0xPThree.gitbook.io

⌘Ctrlk

Read VMDK files

Windows

In Windows simply open the .VMDK files with 7-zip or similar.

Linux

➜ apt-get install guestmount libguestfs-tools
➜ virt-filesystems -a backupFile.vhdx 
/dev/sda2
➜ mkdir /mnt/share/disk
➜ sudo guestmount -a backupFile.vhdx -m /dev/sda2 --rw /mnt/share/disk

➜ sudo cp /mnt/share/disk/Windows/NTDS/ntds.dit .
➜ sudo cp /mnt/share/disk/Windows/System32/config/SYSTEM .

Restore Windows Registry

If you find a script in the .VMDK file where credentials are fetched from the registry, like below.

#user that will connect to storage
$backupUser = "backupServer01\backupUser"
$backupPass = (Get-ItemProperty HKLM:\Software\Scripts).backupUser

You can retrieve the password by restoring the registry like so:

Extract C:\Windows\System32\config\SOFTWARE from .VMDK file to local Windows Machine
Open regedit, highlight HKEY_LOCAL_MACHINE, go to File in the top left corner and press Load Hive...
Write a new name for the Hive and browse to the registry entry to find the plaintext password.

Last updated 1 year ago