Security: Install mimikatz offline plugin to volatility (DRAFT!!!)

Hi,

Here are the steps to install the mimikatz offline plugin and get it running under Volatility on a Windows 7 x64 system. Still a draft, but it works for me.

1. Install Volatility
Get the latest Python 2 release and install it, in this example to the target directory d:\Python27. Use the x86 (32-bit) build even on x64 systems; otherwise the Volatility installer won't find the Python installation. Also choose an install path without spaces.

Install the Volatility 2.4 Windows Python module installer (not the standalone binary installer).

Dependencies

Install the Microsoft Visual C++ Compiler for Python 2.7 (pip needs it to build modules that ship without Windows binaries).

Required modules

Module diStorm3

python.exe -m pip install distorm3

Module pycrypto

python.exe -m pip install pycrypto

Module yara

pip install of the module fails on my Windows 7 x64 box because of an x86/x64 incompatibility (the Python installed above is 32-bit).

Get the binary yara-python-1.7.win32-py2.7.exe instead and install it.

Module construct

python.exe -m pip install construct

2. Mimikatz

Get the mimikatz offline plugin (project hotoloti) from Google Code:

D:\temp> git clone https://code.google.com/p/hotoloti/

Create a plugin folder for all Volatility plugins

mkdir d:\volatility\plugins

and copy the plugin from the cloned repository into it

D:\temp> copy hotoloti\volatility\mimikatz.py d:\volatility\plugins

Usage

Check that the mimikatz plugin is loaded (findstr /i mimi also matches the word "Mimics" in the linux_slabinfo description, so two lines show up; the second one is the plugin):
D:\> python.exe "d:\Python27\Scripts\vol.py" --plugins="d:\volatility\plugins" --info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo - Mimics /proc/slabinfo on a running machine
mimikatz - mimikatz offline

Get image info to find the right profile
D:\> python.exe "d:\Python27\Scripts\vol.py" -f d:\Temp\vmss.core imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : QemuCoreDumpElf (Unnamed AS)
                     AS Layer3 : FileAddressSpace (D:\Temp\vmss.core)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a3f0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a40d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2013-07-10 09:21:58 UTC+0000
     Image local date and time : 2015-02-15 21:21:58 +0100

Choose the right profile for your image ("Image Type (Service Pack) : 1" above means SP1, so Win7SP1x64 here) and let mimikatz look for credentials:

d:\> python.exe "d:\Python27\Scripts\vol.py" --plugins="d:\volatility\plugins" --profile=Win7SP1x64 -f d:\Temp\vmss.core mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  username         User-PC          Password123
wdigest  User-PC$         WORKGROUP

The second row is the machine account (User-PC$), for which wdigest holds no password, hence the empty last column.
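To tie the two parts together, here is an added example in Python; it is not code from the original post or from the hotoloti project. It does a pre-flight check for the pitfalls from step 1 (64-bit Python, spaces in the install path, missing modules), an exact plugin-name check on the --info output, profile selection from the imageinfo output using the service pack line, and a parser for the fixed-width mimikatz table that keeps the machine account's empty password cell empty instead of shifting the row. The paths d:\Python27, d:\volatility\plugins and d:\Temp\vmss.core are the ones the post uses and are assumptions; the sample table is constructed from the two rows above.

```python
"""Pre-flight checks and a wrapper that chains vol.py imageinfo -> mimikatz.
Added example, not code from the original post or the hotoloti project.
The paths are the ones the post uses and are assumptions; adjust them."""
import platform
import re
import subprocess
import sys

PYTHON = r"d:\Python27\python.exe"
VOL = r"d:\Python27\Scripts\vol.py"
PLUGINS = r"d:\volatility\plugins"
REQUIRED = ["distorm3", "Crypto", "yara", "construct"]  # pycrypto imports as Crypto


def preflight(executable=None, arch=None, modules=REQUIRED):
    """List the problems the post warns about; arguments make it testable."""
    executable = sys.executable if executable is None else executable
    arch = platform.architecture()[0] if arch is None else arch
    problems = []
    if arch != "32bit":
        problems.append("Python is %s; the Volatility module installer needs x86" % arch)
    if " " in executable:
        problems.append("install path contains spaces: %s" % executable)
    for name in modules:
        try:
            __import__(name)
        except ImportError:
            problems.append("missing module: %s" % name)
    return problems


def has_plugin(info_output, name):
    """Exact plugin-name match on --info output (findstr /i mimi also hits
    the word 'Mimics' in the linux_slabinfo description)."""
    return re.search(r"^%s\s+-\s" % re.escape(name), info_output, re.M) is not None


def choose_profile(imageinfo_output):
    """Heuristic: first suggested profile whose SPn matches the
    'Image Type (Service Pack)' line, else the first suggestion."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return None
    profiles = [p.strip() for p in m.group(1).split(",") if p.strip()]
    sp = re.search(r"Image Type \(Service Pack\)\s*:\s*(\d+)", imageinfo_output)
    for p in profiles:
        if sp and "SP%s" % sp.group(1) in p:
            return p
    return profiles[0] if profiles else None


def parse_table(output):
    """Parse a Volatility fixed-width table. Column bounds come from the dashed
    separator line, so an empty Password cell stays empty instead of shifting."""
    lines = output.splitlines()
    for sep, line in enumerate(lines):
        if line.strip() and set(line.strip()) <= set("- "):
            break
    else:
        return []
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep])]
    spans[-1] = (spans[-1][0], None)  # last column runs to end of line

    def cells(line):
        return [line[s:e].strip() for s, e in spans]

    names = cells(lines[sep - 1])
    return [dict(zip(names, cells(l))) for l in lines[sep + 1:] if l.strip()]


def vol(args, image=None, profile=None):
    """Run vol.py the way the post does and return its stdout."""
    cmd = [PYTHON, VOL, "--plugins=" + PLUGINS]
    if profile:
        cmd.append("--profile=" + profile)
    if image:
        cmd += ["-f", image]
    return subprocess.check_output(cmd + args, universal_newlines=True)


def dump_credentials(image):
    """--info check -> imageinfo -> profile -> mimikatz; returns (profile, rows)."""
    if not has_plugin(vol(["--info"]), "mimikatz"):
        raise RuntimeError("mimikatz plugin not found in " + PLUGINS)
    profile = choose_profile(vol(["imageinfo"], image=image))
    if profile is None:
        raise RuntimeError("imageinfo suggested no profile")
    return profile, parse_table(vol(["mimikatz"], image=image, profile=profile))


# Constructed sample with the two rows from the post, laid out with the column
# widths its separator line shows (8, 16, 16, 40), banner included.
SAMPLE_MIMIKATZ = "Volatility Foundation Volatility Framework 2.4\n" + "\n".join(
    "%-8s %-16s %-16s %s" % row for row in [
        ("Module", "User", "Domain", "Password"),
        ("-" * 8, "-" * 16, "-" * 16, "-" * 40),
        ("wdigest", "username", "User-PC", "Password123"),
        ("wdigest", "User-PC$", "WORKGROUP", ""),
    ])

if __name__ == "__main__":
    for problem in preflight():
        print("WARNING: " + problem)
    image = sys.argv[1] if len(sys.argv) > 1 else r"d:\Temp\vmss.core"  # assumed path
    profile, rows = dump_credentials(image)
    for row in rows:
        print("%s: %s\\%s = %r" % (profile, row["Domain"], row["User"], row["Password"]))
```

Run it with the 32-bit Python from step 1 and the image path as the only argument; the pre-flight warnings appear first, then one line per wdigest entry. The table parser derives column boundaries from the separator line rather than splitting on whitespace, which is what keeps the empty password of User-PC$ from being read as a shifted row.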

Michael


One comment to this article:

1. Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz | govolution
