I’ve had a couple of engagements where I’ve ended up with VSphere credentials, logged in, and found that all the windows servers, including the domain controller, are virtualised hosts within VSphere.

SharpSphere provides quite a few functions:

  • Command & Control - In combination with F-Secure’s C3, SharpSphere provides C&C into VMs using VMware Tools, with no direct network connectivity to the target VM required.
  • Code Execution - Allows arbitrary commands to be executed in the guest OS and returns the result
  • File Upload - Allows arbitrary files to be uploaded to the guest OS
  • File Download - Allows arbitrary files to be downloaded from the guest OS
  • List VMs - Lists the VMs managed by vCenter that have VMware Tools running

And finally, the one piece of functionality we actually want to do manually:

  • Dump Memory - Dump and download a VM’s memory

If we can dump the memory of a running windows machine, logically the memory of the LSASS process is contained somewhere within that memory.

Using VSphere to snapshot Memory

Snapshot and download the .vmem and .vmsn files.

Dumping LSASS from the memory dump

There are some good blog posts on this part already123 but I find they miss just enough that you can get stumped with some weird error. Normally I would love to sit on my Linux system to do this, but volatility and the pypykatz-volatility3 plugin breaks often. If you do still want to go down that road though… I have updated the plugin for it:

See https://github.com/f3rn0s/pypykatz-volatility3 for the updated version. In this repo I’ve included two slightly different versions of the plugin that are designed to dump LSASS. You can use these plugins like so:

$ vol -p "$(pwd)/pypykatz-volatility3" -f corp-dc01.vmem vol_pypykatz
$ vol -p "$(pwd)/pypykatz-volatility3" -f corp-dc01.vmem vol_shortkatz

The main difference between the two versions is that vol_shortkatz just prints out NT and LM hashes (which is normally all I need during a test) whereas vol_pypykatz prints all the details.

Just be aware that sometimes volatility can fail, but WinDbg is a pretty sure-fire method.

Setting up windows

You can get the vmss2core utility from here: https://flings.vmware.com/vmss2core

We can use it to create a core dump from the memory file:

./vmss2core.exe -W8 ./corp-dc01.vmsn ./corp-dc01.vmem

And the x64 version of WinDbg you need from here (Link courtesy of 1): Link

We also want to grab a copy Mimikatz which includes a small dll, called mimilib, designed to be loaded into WinDbg.

If the symbols don’t exist on your system then you need to run the following commands after loading up the file:

.symfix
.reload /o /f nt

These commands will set WinDbg to download the offsets/symbols directly from Microsoft as needed.

We can then do as the Mimikatz guides:

 .load C:\Tools\Mimikatz\x64\mimilib.dll

!process 0 0 lsass.exe
.process /r /p EPROCESS_ADDR //EPROCESS_ADDR is after PROCESS in the previous commands output
!mimikatz

  1. https://jamescoote.co.uk/Dumping-LSASS-with-SharpShere/ ↩︎ ↩︎

  2. https://danielsauder.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-6-vmware-workstation/ ↩︎

  3. https://web.archive.org/web/20210204072538/https://www.remkoweijnen.nl/blog/2013/11/25/dumping-passwords-in-a-vmware-vmem-file/ ↩︎