Pulling Credentials from a VMware Snapshot with Volatility

Volatility is a memory analysis tool used to perform digital forensics on Windows, Linux, and Mac memory images. You can use Volatility to do lots of cool things, but here is how you can use it to pull credentials from a VMware Snapshot, which has the file extension .vmem.

Volatility comes pre-installed in Kali Linux. The usage is pretty simple but there are a few things required to get it to work. Here is the syntax:

# volatility -f [image] [plugin] --profile=[profile]

The profile parameter is the operating system version, but it has to match the exact version of the image, not just the OS family. The easiest way to determine the profile of an image is by running the imageinfo plugin. This command can take a while (up to 3 minutes for me) to run:

[Screenshot: output of the volatility imageinfo plugin]

After you determine the profile, you can begin to gather credentials with the hashdump and mimikatz plugins:

[Screenshot: output of the volatility hashdump plugin]

The hashdump plugin ships with Kali; however, you will need to install the mimikatz plugin and the python library it requires, construct.

  1. Install construct with pip:

# pip install construct

  2. Download mimikatz.py and copy or move it to the Volatility plugin directory:

# wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py

# cp mimikatz.py /usr/lib/python2.7/dist-packages/volatility/plugins/

  3. Run the mimikatz plugin. It's not as full-featured as the standalone mimikatz or the one in Metasploit, but it does the trick:
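The whole workflow above (imageinfo to find the profile, then hashdump and mimikatz against the snapshot), wrapped in a small script as an added example for this post; it is not code from the original post or from the Volatility project. It assumes a Volatility 2.x `volatility` binary on the PATH, the mimikatz plugin already copied into the plugin directory as shown above, and the "Suggested Profile(s)" line format that imageinfo prints.

```shell
#!/bin/sh
# Added example (not from the original post): automate the steps above.
# Assumes Volatility 2.x is installed as `volatility` and the mimikatz
# plugin is already in the plugin directory.
set -e

# Read `volatility imageinfo` output on stdin and print the first
# suggested profile. Prints nothing and returns 1 when Volatility made
# no suggestion ("No suggestion (Instantiated with ...)"), so the caller
# can fall back to picking a profile by hand.
suggested_profile() {
    sed -n 's/^ *Suggested Profile(s) *: *//p' \
        | grep -v '^No suggestion' \
        | cut -d, -f1 | tr -d ' ' | grep .
}

# Run one plugin against the image with the given profile and keep the
# output in a per-plugin file next to the image so the result is preserved.
run_plugin() {
    image=$1; profile=$2; plugin=$3
    volatility -f "$image" --profile="$profile" "$plugin" \
        > "${image}.${plugin}.txt"
}

# Run imageinfo once (it is the slow step), then hashdump and mimikatz.
dump_credentials() {
    image=$1
    profile=$(volatility -f "$image" imageinfo | suggested_profile) || {
        echo "imageinfo made no profile suggestion for $image" >&2
        return 1
    }
    echo "Using profile $profile" >&2
    run_plugin "$image" "$profile" hashdump
    run_plugin "$image" "$profile" mimikatz
}

# Only run the workflow when an image path is given on the command line.
if [ $# -gt 0 ]; then
    dump_credentials "$1"
fi
```

Run it as `sh dump.sh snapshot.vmem`; the hashdump and mimikatz output land in `snapshot.vmem.hashdump.txt` and `snapshot.vmem.mimikatz.txt`.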
