This repository contains a plugin for Volatility that can extract credentials
from the memory of an OpenVPN process. The username and password entered
by the user, as well as passwords entered to unlock a private key can be recovered. OpenVPN's --auth-nocache
flag
must not be set. The plugin supports OpenVPN 2.X.X on Windows. It was successfully tested with OpenVPN 2.2.2, 2.3.2 and
2.3.4 on Windows XP (x86) and Windows 7 (x86 & x64).
This repository also contains a small plugin to extract base64/PEM encoded RSA private keys from memory.
This plugin was developed as a part of a university assignment about virtual machine introspection. The Volatility framework was chosen, because it offers a wide variety of plugins and can interface with hypervisors through libvmi to perform introspection. OpenVPN was chosen as a target, because it is widely deployed at the university to facilitate network access control. This allowed to evaluate the security of the OpenVPN deployment and demonstrate the plugin on an application that students are familiar with in everyday use.
In a real-world scenario, the plugin may be handy to extract credentials during an investigation or pentest engagement.
You can also use it to validate that OpenVPN's --auth-nocache
flag works as intended.
Either place the plugins into Volatility's plugins/
directory, or use the --plugins=
option to point Volatility
to the directory containing openvpn.py
.
The plugins expect no further arguments, just load a memory image and specify a profile for Volatility. A memory sample can be downloaded from https://mega.co.nz/#!Wx5kiZZS!77NiMTl8B_imwhl4JSg0lmRm90LZ9wgvFhQYxmmOioo. After downloading the memory dump, decompress it and run Volatility to extract the credentials:
unxz "OpenVPN-2.3.4 XP 32.elf.xz"
volatility -f "OpenVPN-2.3.4 XP 32.elf" --profile=WinXPSP3x86 openvpn