Virtual machine credential extraction

11/1/2020

A short but sweet blog post today. If you ever find yourself with local admin credentials on a server that manages VMs, such as vCenter or ESXi, think like the blue team. Years ago a colleague described how they were able to pull credentials out of a virtual image by using a snapshot or a paused VM. That recollection inspired me to try a new technique that puts my relatively new forensic skills to use in an interesting attack.

Instead of relying on extracting registry files, which I assume is what he did, you can run Volatility against the snapshot data to extract the password hashes from the target system. Those hashes can then be used with any pass-the-hash technique to get a shell. I wish I could remember who used the technique and exactly what they did, but that was over three years ago and I am not as good at recollecting things as computers are. Also, I am by no means the first person to do this; I just happened to be inspired by my circumstances at the time to try something new. I figured it may be useful to other folks as well.

See, short and sweet.

Details

Assuming you are now logged in and have successfully created a snapshot, identify the .vmss and .vmem files that belong to it. You will need these two files to create a memory dump.

Make sure you have a copy of vmss2core.exe, which can be found on VMware's site.

Next, run one of the following two commands to create the memory dump. Use the -W8 flag if the guest is Windows 8, Server 2012, 2016, or 2019, and -W for everything else.
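The same observation cuts the other way for whoever runs the platform: any VM folder that holds a saved-state file together with its .vmem is a complete copy of guest RAM sitting on the datastore, and it stays there until the snapshot is deleted or consolidated. The following is an added example, not code from the original post, that inventories a datastore listing for exactly those pairs so an admin can find and clean them up. It assumes VMware's file naming: a suspended VM writes `<vm>-<id>.vmss` plus `.vmem`, and a snapshot taken with memory writes `<vm>-SnapshotN.vmsn` plus `.vmem` (a snapshot taken without memory leaves a .vmsn but no .vmem). The directory listing in the block is constructed for the example; `scan_datastore()` walks a real path.

```python
"""
Added example (not from the original post): find VM directories on a
datastore whose snapshot or suspend state includes guest memory, i.e. the
.vmss/.vmsn + .vmem pairs that vmss2core and Volatility consume.
"""
import os
from dataclasses import dataclass, field
from pathlib import Path

# Saved-state files: .vmss for a suspended VM, .vmsn for a snapshot.
MEMORY_STATE_EXT = {".vmss", ".vmsn"}
# Raw guest RAM written beside the state file when memory was captured.
MEMORY_IMAGE_EXT = ".vmem"

# Constructed listing for the example (not a real datastore).
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/dc01/dc01.vmx",
    "/vmfs/volumes/ds1/dc01/dc01.vmdk",
    "/vmfs/volumes/ds1/dc01/dc01-Snapshot1.vmsn",   # snapshot with memory
    "/vmfs/volumes/ds1/dc01/dc01-Snapshot1.vmem",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01-Snapshot3.vmsn", # snapshot without memory
    "/vmfs/volumes/ds1/jump01/jump01.vmx",
    "/vmfs/volumes/ds1/jump01/jump01-abcd1234.vmss", # suspended VM
    "/vmfs/volumes/ds1/jump01/jump01-abcd1234.vmem",
]


@dataclass
class MemoryExposure:
    """What one VM directory holds in the way of memory-bearing files."""
    vm_dir: str
    state_files: list = field(default_factory=list)  # .vmss / .vmsn
    vmem_files: list = field(default_factory=list)   # .vmem

    @property
    def dumpable(self) -> bool:
        # vmss2core needs a state file AND its .vmem; one without the
        # other cannot be turned into a core dump.
        return bool(self.state_files) and bool(self.vmem_files)


def find_memory_exposures(paths) -> dict:
    """Group saved-state and .vmem files by the VM directory they live in."""
    exposures = {}
    for p in paths:
        path = Path(p)
        ext = path.suffix.lower()
        if ext not in MEMORY_STATE_EXT and ext != MEMORY_IMAGE_EXT:
            continue
        vm_dir = str(path.parent)
        entry = exposures.setdefault(vm_dir, MemoryExposure(vm_dir))
        if ext == MEMORY_IMAGE_EXT:
            entry.vmem_files.append(path.name)
        else:
            entry.state_files.append(path.name)
    return exposures


def dumpable_vms(paths) -> list:
    """Sorted VM directories whose saved state can be converted to a dump."""
    return sorted(d for d, e in find_memory_exposures(paths).items() if e.dumpable)


def scan_datastore(root: str) -> list:
    """Walk a real datastore mount and report dumpable VM directories."""
    paths = [os.path.join(dp, f) for dp, _, files in os.walk(root) for f in files]
    return dumpable_vms(paths)


if __name__ == "__main__":
    for vm_dir in dumpable_vms(SAMPLE_LISTING):
        print(f"guest memory on disk: {vm_dir}")
```

On the constructed listing this reports dc01 (snapshot with memory) and jump01 (suspended), and not web01, whose snapshot has no .vmem. Running `scan_datastore()` periodically against the datastore mounts gives the platform team a list of VMs whose credentials are recoverable from disk without ever touching the running guest.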

    
Next, you will need to run Volatility on the memory dump to extract the credentials. There are actually two versions of Volatility now. The newer one, Volatility 3, is simpler, but I had to be connected to the internet to use it because it needed to download symbol files on the fly. Depending on your circumstances this may not be possible, so I will put the syntax for both here.
Volatility 2
A few notes about this version if you aren't familiar with the tool. You first have to identify the correct memory profile so that all the offsets line up correctly. Failing to do so will not get you any passwords.

The first command identifies the profile, followed by credential extraction. Sometimes the profile takes some trial and error to get right, but if you have done good recon on your target you should be able to nail it on the first shot. After running the imageinfo command below, just select the profile that matches the Windows version and build. The most recent version of Kali should come with the latest profiles.

    
Next, extract the credentials. This requires finding the offsets of the SAM and SYSTEM registry hives and passing them to the hashdump module. Andrea Fortuna's blog has a great write-up about this.

    
Volatility 3
This tool is more straightforward to run; however, I found out the hard way that you need internet access so it can fetch the symbol files (its equivalent of Volatility 2 profiles). So if you run an isolated lab, make sure to get the internet connection going first.

    
You should now see a list of LM and NT hashes for the local users.
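What that list actually tells a defender is worth reading off it before anyone reaches for pass-the-hash: a blank NT hash means an account with no password, a non-blank LM hash means the host is still storing LM hashes, and two accounts sharing one NT hash means the same password is reused. The block below is an added example, not part of the original post, that parses hashdump's pwdump-style lines (`user:rid:lmhash:nthash:::`, the layout Volatility 2 prints; Volatility 3's table columns can be joined into the same shape) and reports those three conditions. The input lines are constructed: the empty-LM and empty-NT values are the well-known constants, every other hash is made up.

```python
"""
Added example (not from the original post): audit a hashdump listing for
blank passwords, LM hash storage, and password reuse across local accounts.
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known hashes of the empty password. Any other LM value means the
# host still stores LM hashes; an NT value equal to EMPTY_NT is a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump output for the example; the non-empty hashes are made up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyapp:1002:11111111222222223333333344444444:fedcba9876543210fedcba9876543210:::
"""


@dataclass(frozen=True)
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text: str) -> list:
    """Parse user:rid:lmhash:nthash::: lines; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"unexpected hashdump line: {line!r}")
        entries.append(HashEntry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def audit(entries) -> list:
    """Return (subject, finding) pairs for the weaknesses visible in the dump."""
    findings = []
    users_by_nt = defaultdict(list)
    for e in entries:
        if e.nt == EMPTY_NT:
            findings.append((e.user, "empty password"))
        if e.lm != EMPTY_LM:
            findings.append((e.user, "LM hash stored"))
        users_by_nt[e.nt].append(e.user)
    # Identical NT hashes mean identical passwords (NT hashing is unsalted).
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "shared password"))
    return findings


def audit_text(text: str) -> list:
    return audit(parse_hashdump(text))


if __name__ == "__main__":
    for subject, finding in audit_text(SAMPLE_HASHDUMP):
        print(f"{finding:16s} {subject}")
```

On the constructed input this flags Guest (blank password), legacyapp (LM hash still stored) and the Administrator/svc_backup pair (same password). hashdump does not show whether an account is disabled, so a flagged built-in like Guest still has to be checked against the host's account status before it is counted as a real exposure.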

Summary

I imagine a similar technique could be applied anywhere that houses virtual operating systems, such as cloud platforms and VirtualBox. Also, realize that to do this you will need access to the virtual machine management solution. If you are struggling to gain access, try targeting the admins who may have access to those systems with attacks such as SMB relay or phishing.

References

FuzzySecurity's blog on the topic (Volatility 2 only) - https://fuzzysecurity.com/tutorials/18.html
Author: Silverbits