Scan RAM to find ip and passwords

When searching for information on your computer, you should remember that it is placed not only in permanent storage (solid state drives, hard drives, removable media, etc.), but also in RAM, in the processes that process it.

The information when placed on the hard disk and in the RAM is not always the same:

  • can be encrypted on the hard drive, but not in the RAM (example: the VeraCrypt encrypted drive stores a text file with passwords, which is opened in a text editor – in this case the passwords from this file will be in plain text in RAM)
  • .

  • information can be created in the process of calculations, or receiving data from the network (in this case the original information is not in permanent repositories)
  • .

Content analysis (dump) of the running process is often used in reverse engineering when the source file is encrypted: to execute the file must still be in RAM decrypted, so analyzing the running process makes reverse engineering easier.

You can also think of other ways of analyzing and searching through RAM:

  • detecting applications that follow the clipboard
  • assess the quality of programs designed to store passwords – if such programs contain passwords in RAM as plain text in the running form, it is strongly recommended not to use such programs
  • .

  • search for an app that contains certain strings or connects to a certain host


mXtract is an open source tool for Linux that analyzes and stores the contents of processes in RAM. It is designed as an offensive penetration test tool, its main purpose is to scan RAM for private keys, IP addresses and passwords using regular expressions. Remember, your results are as good as your regular expressions.

/></p><p><strong> Why take results directly from memory?</p><p>In most Linux environments the user can access process memory, this allows attackers to collect credentials, keys or anything else that is not meant to be visible, but is processed by programs as plain text.</p><p>Features of .</p><ul><li>The ability to enter a list of regular expressions</li><p>.</p><li>Clear and readable results</li><li>Check whether the memory range is readable with the current resolutions</li><p>.</p><li>XML and HTML output together with default terminal output (process name:result)</li><li>The ability to mass scan each process or a specific PID</li><p>.</p><li>The ability to select a memory partition for scanning</li><p>.</p><li>The ability to show detailed information about the process</li><p>.</p><li>The ability to scan files in the workspace</li><p>.</p><li>Memory dumps automatically delete Unicode characters, allowing them to be processed by other tools or manually</li><p>.</ul><p>Home page: <a href=//

Command Line:

 -v Enable Verbose Output -s Suppress Banner -h Help -c suppress colored output -r= Regex DB -a Scan all memory ranges not just heap/stack -w Write raw memory to file Default directory is pid/ -o Write regex output to file -d= Custom Ouput Directory -p= Specify single pid to scan Either -r= or -w needed

Examples of launching mXtract.

Scan with verbal output (-v) process with PID equal to 4 (-p=4), doing a search by a simple regular expression to detect IP addresses (-r=example_regexes. db), scanning each data segment (-a), displaying information about the process (-i) and scanning work environment files (-e):

mxtract -p=4 -r=example_regexes.db -v -a -e -i


/></p><p>Scan with verbal output <strong><em>(-v)</em></strong> process with PID equal to 4 <strong><em>(-p=4)</em></strong>, doing a search by a simple regular expression to detect IP addresses <strong><em>(-r=example_regexes. db)</em></strong>, scanning each data segment <strong><em>(-a)</em></strong>, displaying information about the process <strong><em>(-i)</em></strong>:</p><pre spellcheck=mxtract -p=4 -r=example_regexes.db -v -a -i

Non-verbal process scanning with a PID of 4 (-p=4), doing a search by a simple regular expression to detect IP addresses (-r=example_regexes. db), displaying information about the process (-i) and scanning work environment files (-e):

mxtract -p=4 -r=example_regexes.db -e -i

Set mXtract.

Installation in Kali Linux.

git clone //
cd mXtract && sh
sudo mv bin/mxtract /usr/bin/
sudo mkdir -p /usr/share/doc/mxtract/
mv example_regexes.db /usr/share/doc/mxtract/

Invallation in BlackArch.

The program is pre-installed in BlackArch.

sudo pacman -S mxtract


When you start scanning processes, sometimes mXtract hangs and stops working normally until the next reboot. When creating regular expressions using wildcards (dot and asterisk), a “segmenting error” may occur.


Evaluation of password storage programs

Programs can store passwords as their primary function (different password managers), or store passwords for user convenience (FTP clients, web browsers, etc.). You can also test different ways to store passwords (e.g. in a simple text file but on an encrypted disk).

Instead of regular expressions, you can specify literal search strings. You can write down several passwords as these strings. Each regular expression has to be on separate lines. For example, you can create a file passwords.db and write there:


By the way, as for the letters of national alphabets (all except English letters), they are most likely processed by the computer in one or another encoding, so it is unlikely to find a literal coincidence of lines – first you need to write a string as a sequence of characters in the desired encoding).

After that you can run a search on the content of processes in RAM:

sudo mxtract -wr -e -i -d=/tmp/output/ -r=passwords.db

For example, passwords in an open text file, even if it is on an encrypted partition, are perfectly located this way.

Search for programs that have access to the clipboard

First, you need to remember that the data that is copied to the clipboard is often available as plain text (although it depends on the programs). Secondly, in this way you can find a program that watches the clipboard without your knowledge.

Let’s create a clipboard.db file and write any unique line into it, for example:


Let’s copy it to the clipboard and start scanning processes:

sudo mxtract -wm -wr -e -i -d=/tmp/output/ -r=clipboard.db

You will be able to detect programs that contain this line (the screenshot shows a legitimate program – I took it just as an example):


/></p><h2>Finding passwords and keys in running processes (code editors, web server)</h2><p>It is possible to combine the work of these two programs. Let’s make it so that <strong>mXtract</strong> extracts almost all lines, for this purpose let’s create a file <strong>strings.db</strong> and copy to it approximately the following:</p><div class=

[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 +/=]{30,}

What is in square brackets are the characters that can occur in a string (edit to fit your conditions), and in curly brackets the minimum size of the string (also edit if necessary). Run it:

sudo mxtract -wr -e -i -d=/tmp/output/ -r=strings.db

And now with DumpsterDiver we are looking for strings with the entropy we need:

python3 -p /tmp/output/ --entropy 5.3

This is a very rough concept, in a real situation you need to fine-tune the DumpsterDiver.

How to know which program was connected to a particular host

What if a suspicious connection to a certain host is found after it has been terminated (for example, in a file with saved network packets)? In this case the port is already closed, but if the process is still running, there is a chance to catch it. To do this, specify the host name or IP address you are interested in as a search string.

Search for a program that contains certain data

The technique described above can be used not only for network addresses, but also for any strings. In this way, you can find a program that saves certain files, shows windows with certain lines, and so on.

Extract clipboard contents

Depending on the software you use, you may find a program that stores the clipboard (copied text) as plain text. Using the -p= option, you can specify a single process identifier (PID) for scanning. If you set up regular expressions correctly, you can extract the clipboard contents.

For detailed analysis of process content -wm option will be useful – if you specify it, raw data of full content of each process will be saved. Or one process, if the option -p= is specified.

How to know the identifier of the process of interest

By the way, if you want to scan a certain process, you can find its number in the view commands:

ps a | grep -E 'cli(p)board'
ps a | grep -E 'libre(o)ffice'

Note the brackets – they do not change anything in essence, but thanks to them the process with grep does not get into the output list.

To get only the number, you can run it this way:

ps a | grep - E 'cli(p)board' | awk '{print $1}'



Source: //

WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: