Unleash the Snapshot: How Red Teams Pillage Credentials from Virtual Memory Without Ever Touching the VMDK

Introduction:

In modern virtualized environments, the hypervisor is the ultimate privilege. Red Teams are now leveraging this power to compromise Windows hosts by snapshotting virtual machine memory, a technique that is often stealthier and faster than downloading entire virtual disks. This method allows attackers to extract a treasure trove of credentials directly from the frozen state of a VM’s RAM, bypassing many traditional detection mechanisms.

Learning Objectives:

  • Understand the attack chain for credential acquisition via VM snapshots on ESXi and Hyper-V.
  • Learn to convert and process snapshot memory files into analyzable formats.
  • Master the extraction of credentials from LSASS, LSA, and registry hives using open-source forensic tools.

You Should Know:

1. Initiating the Snapshot: The First Step to Memory Access

The attack begins not on the guest OS, but at the hypervisor management layer. For ESXi, this is done via the vSphere Client or the PowerCLI command line. For Hyper-V, it can be performed via Hyper-V Manager or PowerShell.

Verified Command/Code Snippet:

# PowerCLI to create a snapshot of a VM on ESXi
New-Snapshot -VM "TargetVM" -Name "MemSnapshot" -Description "Snapshot for memory analysis" -Memory
# Hyper-V PowerShell to create a checkpoint (snapshot) with memory
Checkpoint-VM -Name "TargetVM" -SnapshotName "MemSnapshot"

Step-by-step guide:

Creating a snapshot with the memory option is critical. The `-Memory` parameter in PowerCLI and the default behavior of `Checkpoint-VM` in Hyper-V ensure that the VM’s active memory state is written to disk. This creates files like `.vmsn` and `.vmem` on ESXi, or a `.vmrs` file on Hyper-V, which are the primary targets for the subsequent credential dumping process. This step requires administrative privileges on the hypervisor itself.

2. Acquiring and Converting the Memory Dump Files

Once the snapshot is created, the resulting memory files must be downloaded from the hypervisor datastore. On ESXi, these files require conversion into a standard Windows memory dump format for analysis. On Hyper-V, the `.VMRS` file can often be used directly.

Verified Command/Code Snippet:

# On Windows, using vmss2core to convert ESXi snapshot files
vmss2core.exe -W8 snapshot.vmsn snapshot.vmem

Step-by-step guide:

The `vmss2core` utility, part of VMware’s toolset, converts the pair of ESXi snapshot files (`.vmsn` and `.vmem`) into a single `.dmp` file. The `-W8` flag specifies that the output is formatted for a 64-bit Windows system. For Hyper-V, the `.VMRS` file is a saved-state format that compatible tools parse natively, so no conversion step is needed. The attacker must have sufficient permissions to browse the datastore and download these files.

3. Mounting the Memory Dump with MemProcFS

MemProcFS (Memory Process File System) is a powerful tool that exposes a memory dump as a virtual file system, giving easy access to processes, memory regions, and even the registry hives contained in the snapshot.

Verified Command/Code Snippet:

# Mounting a converted ESXi memory dump
memprocfs.exe -device .\snapshot.dmp
# Mounting a Hyper-V saved state directly
memprocfs.exe -device hvsavedstate://C:\Temp\snapshot.VMRS

Step-by-step guide:

When you run MemProcFS with the `-device` flag pointing at your memory file, it mounts the dump as a virtual drive (typically a new letter like V:). This virtual file system contains a folder for each running process (e.g., `V:\process\lsass.exe`) and a `registry` folder holding the raw hives (SYSTEM, SAM, SECURITY). You can then simply copy the raw hive files (`SYSTEM.reghive`, `SAM.reghive`, etc.) from the virtual drive for offline analysis.

4. Dumping Secrets from the LSA Subsystem

The Local Security Authority (LSA) subsystem is responsible for enforcing security policy and stores its secrets in the SECURITY registry hive. Running the Impacket script `secretsdump.py` against the extracted registry hives recovers these secrets offline.

Verified Command/Code Snippet:

secretsdump.py -sam SAM.reghive -system SYSTEM.reghive -security SECURITY.reghive LOCAL

Step-by-step guide:

This command uses the relationship between the SAM, SYSTEM, and SECURITY hives to decrypt stored credentials. The `SYSTEM` hive holds the boot key that protects both the `SECURITY` hive, where LSA secrets are stored, and the `SAM` hive, where local user account hashes are kept. Given all three, `secretsdump.py` can extract NTLM hashes for local accounts, cached domain credentials, and LSA secrets such as service account passwords.

5. Pillaging Credentials from the LSASS Process Dump

The Local Security Authority Subsystem Service (LSASS) process memory is the crown jewel, often containing clear-text passwords, Kerberos tickets, and other authentication material. We use a tool like pypykatz to mimic the famous Mimikatz functionality.

Verified Command/Code Snippet:

# Create a minidump of the LSASS process from the MemProcFS mount
# First, navigate to V:\process\lsass.exe\ and copy the `mem.dmp` file.
# Then, run pypykatz on that minidump.
pypykatz lsa minidump lsass_minidump.dmp

Step-by-step guide:

After mounting the memory dump with MemProcFS, browse to the `V:\process\lsass.exe\` directory. The `mem.dmp` file in this directory is a minidump of the LSASS process. Copy this file to your working directory. Running `pypykatz` on this minidump parses the process memory, extracting WDigest and SSP credentials, Kerberos tickets and TGTs, and DPAPI master keys that were resident in memory at the time of the snapshot.

6. Forging Kerberos Tickets for Lateral Movement

With NTLM hashes and AES keys extracted from LSASS, an attacker can forge Kerberos tickets to impersonate users and access other systems within the domain without knowing their clear-text password.

Verified Command/Code Snippet:

# Forge a Silver Ticket to gain access to a specific service
ticketer.py -nthash <extracted_ntlm_hash> -domain-sid <domain_sid> -domain <domain.com> -spn cifs/targetserver.domain.com <username>

Step-by-step guide:

A Silver Ticket is a forged Kerberos service ticket. Using the `ticketer.py` script from Impacket, you supply the NTLM hash of a computer account (which is often extractable), the Domain SID, the target Service Principal Name (SPN), and a username of your choice. This generates a ticket that you then load into your session by pointing the `KRB5CCNAME` environment variable at it, granting you access to the specified service on the target server as that user.

7. Leveraging S4U2self for Privilege Escalation

The S4U2self (Service for User to Self) Kerberos extension allows a service to obtain a Kerberos ticket to itself on behalf of a user. If you have compromised a service account with specific privileges, you can abuse this mechanism.

Verified Command/Code Snippet:

# Use getST.py to perform S4U2self
getST.py -spn cifs/targetservice.domain.com -impersonate Administrator -dc-ip <DC_IP> 'domain.com/user:password'

Step-by-step guide:

This technique is powerful for privilege escalation. If you have the password or hash of a service account that is trusted for delegation (for example, one with `msDS-AllowedToDelegateTo` set), you can use `getST.py` to request a ticket for another user (e.g., Administrator) to a service the compromised account controls. By specifying `-impersonate`, you trick the KDC into issuing a TGS for the high-privilege user, which you can then use to access that service with elevated rights.

What Undercode Say:

  • The hypervisor layer represents a new, largely unmonitored attack plane that bypasses most in-guest security controls.
  • Offline memory analysis of snapshots provides a silent, rapid, and highly effective method for credential harvesting across entire virtual estates.

This technique fundamentally shifts the balance of power in a virtualized network. Traditional endpoint detection and response (EDR) tools operate within the guest OS and are blind to activities at the hypervisor level. By creating a snapshot, an attacker freezes a moment in time, capturing all credentials in memory without triggering a single alert on the target machine itself. The entire attack chain can be executed with open-source tools, making it accessible and repeatable. This underscores a critical defensive gap: the management interfaces for virtualization platforms (vCenter, Hyper-V Manager) are Tier-0 assets and must be protected with the utmost security, including strict access control, multi-factor authentication, and robust network segmentation. Failing to do so gives an attacker the keys to the entire virtual kingdom.
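Because the guest sees nothing, detection has to come from the hypervisor’s own audit trail. As an added example (not part of the original post), the Python below triages a constructed, normalized export of vCenter and Hyper-V audit events: it flags memory-inclusive snapshots of Tier-0 guests or by unapproved accounts, any download of `.vmem`/`.vmsn`/`.vmrs` files, and the snapshot-then-export sequence described above. The line format, task names, VM naming convention and approved-account list are all assumptions, not real product log fields.

```python
from datetime import datetime, timedelta
# Constructed sample export (not a real vCenter/Hyper-V log format): "<timestamp> <host> key=value ...".
SAMPLE_EVENTS = [
    "2024-05-02T02:10:11Z vcenter01 user=svc-veeam task=VirtualMachine.createSnapshot vm=FILESRV02 memory=false",
    "2024-05-02T03:14:07Z vcenter01 user=jdoe task=VirtualMachine.createSnapshot vm=DC01 memory=true",
    "2024-05-02T03:16:42Z vcenter01 user=jdoe task=Datastore.download vm=DC01 file=DC01-Snapshot1.vmem",
    "2024-05-02T03:16:51Z vcenter01 user=jdoe task=Datastore.download vm=DC01 file=DC01-Snapshot1.vmsn",
    "2024-05-02T04:02:00Z hv-host03 user=CORP\\jdoe task=Checkpoint-VM vm=ADFS01 memory=true",
    "2024-05-02T04:05:33Z hv-host03 user=CORP\\jdoe task=FileRead vm=ADFS01 file=ADFS01.VMRS",
]
TIER0_PREFIXES = ("DC", "ADFS", "PKI")        # assumed naming convention for Tier-0 guests
APPROVED_SNAPSHOT_ACCOUNTS = {"svc-veeam"}    # assumed backup automation identities
SNAPSHOT_TASKS = ("VirtualMachine.createSnapshot", "Checkpoint-VM")  # assumed task names
MEMORY_FILE_SUFFIXES = (".vmem", ".vmsn", ".vmrs")
CORRELATION_WINDOW = timedelta(minutes=30)

def parse_event(line):
    """Turn one normalized line into a dict; 'ts' becomes a datetime."""
    ts, host, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host}
    event.update(field.partition("=")[::2] for field in fields)
    return event

def is_memory_snapshot(event):  # snapshot/checkpoint that also captured guest RAM
    return event.get("task") in SNAPSHOT_TASKS and event.get("memory") == "true"

def is_memory_file_access(event):  # download/read of a .vmem, .vmsn or .vmrs artifact
    return event.get("file", "").lower().endswith(MEMORY_FILE_SUFFIXES)

def triage(lines):
    """Return deduplicated (rule, vm, user) alerts for a time-ordered export."""
    alerts, last_snapshot = [], {}  # last_snapshot: (user, vm) -> memory snapshot time
    def raise_alert(rule, event):
        alert = (rule, event["vm"], event["user"])
        if alert not in alerts:
            alerts.append(alert)
    for event in map(parse_event, lines):
        if is_memory_snapshot(event):
            last_snapshot[(event["user"], event["vm"])] = event["ts"]
            if event["vm"].upper().startswith(TIER0_PREFIXES):
                raise_alert("memory snapshot of Tier-0 VM", event)
            if event["user"] not in APPROVED_SNAPSHOT_ACCOUNTS:
                raise_alert("memory snapshot by unapproved account", event)
        elif is_memory_file_access(event):
            raise_alert("memory-state file exported", event)  # backups never need RAM images
            snap_ts = last_snapshot.get((event["user"], event["vm"]))
            if snap_ts and event["ts"] - snap_ts <= CORRELATION_WINDOW:
                raise_alert("snapshot followed by memory export", event)
    return alerts
```

The same rules map onto whatever the SIEM actually ingests (vCenter task/event logs, Hyper-V-VMMS and datastore file-access auditing); the point is that the memory flag, the file suffixes and the short snapshot-to-export interval are what separate credential harvesting from routine backup activity.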

Prediction:

The adoption of this snapshot-based credential dumping technique will accelerate, forcing a paradigm shift in how organizations monitor their virtual infrastructure. We predict a surge in hypervisor-focused security tools that monitor for anomalous snapshot creation and datastore access patterns. Furthermore, as detection improves, attackers will evolve towards live memory introspection via hypervisor APIs, attempting to dump memory without creating a snapshot at all, leading to the next frontier of hypervisor-level offensive and defensive security research.

Reported By: Flavio Baldassi – Hackers Feeds