govolution

Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz

For this test I installed everything in a WinXP VM. I followed these instructions:
http://michlstechblog.info/blog/security-install-mimikatz-offline-plugin-to-volatility-draft/
… with only small changes, because I had a win32 machine.
First things first: The plugins seems to be PoC and supports Windows Vista & 7 with 32 & 64 Bit (Maybe works for Win Server 2008 too?).
Here are the steps for installing volatility with the plugin:
Download & install Python 2.7.x from https://www.python.org/downloads/release
Download & install Volatility 2.4 module installer http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.win32.exe
Download & install Microsoft Visual C++ Compiler for Python 2.7 https://www.microsoft.com/en-us/download/details.aspx?id=44266
(Don’t know if that was really neccessary)
C:\Python27\Scripts>python.exe -m pip install distorm3
C:\Python27\Scripts>python.exe -m pip install Pycrypto
C:\Python27\Scripts>python.exe -m pip install yara
C:\Python27\Scripts>python.exe -m pip install construct
I downloaded the mimikatz plugin for volatility from:
https://raw.githubusercontent.com/RealityNet/hotoloti/master/volatility/mimikatz.py
and stored it in c:\volatility-plugins.
Check:
C:\>python.exe “c:\Python27\Scripts\vol.py” –plugins=”c:\volatility-plugins” –info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo             – Mimics /proc/slabinfo on a running machine
mimikatz                   – mimikatz offline
Success…
Then copy the test.elf image from part 1 to the vm.
Now it is possible to fetch the credentials in clear text:
C:\>python “c:\python27\scripts\vol.py” –plugins=”c:\volatility-plugins” -f “z:
\DAXAMD-20160124-111555.raw”  –profile=Win7SP0x64 mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
——– —————- —————- —————————————-
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/