danielsauder

IT security is a matter of trust.

Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz

For this test I installed everything in a WinXP VM. I followed these instructions:
http://michlstechblog.info/blog/security-install-mimikatz-offline-plugin-to-volatility-draft/
… with only small changes, because I had a win32 machine.
First things first: the plugin seems to be a PoC and supports Windows Vista and 7, 32 and 64 bit (maybe it works for Windows Server 2008 too?).
Here are the steps for installing volatility with the plugin:
Download & install Python 2.7.x from https://www.python.org/downloads/release
Download & install Volatility 2.4 module installer http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.win32.exe
Download & install Microsoft Visual C++ Compiler for Python 2.7 https://www.microsoft.com/en-us/download/details.aspx?id=44266
(I don’t know if that was really necessary.)
C:\Python27\Scripts>python.exe -m pip install distorm3
C:\Python27\Scripts>python.exe -m pip install Pycrypto
C:\Python27\Scripts>python.exe -m pip install yara
C:\Python27\Scripts>python.exe -m pip install construct
I downloaded the mimikatz plugin for volatility from:
https://raw.githubusercontent.com/RealityNet/hotoloti/master/volatility/mimikatz.py
and stored it in c:\volatility-plugins.
Check:
C:\>python.exe "c:\Python27\Scripts\vol.py" --plugins="c:\volatility-plugins" --info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo             - Mimics /proc/slabinfo on a running machine
mimikatz                   - mimikatz offline
Success…
Then copy the test.elf image from part 1 to the VM.
Now it is possible to fetch the credentials in clear text:
C:\>python "c:\python27\scripts\vol.py" --plugins="c:\volatility-plugins" -f "z:\DAXAMD-20160124-111555.raw" --profile=Win7SP0x64 mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP
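To turn a table like the one above into a triage list of which accounts had a cleartext credential sitting in the dump (so they can be rotated) without ever re-printing the secret itself, here is an added Python 3 parser for the plugin's output format; it is not part of this post or of the Volatility plugin, and it runs on a constructed sample of the table with placeholder passwords rather than on a real dump. It derives the column boundaries from the dashed separator line, so it also copes with the machine-account row that has no password cell.

```python
import re

# Constructed sample mirroring the Volatility 2.4 mimikatz plugin's table layout
# from the post; rows are built with a format string so the columns line up,
# and the password cells are placeholders, not real secrets.
_ROW = "{:<8} {:<16} {:<16} {}"
SAMPLE_OUTPUT = "\n".join([
    "Volatility Foundation Volatility Framework 2.4",
    _ROW.format("Module", "User", "Domain", "Password"),
    _ROW.format("-" * 8, "-" * 16, "-" * 16, "-" * 40),
    _ROW.format("wdigest", "__vmware_user__", "daxamd", "PLACEHOLDER-SERVICE-PW"),
    _ROW.format("wdigest", "dax", "daxamd", "PLACEHOLDER-USER-PW"),
    _ROW.format("wdigest", "DAXAMD$", "WORKGROUP", "").rstrip(),  # no password cell
])


def parse_mimikatz_output(text):
    """Parse the plugin's fixed-width table into one dict per row.

    Column boundaries come from the dashed separator line, so a password that
    contains spaces and a row whose trailing Password column is absent (the
    machine account above) are both handled; the banner line is skipped.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        nxt = lines[i + 1].strip()
        if line.startswith("Module") and nxt and set(nxt) <= {"-", " "}:
            header, sep, start = line, lines[i + 1], i + 2
            break
    else:
        raise ValueError("mimikatz table header not found")
    offsets = [m.start() for m in re.finditer(r"-+", sep)]
    bounds = list(zip(offsets, offsets[1:] + [None]))  # last column runs to EOL
    names = [header[a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[start:]:
        if line.strip():
            rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def triage_exposed_accounts(text):
    """Return (DOMAIN\\user, module, exposed) per row; secrets are never returned.

    A non-empty Password cell means the dump held that account's cleartext
    credential (cached by wdigest in the post), so that account needs rotating.
    """
    return [("%s\\%s" % (r["Domain"], r["User"]), r["Module"], bool(r["Password"]))
            for r in parse_mimikatz_output(text)]
```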
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/
