
nikaiw / VMkatz

Extract Windows credentials directly from VM memory snapshots and virtual disks

376 stars
31 forks
0 issues
Languages: Rust, Makefile


Repository Overview (README excerpt)


# VMkatz

## Too Big to Steal

You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route. After days of lateral movement you land on a NAS attached to the virtualization cluster and the directory listing hits different: rows upon rows of , , . Hundreds of gigabytes of virtual machines - domain controllers, admin workstations, the crown jewels - sitting right there. But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take **six days**, and every hour of sustained exfil is another chance the SOC spots the anomaly, burns your tunnel, and the whole chain collapses.

Without VMkatz, the traditional workflow looks like this: exfiltrate the entire VM disk or memory snapshot, mount it locally, install a full Windows analysis stack, load the snapshot into a debugger or use mimikatz on a booted copy, and manually piece together credentials from each VM - one at a time. Multiply that by a dozen VMs on the cluster and you are looking at days of bandwidth, tooling, and post-processing.

VMkatz exists because you shouldn't have to exfiltrate what you can read in place. It extracts Windows secrets - NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit - directly from VM memory snapshots and virtual disks, **on the NAS, the hypervisor, wherever the VM files are**.

A single static binary, ~2.5 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a , , or an entire VM folder. Walk away with credentials, not disk images.

## What It Extracts

### From memory snapshots (LSASS)

All 9 SSP credential providers that mimikatz implements:

| Provider | Data | Notes |
| --- | --- | --- |
| MSV1_0 | NT/LM hashes, SHA1 | Physical-scan fallback for paged entries |
| WDigest | Plaintext passwords | Linked-list walk + fallback |
| Kerberos | AES/RC4/DES keys, tickets ( / ) | AVL tree walk, often paged in VM snapshots |
| TsPkg | Plaintext passwords | RDP sessions only |
| DPAPI | Master key cache (GUID + decrypted key) | SHA1 masterkey for offline DPAPI decrypt |
| SSP | Plaintext credentials | in |
| LiveSSP | Plaintext credentials | Requires (rare post-Win8) |
| Credman | Stored credentials | Hash-table + single-list enumeration |
| CloudAP | Azure AD tokens | Typically empty for local-only logon |

### From virtual disks (offline)

- **SAM hashes**: Local account NT/LM hashes
- **LSA secrets**: Service account passwords, auto-logon credentials, machine account keys
- **Cached domain credentials**: DCC2 hashes (last N domain logons)
- **DPAPI master keys**: Hashcat-ready hashes from user master key files ( — modes 15300/15900)
- **NTDS.dit**: Full Active Directory hash extraction from domain controller disks, natively from the ESE database - no impacket or external tools needed

## Supported Inputs

| Format | Extensions | Source | Status |
| --- | --- | --- | --- |
| VMware snapshots | + | Workstation, ESXi | Tested |
| VirtualBox saved states | | VirtualBox | Tested |
| QEMU/KVM ELF core dumps | | , | Untested |
| Hyper-V saved states | | Hyper-V 2016+ (native parser) | Untested |
| Hyper-V memory dumps | , | Legacy saved states, raw dumps | Untested |
| VMware virtual disks | (sparse + flat) | Workstation, ESXi | Tested |
| VirtualBox virtual disks | | VirtualBox | Tested |
| QEMU/KVM virtual disks | | QEMU, Proxmox | Tested |
| Hyper-V virtual disks | , | Hyper-V | Untested |
| VMFS-6 raw SCSI devices | | ESXi datastores (bypasses file locks) | Tested |
| LVM block devices | | Proxmox LVM-thin, raw LVs | Tested |
| Raw registry hives | , , | Exported from disk or | Tested |
| Raw NTDS.dit | + | Copied from domain controller | Tested |
| LSASS minidump | | , procdump, Task Manager | Tested |
| VM directories | any folder | Auto-discovers all processable files | Tested |

**Target OS**: Windows XP SP3 through Windows Server 2025 (x86 PAE + x64, auto-detected).

## Quick Start

## Advanced options

## Output Formats

| Format | Flag | Description |
| --- | --- | --- |
| | (default) | Full credential dump with session metadata |
| | | Compact one-line-per-credential summary |
| | | pwdump format |
| | | Raw hashes: mode 1000 (NTLM), mode 2100 (DCC2), mode 15300/15900 (DPAPI) |
| | | Machine-readable, all fields |

In mode, well-known blank password hashes ( for NTLM, for LM) are annotated with . Use to control colored terminal output (default: , detects TTY). Colors highlight usernames, section headers, interesting hashes, and plaintext passwords.

## Example Output

### LSASS extraction (default text)

### Hashcat mode

### NTDS.dit extraction

### Pagefile resolution

## Pagefile Resolution

Memory snapshots only capture physical RAM. Credentials that were paged to disk at snapshot time appear as . The flag reads pagefile.sys from the VM's virtual disk to resolve these.

In **directory mode**, this happens automatically: VMkatz discovers both the snapshot and the disk image, and resolves paged memory without manual flags.

## Deployment on ESXi

VMkatz compiles to a static musl binary that runs directly on ESXi without dependencies:

## VMFS-6 Raw Device Access (ESXi)

On ESXi, VMFS locks prevent reading flat VMDK files from running VMs via the mounted filesystem. VMkatz includes a self-contained VMFS-6 parser that reads directly from the raw SCSI device, bypassing file locks entirely — no , no access, no unmounting.

### Discovery

VMkatz auto-discovers VMFS-6 devices by scanning for SCSI LUNs containing VMFS superblocks, then enumerates the VMFS directory tree to find all flat VMDKs and the VMs they belong to.

Example output:

The output is designed as copy-pasteable command-line arguments. Filter to a specific device with :

### Extraction modes

In auto-scan mode (no ), VMkatz discovers every flat VMDK on the device, checks each for NTFS partitions (skipping Linux/BSD VMs), and extracts credentials fro…