danielsauder

IT security is a matter of trust.

Memdumps, Volatility, Mimikatz, VMs – Overview

In the last weeks I experimented with how to get user credentials from memory dumps, and hopefully I will have the time to continue this little “research” (I know, it is not really research when you just write up stuff 😉 ). There are many different ways to dump credentials as hashes or in cleartext from various types of memory dumps, so I think this will become a few short articles. I added links to sources and more in-depth information.
Highly interesting for me is how to obtain memory dumps from virtual machines when you have access to the host system. Further, I will have a look at countermeasures in a later part (by which I mean monitoring and logging).
Overview
Part 1: Mimikatz & lsass.exe Dump
Part 2: Windows 7 Full Memory Dump & Get Hashes
Part 3: WinDBG Mimikatz Extension
Part 4: Volatility & Mimikatz
Part 5: Virtualbox & LM/NTLM Hashes
Part 6: VMWare Workstation
Part 7: ESXi Server
Part 8: Attacking Scenario – Volatility on ESXi
Part 9: Logging & Monitoring ESXi


10 responses to “Memdumps, Volatility, Mimikatz, VMs – Overview”

  1. […] For this test I installed everything in a WinXP VM. I followed these instructions: http://michlstechblog.info/blog/security-install-mimikatz-offline-plugin-to-volatility-draft/ … with only small changes, because I had a win32 machine.

     First things first: The plugin seems to be PoC and supports Windows Vista & 7 with 32 & 64 Bit (Maybe works for Win Server 2008 too?). Here are the steps for installing volatility with the plugin:

     Download & install Python 2.7.x from https://www.python.org/downloads/release
     Download & install Volatility 2.4 module installer http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.win32.exe
     Download & install Microsoft Visual C++ Compiler for Python 2.7 https://www.microsoft.com/en-us/download/details.aspx?id=44266 (Don’t know if that was really necessary)

     C:\Python27\Scripts>python.exe -m pip install distorm3
     C:\Python27\Scripts>python.exe -m pip install Pycrypto
     C:\Python27\Scripts>python.exe -m pip install yara
     C:\Python27\Scripts>python.exe -m pip install construct

     I downloaded the mimikatz plugin for volatility from: https://raw.githubusercontent.com/RealityNet/hotoloti/master/volatility/mimikatz.py and stored it in c:\volatility-plugins.

     Check:

     C:\>python.exe "c:\Python27\Scripts\vol.py" --plugins="c:\volatility-plugins" --info | findstr /i mimi
     Volatility Foundation Volatility Framework 2.4
     linux_slabinfo             - Mimics /proc/slabinfo on a running machine
     mimikatz                   - mimikatz offline

     Success… Then copy the test.elf image from part 1 to the vm.

     Now it is possible to fetch the credentials in clear text:

     C:\>python "c:\python27\scripts\vol.py" --plugins="c:\volatility-plugins" -f "z:\DAXAMD-20160124-111555.raw" --profile=Win7SP0x64 mimikatz
     Volatility Foundation Volatility Framework 2.4
     Module   User             Domain           Password
     -------- ---------------- ---------------- ----------------------------------------
     wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
     wdigest  DAXAMD$          WORKGROUP

     Overview: https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/ […]

  2. […]
     – I installed ESXi 6 in VMWare Workstation 12
     – for this download the ESXi image
     – choose “typical installation” when creating a new VM in VMWare Workstation
     – for learning and testing this is awesome

     Screenshot of ESXi running in VMWare Workstation.

     – I copied my Windows 7 VM from Workstation to ESXi.
     – And made a snapshot like before (in part 6)
     – Download the .vmem file from the datastore:

     Or with the vSphere client:

     Then go on like in all the parts before:

     C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "Windows 7 x64-Snapshot1.vmem" imageinfo
     Volatility Foundation Volatility Framework 2.5
     INFO    : volatility.debug    : Determining profile based on KDBG search...
               Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                          AS Layer1 : AMD64PagedMemory (Kernel AS)
                          AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.5.win.standalone\Windows 7 x64-Snapshot1.vmem)
                           PAE type : No PAE
                                DTB : 0x187000L
                               KDBG : 0xf800029fd0a0L
               Number of Processors : 1
          Image Type (Service Pack) : 1
                     KPCR for CPU 0 : 0xfffff800029fed00L
                  KUSER_SHARED_DATA : 0xfffff78000000000L
                Image date and time : 2016-01-30 08:36:01 UTC+0000
          Image local date and time : 2016-01-30 09:36:01 +0100

     C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 hivelist
     Volatility Foundation Volatility Framework 2.5
     Virtual            Physical           Name
     ------------------ ------------------ ----
     0xfffff8a000f21010 0x000000000e407010 \SystemRoot\System32\Config\SAM
     0xfffff8a000f241f0 0x000000001503b1f0 \SystemRoot\System32\Config\SECURITY
     0xfffff8a000fcf010 0x0000000013dd3010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
     0xfffff8a0010211b0 0x0000000013c0c1b0 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
     0xfffff8a00193f010 0x0000000007284010 \??\C:\Users\dax\ntuser.dat
     0xfffff8a001994010 0x000000002a835010 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
     0xfffff8a003226010 0x0000000015fe6010 \SystemRoot\System32\Config\DEFAULT
     0xfffff8a00000f010 0x0000000027147010 [no name]
     0xfffff8a000024010 0x00000000270d2010 \REGISTRY\MACHINE\SYSTEM
     0xfffff8a000053010 0x0000000027001010 \REGISTRY\MACHINE\HARDWARE
     0xfffff8a000c38010 0x0000000001afb010 \Device\HarddiskVolume1\Boot\BCD
     0xfffff8a000d3f010 0x0000000022d0e010 \SystemRoot\System32\Config\SOFTWARE

     C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f "Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a000f21010
     Volatility Foundation Volatility Framework 2.5
     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
     Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
     dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::

     Overview: https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/ […]
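The two pingbacks above end with the raw Volatility output (the mimikatz plugin table in the first, the hashdump lines in the second). As an added example that is not code from the original posts or from Volatility, here is a small Python 3 script that parses both outputs and builds one per-account report: whether a cleartext credential was present in memory (and from which provider module), whether the NT hash is the well-known empty-password hash, and whether a real LM hash is still stored. The sample text is constructed from the outputs shown in the comments, with the passwords replaced by the same X placeholders the post uses; the function and constant names are my own.

```python
"""Summarise what a memory image exposed per account, from the two
Volatility outputs shown in the comments (mimikatz plugin + hashdump).
Added example; the sample input below is constructed from the posts."""
import re
from collections import namedtuple

# LM hash of an empty string (what hashdump prints when no LM hash is stored)
# and NT hash of an empty password; both are well-known constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the mimikatz plugin table from comment 1.
MIMIKATZ_OUTPUT = """\
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP
"""

# Constructed sample input: the hashdump (pwdump format) lines from comment 2.
HASHDUMP_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
"""

Cred = namedtuple("Cred", "module user domain password")
HashEntry = namedtuple("HashEntry", "user rid lm nt")

# user:rid:lmhash:nthash::: as printed by hashdump
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_mimikatz(text):
    """Return the data rows of the mimikatz plugin table as Cred tuples.
    A row without a fourth column (the machine account above) gets password=None."""
    creds = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("Volatility", "Module") or parts[0].startswith("-"):
            continue  # banner, header and separator lines
        module, user, domain = parts[:3]
        password = " ".join(parts[3:]) if len(parts) > 3 else None
        creds.append(Cred(module, user, domain, password))
    return creds


def parse_hashdump(text):
    """Return the pwdump lines as HashEntry tuples, hashes lower-cased."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append(HashEntry(user, int(rid), lm.lower(), nt.lower()))
    return entries


def hash_findings(entry):
    """Weaknesses visible from the SAM hashes alone."""
    findings = []
    if entry.nt == EMPTY_NT:
        findings.append("empty password")
    if entry.lm != EMPTY_LM:
        findings.append("LM hash stored")
    return findings


def summarize(mimikatz_text, hashdump_text):
    """Merge both outputs into {user: {...}}: which accounts had a cleartext
    credential in memory, and which SAM entries are weak by themselves."""
    report = {}
    for e in parse_hashdump(hashdump_text):
        report[e.user] = {"rid": e.rid, "cleartext_in_memory": False,
                          "providers": [], "findings": hash_findings(e)}
    for c in parse_mimikatz(mimikatz_text):
        if c.password is None:
            continue  # no credential recovered for this row
        entry = report.setdefault(c.user, {"rid": None, "cleartext_in_memory": False,
                                           "providers": [], "findings": []})
        entry["cleartext_in_memory"] = True
        entry["providers"].append(c.module)
    return report


if __name__ == "__main__":
    for user, info in summarize(MIMIKATZ_OUTPUT, HASHDUMP_OUTPUT).items():
        print(user, info)
```

Run it as-is to see the report for the constructed sample; for a real case, feed the text captured from `vol.py ... mimikatz` and `... hashdump` into `summarize()`. The report keeps the two sources separate on purpose: an account can show up only in the SAM (Gast, no cleartext in memory) or only in memory (__vmware_user__, a domain or hidden account with no local SAM entry), and the "empty password" and "LM hash stored" findings are things worth fixing regardless of what was resident in lsass at snapshot time.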
