For this test I installed everything in a WinXP VM. I followed these instructions:
… with only small changes, because I had a win32 machine.
First things first: the plugin seems to be a PoC and supports Windows Vista and 7, 32 and 64 bit (maybe it works for Windows Server 2008 too?).
Here are the steps for installing volatility with the plugin:
Download & install Python 2.7.x from https://www.python.org/downloads/release
Download & install Volatility 2.4 module installer http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.win32.exe
Download & install Microsoft Visual C++ Compiler for Python 2.7 https://www.microsoft.com/en-us/download/details.aspx?id=44266
(Don't know if that was really necessary)
C:\Python27\Scripts>python.exe -m pip install distorm3
C:\Python27\Scripts>python.exe -m pip install Pycrypto
C:\Python27\Scripts>python.exe -m pip install yara
C:\Python27\Scripts>python.exe -m pip install construct
I downloaded the mimikatz plugin for volatility from:
and stored it in c:\volatility-plugins.
Check that Volatility picks the plugin up:
C:\>python.exe "c:\Python27\Scripts\vol.py" --plugins="c:\volatility-plugins" --info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo - Mimics /proc/slabinfo on a running machine
mimikatz - mimikatz offline
Success: the mimikatz plugin is listed (linux_slabinfo only shows up because its description contains "Mimics").
Then copy the test.elf image from part 1 to the vm.
Now the credentials can be extracted from the dump in clear text:
C:\>python "c:\python27\scripts\vol.py" --plugins="c:\volatility-plugins" -f "z:\DAXAMD-20160124-111555.raw" --profile=Win7SP0x64 mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP
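As an added example (my own script, not code from the original post or from the Volatility project), here is a small Python program that automates the two checks above: it confirms that the mimikatz plugin is really registered in the --info listing (anchoring on the plugin-name column, which is stricter than findstr /i mimi), and it parses the plugin's fixed-width credential table so an incident responder can report which accounts had a recoverable WDigest cleartext password without re-disclosing the secrets. The sample listing and table are constructed to mirror the output shown above with placeholder passwords; the function names plugin_registered, parse_credential_table, exposure_summary and redact are my own.

```python
from __future__ import print_function
import re

# Constructed sample of `vol.py --info` output, mirroring the listing in the post
# (hypothetical lines, not captured from a real run).
SAMPLE_INFO = """Volatility Foundation Volatility Framework 2.4

Plugins
-------
linux_slabinfo             - Mimics /proc/slabinfo on a running machine
mimikatz                   - mimikatz offline
pslist                     - Print all running processes by following the EPROCESS lists
"""


def _row(*cols):
    # The plugin prints a fixed-width table; reproduce the same layout for the sample.
    return "%-8s %-16s %-16s %s" % cols


# Constructed sample of the mimikatz plugin's table with placeholder passwords
# (hypothetical values, not from a real memory dump).
SAMPLE_RESULT = "\n".join([
    "Volatility Foundation Volatility Framework 2.4",
    _row("Module", "User", "Domain", "Password"),
    _row("-" * 8, "-" * 16, "-" * 16, "-" * 40),
    _row("wdigest", "__vmware_user__", "daxamd", "Sup3rSecretPassw0rd!"),
    _row("wdigest", "dax", "daxamd", "hunter2"),
    _row("wdigest", "DAXAMD$", "WORKGROUP", ""),
])


def plugin_registered(info_text, name="mimikatz"):
    """True if `name` is listed as a plugin in --info output.

    Anchors on the plugin-name column, so unlike `findstr /i mimi` it does not
    match a plugin whose description merely contains the string
    (linux_slabinfo's "Mimics /proc/slabinfo", for instance).
    """
    pattern = re.compile(r"^%s\s+-" % re.escape(name), re.MULTILINE)
    return pattern.search(info_text) is not None


def parse_credential_table(text):
    """Parse the plugin's fixed-width table into a list of dicts.

    Column boundaries are taken from the dashed rule under the header, so the
    parser does not depend on the exact widths Volatility chose.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Module") and i + 1 < len(lines) and lines[i + 1].startswith("-"):
            header, rule, body = line, lines[i + 1], lines[i + 2:]
            break
    else:
        return []  # no credential table in this output
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", rule)]
    names = [header[s:e].strip().lower() for s, e in spans]
    rows = []
    for line in body:
        if not line.strip():
            continue
        row = {}
        for idx, ((s, e), name) in enumerate(zip(spans, names)):
            # The last column (Password) may be longer than its rule; read to end of line.
            cell = line[s:] if idx == len(spans) - 1 else line[s:e]
            row[name] = cell.strip()
        rows.append(row)
    return rows


def exposure_summary(rows):
    """Group accounts per credential module by whether a cleartext password was recovered."""
    summary = {}
    for r in rows:
        groups = summary.setdefault(r["module"], {"with_password": [], "without_password": []})
        account = "%s\\%s" % (r["domain"], r["user"])
        groups["with_password" if r["password"] else "without_password"].append(account)
    return summary


def redact(password):
    """Report only the length, so a write-up does not re-disclose the secret."""
    return "*" * len(password) if password else "<none>"


if __name__ == "__main__":
    print("mimikatz plugin registered:", plugin_registered(SAMPLE_INFO))
    rows = parse_credential_table(SAMPLE_RESULT)
    for module, groups in sorted(exposure_summary(rows).items()):
        print("%s: cleartext for %s; no password for %s"
              % (module, groups["with_password"], groups["without_password"]))
    for r in rows:
        print(_row(r["module"], r["user"], r["domain"], redact(r["password"])))
```

The script runs under both Python 2.7 (the interpreter used above) and Python 3. To use it on real output, pipe the vol.py --info and mimikatz results into files and pass their contents to plugin_registered and parse_credential_table instead of the constructed samples; the summary tells you which accounts need a password reset after such a dump has left the machine.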
Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz