govolution

Memdumps, Volatility, Mimikatz, VMs – Overview

The last weeks I experimented with how to get user crendentials from memory dumps, and hopefully I will have the time to contiue this little “research” (I know, it is not really research when you just writup stuff 😉 ). There are many different ways to dump credentials as hashes or in cleartext from various types of memory dumps, so I think that will become a few short articles. I added links for sources and more in depth information.
Highly interesting for me is how to obtain memory dumbs from virtual machines when you have access to the host system. Further I will have a look at countermeasures in a later part (whereby I mean monitoring and logging).
Overview
Part 1: Mimikatz & lsass.exe Dump
Part 2: Windows 7 Full Memory Dump & Get Hashes
Part 3: WinDBG Mimikatz Extension
Part 4: Volatility & Mimikatz
Part 5: Virtualbox & LM/NTLM Hashes
Part 6: VMWare Workstation
Part 7: ESXi Server
Part 8: Attacking Scenario – Volatility on ESXi
Part 9: Logging & Monitoring ESXi