Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server

– I installed ESXi 6 in VMWare Workstation 12
– for this download the ESXi image
– choose “typical installation” when creating a new VM in VMWare Workstation
– for learning and testing this is awesome
esxia413004ae4cd1d083f7506beb40b91de
Screenshot of ESXi running in VMWare Workstation.
– I copied my Windows 7 VM from Workstation to ESXi.
– And made a snapshot like before (in part 6)
UPDATE: works also with .vmsn files
– Download the .vmem file from the datastore:
dsa9786e65987088417a34ba10c323eaf3
Or with the vSphere client:
dsvsphere58ca9c91c0c70b1e95ed1f3dfa2488ee
Then go on like in all the parts before:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f “Windows 7 x64-Snapshot1.vmem” imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win200
8R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volati
lity_2.5.win.standalone\Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029fd0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029fed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-30 08:36:01 UTC+0000
     Image local date and time : 2016-01-30 09:36:01 +0100
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.e
xe -f “Windows 7 x64-Snapshot1.vmem” –profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
—————— —————— —-
0xfffff8a000f21010 0x000000000e407010 \SystemRoot\System32\Config\SAM
0xfffff8a000f241f0 0x000000001503b1f0 \SystemRoot\System32\Config\SECURITY
0xfffff8a000fcf010 0x0000000013dd3010 \??\C:\Windows\ServiceProfiles\LocalServic
e\NTUSER.DAT
0xfffff8a0010211b0 0x0000000013c0c1b0 \??\C:\Windows\ServiceProfiles\NetworkServ
ice\NTUSER.DAT
0xfffff8a00193f010 0x0000000007284010 \??\C:\Users\dax\ntuser.dat
0xfffff8a001994010 0x000000002a835010 \??\C:\Users\dax\AppData\Local\Microsoft\W
indows\UsrClass.dat
0xfffff8a003226010 0x0000000015fe6010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x0000000027147010 [no name]
0xfffff8a000024010 0x00000000270d2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x0000000027001010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000c38010 0x0000000001afb010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000d3f010 0x0000000022d0e010 \SystemRoot\System32\Config\SOFTWARE
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f “Windows 7 x64-Snapshot1.vmem” –profile=Win7SP1x64 -y 0xfffff8a0
00024010 -s 0xfffff8a000f21010
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c08
9c0:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
Advertisements

2 thoughts on “Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server

  1. Pingback: Memdumps, Volatility, Mimikatz, VMs – Overview | govolution
  2. Pingback: Lab setup |

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s