About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
Benjamin Delpy the author of the well known mimikatz toolkit has released a very cool extension to WinDbg today.
In summary the extension can extract Windows passwords from memory dumps, hibernation files and Virtual Machine .vmem files (paging, snapshots).
The ability to extract passwords from .vmem files in particular was very interesting, so I decided to test this out. Let's see how it works!
Extract bin2dmp.exe from Windows Memory Toolkit and use it to convert a .vmem file to a .dmp file:
Now start WinDbg and load the generated dump file via File -> Open Crash Dump. Load the mimilib.dll file that corresponds to the dump file (32 bit lib for x86 dumps and 64 bit lib for x64 dumps).
eg: .load mimilib.dll
Now search for the lsass process (!process 0 0 lsass.exe) and switch the debugger's process context to the returned address:
Finally enter !mimikatz and wait for the magic to happen:
I have just one word, WOW. Great job by Benjamin again!
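The practical consequence of the walkthrough above is that a VM's .vmem file (and its .vmss suspend state and .vmsn snapshot memory) is a complete memory dump of the guest, including whatever LSASS held at that moment, so these files deserve the same access control as a crash dump. The PowerShell below is an added example, not code from the original post or from mimikatz: it inventories those files under one or more datastore roots and flags any that a broad principal (Everyone, Users, Authenticated Users, Domain Users) is allowed to read. The root paths and the principal list are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): audit VMware guest-memory artifacts
# and report which ones broad groups can read. Run elevated on the host or file
# server that holds the datastore, so Get-Acl can read every file's ACL.

# Assumptions: placeholder datastore roots and a generic list of broad principals.
$Roots           = @('D:\VMs', '\\filesrv\datastore1')
$BroadPrincipals = @('Everyone', 'Users', 'Authenticated Users', 'Domain Users', 'Domain Computers')
$Extensions      = '.vmem', '.vmss', '.vmsn'

function Test-BroadReadAccess {
    # Returns the first broad principal with an Allow ACE that includes ReadData,
    # or $null if none. FullControl/Modify/Read all contain the ReadData bit.
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string[]]$BroadPrincipals
    )
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $readData) -eq 0) { continue }
        $who = $ace.IdentityReference.Value          # e.g. BUILTIN\Users, CONTOSO\Domain Users
        foreach ($p in $BroadPrincipals) {
            if ($who -eq $p -or $who -like "*\$p") { return $who }
        }
    }
    return $null
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing root: $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                Modified  = $_.LastWriteTime
                Owner     = $acl.Owner
                ExposedTo = Test-BroadReadAccess -Acl $acl -BroadPrincipals $BroadPrincipals
            }
        }
}

$findings | Sort-Object ExposedTo -Descending | Format-Table -AutoSize
$exposed = @($findings | Where-Object ExposedTo)
Write-Host "$(@($findings).Count) memory artifact(s) found; $($exposed.Count) readable by a broad principal."
```

Anything listed with a non-empty ExposedTo column is, in effect, a shared memory dump of that guest; tighten the share and NTFS permissions on the datastore, and treat old snapshots and suspend files as credential material when deciding whether to keep them. The check only looks at explicit principals, so a file exposed through an unusual custom group will not be flagged unless you add that group to the list.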