We all love grabbing credentials from Windows machines that we have compromised, whether they are in clear-text or hashes. Sometimes, however, it is not possible to get those credentials immediately, if at all.
Still, sometimes you are in a situation where these techniques are not viable. Don’t forget to use “-accepteula” to avoid any pesky popups. If run on a 64-bit OS you have to add the “-64” flag to the command below. The tool reports its progress as it writes the dump:

2009-2014 Mark Russinovich Sysinternals – www.
Dump 1 writing: Estimated dump file size is 28 MB.
Dump 1 complete: 28 MB written in 1.

Once we have the minidump on our local machine we can run mimikatz and extract the credentials.
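As an added example that is not part of the original post: the minidump-and-mimikatz workflow above works by reading LSASS process memory, and Sysmon Event ID 10 (ProcessAccess) records every handle opened to a process together with the granted access mask. The script below assumes a constructed, flattened log format and a hypothetical allow-list of legitimate source images, and flags any other process that opens lsass.exe with PROCESS_VM_READ, which is the right a memory dump needs.

```python
import re

# PROCESS_VM_READ is the documented Win32 access-right bit needed to read another
# process's memory; any mask containing it can be used to dump LSASS.
PROCESS_VM_READ = 0x0010

# Hypothetical allow-list (assumption): processes that legitimately open LSASS
# in this environment, compared case-insensitively. Tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample of Sysmon Event ID 10 records, one event per line.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\system32\\csrss.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Users\\bob\\mk.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Program Files\\App\\app.exe TargetImage=C:\\Windows\\system32\\notepad.exe GrantedAccess=0x1FFFFF
EventID=1 Image=C:\\Windows\\system32\\cmd.exe CommandLine=cmd.exe
"""

# Lazy groups stop at the next " TargetImage=" / " GrantedAccess=" so paths
# containing spaces (e.g. "Program Files") are captured whole.
LINE_RE = re.compile(
    r"EventID=10 SourceImage=(?P<src>.+?) TargetImage=(?P<dst>.+?) "
    r"GrantedAccess=(?P<mask>0x[0-9A-Fa-f]+)"
)


def find_lsass_access(log_text):
    """Return the ProcessAccess events where a non-allow-listed process opened
    lsass.exe with an access mask that permits reading its memory."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an Event ID 10 record
        src, dst, mask = m["src"], m["dst"], int(m["mask"], 16)
        if not dst.lower().endswith("\\lsass.exe"):
            continue  # handle to some other process
        if src.lower() in ALLOWED_SOURCES:
            continue  # known-good source image
        if mask & PROCESS_VM_READ:
            hits.append({"source": src, "mask": mask})
    return hits


if __name__ == "__main__":
    for hit in find_lsass_access(SAMPLE_LOG):
        print(f"LSASS memory access: {hit['source']} (mask 0x{hit['mask']:X})")
```

Both the full-access mask (0x1FFFFF) and the minimal read mask (0x1010) are caught, since the check is on the PROCESS_VM_READ bit rather than on an exact mask value.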
Benjamin Delpy has created a useful chart to show compatibility between the target and the local host. Keep in mind that you can only recover credentials for users who have an active session on the target. For our second test case we will be targeting Virtual Machines. After compromising a target we discover that the box hosts Virtual Machines. Wouldn’t it be nice if we could compromise those machines as well! Make sure to use the appropriate version of vmss2core; in this case I needed the 64-bit OSX version. After transferring the coredump back out we can let volatility do its magic.
We need to determine which OS the dump comes from for volatility to parse it correctly. We can see that volatility is unable to accurately determine the OS profile; however, from the vmss2core output above we can see that the correct profile is “Win7SP1x86”. Using the “hivelist” plugin we can now get the memory offsets for the various registry hives. All that remains now is to dump the hashes. To do this we need to pass volatility’s “hashdump” module the virtual memory offsets of the SYSTEM and SAM hives, which we now have. If transferring them over the network is not an option you can always drop a copy of volatility on the target machine.
4, volatility has binary packages for Windows, Linux and OSX. Once we have extracted the credentials there are all sorts of things we can do with them, especially if we got clear-text passwords. For completeness, however, I want to briefly mention the two most common things we will want to do if we get hashes from our target machine. If the passwords have a low level of complexity we can attempt to brute-force them. Personally I prefer to use hashcat, as it also supports GPU cracking when the occasion arises. Its start-up output looks like this:

47 by atom with 8 threads and 32mb segment-size
Added hashes from file hash.
Activating quick-digest mode for single-hash
NOTE: press enter for status-screen
Input.