ComputerSecurityStudent (CSS) [Login] [Join Now]

|FORENSICS >> LosBuntu >> Current Page |Views: 29683

(LosBuntu: Volatility)

{ Download and Install Plugin }

Section 0: Background Information
  1. What is the scenario?
    • Forensics Investigators constantly have to update their skillset with tools that change the game.  Many of you have played with the stand alone version of MimiKatz and/or the Metasploit MimiKatz plugin.  But did you know that there is a MimiKatz plugin for Volatility?  This is important because it provides another way to capture a password (of a logged in user) from a memory image without having to extract the HIVE and crack passwords.
    • The following lesson will show you how to download and configure the plugin with volatility.

  2. What is mimikatz?
    • Mimikatz is a tool that pulls plain-text passwords out of WDigest interfaced through LSASS.  WDigest is a DLL first added in Windows XP that is used to authenticate users against the HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. Both of these require the user's plain-text password in order to derive the key to authenticate, thus why it is stored in plain-text.
    • Special thanks goes out to the mimikatz author, Benjamin DELPY (@gentilkiwi), for his game-changing work.
    • Reference:

  3. What is LosBuntu?
    • I wanted to thank my good friend Carlos Cajigas (@carlos_cajigas) for creating LosBuntu and for his generous guidance and mentorship in Cyber Forensics.
    • LosBuntu is a Linux Live DVD distribution (distro) that can be used to assist in data forensic investigations.  It is a compilation of Master Cajigas' many years of experience as a former law enforcement agent and IBM forensics investigator.

  4. Special Thanks
    • Thank you (@cruzhams) for providing the blueprints to get mimikatz working with Volatility.

  5. Pre-Requisite Lab
    1. LosBuntu: Lesson 3: Create LosBuntu Virtual Machine
  6. Lab Notes
    • In this lab we will do the following:
      1. Download
      2. Add to Volatility plugins directory
      3. Create a Construct

  7. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2016 No content replication of any kind is allowed without express written permission.


Section 1: Power On the LosBuntu VM
  • Note(FYI): LosBuntu will be used later to forensically collect a memory snapshot of the BadBlue Metasploit Attack Vector.
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player


  2. Edit Virtual Machine Settings
    • Instructions:
      1. Select LosBuntu
      2. Click Edit Virtual Machine Settings


  3. Configure Memory
    • Instructions:
      1. Click on Memory.
      2. Up the memory to 1 GB
    • Note(FYI):
      • LosBuntu really needs 1.5 to 2 GB; however, you are only configuring MimiKatz with Volatility in this lesson.
      • Do NOT Click the OK Button, we still have more to configure.


  4. Configure CD/DVD(IDE)
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Device status: Check Connect at power on
      3. Connection: Click Use physical drive
      4. Select Auto detect
    • Note(FYI):
      • Do NOT Click the OK Button, we still have more to configure


  5. Configure Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Device status: Check Connect at power on
      3. Network Connection: Click NAT: Used to share the ....
      4. Click the OK Button


  6. Play LosBuntu Virtual Machine
    • Instructions:
      1. Select LosBuntu
      2. Click Play virtual machine


Section 2: Login to LosBuntu
  1. Login to LosBuntu
    • Instructions:
      1. Password: mtk
      2. Press <Enter>


  2. Open Terminal Windows
    • Instructions:
      1. Click on the Terminal Window


  3. Become root
    • Instructions:
      1. sudo su -
      2. password: mtk
      3. pwd
    • Note(FYI):
      • Command #1, Use (sudo su -) to simulate an initial root login where the /etc/profile, .profile and .bashrc are executed.  Not only will the root user's environment be present, but also the root user will be placed in it's own home directory (/root).
      • Command #2, Use (pwd) to display the current working directory of the particular user.


  4. Obtain IP Address
    • Instructions:
      1. ifconfig -a
      2. Record Your IP Address
    • Note(FYI):
      • Command #1, Use (ifconfig) to view all (-a) IP Addresses associated with LosBuntu.  You should only have two interfaces: eth0 and lo.
        • eth0 - Is the primary interface.  In my case, the IP Address is
        • lo - Is the local loopback address.  The loopback address is used to establish an IP connection to the same machine or computer being used by the end-user.  The loopback construct gives a computer or device capable of networking the capability to validate or establish the IP stack on the machine.
      • If your host machine has Internet Connectivity, but LosBuntu does not have an IP Address associated with eth0, then issue the following command as root.
        • dhclient -v


Section 3: Download MimiKatz Plugin
  1. Download MimiKatz (On LosBuntu)
    • Instructions:
      1. cd /var/tmp
      2. wget
      3. mv
      4. ls -l
    • Note(FYI):
      • Command #1, Use (cd) to navigate into the (/var/tmp) directory.
      • Command #2, Use (wget) to download
      • Command #3, Use (mv) to rename ( to (
      • Command #4, Use (ls -l) to list (ie., view) the details of the file.


  2. Determine Volatility Plugins Location
    • Instructions:
      1. which
      2. ls -l /usr/local/bin/
      3. find /home/mtk/Programs/volatility2.4/volatility-2.4/ -type d -print | grep "volatility/plugins$"
      4. cd /home/mtk/Programs/volatility2.4/volatility-2.4/volatility/plugins
    • Note(FYI):
      • Command #1, Use (which) to return the path name of
      • Command #2, Use (ls -l) to view the details of the program.  Notice that (/var/local/bin/ is a soft link that really points to (/home/mtk/Programs/volatility2.4/volatility-2.4/
      • Command #3, Use (find) to search the (/home/mtk/Programs/volatility2.4/volatility-2.4/) directory and use the (-type) flag to only show directories using (d) and use (grep) to only display output that ends with ($) and contains the string (volatility/plugins).  The ($) means ends with.
      • Command #4, Use (cd) to navigate to the plugins directory (/home/mtk/Programs/volatility2.4/volatility-2.4/volatility/plugins).


  3. Copy MimiKatz Into Plugins Directory
    • Instructions:
      1. cp /var/tmp/ .
      2. ls -l
    • Note(FYI):
      • Command #1, Use (cp) to copy from the (/var/tmp) directory into (.), which is the current working directory.
      • Command #2, Use (ls -l) to list the details of the file.


Section 3: Install MimiKatz Construct
  1. Install MimiKatz Construct
    • Instructions:
      1. pip install construct
    • Note(FYI):
      • Command #1, Use (pip) to install the construct to go with
      • pip is a Python package installer, recommended for installing Python packages which are not available in the Debian archive.
      • Construct is a powerful declarative parser (and builder) for binary data.


Section 4: Proof of Lab
  1. Copy Forensic Files to Samba Share (On LosBuntu)
    • Instructions:
      1. find /* -name ""
      2. --info | grep -i mimikatz
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Note(FYI):
      • Command #1, Use (find) to search the entire server, starting slash (/) directory, which basically means search the entire computer for the ( file.
      • Command #2, Use ( --info) to list all of volatilities plugins and use (grep) to only display the mimikatz plugin.
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle

Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth