VMkatz — extracting Windows credentials directly from virtual machine memory snapshots and virtual disks

⚙️ Tools · 2026-03-19, 14:52
The tool is designed to extract NTLM hashes, DPAPI keys, Kerberos tickets, cached domain credentials, LSA secrets, and the NTDS.dit database directly from .vmsn, .vmdk and other virtual machine artifacts. It operates without downloading full images—a crucial advantage when bandwidth is limited or exfiltration detection is a concern. The tool is a statically compiled binary (~2.5 MB) capable of running directly on a NAS, hypervisor, or storage system where the VM files reside.
Features:
📍 Extracts secrets from LSASS memory for all nine SSP providers supported by Mimikatz.
📍 Works with .vmsn, .vmdk, .sav files without needing to boot or "thaw" the virtual machine.
📍 Retrieves NTLM hashes, DPAPI master keys, Kerberos tickets, LSA secrets, and NTDS.dit.
📍 A single-file binary with no external dependencies or installation requirements.
Functionally, VMkatz is closest to Mimikatz and Impacket modules for offline analysis. Unlike traditional tools, it interacts directly with VM disk and memory images. While Mimikatz excels at interactive tasks on live systems, VMkatz is purpose-built for efficient, stealthy extraction from VM snapshots.
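A defender's view of the same artifacts, as an added example (not part of the original post or of VMkatz): a Python audit that inventories the file types named above under a datastore path and flags copies readable beyond their owner, plus memory snapshots that have been left in place. The 30-day threshold, the POSIX permission checks and the memory/disk grouping of the extensions are assumptions of this example.

```python
import os
import stat
import sys
import time
from dataclasses import dataclass, field

# Extensions named on the page; the memory/disk grouping is this example's assumption.
MEMORY_EXTS = {".vmsn", ".sav"}  # saved VM state, may contain LSASS memory
DISK_EXTS = {".vmdk"}            # virtual disk, holds registry hives / NTDS.dit


@dataclass
class Finding:
    path: str
    kind: str                    # "memory" or "disk"
    age_days: int
    issues: list = field(default_factory=list)


def audit_datastore(root, max_age_days=30, now=None):
    """Walk root and report credential-bearing VM artifacts and their exposure."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            kind = "memory" if ext in MEMORY_EXTS else "disk" if ext in DISK_EXTS else None
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the datastore
            if not stat.S_ISREG(st.st_mode):
                continue
            issues = []
            if st.st_mode & stat.S_IROTH:
                issues.append("world-readable")
            if st.st_mode & stat.S_IRGRP:
                issues.append("group-readable")
            age_days = int((now - st.st_mtime) // 86400)
            if kind == "memory" and age_days > max_age_days:
                issues.append("stale memory snapshot")
            findings.append(Finding(path, kind, age_days, issues))
    # Most exposed artifacts first, then by path for stable output.
    return sorted(findings, key=lambda f: (-len(f.issues), f.path))


if __name__ == "__main__":
    for f in audit_datastore(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.kind:6} {f.age_days:5}d {f.path} {', '.join(f.issues) or 'ok'}")
```

Run it with the datastore mount point as the only argument; anything flagged is a file that yields credentials to whoever can read it, whether or not the VM is running.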
Vendors: Nikaiw, Github
Products: Impacket, Lsass, Mimikatz, Ntds.Dit, Vmkatz, Windows
Published: 2026-03-19, 14:52