Extract Hashed Credentials from VMDK Images

date
Jul 14, 2021
slug
vmdk-credentials
status
Published
tags
VMDK
Hashes
summary
Extract hashed credentials from VMDK images.
type
Post
Table of Contents

VMDK Images

If you ever come across a VMDK file on a pentest, you can mount that file, partition the drives, and retrieve hashed credentials. A VMDK file is a virtual disk file that stores the contents of the virtual machine’s hard disk drive. These can be found among the VMware and VirtualBox virtual machine files. Even if the VMDK file is a few years old, it can still lead to domain compromise if the recovered credentials are still valid.

Mount and Read the VMDK Image Contents

In this approach we are assuming you already mounted the VMDK file to your Linux machine or you already have a copy of the VMDK file on your system. To read the contents of the VMDK file, you must first use kpartx to create device maps from the VMDK partition tables. After creating the mappings, mount the partition that isn’t the boot partition, which is usually the 2nd mapping.
sudo kpartx -av /mnt/NFS/Example.vmdk
sudo mount /dev/mapper/loop0p2 /mnt/tmp
Mounting Kpartx Partition
Mounting Kpartx Partition

Dumping Hashes

From here you can copy the SAM, SYSTEM, and SECURITY hives, located in the “/Windows/System32/config” folder, to your local machine. Using impacket’s secretsdump module, you can dump the saved hashes from the three registry hives.
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
If the machine is a domain controller, you can retrieve the NTDS.dit file instead of the SAM hive. This file is a database that stores Active Directory data, including domain usernames and NTLM hashed passwords. You can use secretsdump to dump the domain hashes as long as you have the SYSTEM and SECURITY hives.
impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL
Secretsdump Usage
Secretsdump Usage