Zero-Exfil Hijacking: How VMkatz Rips Windows Credentials Directly from VM Snapshots

by ddos · April 16, 2026

VMkatz

Extract Windows credentials directly from VM memory snapshots and virtual disks

You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route.

After days of lateral movement you land on a NAS attached to the virtualization cluster and the directory listing hits different: rows upon rows of .vmdk, .vmsn, .sav. Hundreds of gigabytes of virtual machines – domain controllers, admin workstations, the crown jewels – sitting right there.

But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take six days, and every hour of sustained exfil is another chance the SOC spots the anomaly, burns your tunnel, and the whole chain collapses.

VMkatz exists because you shouldn’t have to exfiltrate what you can read in place. It extracts Windows secrets – NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit, BitLocker keys – directly from VM memory snapshots and virtual disks, on the NAS, the hypervisor, wherever the VM files are.

A single static binary, ~3 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a .vmsn, .vmdk, or an entire VM folder. Walk away with credentials, not disk images.

What It Extracts

From memory snapshots (LSASS)

All 9 SSP credential providers that mimikatz implements:

Provider	Data	Notes
MSV1_0	NT/LM hashes, SHA1	Physical-scan fallback for paged entries
WDigest	Plaintext passwords	Linked-list walk + `.data` fallback
Kerberos	AES/RC4/DES keys, tickets (`.kirbi`/`.ccache`)	AVL tree walk + ticket carving for freed sessions
TsPkg	Plaintext passwords	RDP sessions only
DPAPI	Master key cache (GUID + decrypted key)	SHA1 masterkey for offline DPAPI decrypt
SSP	Plaintext credentials	`SspCredentialList` in `msv1_0.dll`
LiveSSP	Plaintext credentials	Requires `livessp.dll` (rare post-Win8)
Credman	Stored credentials	Hash-table + single-list enumeration
CloudAP	Azure AD tokens	Typically empty for local-only logon

Plus: BitLocker FVEK extraction from memory (pool tag scan for FVEc/Cngb).

From virtual disks (offline)

SAM hashes: Local account NT/LM hashes with account status (disabled, blank password)
LSA secrets: Service account passwords, auto-logon credentials, machine account keys
Cached domain credentials: DCC2 hashes (last N domain logons)
DPAPI master keys: Hashcat-ready hashes ( $DPAPImk$ — modes 15300/15310/15900/15910)
NTDS.dit: Full Active Directory hash extraction from domain controller disks (native ESE parser)
BitLocker decryption: Transparent disk decryption using FVEK extracted from memory

Supported Inputs

Format	Extensions	Source	Status
VMware snapshots	`.vmsn` + `.vmem`	Workstation, ESXi	Tested
VMware embedded snapshots	`.vmsn` (no `.vmem`)	ESXi suspend	Tested
VirtualBox saved states	`.sav`	VirtualBox	Tested
QEMU/KVM savevm states	auto-detected	Proxmox, QEMU	Tested
QEMU/KVM ELF core dumps	`.elf`	`virsh dump`	Tested
Hyper-V saved states	`.vmrs`	Hyper-V 2016+	Untested
VMware virtual disks	`.vmdk` (sparse + flat)	Workstation, ESXi	Tested
VirtualBox virtual disks	`.vdi`	VirtualBox	Tested
QEMU/KVM virtual disks	`.qcow2`	QEMU, Proxmox	Tested
Hyper-V virtual disks	`.vhdx`, `.vhd`	Hyper-V	Tested
VMFS-5/6 raw SCSI devices	`/dev/disks/...`	ESXi (bypasses file locks)	Tested
LVM block devices	`/dev/...`	Proxmox LVM-thin	Tested
Raw registry hives	`SAM`, `SYSTEM`, `SECURITY`	`reg save`	Tested
Raw NTDS.dit	`ntds.dit` + `SYSTEM`	Domain controller	Tested
LSASS minidump	`.dmp`	procdump, Task Manager	Tested
VM directories	any folder	Auto-discovers all files	Tested