#dpapi — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dpapi, aggregated by home.social.
----------------
🔧 Tool: VMkatz
VMkatz is a compact forensic/offensive utility designed to extract Windows secrets directly from virtual machine artifacts without full-disk exfiltration. It targets memory snapshots and offline virtual disks to recover credential material typically harvested by in-guest tools such as mimikatz, but operates against VM files stored on NAS, hypervisors, or virtualization hosts.
What it extracts (concise)
• From memory snapshots (LSASS equivalents): NT/LM hashes (MSV1_0), plaintext where available (WDigest, TsPkg, SSP, LiveSSP), Kerberos keys and tickets (AES/RC4/DES), DPAPI master key cache entries, Credman entries and CloudAP tokens when present.
• From virtual disks (offline): SAM hashes, LSA secrets, cached domain credentials (DCC2), and native NTDS.dit extraction from ESE databases on domain controller disks.
Supported inputs and environment
• Common snapshot/disk formats: VMware snapshots (.vmsn + .vmem), VMware virtual disks (.vmdk sparse/flat), VirtualBox saved states (.sav). Additional parsers listed include Hyper‑V and QEMU core dump variants (some untested).
• The project is distributed as a single static binary (~2.5 MB) intended to be run on hosts that can access VM files (NAS, ESXi, Proxmox nodes), enabling credential recovery without transferring multi‑gigabyte images offsite.
Technical notes and scope
• Memory parsing implements provider-specific walks (AVL trees, linked lists, hash tables) and falls back to physical-scan strategies for paged entries where applicable.
• NTDS.dit extraction reads the ESE database natively for AD hash recovery; no reliance on external tooling is required for that functionality.
• Several input formats remain marked as untested; results may vary by hypervisor version and snapshot composition.
Limitations and operational considerations
• Effectiveness depends on the snapshot content and whether the relevant credential pages are present in the captured artifacts.
• Some providers (e.g., CloudAP, LiveSSP) may be empty or absent on many systems.
🔹 VMkatz #ntds.dit #dpapi #vmdk #forensics
🔗 Source: https://github.com/nikaiw/VMkatz