Digging passwords in Linux swap

Quick exploration of the forensic/post exploitation possibilities using the GNU Linux swap memory and introduction to swap_digger tool.

Article published on 20 July 2017

by Emeric Nasi


License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I don’t remember how the idea came to me but I did a few research of sensitive data in RAM on Linux and Windows and one day I asked myself, "How about swap?, what can I find in there?".

I. What can be found in swap?

I am not going to explain what is swap here. If you want to know more about swap and how to increase/decrease swappiness have a look at https://www.linux.com/news/all-about-linux-swap-space

To know where is your swap device use the next command:
cat /proc/swaps

I ran several tests, mainly on various Ubuntu machines, including Kali Linux, and also Debian. Tests where run both on bare metal and virtual machines. Some machines did swap a lot some other almost nothing. So what kind of information did I found?
Below is a list of stuff I did dig in swap space.

  • Linux account clear-text passwords
  • Web login/passwords
  • Email addresses
  • Wifi network SSID and keys
  • GPG private keys
  • Keepass master key
  • Samba credentials

This list can obviously be extended; any data you can find in RAM can potentially be swapped! I also ran it on my personal laptop and was afraid by the amount of leaked data. I was happy at least my Veracrypt key was not leaked!

II. How to automate swap digging?

1) Finding patterns
There are some patterns which are easy to find. For example if you want to search for web passwords (GET/POST) you can use:
# strings <swap_device> | grep "&password="

If you want to search for web entered email (GET/POST) you can use:
# strings <swap_device> | grep -i 'email=' | grep @ | uniq

Other passwords are much more difficult to find as they are in their own string. It is the case for Linux user account. In that case, it is still possible to find a pattern by watching the surrounding strings (heavy use of grep -C option!).
For example, on Ubuntu distribs, I found that the user password is available several times in clear text. and there is always a case where the clear text password is not far from the hashed password in memory.
You can check that with:
# strings <swap_device> | grep -C 50 <hashed_password> | grep <clear_text_password>

Even if it doesn’t work, the clear-text password is probably still in memory so you can launch a dictionary attack on /etc/shadow using the swap strings as dictionary.
It may take some time to complete but in the end it will work even if the password is strong and the hash can never be cracked in reasonable time.

You can find a lot of stuff in the swap, If you want to have a look, I recommend you dump your swap string somewhere readable only by root and have fun with grep!
You can also use my swap digger tool.

2) Swap digger
I created a bash script to automate some of the swap digging process. Not surprisingly, this tool is called swap_digger.sh. It is available on Github.

It automates swap extraction and searches for Linux user credentials, Web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.

Condensed example:

See more information at https://github.com/sevagas/swap_digger.

Note: Swap digging is prone to false positives. It is not possible to predict where data will be stored and if two strings from the same process will really be adjacent in swap memory.

III. Mitigations

There are several ways to explore to reduce the risk.

1) Regularly zero-out swap
Sensitive data can stay for months in swap before being replaced by something else.
What you can do is to regularly erase the content of the swap (this will require to temporarily disable the swap).

2) Encrypt swap
It is possible to encrypt the swap, this is done for example by default on Ubuntu if you chose to encrypt your home directory.
Swap encryption does protect against a forensic analysis by mounting the disk, it does not prevent against post-exploitation on a live compromised system. In a live system, the encrypted swap is mounted in a special device (something like /dev/mapper/blah_swap). The swap is available in clear text if you access this device.
There are several ways to encrypt swap, I will let the reader search which method suits his system better.

3) Developers should erase the sensitive data in RAM.
For performance reasons, memory allocation and freeing do not wipe out the concerned data. A freed data can stay available in RAM for a very long time before it is replaced. This is a problem in case of swapping but also as the sensitive data can be leaked from process memory (the mimipenguin tool does that well).
If a software contains sensitive data such as a password, it should erase it by replacing all values by zeroes or random junk before freeing the memory.

Conclusion

The swap is a treasure chest for forensic or post exploitation. In our case we just had a look at limited Linux features, and only looked as strings based pattern, not binary.
Another field of investigation would be Windows OS which also swaps. Unfortunately the Windows swap related files (Pagefile.sys, Swapfile.sys, Hiberfile.sys) are much more difficult to read. They are not accessible to system administrators. It is however possible using more advanced forensic methods.

Thx to Benjamin Chetioui (SIben) (https://twitter.com/_SIben_) and Jeremie Goldberg (https://twitter.com/BaronMillenard) for helping me for my tests.
Thx to Hunter Gregal (https://twitter.com/HunterGregal), I reused part of his mimipenguin code for Linux password digging.

Do not hesitate to comment and propose suggestion to improve swap_digger.
Bye-bye for now and have fun doing swap excavation!
http://twitter.com/EmericNasi