IT security is a matter of trust.

Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server

– I installed ESXi 6 in VMWare Workstation 12
– for this download the ESXi image
– choose “typical installation” when creating a new VM in VMWare Workstation
– for learning and testing this is awesome
Screenshot of ESXi running in VMWare Workstation.
– I copied my Windows 7 VM from Workstation to ESXi.
– And made a snapshot like before (in part 6)
UPDATE: works also with .vmsn files
– Download the .vmem file from the datastore:
Or with the vSphere client:
Then go on like in all the parts before:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f “Windows 7 x64-Snapshot1.vmem” imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win200
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volati
lity_2.5.win.standalone\Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029fd0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029fed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-30 08:36:01 UTC+0000
     Image local date and time : 2016-01-30 09:36:01 +0100
xe -f “Windows 7 x64-Snapshot1.vmem” –profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
—————— —————— —-
0xfffff8a000f21010 0x000000000e407010 \SystemRoot\System32\Config\SAM
0xfffff8a000f241f0 0x000000001503b1f0 \SystemRoot\System32\Config\SECURITY
0xfffff8a000fcf010 0x0000000013dd3010 \??\C:\Windows\ServiceProfiles\LocalServic
0xfffff8a0010211b0 0x0000000013c0c1b0 \??\C:\Windows\ServiceProfiles\NetworkServ
0xfffff8a00193f010 0x0000000007284010 \??\C:\Users\dax\ntuser.dat
0xfffff8a001994010 0x000000002a835010 \??\C:\Users\dax\AppData\Local\Microsoft\W
0xfffff8a003226010 0x0000000015fe6010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x0000000027147010 [no name]
0xfffff8a000024010 0x00000000270d2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x0000000027001010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000c38010 0x0000000001afb010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000d3f010 0x0000000022d0e010 \SystemRoot\System32\Config\SOFTWARE
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f “Windows 7 x64-Snapshot1.vmem” –profile=Win7SP1x64 -y 0xfffff8a0
00024010 -s 0xfffff8a000f21010
Volatility Foundation Volatility Framework 2.5

Published by

2 responses to “Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server”

  1. […] 4: Volatility & Mimikatz Part 5: Virtualbox & LM/NTLM Hashes Part 6: VMWare Workstation Part 7: ESXi Server Part 8: Attacking Scenario – Volatility on ESXi Part 9: Logging & Monitoring […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: