nikaiw/VMkatz (https://github.com/nikaiw/VMkatz)
Extract Windows credentials directly from VM memory snapshots and virtual disks

Language: Rust. License: MIT. Default branch: main. Stars: 1333. Forks: 144.
Topics: esxi, lsass, mimikatz, ntlm, offensive-security, post-exploitation, qcow2, vdi, vhdx, virtualbox, vmdk, vmware
Listing updated 2026-06-12 02:03:26 (last sync 2026-06-11 03:50:25).

Site summary (translated from Chinese): VMkatz is a tool for extracting Windows credentials from virtual machine memory snapshots and virtual disks. Its core capability is reading sensitive material such as NTLM hashes, DPAPI master keys and Kerberos tickets directly, without exfiltrating the whole disk image. The tool is written in Rust, supports Linux, Windows, macOS and ESXi, and is small at roughly 3 MB. It is intended for the post-exploitation phase of penetration tests, especially where network bandwidth is limited or credentials of the target system must be obtained quickly. It handles multiple virtual disk formats such as VMDK, VHDX and VDI, as well as VM snapshot files.

# VMkatz

[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
[![Build](https://github.com/nikaiw/VMkatz/actions/workflows/release.yml/badge.svg)](https://github.com/nikaiw/VMkatz/actions/workflows/release.yml)
[![CI](https://github.com/nikaiw/VMkatz/actions/workflows/clippy.yml/badge.svg)](https://github.com/nikaiw/VMkatz/actions/workflows/clippy.yml)
[![Platform](https://img.shields.io/badge/platform-linux%20|%20windows%20|%20macos%20|%20esxi-lightgrey)]()

## Too Big to Steal

You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route.

After days of lateral movement you land on a NAS attached to the virtualization cluster, and the directory listing changes everything: rows upon rows of `.vmdk`, `.vmsn`, `.sav`. Hundreds of gigabytes of virtual machines - domain controllers, admin workstations, the crown jewels - sitting right there.

But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take **six days**, and every hour of sustained exfil is another chance for the SOC to spot the anomaly, burn your tunnel, and collapse the whole chain.

VMkatz exists because you shouldn't have to exfiltrate what you can read in place. It extracts Windows secrets - NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit, BitLocker keys - directly from VM memory snapshots and virtual disks, **on the NAS, the hypervisor, wherever the VM files are**.

A single static binary, ~3 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a `.vmsn`, `.vmdk`, or an entire VM folder. Walk away with credentials, not disk images.

## What It Extracts

### From memory snapshots (LSASS)

All 9 SSP credential providers that mimikatz implements:

| Provider | Data | Notes |
| --- | --- | --- |
| MSV1_0 | NT/LM hashes, SHA1 | Physical-scan fallback for paged entries |
| WDigest | Plaintext passwords | Linked-list walk + `.data` fallback |
| Kerberos | AES/RC4/DES keys, tickets (`.kirbi`/`.ccache`) | AVL tree walk + ticket carving for freed sessions |
| TsPkg | Plaintext passwords | RDP sessions only |
| DPAPI | Master key cache (GUID + decrypted key) | SHA1 of the master key, for offline DPAPI decryption |
| SSP | Plaintext credentials | `SspCredentialList` in `msv1_0.dll` |
| LiveSSP | Plaintext credentials | Requires `livessp.dll` (rare post-Win8) |
| Credman | Stored credentials | Hash-table + single-list enumeration |
| CloudAP | Azure AD tokens | Typically empty for local-only logon |

Plus: **BitLocker FVEK** extraction from memory (pool tag scan for `FVEc`/`Cngb`).

### From virtual disks (offline)

- **SAM hashes**: Local account NT/LM hashes with account status (disabled, blank password)
- **LSA secrets**: Service account passwords, auto-logon credentials, machine account keys
- **Cached domain credentials**: DCC2 hashes of the last N domain logons (N is the `CachedLogonsCount` policy, 10 by default)
- **DPAPI master keys**: Hashcat-ready hashes (`$DPAPImk$`, modes 15300/15310/15900/15910)
- **NTDS.dit**: Full Active Directory hash extraction from domain controller disks (native ESE parser)
- **BitLocker decryption**: Transparent disk decryption using an FVEK extracted from memory, so a memory snapshot of the same VM taken while the volume was unlocked is needed alongside the disk

## Supported Inputs

| Format | Extensions | Source | Status |
| --- | --- | --- | --- |
| VMware snapshots | `.vmsn` + `.vmem` | Workstation, ESXi | Tested |
| VMware embedded snapshots | `.vmsn` (no `.vmem`) | ESXi suspend | Tested |
| VirtualBox saved states | `.sav` | VirtualBox | Tested |
| QEMU/KVM savevm states | auto-detected | Proxmox, QEMU | Tested |
| QEMU/KVM ELF core dumps | `.elf` | `virsh dump` | Tested |
| Hyper-V saved states | `.vmrs` | Hyper-V 2016+ | Untested |
| VMware virtual disks | `.vmdk` (sparse + flat) | Workstation, ESXi | Tested |
| VirtualBox virtual disks | `.vdi` | VirtualBox | Tested |
| QEMU/KVM virtual disks | `.qcow2` | QEMU, Proxmox | Tested |
| Hyper-V virtual disks | `.vhdx`, `.vhd` | Hyper-V | Tested |
| VMFS-5/6 raw SCSI devices | `/dev/disks/...` | ESXi (bypasses file locks) | Tested |
| LVM block devices | `/dev/...` | Proxmox LVM-thin | Tested |
| Raw registry hives | `SAM`, `SYSTEM`, `SECURITY` | `reg save` | Tested |
| Raw NTDS.dit | `ntds.dit` + `SYSTEM` | Domain controller | Tested |
| LSASS minidump | `.dmp` | procdump, Task Manager | Tested |
| VM directories | any folder | Auto-discovers all files | Tested |

**Target OS**: Windows Server 2003 through Windows Server 2025 / Windows 11 24H2 (x86 PAE + x64).

## Quick Start

```bash
# Extract LSASS credentials from a VMware snapshot
./vmkatz snapshot.vmsn

# Also pass the VM's disk so credentials paged out to pagefile.sys can be resolved
./vmkatz --disk disk.vmdk snapshot.vmsn

# Extract SAM/LSA/DCC2 from a virtual disk
./vmkatz disk.vmdk

# Extract AD hashes from a domain controller disk
./vmkatz --ntds dc-disk.qcow2

# Point at a VM folder and let it find everything
./vmkatz /path/to/vm-directory/

# Extract from raw registry hives
./vmkatz SAM SYSTEM SECURITY

# Output as hashcat-ready hashes
./vmkatz --format hashcat snapshot.vmsn

# Export Kerberos tickets
./vmkatz --kirbi snapshot.vmsn        # .kirbi files
./vmkatz --ccache snapshot.vmsn       # .ccache file

# Export BitLocker FVEK for dislocker
./vmkatz --bitlocker-fvek /tmp/keys snapshot.vmsn

# Recursively scan all VMs under a path
./vmkatz -r /vmfs/volumes/datastore1/

# Parse an LSASS minidump
./vmkatz lsass.dmp
```

## Output Formats

| Format | Flag | Description |
| --- | --- | --- |
| `text` | `--format text` (default) | Full credential dump with session metadata |
| `brief` | `--format brief` | Compact one-line-per-credential summary |
| `ntlm` | `--format ntlm` | `DOMAIN\user:::hash:::` pwdump format |
| `hashcat` | `--format hashcat` | Raw hashes: mode 1000 (NTLM), 2100 (DCC2), 15300/15900 (DPAPI) |
| `csv` | `--format csv` | Machine-readable, all fields |

## Deployment on ESXi

```bash
# Cross-compile for ESXi (musl static)
cargo build --release --target x86_64-unknown-linux-musl

# Upload, then run on the ESXi host
scp target/x86_64-unknown-linux-musl/release/vmkatz root@esxi:/tmp/
/tmp/vmkatz /vmfs/volumes/datastore1/MyVM/MyVM-Snapshot1.vmsn
```

When VIB protection (`execInstalledOnly`) is enabled, use the Python loader; there is no need to disable the setting:

```bash
scp tools/vmkatz_loader.py target/x86_64-unknown-linux-musl/release/vmkatz root@esxi:/tmp/
python /tmp/vmkatz_loader.py /tmp/vmkatz /vmfs/volumes/datastore1/MyVM/snapshot.vmsn
```

See [docs/esxi.md](docs/esxi.md) for VIB bypass details, VMFS raw device access, and auto-discovery.

## Build Features

VMkatz is modular. Features can be enabled/disabled at compile time:

| Feature | Description | Default |
| --- | --- | --- |
| `vmware` | VMware `.vmsn`/`.vmem` snapshot support | Yes |
| `vbox` | VirtualBox `.sav` saved-state support | Yes |
| `qemu` | QEMU/KVM ELF core dumps + Proxmox savevm | Yes |
| `hyperv` | Hyper-V `.vmrs`/`.bin`/`.raw` dump support | Yes |
| `sam` | Disk extraction (SAM/LSA/DCC2) + disk format handlers | Yes |
| `ntds.dit` | NTDS.dit AD extraction. Requires `sam` | Yes |
| `carve` | Degraded extraction from partial/truncated memory | Yes |
| `dump` | Process memory dump as minidump | Yes |
| `vmfs` | VMFS-5/6 raw parser for ESXi SCSI devices. Requires `sam` | Yes |

```bash
cargo build --release                                                  # Full build
cargo build --release --no-default-features --features vmware          # VMware only
cargo build --release --no-default-features --features "sam ntds.dit"  # Disk only
```

## Documentation

- [ESXi deployment, VIB bypass, VMFS raw access](docs/esxi.md)
- [Example output](docs/examples.md)
- [Architecture and module layout](docs/architecture.md)
- [Tested targets and known limitations](docs/tested-targets.md)

## Acknowledgements

- [**mimikatz**](https://github.com/gentilkiwi/mimikatz) by Benjamin Delpy ([@gentilkiwi](https://twitter.com/gentilkiwi)) -- the definitive reference for LSASS internals and Windows credential decryption.
- [**pypykatz**](https://github.com/skelsec/pypykatz) by Tamás Jós ([@skelsec](https://twitter.com/skelsec)) -- pure Python mimikatz reimplementation, used as cross-reference for SAM/LSA/DCC2 extraction.
- [**Impacket**](https://github.com/fortra/impacket) by Fortra (originally Alberto Solino, [@agsolino](https://twitter.com/agsolino)) -- reference implementation for NTDS.dit extraction and the pwdump output format.
- [**Vergilius Project**](https://www.vergiliusproject.com/) -- documented Windows kernel structures used to verify EPROCESS field offsets across all supported builds (XP through Win11 24H2).
- [**dissect.vmfs**](https://github.com/fox-it/dissect.vmfs) by Fox-IT (NCC Group) -- Python VMFS parser from the Dissect DFIR framework, used as reference for VMFS on-disk structures.
- [**vmfs-tools**](https://github.com/glandium/vmfs-tools) by Mike Hommey -- open-source VMFS3/5 implementation that documents core on-disk structures and address types.
- [**volatility-kerberos**](https://github.com/airbus-cert/volatility-kerberos) by Sylvain Peyrefitte ([@citronneur](https://twitter.com/citronneur), Airbus CERT) -- Volatility 3 Kerberos plugin; inspired the ticket carving approach for recovering orphaned tickets from freed LSASS memory.
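The Supported Inputs table lists `.qcow2` among the disk formats VMkatz reads in place. The Python below is an added example, not VMkatz's own (Rust) reader, showing the two-level L1/L2 mapping every qcow2 consumer has to walk: a guest offset is split into an L1 index, an L2 index and an in-cluster offset, and only allocated clusters are read from the host file, which is what makes reading a large, mostly sparse image cheap. The image is constructed in memory (version 2 header, 4 KiB clusters, one allocated guest cluster); `Qcow2`, `build_sample_image` and the constructed payload are this example's own. Backing files, compressed clusters and encryption are out of scope and are rejected rather than silently misread.

```python
"""qcow2 guest-to-host cluster lookup (added example, not VMkatz code)."""
import struct

QCOW_MAGIC = 0x514649FB
# L1/L2 entries: bits 9..55 = host offset, bit 62 = compressed, bit 63 = COPIED.
OFFSET_MASK = 0x00FFFFFFFFFFFE00
L2_COMPRESSED = 1 << 62
L2_ZERO = 1  # v3 "reads as zeros" flag


class Qcow2:
    def __init__(self, data: bytes):
        self.data = data
        # Header fields are big-endian: magic, version, backing_file_offset,
        # backing_file_size, cluster_bits, size, crypt_method, l1_size, l1_table_offset.
        (magic, version, bf_off, _bf_size, cluster_bits, size, crypt,
         l1_size, l1_off) = struct.unpack_from(">IIQIIQIIQ", data, 0)
        if magic != QCOW_MAGIC:
            raise ValueError("not a qcow2 image")
        if version not in (2, 3):
            raise ValueError(f"unsupported qcow2 version {version}")
        if bf_off:
            raise ValueError("backing files not handled here")
        if crypt:
            raise ValueError("encrypted qcow2 not handled here")
        if not 9 <= cluster_bits <= 21:
            raise ValueError("implausible cluster_bits")
        self.cluster_bits = cluster_bits
        self.cluster_size = 1 << cluster_bits
        self.l2_entries = self.cluster_size // 8  # 8-byte entries per L2 cluster
        self.size, self.l1_size, self.l1_off = size, l1_size, l1_off

    def _entry(self, table_off: int, index: int) -> int:
        return struct.unpack_from(">Q", self.data, table_off + 8 * index)[0]

    def host_offset(self, guest_off: int):
        """Host file offset backing guest_off, or None if the cluster is unallocated."""
        l2_bits = self.cluster_bits - 3
        l1_index = guest_off >> (l2_bits + self.cluster_bits)
        if l1_index >= self.l1_size:
            return None
        l2_off = self._entry(self.l1_off, l1_index) & OFFSET_MASK
        if l2_off == 0:
            return None  # no L2 table: whole region unallocated
        l2_index = (guest_off >> self.cluster_bits) & (self.l2_entries - 1)
        l2_entry = self._entry(l2_off, l2_index)
        if l2_entry & L2_COMPRESSED:
            raise NotImplementedError("compressed cluster")
        host_cluster = l2_entry & OFFSET_MASK
        if host_cluster == 0 or l2_entry & L2_ZERO:
            return None
        return host_cluster + (guest_off & (self.cluster_size - 1))

    def read(self, guest_off: int, length: int) -> bytes:
        """Read a guest range; unallocated clusters read as zeros, as the guest sees them."""
        out = bytearray()
        while length:
            n = min(length, self.cluster_size - (guest_off & (self.cluster_size - 1)))
            h = self.host_offset(guest_off)
            out += b"\0" * n if h is None else self.data[h:h + n]
            guest_off += n
            length -= n
        return bytes(out)


def build_sample_image(cluster_bits: int = 12) -> bytes:
    """Constructed 4-cluster image: header, L1 table, L2 table, one data cluster.
    Guest cluster 0 maps to host cluster 3; the other 7 guest clusters are unallocated."""
    cs = 1 << cluster_bits
    img = bytearray(4 * cs)
    struct.pack_into(">IIQIIQIIQQIIQ", img, 0,
                     QCOW_MAGIC, 2, 0, 0, cluster_bits, 8 * cs, 0,
                     1, 1 * cs,      # l1_size, l1_table_offset
                     0, 0, 0, 0)     # refcount table / snapshots: unused by this reader
    struct.pack_into(">Q", img, 1 * cs, (1 << 63) | (2 * cs))  # L1[0] -> L2 table at cluster 2
    struct.pack_into(">Q", img, 2 * cs, (1 << 63) | (3 * cs))  # L2[0] -> data at cluster 3
    payload = b"SAM\x00" + bytes(range(256)) * ((cs - 4) // 256)  # constructed data
    img[3 * cs:3 * cs + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    q = Qcow2(build_sample_image())
    print(q.read(0, 4), q.host_offset(0), q.host_offset(5 * q.cluster_size))
```

The same walk is what a tool has to do for a VMDK sparse extent or a VHDX block allocation table: resolve the mapping first, then touch only the host blocks that back the guest sectors holding `SAM`, `SYSTEM` or `ntds.dit`.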
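The What It Extracts section says the BitLocker FVEK is located by a pool tag scan for `FVEc`/`Cngb`. The scanner below is an added example, not VMkatz's code, of that generic technique over a raw physical-memory buffer: find the tag bytes, step back 4 bytes to where an x64 `_POOL_HEADER` would start, and keep only 16-byte-aligned, non-free headers whose `BlockSize` fits the buffer. Where the key sits inside the allocation is kernel-build-specific and not stated on the page, so the example returns candidate payloads rather than decoding them. The memory page, its two fake pool blocks and the 32-byte stand-in key are constructed in `build_sample_memory`; `scan_pool_tags` is this example's own name.

```python
"""Pool-tag scan for kernel allocations (added example, not VMkatz code)."""
import struct

# x64 _POOL_HEADER (16 bytes): u8 PreviousSize, u8 PoolIndex, u8 BlockSize,
# u8 PoolType, u32 PoolTag, u64 ProcessBilled. Sizes are in 16-byte units.
POOL_HEADER_LEN = 16
POOL_ALIGN = 16


def _tag_patterns(tag: bytes):
    # Protected allocations set the top bit of the tag's last byte; search both forms.
    return (tag, tag[:3] + bytes([tag[3] | 0x80]))


def scan_pool_tags(mem: bytes, tags=(b"FVEc", b"Cngb")):
    """Return [(header_offset, payload, tag)] for every plausible in-use pool block."""
    hits = []
    for tag in tags:
        for pattern in _tag_patterns(tag):
            start = 0
            while (i := mem.find(pattern, start)) >= 0:
                start = i + 1
                hdr = i - 4                         # PoolTag sits at offset 4 of the header
                if hdr < 0 or hdr % POOL_ALIGN:
                    continue                        # real headers are 16-byte aligned
                _prev, _idx, block_size, pool_type = struct.unpack_from("<BBBB", mem, hdr)
                nbytes = block_size * 16
                if block_size == 0 or hdr + nbytes > len(mem):
                    continue                        # size must be sane for this buffer
                if pool_type == 0:
                    continue                        # PoolType 0 marks a freed block
                hits.append((hdr, mem[hdr + POOL_HEADER_LEN:hdr + nbytes], tag.decode()))
    return hits


def build_sample_memory() -> bytes:
    """Constructed 4 KiB page: a freed FVEc block, an in-use FVEc block holding a
    stand-in key, and a stray 'FVEc' string inside ordinary data."""
    mem = bytearray(4096)
    # Freed block at 0x100: BlockSize 4 (64 bytes), PoolType 0 -> must be skipped.
    struct.pack_into("<BBBB4s", mem, 0x100, 0, 0, 4, 0, b"FVEc")
    # In-use block at 0x200: BlockSize 6 (96 bytes), PoolType 1 (allocated NonPaged).
    struct.pack_into("<BBBB4s", mem, 0x200, 0, 0, 6, 1, b"FVEc")
    key = bytes(range(0x10, 0x30))                  # 32-byte stand-in for an AES-256 FVEK
    mem[0x218:0x238] = key                          # 8 bytes into the 80-byte payload
    mem[0x303:0x307] = b"FVEc"                      # unaligned occurrence: not a header
    return bytes(mem)


if __name__ == "__main__":
    for off, payload, tag in scan_pool_tags(build_sample_memory()):
        print(f"{tag} allocation at {off:#x}, {len(payload)} payload bytes")
```

On recent Windows 10/11 kernels much of the pool is served from the segment heap and does not carry a classic `_POOL_HEADER`, so treat tag hits as candidates to be validated against the expected structure (key length, adjacent algorithm identifiers) rather than as the key itself; a memory snapshot taken while the volume was locked will contain no FVEK at all.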