Zero-Exfil Hijacking: How VMkatz Rips Windows Credentials Directly from VM Snapshots

VMkatz

Extract Windows credentials directly from VM memory snapshots and virtual disks

You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route.

After days of lateral movement you land on a NAS attached to the virtualization cluster and the directory listing hits different: rows upon rows of .vmdk.vmsn.sav. Hundreds of gigabytes of virtual machines – domain controllers, admin workstations, the crown jewels – sitting right there.

But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take six days, and every hour of sustained exfil is another chance the SOC spots the anomaly, burns your tunnel, and the whole chain collapses.

VMkatz exists because you shouldn’t have to exfiltrate what you can read in place. It extracts Windows secrets – NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit, BitLocker keys – directly from VM memory snapshots and virtual disks, on the NAS, the hypervisor, wherever the VM files are.

A single static binary, ~3 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a .vmsn.vmdk, or an entire VM folder. Walk away with credentials, not disk images.

What It Extracts

From memory snapshots (LSASS)

All 9 SSP credential providers that mimikatz implements:

Provider Data Notes
MSV1_0 NT/LM hashes, SHA1 Physical-scan fallback for paged entries
WDigest Plaintext passwords Linked-list walk + .data fallback
Kerberos AES/RC4/DES keys, tickets (.kirbi/.ccache) AVL tree walk + ticket carving for freed sessions
TsPkg Plaintext passwords RDP sessions only
DPAPI Master key cache (GUID + decrypted key) SHA1 masterkey for offline DPAPI decrypt
SSP Plaintext credentials SspCredentialList in msv1_0.dll
LiveSSP Plaintext credentials Requires livessp.dll (rare post-Win8)
Credman Stored credentials Hash-table + single-list enumeration
CloudAP Azure AD tokens Typically empty for local-only logon

Plus: BitLocker FVEK extraction from memory (pool tag scan for FVEc/Cngb).

From virtual disks (offline)

  • SAM hashes: Local account NT/LM hashes with account status (disabled, blank password)
  • LSA secrets: Service account passwords, auto-logon credentials, machine account keys
  • Cached domain credentials: DCC2 hashes (last N domain logons)
  • DPAPI master keys: Hashcat-ready hashes ($DPAPImk$ — modes 15300/15310/15900/15910)
  • NTDS.dit: Full Active Directory hash extraction from domain controller disks (native ESE parser)
  • BitLocker decryption: Transparent disk decryption using FVEK extracted from memory

Supported Inputs

Format Extensions Source Status
VMware snapshots .vmsn + .vmem Workstation, ESXi Tested
VMware embedded snapshots .vmsn (no .vmem) ESXi suspend Tested
VirtualBox saved states .sav VirtualBox Tested
QEMU/KVM savevm states auto-detected Proxmox, QEMU Tested
QEMU/KVM ELF core dumps .elf virsh dump Tested
Hyper-V saved states .vmrs Hyper-V 2016+ Untested
VMware virtual disks .vmdk (sparse + flat) Workstation, ESXi Tested
VirtualBox virtual disks .vdi VirtualBox Tested
QEMU/KVM virtual disks .qcow2 QEMU, Proxmox Tested
Hyper-V virtual disks .vhdx.vhd Hyper-V Tested
VMFS-5/6 raw SCSI devices /dev/disks/... ESXi (bypasses file locks) Tested
LVM block devices /dev/... Proxmox LVM-thin Tested
Raw registry hives SAMSYSTEMSECURITY reg save Tested
Raw NTDS.dit ntds.dit + SYSTEM Domain controller Tested
LSASS minidump .dmp procdump, Task Manager Tested
VM directories any folder Auto-discovers all files Tested

Target OS: Windows Server 2003 through Windows Server 2025 / Windows 11 24H2 (x86 PAE + x64).

Download & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce