{"id":2484,"date":"2015-02-19T22:33:13","date_gmt":"2015-02-19T21:33:13","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=2484"},"modified":"2022-01-20T21:20:40","modified_gmt":"2022-01-20T20:20:40","slug":"security-install-mimikatz-offline-plugin-to-volatility-draft","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/security-install-mimikatz-offline-plugin-to-volatility-draft\/","title":{"rendered":"Security: Install mimikatz offline plugin to volatility (DRAFT!!!)"},"content":{"rendered":"<p>Hi,<\/p>\n<p>here are the steps to install the mimikatz offline plugin to get it running under volatility on a Windows 7 x64 operating system. Currently a draft, but it works for me.<\/p>\n<p><em><strong>1. Install volatility<\/strong><\/em><br \/>\nGet the latest <a title=\"Python Downloads\" href=\"https:\/\/www.python.org\/downloads\/release\" target=\"_blank\" rel=\"noopener\">Python 2<\/a> version and install it. In this example the target directory is d:\\Python27. Use the x86 (32-bit) version even on x64 systems; otherwise the volatility installer won&#8217;t find the Python installation.
Also choose an install path without spaces.<\/p>\n<p>Install the <a title=\"Volatility\" href=\"http:\/\/www.volatilityfoundation.org\/\" target=\"_blank\" rel=\"noopener\">Volatility 2.4<\/a> Windows Python Module Installer (not the binary installer).<br \/>\n<!--more--><br \/>\nDependencies<\/p>\n<p>Install the <a title=\"Microsoft Visual C++ Compiler for Python 2.7\" href=\"http:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=44266\" target=\"_blank\" rel=\"noopener\">Microsoft Visual C++ Compiler for Python 2.7<\/a><br \/>\n<!-- Modify the \"C:\\Programs (x86)\\Microsoft Visual Studio 12.0\\vc\\vcvarsall.bat\" to build x86 binaries instead of x64, otherwise you get the error \"ImportError: DLL load failed: %1 is not a valid Win32 application\".\nReplace\nif \/i %1 == amd64     goto x86\nif \/i %1 == x64       goto amd64\nif \/i %1 == amd64_x86 goto x86\nwith\nif \/i %1 == amd64     goto x86\nif \/i %1 == x64       goto x86\nif \/i %1 == amd64_x86 goto x86\n--><\/p>\n<p><em><strong>Required Modules<\/strong><\/em><\/p>\n<p><strong>Module diStorm3<\/strong><\/p>\n<p><code>python.exe -m pip install distorm3<\/code><\/p>\n<p><strong>Module Pycrypto<\/strong><\/p>\n<p><code>python.exe -m pip install Pycrypto<\/code><\/p>\n<p><strong>Module Yara<\/strong><\/p>\n<p>The pip install of the module does not work on my Windows 7 x64 box due to an x86\/x64 incompatibility.<\/p>\n<p>Get the binary <a title=\"Yara Downloads\" href=\"https:\/\/code.google.com\/p\/yara-project\/downloads\/list\" target=\"_blank\" rel=\"noopener\">yara-python-1.7.win32-py2.7.exe<\/a>.<\/p>\n<p><strong>Module construct<\/strong><\/p>\n<p><code>python.exe -m pip install construct<\/code><\/p>\n<p><em><strong>2.
Mimikatz<\/strong><\/em><\/p>\n<p>Get mimikatz offline from <a title=\"hotoloti at google\" href=\"https:\/\/code.google.com\/p\/hotoloti\/source\/checkout\" target=\"_blank\" rel=\"noopener\">google code<\/a><\/p>\n<p><code>D:\\temp&gt; git clone https:\/\/code.google.com\/p\/hotoloti\/<\/code><\/p>\n<p>Create a plugin folder for all volatility plugins<\/p>\n<p><code>mkdir d:\\volatility\\plugins<\/code><\/p>\n<p>and copy the plugin to the plugin folder<\/p>\n<p><code>copy <strong>volatility\\mimikatz.py<\/strong> d:\\volatility\\plugins<\/code><\/p>\n<p><em><strong>Usage<\/strong><\/em><\/p>\n<p>Check whether the mimikatz plugin is loaded<br \/>\n<code>D:\\&gt; python.exe \"d:\\Python27\\Scripts\\vol.py\" --plugins=\"d:\\volatility\\plugins\" --info | findstr \/i mimi<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\nlinux_slabinfo - Mimics \/proc\/slabinfo on a running machine<br \/>\nmimikatz - mimikatz offline<br \/>\n<\/code><br \/>\nGet the core image info<br \/>\n<code>D:\\&gt; python.exe \"d:\\Python27\\Scripts\\vol.py\" -f d:\\Temp\\vmss.core imageinfo<br \/>\nVolatility Foundation Volatility Framework 2.4<br \/>\nDetermining profile based on KDBG search...<\/code><\/p>\n<pre><code>\r\nSuggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64\r\n                     AS Layer1 : AMD64PagedMemory (Kernel AS)\r\n                     AS Layer2 : QemuCoreDumpElf (Unnamed AS)\r\n                     AS Layer3 : FileAddressSpace (D:\\Temp\\vmss.core)\r\n                      PAE type : No PAE\r\n                           DTB : 0x187000L\r\n                          KDBG : 0xf80002a3f0a0L\r\n          Number of Processors : 1\r\n     Image Type (Service Pack) : 1\r\n                KPCR for CPU 0 : 0xfffff80002a40d00L\r\n             KUSER_SHARED_DATA : 0xfffff78000000000L\r\n           Image date and time : 2013-07-10 09:21:58 UTC+0000\r\n     Image local date and time : 2015-02-15 21:21:58 +0100\r\n<\/code><\/pre>\n<p>Choose the right
profile for your image and let mimikatz look for some information:<\/p>\n<pre><code>\r\nd:\\&gt; python.exe \"d:\\Python27\\Scripts\\vol.py\" --plugins=\"d:\\volatility\\plugins\" --profile=Win7SP1x64 -f d:\\Temp\\vmss.core mimikatz\r\nVolatility Foundation Volatility Framework 2.4\r\nModule   User             Domain           Password\r\n-------- ---------------- ---------------- ----------------------------------------\r\nwdigest  username         User-PC          Password123\r\nwdigest  User-PC$         WORKGROUP\r\n<\/code><\/pre>\n<p>Michael<br \/>\n<!-- Comments --><br \/>\n<!-- I installed it from <a title=\"Yara sources\" href=\"https:\/\/github.com\/plusvic\/yara\/releases\" target=\"_blank\" rel=\"noopener\">source<\/a> because the pip module installer does not work due to an x86\/x64 incompatibility and no binary releases are available. You need Visual Studio and the Windows SDK. Compile yara (\\Yara\\src\\windows\\yara); this also builds libyara and yarac. If you use a newer version than VS 2010, open all 3 projects, alter the Platform Toolset to \"Visual Studio 2010\" and add the include and lib path (All configurations, Win32 Platform) to your SDK installation. Compile the release version for Win32.\n\n<code>D:\\Yara\\src\\yara-python&gt; python.exe setup.py build<\/code>\n\nOn error \"error: Unable to find vcvarsall.bat\" =&gt; set the environment variable VS90COMNTOOLS to the path of your compiler version:\n\nSET VS90COMNTOOLS=C:\\Users\\zzzzz5d0\\AppData\\Local\\Programs\\Common\\Microsoft\\Visual C++ for Python\\9.0\\\n\nor\n\nSET VS90COMNTOOLS=%VS120COMNTOOLS%\nhttps:\/\/code.google.com\/p\/yara-project\/downloads\/list\n--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, here are the steps to install the mimikatz offline plugin to get it running under volatility on a Windows 7 x64 Operating system. Currently draft but works for me. 1. Install volatility get the latest Python 2 Version and install it. In this example to target directory d:\\Python27.
Use the x86, 32Bit Version even &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/security-install-mimikatz-offline-plugin-to-volatility-draft\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Security: Install mimikatz offline plugin to volatility (DRAFT!!!)<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[607,466],"tags":[],"class_list":["post-2484","post","type-post","status-publish","format-standard","hentry","category-forensic","category-security"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=2484"}],"version-history":[{"count":36,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2484\/revisions"}],"predecessor-version":[{"id":8350,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2484\/revisions\/8350"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=2484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=2484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=2484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}