Offline Memory Forensics With Volatility
Ben Bowman is a Security Analyst at Black Hills Information Security. He graduated in 2024 with a degree in cyber operations. Ben conducts research as well as tool development outside of testing.

As attackers, we often have one goal: dig as deep and as fast as we can. But what happens when you hit a wall with nowhere else to go? Memory forensics may provide a way out. What if you get access to ESXi and all you can do is take snapshots? You can’t add yourself to the ESXi domain group and you can’t find any unlocked computers… so now what?
Offline Memory Analysis
This scenario is where Volatility comes into play. Volatility is a memory forensics tool that can pull SAM hashes from a vmem file. These hashes can be used to escalate from a local user (or no user at all) to a domain user, leading to further compromise. The following example scenario walks through the steps involved in this process.
Scenario
Imagine you are in a network, and you find an IPMI hash disclosure vulnerability on a server. You dump the hash and somehow successfully crack it. You log onto the server and note that the server hosts ESXi. From here, you attempt to authenticate to ESXi using the credentials, which, to your surprise, works. Now what? Well, you could take the loud and noisy route and poke all the VMs and hope for the best. Alternatively, you could find a Windows VM, take a snapshot, pull the administrator credentials out of it, and relay the creds to dump LSA and get a domain account without making any noise.
Hands On
Local Admin
Start by ensuring you have the proper permissions, then take a snapshot of a domain-joined Windows virtual machine.
Make sure you check the “Include Virtual Machine’s Memory” box.
Once the snapshot is made, navigate to the snapshot and locate the vmem file. Download it to a Linux host.
Once you have the file, you’ll need to download and install Volatility 3.
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3/
python3 -m venv venv && . venv/bin/activate
pip install -e .[dev]

Once the tool is installed, we are ready to pull the local administrator credentials out of the SAM.
Side note: listing the running processes with the following command can also reveal which EDR is in use.
python3 vol.py -f ~/Downloads/virtualmachine.vmem windows.pslist
Run the following command against the vmem file to extract SAM credentials.
python3 vol.py -f ~/Downloads/virtualmachine.vmem windows.hashdump.Hashdump
The dumped hashes should appear in your terminal.

From here, you can use the credential hashes against the same host with netexec to dump LSA and obtain domain account credentials.
netexec smb <IP> -u Administrator -H <HASH> --local-auth --lsa
The rest is self-explanatory; you should now be the proud owner of a domain account or two.
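The chain above only works because the local Administrator hash lifted from one VM’s memory is also valid on other hosts. As an added defender-side example (not code from the post or the Volatility project), the script below takes the text output of windows.hashdump from several snapshots, reports NT hashes reused across hosts (a sign that LAPS or per-host local passwords are missing) and lists blank-password accounts; the sample dumps and hash values are constructed, and the expected layout (optional banner lines, a header row, then whitespace-separated User/rid/lmhash/nthash rows) is an assumption about Volatility 3’s default text renderer.

```python
from collections import defaultdict

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password; well-known constant

# Constructed sample output for two hosts, shaped like Volatility 3's default renderer:
# a progress line, a header row, then one row per account. All hash values are made up.
SAMPLE_DUMPS = {
    "vm-fileserver": (
        "Progress:  100.00\t\tPDB scanning finished\n"
        "User\trid\tlmhash\tnthash\n"
        "Administrator\t500\taad3b435b51404eeaad3b435b51404ee\t0123456789abcdef0123456789abcdef\n"
        "Guest\t501\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0\n"
        "svc_backup\t1001\taad3b435b51404eeaad3b435b51404ee\tfedcba9876543210fedcba9876543210\n"
    ),
    "vm-hr-desktop": (
        "User\trid\tlmhash\tnthash\n"
        "Administrator\t500\taad3b435b51404eeaad3b435b51404ee\t0123456789abcdef0123456789abcdef\n"
        "Guest\t501\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0\n"
    ),
}

def parse_hashdump(text):
    """Return {user: (rid, nthash)} for one hashdump run; banner and header lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue  # not an account row
        user, rid, _lmhash, nthash = parts
        accounts[user] = (int(rid), nthash.lower())
    return accounts

def find_hash_reuse(dumps):
    """Map each NT hash seen on more than one host to the (host, user) pairs that share it."""
    seen = defaultdict(list)
    for host, text in dumps.items():
        for user, (_rid, nthash) in parse_hashdump(text).items():
            if nthash != EMPTY_NT_HASH:  # blank passwords are reported separately
                seen[nthash].append((host, user))
    return {h: pairs for h, pairs in seen.items() if len({host for host, _ in pairs}) > 1}

def find_blank_passwords(dumps):
    return [(host, user) for host, text in dumps.items()
            for user, (_rid, nthash) in parse_hashdump(text).items() if nthash == EMPTY_NT_HASH]

if __name__ == "__main__":
    for nthash, pairs in find_hash_reuse(SAMPLE_DUMPS).items():
        print(f"[!] NT hash {nthash[:8]}... reused on", ", ".join(f"{h}\\{u}" for h, u in pairs))
    for host, user in find_blank_passwords(SAMPLE_DUMPS):
        print(f"[i] {host}\\{user} has a blank password; confirm the account is disabled")
```

Run it over real dumps by replacing SAMPLE_DUMPS with the saved output of one hashdump run per host; any hash that repeats across hosts is a password-reuse finding to fix before an attacker reaches this step.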
Conclusion
Sometimes the best way to approach an attack is with novel ideas, ones that defenders don’t see coming. Defending against memory analysis is extremely difficult, which makes this technique worth trying on your next engagement.