VMkatz

March 24, 2026 · View on GitHub

License: MIT Build CI Platform

Too Big to Steal

You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route.

After days of lateral movement you land on a NAS attached to the virtualization cluster and the directory listing hits different: rows upon rows of .vmdk, .vmsn, .sav. Hundreds of gigabytes of virtual machines - domain controllers, admin workstations, the crown jewels - sitting right there.

But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take six days, and every hour of sustained exfil is another chance the SOC spots the anomaly, burns your tunnel, and the whole chain collapses.

VMkatz exists because you shouldn't have to exfiltrate what you can read in place. It extracts Windows secrets - NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit, BitLocker keys - directly from VM memory snapshots and virtual disks, on the NAS, the hypervisor, wherever the VM files are.

A single static binary, ~3 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a .vmsn, .vmdk, or an entire VM folder. Walk away with credentials, not disk images.

What It Extracts

From memory snapshots (LSASS)

All 9 SSP credential providers that mimikatz implements:

ProviderDataNotes
MSV1_0NT/LM hashes, SHA1Physical-scan fallback for paged entries
WDigestPlaintext passwordsLinked-list walk + .data fallback
KerberosAES/RC4/DES keys, tickets (.kirbi/.ccache)AVL tree walk + ticket carving for freed sessions
TsPkgPlaintext passwordsRDP sessions only
DPAPIMaster key cache (GUID + decrypted key)SHA1 masterkey for offline DPAPI decrypt
SSPPlaintext credentialsSspCredentialList in msv1_0.dll
LiveSSPPlaintext credentialsRequires livessp.dll (rare post-Win8)
CredmanStored credentialsHash-table + single-list enumeration
CloudAPAzure AD tokensTypically empty for local-only logon

Plus: BitLocker FVEK extraction from memory (pool tag scan for FVEc/Cngb).

From virtual disks (offline)

  • SAM hashes: Local account NT/LM hashes with account status (disabled, blank password)
  • LSA secrets: Service account passwords, auto-logon credentials, machine account keys
  • Cached domain credentials: DCC2 hashes (last N domain logons)
  • DPAPI master keys: Hashcat-ready hashes ($DPAPImk$ — modes 15300/15310/15900/15910)
  • NTDS.dit: Full Active Directory hash extraction from domain controller disks (native ESE parser)
  • BitLocker decryption: Transparent disk decryption using FVEK extracted from memory

Supported Inputs

FormatExtensionsSourceStatus
VMware snapshots.vmsn + .vmemWorkstation, ESXiTested
VMware embedded snapshots.vmsn (no .vmem)ESXi suspendTested
VirtualBox saved states.savVirtualBoxTested
QEMU/KVM savevm statesauto-detectedProxmox, QEMUTested
QEMU/KVM ELF core dumps.elfvirsh dumpTested
Hyper-V saved states.vmrsHyper-V 2016+Untested
VMware virtual disks.vmdk (sparse + flat)Workstation, ESXiTested
VirtualBox virtual disks.vdiVirtualBoxTested
QEMU/KVM virtual disks.qcow2QEMU, ProxmoxTested
Hyper-V virtual disks.vhdx, .vhdHyper-VTested
VMFS-5/6 raw SCSI devices/dev/disks/...ESXi (bypasses file locks)Tested
LVM block devices/dev/...Proxmox LVM-thinTested
Raw registry hivesSAM, SYSTEM, SECURITYreg saveTested
Raw NTDS.ditntds.dit + SYSTEMDomain controllerTested
LSASS minidump.dmpprocdump, Task ManagerTested
VM directoriesany folderAuto-discovers all filesTested

Target OS: Windows Server 2003 through Windows Server 2025 / Windows 11 24H2 (x86 PAE + x64).

Quick Start

# Extract LSASS credentials from a VMware snapshot
./vmkatz snapshot.vmsn

# With pagefile resolution for paged-out creds
./vmkatz --disk disk.vmdk snapshot.vmsn

# Extract SAM/LSA/DCC2 from a virtual disk
./vmkatz disk.vmdk

# Extract AD hashes from a domain controller disk
./vmkatz --ntds dc-disk.qcow2

# Point at a VM folder and let it find everything
./vmkatz /path/to/vm-directory/

# Extract from raw registry hives
./vmkatz SAM SYSTEM SECURITY

# Output as hashcat-ready hashes
./vmkatz --format hashcat snapshot.vmsn

# Export Kerberos tickets
./vmkatz --kirbi snapshot.vmsn        # .kirbi files
./vmkatz --ccache snapshot.vmsn       # .ccache file

# Export BitLocker FVEK for dislocker
./vmkatz --bitlocker-fvek /tmp/keys snapshot.vmsn

# Recursively scan all VMs under a path
./vmkatz -r /vmfs/volumes/datastore1/

# Parse LSASS minidump
./vmkatz lsass.dmp

Output Formats

FormatFlagDescription
text--format text (default)Full credential dump with session metadata
brief--format briefCompact one-line-per-credential summary
ntlm--format ntlmDOMAIN\user:::hash::: pwdump format
hashcat--format hashcatRaw hashes: mode 1000 (NTLM), 2100 (DCC2), 15300/15900 (DPAPI)
csv--format csvMachine-readable, all fields

Deployment on ESXi

# Cross-compile for ESXi (musl static)
cargo build --release --target x86_64-unknown-linux-musl

# Upload and run
scp target/x86_64-unknown-linux-musl/release/vmkatz root@esxi:/tmp/
/tmp/vmkatz /vmfs/volumes/datastore1/MyVM/MyVM-Snapshot1.vmsn

When VIB protection (execInstalledOnly) is enabled, use the Python loader — no need to disable the setting:

scp tools/vmkatz_loader.py target/x86_64-unknown-linux-musl/release/vmkatz root@esxi:/tmp/
python /tmp/vmkatz_loader.py /tmp/vmkatz /vmfs/volumes/datastore1/MyVM/snapshot.vmsn

See docs/esxi.md for VIB bypass details, VMFS raw device access, and auto-discovery.

Build Features

VMkatz is modular. Features can be enabled/disabled at compile time:

FeatureDescriptionDefault
vmwareVMware .vmsn/.vmem snapshot supportYes
vboxVirtualBox .sav saved-state supportYes
qemuQEMU/KVM ELF core dumps + Proxmox savevmYes
hypervHyper-V .vmrs/.bin/.raw dump supportYes
samDisk extraction (SAM/LSA/DCC2) + disk format handlersYes
ntds.ditNTDS.dit AD extraction. Requires samYes
carveDegraded extraction from partial/truncated memoryYes
dumpProcess memory dump as minidumpYes
vmfsVMFS-5/6 raw parser for ESXi SCSI devices. Requires samYes
cargo build --release                                              # Full build
cargo build --release --no-default-features --features vmware      # VMware only
cargo build --release --no-default-features --features "sam ntds.dit"  # Disk only

Documentation

Acknowledgements

  • mimikatz by Benjamin Delpy (@gentilkiwi) -- the definitive reference for LSASS internals and Windows credential decryption.
  • pypykatz by Tamás Jós (@skelsec) -- pure Python mimikatz reimplementation, used as cross-reference for SAM/LSA/DCC2 extraction.
  • Impacket by Fortra (originally Alberto Solino @agsolino) -- reference implementation for NTDS.dit extraction and the pwdump output format.
  • Vergilius Project -- documented Windows kernel structures used to verify EPROCESS field offsets across all supported builds (XP through Win11 24H2).
  • dissect.vmfs by Fox-IT (NCC Group) -- Python VMFS parser from the Dissect DFIR framework, used as reference for VMFS on-disk structures.
  • vmfs-tools by Mike Hommey -- open-source VMFS3/5 implementation that documents core on-disk structures and address types.
  • volatility-kerberos by Sylvain Peyrefitte (@citronneur, Airbus CERT) -- Volatility 3 Kerberos plugin, inspired the ticket carving approach for recovering orphaned tickets from freed LSASS memory.