues finding/installing dwarfdump see the volatility page here

  • DEB package manager 
sudo apt-get install dwarfdump
  • RPM package manager 
sudo yum install libdwarf-tools

Special Thanks and Notes

  • The idea for this application was built upon the concept dreamed up by and the Linux Memory Grabber project
  • And of course none of this could be possible without the amazing LiME project

Limits at this time

  • Support on for bash. Use other shells at your own risk
  • Modules must be built on remote client. Therefore remote client must have proper headers installed.

 

Sursa: https://github.com/kd8bny/LiMEaide

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...